Seccomp-bpf: create system call sets.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 25 matching lines @@
 namespace {
 
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
 #else
   return false;
 #endif
 }
 
-void LogSandboxStarted(const std::string& sandbox_name,
-                       const std::string& process_type) {
-  const std::string activated_sandbox =
-      "Activated " + sandbox_name + " sandbox for process type: " +
-      process_type + ".";
-  if (IsChromeOS()) {
-    LOG(WARNING) << activated_sandbox;
-  } else {
-    VLOG(1) << activated_sandbox;
-  }
-}
-
 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
   int syscall = args.nr;
   if (syscall >= 1024)
     syscall = 0;
   // Encode 8-bits of the 1st two arguments too, so we can discern which socket
   // type, which fcntl, ... etc., without being likely to hit a mapped
   // address.
   // Do not encode more bits here without thinking about increasing the
   // likelihood of collision with mapped pages.
   syscall |= ((args.args[0] & 0xffUL) << 12);
   syscall |= ((args.args[1] & 0xffUL) << 20);
   // Purposefully dereference the syscall as an address so it'll show up very
   // clearly and easily in crash dumps.
   volatile char* addr = reinterpret_cast<volatile char*>(syscall);
   *addr = '\0';
   // In case we hit a mapped address, hit the null page with just the syscall,
   // for paranoia.
   syscall &= 0xfffUL;
   addr = reinterpret_cast<volatile char*>(syscall);
   *addr = '\0';
   for (;;)
     _exit(1);
 }
 
-// TODO(jln) we need to restrict the first parameter!
-bool IsKillSyscall(int sysno) {
-  switch (sysno) {
-    case __NR_kill:
-    case __NR_tkill:
-    case __NR_tgkill:
-      return true;
-    default:
-      return false;
-  }
-}
-
-bool IsGettimeSyscall(int sysno) {
-  switch (sysno) {
-    case __NR_clock_gettime:
-    case __NR_gettimeofday:
-    case __NR_time:
-      return true;
-    default:
-      return false;
-  }
-}
-
-bool IsFileSystemSyscall(int sysno) {
-  switch (sysno) {
-    case __NR_open:
-    case __NR_openat:
-    case __NR_execve:
-    case __NR_access:
-    case __NR_mkdir:
-    case __NR_mkdirat:
-    case __NR_readlink:
-    case __NR_readlinkat:
-    case __NR_stat:
-    case __NR_lstat:
-    case __NR_chdir:
-    case __NR_mknod:
-    case __NR_mknodat:
-      return true;
-    default:
-      return false;
-  }
-}
-
 bool IsAcceleratedVideoDecodeEnabled() {
   // Accelerated video decode is currently enabled on Chrome OS,
   // but not on Linux: crbug.com/137247.
   bool is_enabled = IsChromeOS();
 
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   is_enabled = is_enabled &&
       !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode);
 
   return is_enabled;
@@ skipping 61 matching lines @@
 
   if (strcmp(pathname, kDriRcPath) == 0) {
     int ret = OpenWithCache(pathname, flags);
     return (ret == -1) ? -errno : ret;
   } else {
     return -ENOENT;
   }
 }
 
 #if defined(__x86_64__)
-// x86_64 only because it references system calls that are multiplexed on IA32.
-bool IsGpuAndFlashPolicyAllowed_x86_64(int sysno) {
-  switch (sysno) {
-    case __NR_brk:
-    case __NR_clone:  // TODO(jln) restrict flags.
-    case __NR_close:
-    case __NR_dup:
-    case __NR_epoll_create:
-    case __NR_epoll_ctl:
-    case __NR_epoll_wait:
-    case __NR_exit:
-    case __NR_exit_group:
-    case __NR_fcntl:
+
+// The functions below cover all existing x86_64 system calls.
+// The implicitly defined sets form a partition of the sets of
+// system calls.
+
+// TODO(jln) we need to restrict the first parameter!
+bool IsKillSyscall(int sysno) {
+  switch (sysno) {
+    case __NR_kill:
+    case __NR_tkill:
+    case __NR_tgkill:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsAllowedGettimeSyscall(int sysno) {
+  switch (sysno) {
+    // case __NR_clock_getres:
+    case __NR_clock_gettime:
+    // case __NR_clock_nanosleep:

[Markus (顧孟勤), 2012/08/08 09:59:45]

We need to be careful when we deny system calls that are essentially a superset
of an older system call. It is not uncommon that never versions of system
libraries will at some point start using the newer system calls.

We learned this with the old seccomp sandbox and we have generally always
allowed a whole family of system calls -- and even then, we occasionally had
bugs where we missed something and a while later some user noticed that Chrome
started misbehaving for them.

In this particular case that means, either a) we crash (which is clearly not
very user friendly), or b) we return with an errno value.

But the caller might not necessarily expect and check for errno, which would
mean our delay just turned into a no-op. In some cases, this could in fact be
noticeable and result in a bug being filed. In a lot of cases, this would
probably just result in Chrome using 100% CPU where it shouldn't be doing so.

I understand that you don't want to make any functional changes with this CL.
But maybe you could add a comment explaining why this particular exception has
the potential to lead to a hard-to-find bug.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

Agreed, there is no doubt in my mind that we should allow nanosleep.
It's done in the other CL, where I make policy changes:
https://chromiumcodereview.appspot.com/10837156/

+    case __NR_gettimeofday:
+    case __NR_time:
+      return true;
+    case __NR_adjtimex:       // Privileged.
+    case __NR_settimeofday:   // Privileged.
+    case __NR_clock_adjtime:  // Privileged.
+    case __NR_clock_settime:  // Privileged.
+    default:
+      return false;
+  }
+}
+
+bool IsAmbiantFileSystemSyscall(int sysno) {

[Markus (顧孟勤), 2012/08/08 09:59:45]

Not quite sure if I understand the meaning of "ambient" in this particular
situation -- apart from the fact that it also appears to be misspelled.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

Thanks! Anyone has any good suggestion for a name here ?

+  switch (sysno)  {

[Markus (顧孟勤), 2012/08/08 09:59:45]

I guess, you are not really soliciting comments on how arbitrary and somewhat
wrong this policy looks right now. That's probably reserved for an upcoming
changelist.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

Yes!

+    // case __NR_getcwd:
+    case __NR_chdir:
+    // case __NR_fchdir:
+    // case __NR_umask:
+      return true;
+    default:
+      return false;
+  }
+}
+
+// System calls that directly access the file system. They might aquire
+// a new file descriptor or otherwise perform an operation directly
+// via a path.
+// For many, EPERM is a valid errno, but not for all of them.

[Markus (顧孟勤), 2012/08/08 09:59:45]

I see a lot of potential for confusion down the line, if you name a boolean
function IsXXXSyscall(), but then you start making policy decisions by
commenting out some of the system calls.

Maybe, instead of IsXXXSyscall() functions we should instead have
IsAllowedXXXSyscall() functions for everything?

Or you could make the policy decision in a separate function and then not
comment anything out in the IsXXXSyscall() function? That makes things cleaner
but is possibly too complex to be worthwhile.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

So far, I've done the following: IsXXX() is intended when the whole group will
likely be denied or allowed.

For sets where some system calls should be denied and some allowed, I have a
IsAllowedXXX(). But in addition to that, some system calls are commented out for
attack surface reduction.

In this particular CL, many system calls are commented out for attack surface
reduction because I didn't want to make any policy change. This changes with the
upcoming CLs, including https://chromiumcodereview.appspot.com/10837156.

+bool IsFileSystemSyscall(int sysno) {
+  switch (sysno) {
+    case __NR_access:
+    // case __NR_chmod:
+    // case __NR_chown:
+    // case __NR_creat:
+    case __NR_execve:

[Markus (顧孟勤), 2012/08/08 09:59:45]

I probably would have moved execve() into a separate category. It is both a file
system call and a process management call as it kills all other threads. If we
rely on helper threads (and we might or might not do so in the future), things
like execve() will need special attention.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

I don't think execve will matter much, unless we make drastic changes, because I
don't see any situation where we would allow it anyway.

In practice, execve() gives "roughly" the ability to open() and mmap a file, as
well as kill threads. Since mmap / killing of threads should generally be
allowed, I thought it fit nicely in this group.

+    // case __NR_faccessat:
+    // case __NR_fchmodat:
+    // case __NR_fchownat:  // Should be called chownat ?
+    // case __NR_futimesat:  // Should be called utimesat ?
+    // case __NR_getdents:
+    // case __NR_getdents64:

[Markus (顧孟勤), 2012/08/08 09:59:45]

In general, what is the plan for system calls that only exist on some
architectures? I think, but I might be mistaken, getdents64() is one of those.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

getdents64 exists on x86 32 and 64 bits. In general, this CL is only concerned
with 64 bits.
I plan to unify with 32 bits later, but it's difficult, and might need to wait
until we get argument inspection working.

+    // case __NR_lchown:
+    // case __NR_link:
+    // case __NR_linkat:
+    // case __NR_lookup_dcookie:
+    case __NR_lstat:
+    case __NR_mkdir:
+    case __NR_mkdirat:
+    case __NR_mknod:
+    case __NR_mknodat:
+    // case __NR_newfstatat:  // Should be called statat ?
+    case __NR_open:
+    case __NR_openat:
+    case __NR_readlink:
+    case __NR_readlinkat:
+    // case __NR_rename:
+    // case __NR_renameat:
+    // case __NR_rmdir:
+    case __NR_stat:
+    // case __NR_statfs:
+    // case __NR_symlink:
+    // case __NR_symlinkat:
+    // case __NR_truncate:
+    // case __NR_unlink:
+    // case __NR_unlinkat:
+    // case __NR_uselib:
+    // case __NR_ustat:  // Deprecated.
+    // case __NR_utime:
+    // case __NR_utimensat:   // New.
+    // case __NR_utimes:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsAllowedFileSystemCapabilitySyscall(int sysno) {

[Markus (顧孟勤), 2012/08/08 09:59:45]

The list of system calls in this category seems somewhat random. For instance,
why is ftruncate() here and not in the same group as truncate()?

And what does fdatasync() do here? It is almost more like read()/write().

[jln (very slow on Chromium), 2012/08/08 17:55:07]

This group is for system calls that take a "fd" as a "capability". It's very
similar to the previous group but is for the "real" f* function.

Note that some names are misleading: for instance newfstatat should really be
(new)statat, (see line 223).

+  switch (sysno) {
+    // case __NR_fadvise64:
+    // case __NR_flock:
     case __NR_fstat:

[Markus (顧孟勤), 2012/08/08 09:59:45]

This would be an example where we also need fstat64(), if the platform supports
it. On x86-32, all modern libraries will use fstat64() in preference of fstat();
but there could still be a few remnants of calls to the old system call. So, we
need to support both.

On x86-64, fstat() is actually fstat64(), and there is no old 32bit API.

There are a whole bunch of other examples like this.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

There is no fstat64() in x86-64. (All system calls x86-64 system calls are
here). fstat64() is now fstat() and is implemented as sys_newfstat in the
kernel.
I am 100% sure that I didn't forget any x86_64 system call. I even wrote a
script to check :)

-    case __NR_futex:
+    // case __NR_fstatfs:  // Give information about the whole filesystem.
+    // case __NR_fsync:
+    // case __NR_fdatasync:
+    // case __NR_sync_file_range:
+      return true;
+    case __NR_fallocate:
+    case __NR_fchmod:
+    case __NR_fchown:
+    case __NR_ftruncate:
+    default:
+      return false;
+  }
+}
+
+bool IsGetProcessIdSyscall(int sysno) {

[Markus (顧孟勤), 2012/08/08 09:59:45]

Grouping getpid() et.al. together with getuid() et.al. feels a little random.
Especially as you seem to split things for the system calls that set ids or
related properties.

Fundamentally, a pid_t is very different from a user or group id.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

Yeah, good point. I didn't want to  have two many sets either, but I think
you're right on that one.
I'll wait until Chris / Jorge comment as well.

+  switch (sysno) {
+    // case __NR_capget:
     case __NR_getegid:
     case __NR_geteuid:
     case __NR_getgid:
+    // case __NR_getgroups:
+    // case __NR_getpid:
+    // case __NR_getppid:
+    // case __NR_getresgid:
+    // case __NR_getresuid:
+    // case __NR_getsid:
     case __NR_gettid:
     case __NR_getuid:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsProcessPrivilegeChange(int sysno) {
+  switch (sysno) {
+    case __NR_capset:
+    case __NR_iopl:    // Intel privilege.
+    case __NR_ioperm:  // Intel privilege.
+    case __NR_setfsgid:
+    case __NR_setfsuid:
+    case __NR_setgid:
+    case __NR_setgroups:
+    case __NR_setregid:
+    case __NR_setresgid:
+    case __NR_setresuid:
+    case __NR_setreuid:
+    case __NR_setuid:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsProcessGroupOrSession(int sysno) {
+  switch (sysno) {
+    case __NR_setpgid:
+    case __NR_getpgrp:
+    case __NR_setsid:
+    case __NR_getpgid:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsSignalHandling(int sysno) {
+  switch (sysno) {
+    case __NR_rt_sigaction:
+    // case __NR_rt_sigpending:
+    case __NR_rt_sigprocmask:
+    // case __NR_rt_sigqueueinfo:
+    case __NR_rt_sigreturn:
+    // case __NR_rt_sigsuspend:
+    // case __NR_rt_sigtimedwait:
+    // case __NR_rt_tgsigqueueinfo:
+    // case __NR_sigaltstack:
+    // case __NR_signalfd:
+    // case __NR_signalfd4:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsOperationOnFd(int sysno) {
+  switch (sysno) {
+    case __NR_close:
+    case __NR_dup:
+    // case __NR_dup2:
+    // case __NR_dup3:
+    case __NR_fcntl:
+    case __NR_shutdown:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsKernelInteralApi(int sysno) {
+  switch (sysno) {
+    case __NR_restart_syscall:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsAllowedProcessStartOrDeath(int sysno) {
+  switch (sysno) {
+    case __NR_clone:  // TODO(jln): restrict flags.
+    case __NR_exit:
+    case __NR_exit_group:
+    // case __NR_fork:
+    // case __NR_get_thread_area:
+    // case __NR_set_thread_area:
+    // case __NR_set_tid_address:

[Markus (顧孟勤), 2012/08/08 09:59:45]

This is not quite intuitive, but this system call doesn't exist on all
architectures.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

Yeah, this CL is x86_64 only. Architecture unification is TODO.

+    // case __NR_unshare:
+    // case __NR_vfork:
+    // case __NR_wait4:
+    // case __NR_waitid:
+      return true;
+    case __NR_setns:  // Privileged.
+    default:
+      return false;
+  }
+}
+
+bool IsEpoll(int sysno) {
+  switch (sysno) {
+    case __NR_epoll_create:
+    // case __NR_epoll_create1:
+    case __NR_epoll_ctl:
+    // case __NR_epoll_ctl_old:
+    // case __NR_epoll_pwait:
+    case __NR_epoll_wait:
+    // case __NR_epoll_wait_old:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsAllowedGetOrModifySocket(int sysno) {
+  switch (sysno) {
+    case __NR_pipe:
+    // case __NR_pipe2:
+    case __NR_socketpair:  // We will want to inspect its argument.
+      return true;
+    default:
+    case __NR_accept:
+    case __NR_accept4:
+    case __NR_bind:
+    case __NR_connect:
+    case __NR_socket:
+    case __NR_listen:
+      return false;
+  }
+}
+
+bool IsNetworkSocketInformation(int sysno) {
+  switch (sysno) {
+    case __NR_getpeername:
+    case __NR_getsockname:
+    case __NR_getsockopt:
+    case __NR_setsockopt:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsFutex(int sysno) {
+  switch (sysno) {
+    case __NR_futex:
+    // case __NR_get_robust_list:
+    case __NR_set_robust_list:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsAddressSpaceAccess(int sysno) {
+  switch (sysno) {
+    case __NR_brk:
+    case __NR_madvise:
+    // case __NR_mincore:
+    // case __NR_mlock:
+    // case __NR_mlockall:
+    case __NR_mmap:
+    // case __NR_modify_ldt:
+    case __NR_mprotect:
+    // case __NR_mremap:
+    // case __NR_msync:
+    // case __NR_munlock:
+    // case __NR_munlockall:
+    case __NR_munmap:
+    // case __NR_readahead:
+    // case __NR_remap_file_pages:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsAllowedGeneralIo(int sysno) {
+  switch (sysno) {
     case __NR_lseek:
-    case __NR_madvise:
-    case __NR_mmap:
-    case __NR_mprotect:
-    case __NR_munmap:
-    case __NR_pipe:
+    // case __NR_poll:
+    // case __NR_ppoll:
+    // case __NR_pread64:
+    // case __NR_preadv:
+    // case __NR_pselect6:
+    // case __NR_pwrite64:
+    // case __NR_pwritev:
+    case __NR_read:
+    // case __NR_readv:
+    // case __NR_recvfrom:  // Could specify source.
+    // case __NR_recvmmsg:  // Could specify source.
+    case __NR_recvmsg:   // Could specify source.
+    // case __NR_select:
+    // case __NR_sendfile:
+    // case __NR_sendmmsg:  // Could specify destination.
+    case __NR_sendmsg:   // Could specify destination.

[Markus (顧孟勤), 2012/08/08 09:59:45]

Unless I am terribly mistaken, sendmsg() is a superset of sendto(). So it is
pointless to disallow send() or sendto() if sendmsg() is allowed. And sendmmsg()
is just a performance optimization.

Also, if I interpret http://lwn.net/Articles/508865/ correctly, sendmsg() is now
a viable substitute for connect() (at least in some scenarios).

[jln (very slow on Chromium), 2012/08/08 17:55:07]

Yes, exactly, I've noticed that.
This is precisely why I treat them the same in the other CL that deals with
policy changes: https://chromiumcodereview.appspot.com/10837156

+    // case __NR_sendto:    // Could specify destination.
+    // case __NR_splice:
+    // case __NR_tee:
+    // case __NR_vmsplice:
+    case __NR_write:
+    // case __NR_writev:
+      return true;
+    default:
+    case __NR_ioctl:  // Can be very powerful.
+      return false;
+  }
+}
+
+bool IsPrctl(int sysno) {
+  switch (sysno) {
     case __NR_prctl:
-    case __NR_read:
-    case __NR_recvmsg:
-    case __NR_restart_syscall:
-    case __NR_rt_sigaction:  // Breakpad signal handler.
-    case __NR_rt_sigprocmask:
-    case __NR_rt_sigreturn:
+    // case __NR_arch_prctl:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsAllowedBasicScheduler(int sysno) {
+  switch (sysno) {
     case __NR_sched_yield:
-    case __NR_sendmsg:
-    case __NR_set_robust_list:
-    case __NR_shutdown:
-    case __NR_socketpair:
-    case __NR_write:
-      return true;
-    default:
-      if (IsGettimeSyscall(sysno) ||
-          IsKillSyscall(sysno)) {
-        return true;
-      } else {
-        return false;
-      }
+    // case __NR_pause:
+    // case __NR_nanosleep:
+    // case __NR_getpriority:
+      return true;
+    case __NR_setpriority:
+    default:
+      return false;
+  }
+}
+
+bool IsAdminOperation(int sysno) {
+  switch (sysno) {
+    case __NR_kexec_load:
+    case __NR_reboot:
+    case __NR_setdomainname:
+    case __NR_sethostname:
+    case __NR_syslog:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsKernelModule(int sysno) {
+  switch (sysno) {
+    case __NR_create_module:
+    case __NR_delete_module:
+    case __NR_get_kernel_syms:  // Should ENOSYS.
+    case __NR_init_module:
+    case __NR_query_module:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsGlobalFSViewChange(int sysno) {
+  switch (sysno) {
+    case __NR_pivot_root:
+    case __NR_chroot:
+    case __NR_sync:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsFsControl(int sysno) {
+  switch (sysno) {
+    case __NR_mount:
+    case __NR_nfsservctl:
+    case __NR_quotactl:
+    case __NR_swapoff:
+    case __NR_swapon:
+    case __NR_umount2:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsNuma(int sysno) {
+  switch (sysno) {
+    case __NR_get_mempolicy:
+    case __NR_getcpu:
+    case __NR_mbind:
+    case __NR_migrate_pages:
+    case __NR_move_pages:
+    case __NR_set_mempolicy:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsMessageQueue(int sysno) {
+  switch (sysno) {
+    case __NR_mq_getsetattr:
+    case __NR_mq_notify:
+    case __NR_mq_open:
+    case __NR_mq_timedreceive:
+    case __NR_mq_timedsend:
+    case __NR_mq_unlink:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsGlobalProcessEnvironment(int sysno) {
+  switch (sysno) {
+    case __NR_acct:         // Privileged.
+    case __NR_getrlimit:
+    case __NR_getrusage:
+    case __NR_personality:  // Can change its personality as well.
+    case __NR_prlimit64:    // Like setrlimit / getrlimit.
+    case __NR_setrlimit:
+    case __NR_times:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsDebug(int sysno) {
+  switch (sysno) {
+    case __NR_ptrace:
+    case __NR_process_vm_readv:
+    case __NR_process_vm_writev:
+    case __NR_kcmp:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsGlobalSystemStatus(int sysno) {
+  switch (sysno) {
+    case __NR__sysctl:
+    case __NR_sysfs:
+    case __NR_sysinfo:
+    case __NR_uname:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsEventFd(int sysno) {
+  switch (sysno) {
+    case __NR_eventfd:
+    // case __NR_eventfd2:
+      return true;
+    default:
+      return false;
+  }
+}
+
+// Asynchronous I/O API.
+bool IsAsyncIo(int sysno) {
+  switch (sysno) {
+    case __NR_io_cancel:
+    case __NR_io_destroy:
+    case __NR_io_getevents:
+    case __NR_io_setup:
+    case __NR_io_submit:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsKeyManagement(int sysno) {
+  switch (sysno) {
+    case __NR_add_key:
+    case __NR_keyctl:
+    case __NR_request_key:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsSystemVSemaphores(int sysno) {
+  switch (sysno) {
+    case __NR_semctl:
+    case __NR_semget:
+    case __NR_semop:
+    case __NR_semtimedop:
+      return true;
+    default:
+      return false;
+  }
+}
+
+// These give a lot of ambiant authority and bypass the setuid sandbox.

[Markus (顧孟勤), 2012/08/08 09:59:45]

s/ambiant/ambient/ ?

[jln (very slow on Chromium), 2012/08/08 17:55:07]

Thanks!

+bool IsSystemVSharedMemory(int sysno) {
+  switch (sysno) {
+    case __NR_shmat:
+    case __NR_shmctl:
+    case __NR_shmdt:
+    // case __NR_shmget:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsSystemVMessageQueue(int sysno) {
+  switch (sysno) {
+    case __NR_msgctl:
+    case __NR_msgget:
+    case __NR_msgrcv:
+    case __NR_msgsnd:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsAdvancedScheduler(int sysno) {
+  switch (sysno) {
+    case __NR_ioprio_get:  // IO scheduler.
+    case __NR_ioprio_set:
+    case __NR_sched_get_priority_max:
+    case __NR_sched_get_priority_min:
+    case __NR_sched_getaffinity:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_rr_get_interval:
+    case __NR_sched_setaffinity:
+    case __NR_sched_setparam:
+    case __NR_sched_setscheduler:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsInotify(int sysno) {
+  switch (sysno) {
+    case __NR_inotify_add_watch:
+    case __NR_inotify_init:
+    case __NR_inotify_init1:
+    case __NR_inotify_rm_watch:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsFaNotify(int sysno) {
+  switch (sysno) {
+    case __NR_fanotify_init:
+    case __NR_fanotify_mark:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsTimer(int sysno) {
+  switch (sysno) {

[Markus (顧孟勤), 2012/08/08 09:59:45]

These should probably be in the roughly the same category as the various sleep()
functions.

[jln (very slow on Chromium), 2012/08/08 17:55:07]

At least I should localize them closer in the C file. However, they do reach
significantly different attack surface. But I don't feel too strongly about it.

+    case __NR_getitimer:
+    case __NR_alarm:
+    case __NR_setitimer:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsAdvancedTimer(int sysno) {
+  switch (sysno) {
+    case __NR_timer_create:
+    case __NR_timer_delete:
+    case __NR_timer_getoverrun:
+    case __NR_timer_gettime:
+    case __NR_timer_settime:
+    case __NR_timerfd_create:
+    case __NR_timerfd_gettime:
+    case __NR_timerfd_settime:
+      return true;
+    default:
+      return false;
+  }
+}
+
+bool IsExtendedAttributes(int sysno) {
+  switch (sysno) {
+    case __NR_fgetxattr:
+    case __NR_flistxattr:
+    case __NR_fremovexattr:
+    case __NR_fsetxattr:
+    case __NR_getxattr:
+    case __NR_lgetxattr:
+    case __NR_listxattr:
+    case __NR_llistxattr:
+    case __NR_lremovexattr:
+    case __NR_lsetxattr:
+    case __NR_removexattr:
+    case __NR_setxattr:
+      return true;
+    default:
+      return false;
+  }
+}
+
+// Various system calls that need to be researched.
+// TODO(jln): classify this better.
+bool IsMiscSyscall(int sysno) {
+  switch (sysno) {
+    case __NR_name_to_handle_at:
+    case __NR_open_by_handle_at:
+    case __NR_perf_event_open:
+    case __NR_syncfs:
+    case __NR_vhangup:
+    // The system calls below are not implemented.
+    case __NR_afs_syscall:
+    case __NR_getpmsg:
+    case __NR_putpmsg:
+    case __NR_security:
+    case __NR_tuxcall:
+    case __NR_vserver:
+      return true;
+    default:
+      return false;
+  }
+}
+
+// End of the system call sets section.
+
+// x86_64 only because it references system calls that are multiplexed on IA32.
+bool IsGpuAndFlashPolicyAllowed_x86_64(int sysno) {
+  if (IsAddressSpaceAccess(sysno) ||
+      IsAllowedBasicScheduler(sysno) ||
+      IsAllowedFileSystemCapabilitySyscall(sysno) ||
+      IsAllowedGeneralIo(sysno) ||
+      IsAllowedGetOrModifySocket(sysno) ||
+      IsAllowedGettimeSyscall(sysno) ||
+      IsAllowedProcessStartOrDeath(sysno) ||
+      IsEpoll(sysno) ||
+      IsFutex(sysno) ||
+      IsGetProcessIdSyscall(sysno) ||
+      IsKernelInteralApi(sysno) ||
+      IsKillSyscall(sysno) ||
+      IsOperationOnFd(sysno) ||
+      IsPrctl(sysno) ||
+      IsSignalHandling(sysno)) {
+    return true;
+  } else {
+    return false;
+  }
+}
+
+// System calls that will trigger the crashing sigsys handler.
+bool IsGpuAndFlashPolicyWatched_x86_64(int sysno) {
+  if (IsAdminOperation(sysno) ||
+      IsAdvancedScheduler(sysno) ||
+      IsAdvancedTimer(sysno) ||
+      IsAsyncIo(sysno) ||
+      IsDebug(sysno) ||
+      IsEventFd(sysno) ||
+      IsExtendedAttributes(sysno) ||
+      IsFaNotify(sysno) ||
+      IsFsControl(sysno) ||
+      IsGlobalFSViewChange(sysno) ||
+      IsGlobalProcessEnvironment(sysno) ||
+      IsGlobalSystemStatus(sysno) ||
+      IsInotify(sysno) ||
+      IsKernelModule(sysno) ||
+      IsKeyManagement(sysno) ||
+      IsMessageQueue(sysno) ||
+      IsMiscSyscall(sysno) ||
+      IsNetworkSocketInformation(sysno) ||
+      IsNuma(sysno) ||
+      IsProcessGroupOrSession(sysno) ||
+      IsProcessPrivilegeChange(sysno) ||
+      IsSystemVMessageQueue(sysno) ||
+      IsSystemVSemaphores(sysno) ||
+      IsSystemVSharedMemory(sysno) ||
+      IsTimer(sysno)) {
+    return true;
+  } else {
+    return false;
   }
 }
 
 // x86_64 only because it references system calls that are multiplexed on IA32.
 playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
   switch(sysno) {
-    case __NR_eventfd2:
     case __NR_getpid:  // Nvidia binary driver.
     case __NR_getppid:  // ATI binary driver.
     case __NR_ioctl:
     case __NR_mlock:
     case __NR_munlock:
     case __NR_poll:
     case __NR_recvfrom:
     case __NR_writev:
       return playground2::Sandbox::SB_ALLOWED;
     case __NR_socket:
       return EACCES;  // Nvidia binary driver.
     case __NR_fchmod:
       return EPERM;  // ATI binary driver.
     case __NR_open:
       // Accelerated video decode is enabled by default only on Chrome OS.
       if (IsAcceleratedVideoDecodeEnabled()) {
         // Accelerated video decode needs to open /dev/dri/card0, and
         // dup()'ing an already open file descriptor does not work.
         // Allow open() even though it severely weakens the sandbox,
         // to test the sandboxing mechanism in general.
         // TODO(jorgelo): remove this once we solve the libva issue.
         return playground2::Sandbox::SB_ALLOWED;
       } else {
         // Hook open() in the GPU process to allow opening /etc/drirc,
         // needed by Mesa.
         // The hook needs dup(), lseek(), and close() to be allowed.
         return playground2::Sandbox::ErrorCode(GpuOpenSIGSYS_Handler, NULL);
       }
     default:
-      if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) {
+      if (IsGpuAndFlashPolicyAllowed_x86_64(sysno) || IsEventFd(sysno)) {
         return playground2::Sandbox::SB_ALLOWED;
       }
       // Generally, filename-based syscalls will fail with ENOENT to behave
       // similarly to a possible future setuid sandbox.
-      if (IsFileSystemSyscall(sysno)) {
+      if (IsFileSystemSyscall(sysno) || IsAmbiantFileSystemSyscall(sysno)) {
         return ENOENT;
       }
+
+      if (IsGpuAndFlashPolicyWatched_x86_64(sysno)) {
+          // Previously unseen syscalls. TODO(jln): some of these should
+          // be denied gracefully right away.
+          return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
+      }
       // In any other case crash the program with our SIGSYS handler
       return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
   }
 }
 
 // x86_64 only because it references system calls that are multiplexed on IA32.
 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
   switch (sysno) {
     case __NR_sched_getaffinity:
     case __NR_sched_setscheduler:
     // These are under investigation, and hopefully not here for the long term.
-    case __NR_shmat:
-    case __NR_shmctl:
-    case __NR_shmdt:
     case __NR_times:
     case __NR_wait4:
       return playground2::Sandbox::SB_ALLOWED;
     case __NR_ioctl:
       return ENOTTY;  // Flash Access.
     case __NR_socket:
       return EACCES;
     default:
-      if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) {
+      if (IsGpuAndFlashPolicyAllowed_x86_64(sysno) ||
+          IsSystemVSharedMemory(sysno)) {
         return playground2::Sandbox::SB_ALLOWED;
       }
-      if (IsFileSystemSyscall(sysno)) {
+      if (IsFileSystemSyscall(sysno) || IsAmbiantFileSystemSyscall(sysno)) {
         return ENOENT;
       }
+      if (IsGpuAndFlashPolicyWatched_x86_64(sysno)) {
+          // Previously unseen syscalls. TODO(jln): some of these should
+          // be denied gracefully right away.
+          return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
+      }
       // In any other case crash the program with our SIGSYS handler.
       return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
   }
 }
 #endif
 
 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) {
   if (sysno < static_cast<int>(MIN_SYSCALL) ||
       sysno > static_cast<int>(MAX_SYSCALL)) {
     // TODO(jln) we should not have to do that in a trivial policy.
@@ skipping 137 matching lines @@
       // Process-specific policy.
       ShouldEnableSeccompBpf(process_type) &&
       SupportsSandbox()) {
     return StartBpfSandbox_x86(command_line, process_type);
   }
 #endif
   return false;
 }
 
 }  // namespace content