| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
| 6 #include <dlfcn.h> | 6 #include <dlfcn.h> |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <linux/audit.h> | 9 #include <linux/audit.h> |
| 10 #include <linux/filter.h> | 10 #include <linux/filter.h> |
| (...skipping 25 matching lines...) Expand all Loading... |
| 36 namespace { | 36 namespace { |
| 37 | 37 |
| 38 inline bool IsChromeOS() { | 38 inline bool IsChromeOS() { |
| 39 #if defined(OS_CHROMEOS) | 39 #if defined(OS_CHROMEOS) |
| 40 return true; | 40 return true; |
| 41 #else | 41 #else |
| 42 return false; | 42 return false; |
| 43 #endif | 43 #endif |
| 44 } | 44 } |
| 45 | 45 |
| 46 void LogSandboxStarted(const std::string& sandbox_name, | |
| 47 const std::string& process_type) { | |
| 48 const std::string activated_sandbox = | |
| 49 "Activated " + sandbox_name + " sandbox for process type: " + | |
| 50 process_type + "."; | |
| 51 if (IsChromeOS()) { | |
| 52 LOG(WARNING) << activated_sandbox; | |
| 53 } else { | |
| 54 VLOG(1) << activated_sandbox; | |
| 55 } | |
| 56 } | |
| 57 | |
| 58 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { | 46 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { |
| 59 int syscall = args.nr; | 47 int syscall = args.nr; |
| 60 if (syscall >= 1024) | 48 if (syscall >= 1024) |
| 61 syscall = 0; | 49 syscall = 0; |
| 62 // Encode 8-bits of the 1st two arguments too, so we can discern which socket | 50 // Encode 8-bits of the 1st two arguments too, so we can discern which socket |
| 63 // type, which fcntl, ... etc., without being likely to hit a mapped | 51 // type, which fcntl, ... etc., without being likely to hit a mapped |
| 64 // address. | 52 // address. |
| 65 // Do not encode more bits here without thinking about increasing the | 53 // Do not encode more bits here without thinking about increasing the |
| 66 // likelihood of collision with mapped pages. | 54 // likelihood of collision with mapped pages. |
| 67 syscall |= ((args.args[0] & 0xffUL) << 12); | 55 syscall |= ((args.args[0] & 0xffUL) << 12); |
| 68 syscall |= ((args.args[1] & 0xffUL) << 20); | 56 syscall |= ((args.args[1] & 0xffUL) << 20); |
| 69 // Purposefully dereference the syscall as an address so it'll show up very | 57 // Purposefully dereference the syscall as an address so it'll show up very |
| 70 // clearly and easily in crash dumps. | 58 // clearly and easily in crash dumps. |
| 71 volatile char* addr = reinterpret_cast<volatile char*>(syscall); | 59 volatile char* addr = reinterpret_cast<volatile char*>(syscall); |
| 72 *addr = '\0'; | 60 *addr = '\0'; |
| 73 // In case we hit a mapped address, hit the null page with just the syscall, | 61 // In case we hit a mapped address, hit the null page with just the syscall, |
| 74 // for paranoia. | 62 // for paranoia. |
| 75 syscall &= 0xfffUL; | 63 syscall &= 0xfffUL; |
| 76 addr = reinterpret_cast<volatile char*>(syscall); | 64 addr = reinterpret_cast<volatile char*>(syscall); |
| 77 *addr = '\0'; | 65 *addr = '\0'; |
| 78 for (;;) | 66 for (;;) |
| 79 _exit(1); | 67 _exit(1); |
| 80 } | 68 } |
| 81 | 69 |
| 82 // TODO(jln) we need to restrict the first parameter! | |
| 83 bool IsKillSyscall(int sysno) { | |
| 84 switch (sysno) { | |
| 85 case __NR_kill: | |
| 86 case __NR_tkill: | |
| 87 case __NR_tgkill: | |
| 88 return true; | |
| 89 default: | |
| 90 return false; | |
| 91 } | |
| 92 } | |
| 93 | |
| 94 bool IsGettimeSyscall(int sysno) { | |
| 95 switch (sysno) { | |
| 96 case __NR_clock_gettime: | |
| 97 case __NR_gettimeofday: | |
| 98 case __NR_time: | |
| 99 return true; | |
| 100 default: | |
| 101 return false; | |
| 102 } | |
| 103 } | |
| 104 | |
| 105 bool IsFileSystemSyscall(int sysno) { | |
| 106 switch (sysno) { | |
| 107 case __NR_open: | |
| 108 case __NR_openat: | |
| 109 case __NR_execve: | |
| 110 case __NR_access: | |
| 111 case __NR_mkdir: | |
| 112 case __NR_mkdirat: | |
| 113 case __NR_readlink: | |
| 114 case __NR_readlinkat: | |
| 115 case __NR_stat: | |
| 116 case __NR_lstat: | |
| 117 case __NR_chdir: | |
| 118 case __NR_mknod: | |
| 119 case __NR_mknodat: | |
| 120 return true; | |
| 121 default: | |
| 122 return false; | |
| 123 } | |
| 124 } | |
| 125 | |
| 126 bool IsAcceleratedVideoDecodeEnabled() { | 70 bool IsAcceleratedVideoDecodeEnabled() { |
| 127 // Accelerated video decode is currently enabled on Chrome OS, | 71 // Accelerated video decode is currently enabled on Chrome OS, |
| 128 // but not on Linux: crbug.com/137247. | 72 // but not on Linux: crbug.com/137247. |
| 129 bool is_enabled = IsChromeOS(); | 73 bool is_enabled = IsChromeOS(); |
| 130 | 74 |
| 131 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 75 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 132 is_enabled = is_enabled && | 76 is_enabled = is_enabled && |
| 133 !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode); | 77 !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode); |
| 134 | 78 |
| 135 return is_enabled; | 79 return is_enabled; |
| (...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 197 | 141 |
| 198 if (strcmp(pathname, kDriRcPath) == 0) { | 142 if (strcmp(pathname, kDriRcPath) == 0) { |
| 199 int ret = OpenWithCache(pathname, flags); | 143 int ret = OpenWithCache(pathname, flags); |
| 200 return (ret == -1) ? -errno : ret; | 144 return (ret == -1) ? -errno : ret; |
| 201 } else { | 145 } else { |
| 202 return -ENOENT; | 146 return -ENOENT; |
| 203 } | 147 } |
| 204 } | 148 } |
| 205 | 149 |
| 206 #if defined(__x86_64__) | 150 #if defined(__x86_64__) |
| 207 // x86_64 only because it references system calls that are multiplexed on IA32. | 151 |
| 208 bool IsGpuAndFlashPolicyAllowed_x86_64(int sysno) { | 152 // The functions below cover all existing x86_64 system calls. |
| 209 switch (sysno) { | 153 // The implicitly defined sets form a partition of the sets of |
| 210 case __NR_brk: | 154 // system calls. |
| 211 case __NR_clone: // TODO(jln) restrict flags. | 155 |
| 212 case __NR_close: | 156 // TODO(jln) we need to restrict the first parameter! |
| 213 case __NR_dup: | 157 bool IsKillSyscall(int sysno) { |
| 214 case __NR_epoll_create: | 158 switch (sysno) { |
| 215 case __NR_epoll_ctl: | 159 case __NR_kill: |
| 216 case __NR_epoll_wait: | 160 case __NR_tkill: |
| 217 case __NR_exit: | 161 case __NR_tgkill: |
| 218 case __NR_exit_group: | 162 return true; |
| 219 case __NR_fcntl: | 163 default: |
| 164 return false; |
| 165 } |
| 166 } |
| 167 |
| 168 bool IsAllowedGettimeSyscall(int sysno) { |
| 169 switch (sysno) { |
| 170 // case __NR_clock_getres: |
| 171 case __NR_clock_gettime: |
| 172 // case __NR_clock_nanosleep: |
| 173 case __NR_gettimeofday: |
| 174 case __NR_time: |
| 175 return true; |
| 176 case __NR_adjtimex: // Privileged. |
| 177 case __NR_settimeofday: // Privileged. |
| 178 case __NR_clock_adjtime: // Privileged. |
| 179 case __NR_clock_settime: // Privileged. |
| 180 default: |
| 181 return false; |
| 182 } |
| 183 } |
| 184 |
| 185 bool IsAmbientFileSystemSyscall(int sysno) { |
| 186 switch (sysno) { |
| 187 // case __NR_getcwd: |
| 188 case __NR_chdir: |
| 189 // case __NR_fchdir: |
| 190 // case __NR_umask: |
| 191 return true; |
| 192 default: |
| 193 return false; |
| 194 } |
| 195 } |
| 196 |
| 197 // System calls that directly access the file system. They might aquire |
| 198 // a new file descriptor or otherwise perform an operation directly |
| 199 // via a path. |
| 200 // For many, EPERM is a valid errno, but not for all of them. |
| 201 bool IsFileSystemSyscall(int sysno) { |
| 202 switch (sysno) { |
| 203 case __NR_access: |
| 204 // case __NR_chmod: |
| 205 // case __NR_chown: |
| 206 // case __NR_creat: |
| 207 case __NR_execve: |
| 208 // case __NR_faccessat: |
| 209 // case __NR_fchmodat: |
| 210 // case __NR_fchownat: // Should be called chownat ? |
| 211 // case __NR_futimesat: // Should be called utimesat ? |
| 212 // case __NR_getdents: |
| 213 // case __NR_getdents64: |
| 214 // case __NR_lchown: |
| 215 // case __NR_link: |
| 216 // case __NR_linkat: |
| 217 // case __NR_lookup_dcookie: |
| 218 case __NR_lstat: |
| 219 case __NR_mkdir: |
| 220 case __NR_mkdirat: |
| 221 case __NR_mknod: |
| 222 case __NR_mknodat: |
| 223 // case __NR_newfstatat: // Should be called statat ? |
| 224 case __NR_open: |
| 225 case __NR_openat: |
| 226 case __NR_readlink: |
| 227 case __NR_readlinkat: |
| 228 // case __NR_rename: |
| 229 // case __NR_renameat: |
| 230 // case __NR_rmdir: |
| 231 case __NR_stat: |
| 232 // case __NR_statfs: |
| 233 // case __NR_symlink: |
| 234 // case __NR_symlinkat: |
| 235 // case __NR_truncate: |
| 236 // case __NR_unlink: |
| 237 // case __NR_unlinkat: |
| 238 // case __NR_uselib: |
| 239 // case __NR_ustat: // Deprecated. |
| 240 // case __NR_utime: |
| 241 // case __NR_utimensat: // New. |
| 242 // case __NR_utimes: |
| 243 return true; |
| 244 default: |
| 245 return false; |
| 246 } |
| 247 } |
| 248 |
| 249 bool IsAllowedFileSystemCapabilitySyscall(int sysno) { |
| 250 switch (sysno) { |
| 251 // case __NR_fadvise64: |
| 252 // case __NR_flock: |
| 220 case __NR_fstat: | 253 case __NR_fstat: |
| 221 case __NR_futex: | 254 // case __NR_fstatfs: // Give information about the whole filesystem. |
| 255 // case __NR_fsync: |
| 256 // case __NR_fdatasync: |
| 257 // case __NR_sync_file_range: |
| 258 return true; |
| 259 case __NR_fallocate: |
| 260 case __NR_fchmod: |
| 261 case __NR_fchown: |
| 262 case __NR_ftruncate: |
| 263 default: |
| 264 return false; |
| 265 } |
| 266 } |
| 267 |
| 268 bool IsGetProcessIdSyscall(int sysno) { |
| 269 switch (sysno) { |
| 270 // case __NR_capget: |
| 222 case __NR_getegid: | 271 case __NR_getegid: |
| 223 case __NR_geteuid: | 272 case __NR_geteuid: |
| 224 case __NR_getgid: | 273 case __NR_getgid: |
| 274 // case __NR_getgroups: |
| 275 // case __NR_getpid: |
| 276 // case __NR_getppid: |
| 277 // case __NR_getresgid: |
| 278 // case __NR_getresuid: |
| 279 // case __NR_getsid: |
| 225 case __NR_gettid: | 280 case __NR_gettid: |
| 226 case __NR_getuid: | 281 case __NR_getuid: |
| 282 return true; |
| 283 default: |
| 284 return false; |
| 285 } |
| 286 } |
| 287 |
| 288 bool IsProcessPrivilegeChange(int sysno) { |
| 289 switch (sysno) { |
| 290 case __NR_capset: |
| 291 case __NR_ioperm: // Intel privilege. |
| 292 case __NR_iopl: // Intel privilege. |
| 293 case __NR_setfsgid: |
| 294 case __NR_setfsuid: |
| 295 case __NR_setgid: |
| 296 case __NR_setgroups: |
| 297 case __NR_setregid: |
| 298 case __NR_setresgid: |
| 299 case __NR_setresuid: |
| 300 case __NR_setreuid: |
| 301 case __NR_setuid: |
| 302 return true; |
| 303 default: |
| 304 return false; |
| 305 } |
| 306 } |
| 307 |
| 308 bool IsProcessGroupOrSession(int sysno) { |
| 309 switch (sysno) { |
| 310 case __NR_setpgid: |
| 311 case __NR_getpgrp: |
| 312 case __NR_setsid: |
| 313 case __NR_getpgid: |
| 314 return true; |
| 315 default: |
| 316 return false; |
| 317 } |
| 318 } |
| 319 |
| 320 bool IsAllowedSignalHandling(int sysno) { |
| 321 switch (sysno) { |
| 322 case __NR_rt_sigaction: |
| 323 // case __NR_rt_sigpending: |
| 324 case __NR_rt_sigprocmask: |
| 325 // case __NR_rt_sigqueueinfo: |
| 326 case __NR_rt_sigreturn: |
| 327 // case __NR_rt_sigsuspend: |
| 328 // case __NR_rt_sigtimedwait: |
| 329 // case __NR_rt_tgsigqueueinfo: |
| 330 // case __NR_sigaltstack: |
| 331 // case __NR_signalfd: |
| 332 // case __NR_signalfd4: |
| 333 return true; |
| 334 default: |
| 335 return false; |
| 336 } |
| 337 } |
| 338 |
| 339 bool IsOperationOnFd(int sysno) { |
| 340 switch (sysno) { |
| 341 case __NR_close: |
| 342 case __NR_dup: |
| 343 // case __NR_dup2: |
| 344 // case __NR_dup3: |
| 345 case __NR_fcntl: |
| 346 case __NR_shutdown: |
| 347 return true; |
| 348 default: |
| 349 return false; |
| 350 } |
| 351 } |
| 352 |
| 353 bool IsKernelInteralApi(int sysno) { |
| 354 switch (sysno) { |
| 355 case __NR_restart_syscall: |
| 356 return true; |
| 357 default: |
| 358 return false; |
| 359 } |
| 360 } |
| 361 |
| 362 bool IsAllowedProcessStartOrDeath(int sysno) { |
| 363 switch (sysno) { |
| 364 case __NR_clone: // TODO(jln): restrict flags. |
| 365 case __NR_exit: |
| 366 case __NR_exit_group: |
| 367 // case __NR_fork: |
| 368 // case __NR_get_thread_area: |
| 369 // case __NR_set_thread_area: |
| 370 // case __NR_set_tid_address: |
| 371 // case __NR_unshare: |
| 372 // case __NR_vfork: |
| 373 // case __NR_wait4: |
| 374 // case __NR_waitid: |
| 375 return true; |
| 376 case __NR_setns: // Privileged. |
| 377 default: |
| 378 return false; |
| 379 } |
| 380 } |
| 381 |
| 382 bool IsAllowedEpoll(int sysno) { |
| 383 switch (sysno) { |
| 384 case __NR_epoll_create: |
| 385 // case __NR_epoll_create1: |
| 386 case __NR_epoll_ctl: |
| 387 // case __NR_epoll_ctl_old: |
| 388 // case __NR_epoll_pwait: |
| 389 case __NR_epoll_wait: |
| 390 // case __NR_epoll_wait_old: |
| 391 return true; |
| 392 default: |
| 393 return false; |
| 394 } |
| 395 } |
| 396 |
| 397 bool IsAllowedGetOrModifySocket(int sysno) { |
| 398 switch (sysno) { |
| 399 case __NR_pipe: |
| 400 // case __NR_pipe2: |
| 401 case __NR_socketpair: // We will want to inspect its argument. |
| 402 return true; |
| 403 default: |
| 404 case __NR_accept: |
| 405 case __NR_accept4: |
| 406 case __NR_bind: |
| 407 case __NR_connect: |
| 408 case __NR_socket: |
| 409 case __NR_listen: |
| 410 return false; |
| 411 } |
| 412 } |
| 413 |
| 414 bool IsNetworkSocketInformation(int sysno) { |
| 415 switch (sysno) { |
| 416 case __NR_getpeername: |
| 417 case __NR_getsockname: |
| 418 case __NR_getsockopt: |
| 419 case __NR_setsockopt: |
| 420 return true; |
| 421 default: |
| 422 return false; |
| 423 } |
| 424 } |
| 425 |
| 426 bool IsFutex(int sysno) { |
| 427 switch (sysno) { |
| 428 case __NR_futex: |
| 429 // case __NR_get_robust_list: |
| 430 case __NR_set_robust_list: |
| 431 return true; |
| 432 default: |
| 433 return false; |
| 434 } |
| 435 } |
| 436 |
| 437 bool IsAllowedAddressSpaceAccess(int sysno) { |
| 438 switch (sysno) { |
| 439 case __NR_brk: |
| 440 case __NR_madvise: |
| 441 // case __NR_mincore: |
| 442 // case __NR_mlock: |
| 443 // case __NR_mlockall: |
| 444 case __NR_mmap: |
| 445 // case __NR_modify_ldt: |
| 446 case __NR_mprotect: |
| 447 // case __NR_mremap: |
| 448 // case __NR_msync: |
| 449 // case __NR_munlock: |
| 450 // case __NR_munlockall: |
| 451 case __NR_munmap: |
| 452 // case __NR_readahead: |
| 453 // case __NR_remap_file_pages: |
| 454 return true; |
| 455 default: |
| 456 return false; |
| 457 } |
| 458 } |
| 459 |
| 460 bool IsAllowedGeneralIo(int sysno) { |
| 461 switch (sysno) { |
| 227 case __NR_lseek: | 462 case __NR_lseek: |
| 228 case __NR_madvise: | 463 // case __NR_poll: |
| 229 case __NR_mmap: | 464 // case __NR_ppoll: |
| 230 case __NR_mprotect: | 465 // case __NR_pread64: |
| 231 case __NR_munmap: | 466 // case __NR_preadv: |
| 232 case __NR_pipe: | 467 // case __NR_pselect6: |
| 468 // case __NR_pwrite64: |
| 469 // case __NR_pwritev: |
| 470 case __NR_read: |
| 471 // case __NR_readv: |
| 472 // case __NR_recvfrom: // Could specify source. |
| 473 // case __NR_recvmmsg: // Could specify source. |
| 474 case __NR_recvmsg: // Could specify source. |
| 475 // case __NR_select: |
| 476 // case __NR_sendfile: |
| 477 // case __NR_sendmmsg: // Could specify destination. |
| 478 case __NR_sendmsg: // Could specify destination. |
| 479 // case __NR_sendto: // Could specify destination. |
| 480 // case __NR_splice: |
| 481 // case __NR_tee: |
| 482 // case __NR_vmsplice: |
| 483 case __NR_write: |
| 484 // case __NR_writev: |
| 485 return true; |
| 486 default: |
| 487 case __NR_ioctl: // Can be very powerful. |
| 488 return false; |
| 489 } |
| 490 } |
| 491 |
| 492 bool IsAllowedPrctl(int sysno) { |
| 493 switch (sysno) { |
| 233 case __NR_prctl: | 494 case __NR_prctl: |
| 234 case __NR_read: | 495 // case __NR_arch_prctl: |
| 235 case __NR_recvmsg: | 496 return true; |
| 236 case __NR_restart_syscall: | 497 default: |
| 237 case __NR_rt_sigaction: // Breakpad signal handler. | 498 return false; |
| 238 case __NR_rt_sigprocmask: | 499 } |
| 239 case __NR_rt_sigreturn: | 500 } |
| 501 |
| 502 bool IsAllowedBasicScheduler(int sysno) { |
| 503 switch (sysno) { |
| 240 case __NR_sched_yield: | 504 case __NR_sched_yield: |
| 241 case __NR_sendmsg: | 505 // case __NR_pause: |
| 242 case __NR_set_robust_list: | 506 // case __NR_nanosleep: |
| 243 case __NR_shutdown: | 507 // case __NR_getpriority: |
| 244 case __NR_socketpair: | 508 return true; |
| 245 case __NR_write: | 509 case __NR_setpriority: |
| 246 return true; | 510 default: |
| 247 default: | 511 return false; |
| 248 if (IsGettimeSyscall(sysno) || | 512 } |
| 249 IsKillSyscall(sysno)) { | 513 } |
| 250 return true; | 514 |
| 251 } else { | 515 bool IsAdminOperation(int sysno) { |
| 252 return false; | 516 switch (sysno) { |
| 253 } | 517 case __NR_kexec_load: |
| 518 case __NR_reboot: |
| 519 case __NR_setdomainname: |
| 520 case __NR_sethostname: |
| 521 case __NR_syslog: |
| 522 return true; |
| 523 default: |
| 524 return false; |
| 525 } |
| 526 } |
| 527 |
| 528 bool IsKernelModule(int sysno) { |
| 529 switch (sysno) { |
| 530 case __NR_create_module: |
| 531 case __NR_delete_module: |
| 532 case __NR_get_kernel_syms: // Should ENOSYS. |
| 533 case __NR_init_module: |
| 534 case __NR_query_module: |
| 535 return true; |
| 536 default: |
| 537 return false; |
| 538 } |
| 539 } |
| 540 |
| 541 bool IsGlobalFSViewChange(int sysno) { |
| 542 switch (sysno) { |
| 543 case __NR_pivot_root: |
| 544 case __NR_chroot: |
| 545 case __NR_sync: |
| 546 return true; |
| 547 default: |
| 548 return false; |
| 549 } |
| 550 } |
| 551 |
| 552 bool IsFsControl(int sysno) { |
| 553 switch (sysno) { |
| 554 case __NR_mount: |
| 555 case __NR_nfsservctl: |
| 556 case __NR_quotactl: |
| 557 case __NR_swapoff: |
| 558 case __NR_swapon: |
| 559 case __NR_umount2: |
| 560 return true; |
| 561 default: |
| 562 return false; |
| 563 } |
| 564 } |
| 565 |
| 566 bool IsNuma(int sysno) { |
| 567 switch (sysno) { |
| 568 case __NR_get_mempolicy: |
| 569 case __NR_getcpu: |
| 570 case __NR_mbind: |
| 571 case __NR_migrate_pages: |
| 572 case __NR_move_pages: |
| 573 case __NR_set_mempolicy: |
| 574 return true; |
| 575 default: |
| 576 return false; |
| 577 } |
| 578 } |
| 579 |
| 580 bool IsMessageQueue(int sysno) { |
| 581 switch (sysno) { |
| 582 case __NR_mq_getsetattr: |
| 583 case __NR_mq_notify: |
| 584 case __NR_mq_open: |
| 585 case __NR_mq_timedreceive: |
| 586 case __NR_mq_timedsend: |
| 587 case __NR_mq_unlink: |
| 588 return true; |
| 589 default: |
| 590 return false; |
| 591 } |
| 592 } |
| 593 |
| 594 bool IsGlobalProcessEnvironment(int sysno) { |
| 595 switch (sysno) { |
| 596 case __NR_acct: // Privileged. |
| 597 case __NR_getrlimit: |
| 598 case __NR_getrusage: |
| 599 case __NR_personality: // Can change its personality as well. |
| 600 case __NR_prlimit64: // Like setrlimit / getrlimit. |
| 601 case __NR_setrlimit: |
| 602 case __NR_times: |
| 603 return true; |
| 604 default: |
| 605 return false; |
| 606 } |
| 607 } |
| 608 |
| 609 bool IsDebug(int sysno) { |
| 610 switch (sysno) { |
| 611 case __NR_ptrace: |
| 612 case __NR_process_vm_readv: |
| 613 case __NR_process_vm_writev: |
| 614 case __NR_kcmp: |
| 615 return true; |
| 616 default: |
| 617 return false; |
| 618 } |
| 619 } |
| 620 |
| 621 bool IsGlobalSystemStatus(int sysno) { |
| 622 switch (sysno) { |
| 623 case __NR__sysctl: |
| 624 case __NR_sysfs: |
| 625 case __NR_sysinfo: |
| 626 case __NR_uname: |
| 627 return true; |
| 628 default: |
| 629 return false; |
| 630 } |
| 631 } |
| 632 |
| 633 bool IsEventFd(int sysno) { |
| 634 switch (sysno) { |
| 635 case __NR_eventfd: |
| 636 // case __NR_eventfd2: |
| 637 return true; |
| 638 default: |
| 639 return false; |
| 640 } |
| 641 } |
| 642 |
| 643 // Asynchronous I/O API. |
| 644 bool IsAsyncIo(int sysno) { |
| 645 switch (sysno) { |
| 646 case __NR_io_cancel: |
| 647 case __NR_io_destroy: |
| 648 case __NR_io_getevents: |
| 649 case __NR_io_setup: |
| 650 case __NR_io_submit: |
| 651 return true; |
| 652 default: |
| 653 return false; |
| 654 } |
| 655 } |
| 656 |
| 657 bool IsKeyManagement(int sysno) { |
| 658 switch (sysno) { |
| 659 case __NR_add_key: |
| 660 case __NR_keyctl: |
| 661 case __NR_request_key: |
| 662 return true; |
| 663 default: |
| 664 return false; |
| 665 } |
| 666 } |
| 667 |
| 668 bool IsSystemVSemaphores(int sysno) { |
| 669 switch (sysno) { |
| 670 case __NR_semctl: |
| 671 case __NR_semget: |
| 672 case __NR_semop: |
| 673 case __NR_semtimedop: |
| 674 return true; |
| 675 default: |
| 676 return false; |
| 677 } |
| 678 } |
| 679 |
| 680 // These give a lot of ambient authority and bypass the setuid sandbox. |
| 681 bool IsSystemVSharedMemory(int sysno) { |
| 682 switch (sysno) { |
| 683 case __NR_shmat: |
| 684 case __NR_shmctl: |
| 685 case __NR_shmdt: |
| 686 // case __NR_shmget: |
| 687 return true; |
| 688 default: |
| 689 return false; |
| 690 } |
| 691 } |
| 692 |
| 693 bool IsSystemVMessageQueue(int sysno) { |
| 694 switch (sysno) { |
| 695 case __NR_msgctl: |
| 696 case __NR_msgget: |
| 697 case __NR_msgrcv: |
| 698 case __NR_msgsnd: |
| 699 return true; |
| 700 default: |
| 701 return false; |
| 702 } |
| 703 } |
| 704 |
| 705 bool IsAdvancedScheduler(int sysno) { |
| 706 switch (sysno) { |
| 707 case __NR_ioprio_get: // IO scheduler. |
| 708 case __NR_ioprio_set: |
| 709 case __NR_sched_get_priority_max: |
| 710 case __NR_sched_get_priority_min: |
| 711 case __NR_sched_getaffinity: |
| 712 case __NR_sched_getparam: |
| 713 case __NR_sched_getscheduler: |
| 714 case __NR_sched_rr_get_interval: |
| 715 case __NR_sched_setaffinity: |
| 716 case __NR_sched_setparam: |
| 717 case __NR_sched_setscheduler: |
| 718 return true; |
| 719 default: |
| 720 return false; |
| 721 } |
| 722 } |
| 723 |
| 724 bool IsInotify(int sysno) { |
| 725 switch (sysno) { |
| 726 case __NR_inotify_add_watch: |
| 727 case __NR_inotify_init: |
| 728 case __NR_inotify_init1: |
| 729 case __NR_inotify_rm_watch: |
| 730 return true; |
| 731 default: |
| 732 return false; |
| 733 } |
| 734 } |
| 735 |
| 736 bool IsFaNotify(int sysno) { |
| 737 switch (sysno) { |
| 738 case __NR_fanotify_init: |
| 739 case __NR_fanotify_mark: |
| 740 return true; |
| 741 default: |
| 742 return false; |
| 743 } |
| 744 } |
| 745 |
| 746 bool IsTimer(int sysno) { |
| 747 switch (sysno) { |
| 748 case __NR_getitimer: |
| 749 case __NR_alarm: |
| 750 case __NR_setitimer: |
| 751 return true; |
| 752 default: |
| 753 return false; |
| 754 } |
| 755 } |
| 756 |
| 757 bool IsAdvancedTimer(int sysno) { |
| 758 switch (sysno) { |
| 759 case __NR_timer_create: |
| 760 case __NR_timer_delete: |
| 761 case __NR_timer_getoverrun: |
| 762 case __NR_timer_gettime: |
| 763 case __NR_timer_settime: |
| 764 case __NR_timerfd_create: |
| 765 case __NR_timerfd_gettime: |
| 766 case __NR_timerfd_settime: |
| 767 return true; |
| 768 default: |
| 769 return false; |
| 770 } |
| 771 } |
| 772 |
| 773 bool IsExtendedAttributes(int sysno) { |
| 774 switch (sysno) { |
| 775 case __NR_fgetxattr: |
| 776 case __NR_flistxattr: |
| 777 case __NR_fremovexattr: |
| 778 case __NR_fsetxattr: |
| 779 case __NR_getxattr: |
| 780 case __NR_lgetxattr: |
| 781 case __NR_listxattr: |
| 782 case __NR_llistxattr: |
| 783 case __NR_lremovexattr: |
| 784 case __NR_lsetxattr: |
| 785 case __NR_removexattr: |
| 786 case __NR_setxattr: |
| 787 return true; |
| 788 default: |
| 789 return false; |
| 790 } |
| 791 } |
| 792 |
| 793 // Various system calls that need to be researched. |
| 794 // TODO(jln): classify this better. |
| 795 bool IsMiscSyscall(int sysno) { |
| 796 switch (sysno) { |
| 797 case __NR_name_to_handle_at: |
| 798 case __NR_open_by_handle_at: |
| 799 case __NR_perf_event_open: |
| 800 case __NR_syncfs: |
| 801 case __NR_vhangup: |
| 802 // The system calls below are not implemented. |
| 803 case __NR_afs_syscall: |
| 804 case __NR_getpmsg: |
| 805 case __NR_putpmsg: |
| 806 case __NR_security: |
| 807 case __NR_tuxcall: |
| 808 case __NR_vserver: |
| 809 return true; |
| 810 default: |
| 811 return false; |
| 812 } |
| 813 } |
| 814 |
| 815 // End of the system call sets section. |
| 816 |
| 817 // x86_64 only because it references system calls that are multiplexed on IA32. |
| 818 bool IsGpuAndFlashPolicyAllowed_x86_64(int sysno) { |
| 819 if (IsAllowedAddressSpaceAccess(sysno) || |
| 820 IsAllowedBasicScheduler(sysno) || |
| 821 IsAllowedEpoll(sysno) || |
| 822 IsAllowedFileSystemCapabilitySyscall(sysno) || |
| 823 IsAllowedGeneralIo(sysno) || |
| 824 IsAllowedGetOrModifySocket(sysno) || |
| 825 IsAllowedGettimeSyscall(sysno) || |
| 826 IsAllowedPrctl(sysno) || |
| 827 IsAllowedProcessStartOrDeath(sysno) || |
| 828 IsAllowedSignalHandling(sysno) || |
| 829 IsFutex(sysno) || |
| 830 IsGetProcessIdSyscall(sysno) || |
| 831 IsKernelInteralApi(sysno) || |
| 832 IsKillSyscall(sysno) || |
| 833 IsOperationOnFd(sysno)) { |
| 834 return true; |
| 835 } else { |
| 836 return false; |
| 837 } |
| 838 } |
| 839 |
| 840 // System calls that will trigger the crashing sigsys handler. |
| 841 bool IsGpuAndFlashPolicyWatched_x86_64(int sysno) { |
| 842 if (IsAdminOperation(sysno) || |
| 843 IsAdvancedScheduler(sysno) || |
| 844 IsAdvancedTimer(sysno) || |
| 845 IsAsyncIo(sysno) || |
| 846 IsDebug(sysno) || |
| 847 IsEventFd(sysno) || |
| 848 IsExtendedAttributes(sysno) || |
| 849 IsFaNotify(sysno) || |
| 850 IsFsControl(sysno) || |
| 851 IsGlobalFSViewChange(sysno) || |
| 852 IsGlobalProcessEnvironment(sysno) || |
| 853 IsGlobalSystemStatus(sysno) || |
| 854 IsInotify(sysno) || |
| 855 IsKernelModule(sysno) || |
| 856 IsKeyManagement(sysno) || |
| 857 IsMessageQueue(sysno) || |
| 858 IsMiscSyscall(sysno) || |
| 859 IsNetworkSocketInformation(sysno) || |
| 860 IsNuma(sysno) || |
| 861 IsProcessGroupOrSession(sysno) || |
| 862 IsProcessPrivilegeChange(sysno) || |
| 863 IsSystemVMessageQueue(sysno) || |
| 864 IsSystemVSemaphores(sysno) || |
| 865 IsSystemVSharedMemory(sysno) || |
| 866 IsTimer(sysno)) { |
| 867 return true; |
| 868 } else { |
| 869 return false; |
| 254 } | 870 } |
| 255 } | 871 } |
| 256 | 872 |
| 257 // x86_64 only because it references system calls that are multiplexed on IA32. | 873 // x86_64 only because it references system calls that are multiplexed on IA32. |
| 258 playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) { | 874 playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) { |
| 259 switch(sysno) { | 875 switch(sysno) { |
| 260 case __NR_eventfd2: | |
| 261 case __NR_getpid: // Nvidia binary driver. | 876 case __NR_getpid: // Nvidia binary driver. |
| 262 case __NR_getppid: // ATI binary driver. | 877 case __NR_getppid: // ATI binary driver. |
| 263 case __NR_ioctl: | 878 case __NR_ioctl: |
| 264 case __NR_mlock: | 879 case __NR_mlock: |
| 265 case __NR_munlock: | 880 case __NR_munlock: |
| 266 case __NR_poll: | 881 case __NR_poll: |
| 267 case __NR_recvfrom: | 882 case __NR_recvfrom: |
| 268 case __NR_writev: | 883 case __NR_writev: |
| 269 return playground2::Sandbox::SB_ALLOWED; | 884 return playground2::Sandbox::SB_ALLOWED; |
| 270 case __NR_socket: | 885 case __NR_socket: |
| 271 return EACCES; // Nvidia binary driver. | 886 return EACCES; // Nvidia binary driver. |
| 272 case __NR_fchmod: | 887 case __NR_fchmod: |
| 273 return EPERM; // ATI binary driver. | 888 return EPERM; // ATI binary driver. |
| 274 case __NR_open: | 889 case __NR_open: |
| 275 // Accelerated video decode is enabled by default only on Chrome OS. | 890 // Accelerated video decode is enabled by default only on Chrome OS. |
| 276 if (IsAcceleratedVideoDecodeEnabled()) { | 891 if (IsAcceleratedVideoDecodeEnabled()) { |
| 277 // Accelerated video decode needs to open /dev/dri/card0, and | 892 // Accelerated video decode needs to open /dev/dri/card0, and |
| 278 // dup()'ing an already open file descriptor does not work. | 893 // dup()'ing an already open file descriptor does not work. |
| 279 // Allow open() even though it severely weakens the sandbox, | 894 // Allow open() even though it severely weakens the sandbox, |
| 280 // to test the sandboxing mechanism in general. | 895 // to test the sandboxing mechanism in general. |
| 281 // TODO(jorgelo): remove this once we solve the libva issue. | 896 // TODO(jorgelo): remove this once we solve the libva issue. |
| 282 return playground2::Sandbox::SB_ALLOWED; | 897 return playground2::Sandbox::SB_ALLOWED; |
| 283 } else { | 898 } else { |
| 284 // Hook open() in the GPU process to allow opening /etc/drirc, | 899 // Hook open() in the GPU process to allow opening /etc/drirc, |
| 285 // needed by Mesa. | 900 // needed by Mesa. |
| 286 // The hook needs dup(), lseek(), and close() to be allowed. | 901 // The hook needs dup(), lseek(), and close() to be allowed. |
| 287 return playground2::Sandbox::ErrorCode(GpuOpenSIGSYS_Handler, NULL); | 902 return playground2::Sandbox::ErrorCode(GpuOpenSIGSYS_Handler, NULL); |
| 288 } | 903 } |
| 289 default: | 904 default: |
| 290 if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) { | 905 if (IsGpuAndFlashPolicyAllowed_x86_64(sysno) || IsEventFd(sysno)) { |
| 291 return playground2::Sandbox::SB_ALLOWED; | 906 return playground2::Sandbox::SB_ALLOWED; |
| 292 } | 907 } |
| 293 // Generally, filename-based syscalls will fail with ENOENT to behave | 908 // Generally, filename-based syscalls will fail with ENOENT to behave |
| 294 // similarly to a possible future setuid sandbox. | 909 // similarly to a possible future setuid sandbox. |
| 295 if (IsFileSystemSyscall(sysno)) { | 910 if (IsFileSystemSyscall(sysno) || IsAmbientFileSystemSyscall(sysno)) { |
| 296 return ENOENT; | 911 return ENOENT; |
| 297 } | 912 } |
| 913 |
| 914 if (IsGpuAndFlashPolicyWatched_x86_64(sysno)) { |
| 915 // Previously unseen syscalls. TODO(jln): some of these should |
| 916 // be denied gracefully right away. |
| 917 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); |
| 918 } |
| 298 // In any other case crash the program with our SIGSYS handler | 919 // In any other case crash the program with our SIGSYS handler |
| 299 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); | 920 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); |
| 300 } | 921 } |
| 301 } | 922 } |
| 302 | 923 |
| 303 // x86_64 only because it references system calls that are multiplexed on IA32. | 924 // x86_64 only because it references system calls that are multiplexed on IA32. |
| 304 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) { | 925 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) { |
| 305 switch (sysno) { | 926 switch (sysno) { |
| 306 case __NR_sched_getaffinity: | 927 case __NR_sched_getaffinity: |
| 307 case __NR_sched_setscheduler: | 928 case __NR_sched_setscheduler: |
| 308 // These are under investigation, and hopefully not here for the long term. | 929 // These are under investigation, and hopefully not here for the long term. |
| 309 case __NR_shmat: | |
| 310 case __NR_shmctl: | |
| 311 case __NR_shmdt: | |
| 312 case __NR_times: | 930 case __NR_times: |
| 313 case __NR_wait4: | 931 case __NR_wait4: |
| 314 return playground2::Sandbox::SB_ALLOWED; | 932 return playground2::Sandbox::SB_ALLOWED; |
| 315 case __NR_ioctl: | 933 case __NR_ioctl: |
| 316 return ENOTTY; // Flash Access. | 934 return ENOTTY; // Flash Access. |
| 317 case __NR_socket: | 935 case __NR_socket: |
| 318 return EACCES; | 936 return EACCES; |
| 319 default: | 937 default: |
| 320 if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) { | 938 if (IsGpuAndFlashPolicyAllowed_x86_64(sysno) || |
| 939 IsSystemVSharedMemory(sysno)) { |
| 321 return playground2::Sandbox::SB_ALLOWED; | 940 return playground2::Sandbox::SB_ALLOWED; |
| 322 } | 941 } |
| 323 if (IsFileSystemSyscall(sysno)) { | 942 if (IsFileSystemSyscall(sysno) || IsAmbientFileSystemSyscall(sysno)) { |
| 324 return ENOENT; | 943 return ENOENT; |
| 325 } | 944 } |
| 945 if (IsGpuAndFlashPolicyWatched_x86_64(sysno)) { |
| 946 // Previously unseen syscalls. TODO(jln): some of these should |
| 947 // be denied gracefully right away. |
| 948 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); |
| 949 } |
| 326 // In any other case crash the program with our SIGSYS handler. | 950 // In any other case crash the program with our SIGSYS handler. |
| 327 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); | 951 return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL); |
| 328 } | 952 } |
| 329 } | 953 } |
| 330 #endif | 954 #endif |
| 331 | 955 |
| 332 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) { | 956 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) { |
| 333 if (sysno < static_cast<int>(MIN_SYSCALL) || | 957 if (sysno < static_cast<int>(MIN_SYSCALL) || |
| 334 sysno > static_cast<int>(MAX_SYSCALL)) { | 958 sysno > static_cast<int>(MAX_SYSCALL)) { |
| 335 // TODO(jln) we should not have to do that in a trivial policy. | 959 // TODO(jln) we should not have to do that in a trivial policy. |
| (...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 473 // Process-specific policy. | 1097 // Process-specific policy. |
| 474 ShouldEnableSeccompBpf(process_type) && | 1098 ShouldEnableSeccompBpf(process_type) && |
| 475 SupportsSandbox()) { | 1099 SupportsSandbox()) { |
| 476 return StartBpfSandbox_x86(command_line, process_type); | 1100 return StartBpfSandbox_x86(command_line, process_type); |
| 477 } | 1101 } |
| 478 #endif | 1102 #endif |
| 479 return false; | 1103 return false; |
| 480 } | 1104 } |
| 481 | 1105 |
| 482 } // namespace content | 1106 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10834219:
Seccomp-bpf: create system call sets. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src