Add basic ARM policy to seccomp-bpf sandbox.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <signal.h>
 #include <string.h>
 #include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <ucontext.h>
 #include <unistd.h>
 
 #include <vector>
 
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "content/common/sandbox_linux.h"
 #include "content/common/sandbox_seccomp_bpf_linux.h"
 #include "content/public/common/content_switches.h"
 
 // These are the only architectures supported for now.
-#if defined(__i386__) || defined(__x86_64__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__arm__)
 #define SECCOMP_BPF_SANDBOX
 #endif
 
 #if defined(SECCOMP_BPF_SANDBOX)
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+#if defined(__i386__) || defined(__x86_64__)
 #include "sandbox/linux/services/x86_linux_syscalls.h"
+#elif defined(__arm__)
+#include "sandbox/linux/services/arm_linux_syscalls.h"

[jln (very slow on Chromium), 2012/08/14 20:11:50]

Once you're confident arm is well covered, please rename x86_linux_syscalls.h to
linux_syscalls.h instead and include the arm file from there.

[Jorge Lucangeli Obes, 2012/08/14 21:58:06]

Will do.

+#endif
 
 namespace {
 
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
 #else
   return false;
 #endif
 }
 
+inline bool IsARM() {

[jln (very slow on Chromium), 2012/08/14 19:10:35]

You're not using it at the moment.

[Jorge Lucangeli Obes, 2012/08/14 21:58:06]

Done.

+#if defined(__arm__)
+  return true;
+#else
+  return false;
+#endif
+}
+
 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
   int syscall = args.nr;
   if (syscall >= 1024)
     syscall = 0;
   // Encode 8-bits of the 1st two arguments too, so we can discern which socket
   // type, which fcntl, ... etc., without being likely to hit a mapped
   // address.
   // Do not encode more bits here without thinking about increasing the
   // likelihood of collision with mapped pages.
   syscall |= ((args.args[0] & 0xffUL) << 12);
@@ skipping 84 matching lines @@
   int flags = static_cast<int>(arg1);
 
   if (strcmp(pathname, kDriRcPath) == 0) {
     int ret = OpenWithCache(pathname, flags);
     return (ret == -1) ? -errno : ret;
   } else {
     return -ENOENT;
   }
 }
 
 #if defined(__i386__) || defined(__x86_64__)

[jln (very slow on Chromium), 2012/08/14 19:10:35]

Did you miss this?

 
 // The functions below cover all existing x86_64 and i386 system calls.
 // The implicitly defined sets form a partition of the sets of
 // system calls.

[jln (very slow on Chromium), 2012/08/14 19:10:35]

Also you probably want to add something to this comment: "We also make sure this
can compile on ARM, but we didn't list arm-specific system calls yet.

 
 // TODO(jln) we need to restrict the first parameter!
 bool IsKill(int sysno) {
   switch (sysno) {
     case __NR_kill:
     case __NR_tkill:
     case __NR_tgkill:
       return true;
     default:
       return false;
   }
 }
 
 bool IsAllowedGettime(int sysno) {
   switch (sysno) {
     case __NR_clock_gettime:
     case __NR_gettimeofday:
+    // __NR_time is not available for EABI ARM.
+    // See </arch/arm/include/asm/unistd.h> in the Linux kernel.
+#if !defined(__arm__)

[jln (very slow on Chromium), 2012/08/14 19:10:35]

It's better to whitelist: #if defined(__i386__) || defined(__x86_64__)

[Jorge Lucangeli Obes, 2012/08/14 21:58:06]

Done.

     case __NR_time:
+#endif
       return true;
     case __NR_adjtimex:         // Privileged.
     case __NR_clock_adjtime:    // Privileged.
     case __NR_clock_getres:     // Could be allowed.
     case __NR_clock_nanosleep:  // Could be allowed.
     case __NR_clock_settime:    // Privileged.
 #if defined(__i386__)
     case __NR_ftime:            // Obsolete.
 #endif
     case __NR_settimeofday:     // Privileged.
@@ skipping 554 matching lines @@
     default:
       return false;
   }
 }
 
 bool IsNuma(int sysno) {
   switch (sysno) {
     case __NR_get_mempolicy:
     case __NR_getcpu:
     case __NR_mbind:
+    // __NR_migrate_pages is not available for EABI ARM.
+    // See </arch/arm/include/asm/unistd.h> in the Linux kernel.
+#if !defined(__arm__)

[jln (very slow on Chromium), 2012/08/14 19:10:35]

Same here.

[Jorge Lucangeli Obes, 2012/08/14 21:58:06]

Done.

     case __NR_migrate_pages:
+#endif
     case __NR_move_pages:
     case __NR_set_mempolicy:
       return true;
     default:
       return false;
   }
 }
 
 bool IsMessageQueue(int sysno) {
   switch (sysno) {
@@ skipping 170 matching lines @@
     case __NR_inotify_add_watch:
     case __NR_inotify_init:
     case __NR_inotify_init1:
     case __NR_inotify_rm_watch:
       return true;
     default:
       return false;
   }
 }
 
+void LogSandboxStarted(const std::string& sandbox_name,

[jln (very slow on Chromium), 2012/08/14 19:10:35]

Rebase issue ? This should not exist in this file.

[Jorge Lucangeli Obes, 2012/08/14 21:58:06]

Done.

+                       const std::string& process_type) {
+  const std::string activated_sandbox =
+      "Activated " + sandbox_name + " sandbox for process type: " +
+      process_type + ".";
+  if (IsChromeOS()) {
+    LOG(WARNING) << activated_sandbox;
+  } else {
+    VLOG(1) << activated_sandbox;
+  }
+}
+
 bool IsFaNotify(int sysno) {
   switch (sysno) {
     case __NR_fanotify_init:
     case __NR_fanotify_mark:
       return true;
     default:
       return false;
   }
 }
 
@@ skipping 237 matching lines @@
 }
 #endif  // defined(__x86_64__) || defined(__i386__)
 
 playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) {
   if (sysno < static_cast<int>(MIN_SYSCALL) ||
       sysno > static_cast<int>(MAX_SYSCALL)) {
     // TODO(jln) we should not have to do that in a trivial policy.
     return ENOSYS;
   }
   switch (sysno) {
+    // __NR_migrate_pages is not available for EABI ARM.
+    // See </arch/arm/include/asm/unistd.h> in the Linux kernel.
+#if !defined(__arm__)

[jln (very slow on Chromium), 2012/08/14 19:10:35]

Same remark about whitelisting.

[Jorge Lucangeli Obes, 2012/08/14 21:58:06]

Done.

     case __NR_migrate_pages:
+#endif
     case __NR_move_pages:
     case __NR_process_vm_readv:
     case __NR_process_vm_writev:
     case __NR_ptrace:
       return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
     default:
       return playground2::Sandbox::SB_ALLOWED;
   }
 }
 
@@ skipping 45 matching lines @@
     return FlashProcessPolicy_x86_64;
   }
 
   if (process_type == switches::kRendererProcess ||
       process_type == switches::kWorkerProcess) {
     return BlacklistPtracePolicy;
   }
   NOTREACHED();
   // This will be our default if we need one.
   return AllowAllPolicy;
-#else
+#elif defined(__i386__)
   // On IA32, we only have a small blacklist at the moment.
   (void) process_type;
   return BlacklistPtracePolicy;
-#endif  // __x86_64__
+#elif defined(__arm__)
+  // On ARM, we don't block anything yet.

[jln (very slow on Chromium), 2012/08/14 19:10:35]

This seems at odd with what you're doing. Did you mean AllowAllPolicy ?

If not, please merge both in a elif defined i386 || arm.

[Jorge Lucangeli Obes, 2012/08/14 21:58:06]

Done.

+  (void) process_type;
+  return BlacklistPtracePolicy;
+#else
+  // This should not happen, we're compiling only on x86_64 or i386 or ARM.
+  (void) process_type;
+  NOTREACHED();
+#endif
 }
 
 // Initialize the seccomp-bpf sandbox.
-bool StartBpfSandbox_x86(const CommandLine& command_line,
+bool StartBpfSandbox(const CommandLine& command_line,
                          const std::string& process_type) {
   playground2::Sandbox::EvaluateSyscall SyscallPolicy =
       GetProcessSyscallPolicy(command_line, process_type);
 
   // Warms up resources needed by the policy we're about to enable.
   WarmupPolicy(SyscallPolicy);
 
   playground2::Sandbox::setSandboxPolicy(SyscallPolicy, NULL);
   playground2::Sandbox::startSandbox();
 
@@ skipping 42 matching lines @@
 }
 
 bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) {
 #if defined(SECCOMP_BPF_SANDBOX)
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
 
   if (IsSeccompBpfDesired() &&  // Global switches policy.
       // Process-specific policy.
       ShouldEnableSeccompBpf(process_type) &&
       SupportsSandbox()) {
-    return StartBpfSandbox_x86(command_line, process_type);
+    return StartBpfSandbox(command_line, process_type);
   }
 #endif
   return false;
 }
 
 }  // namespace content