Factor common syscall from GPU and Flash policies

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 209 matching lines @@
   if (strcmp(pathname, kDriRcPath) == 0) {
     int ret = OpenWithCache(pathname, flags);
     return (ret == -1) ? -errno : ret;
   } else {
     return -ENOENT;
   }
 }
 
 #if defined(__x86_64__)
 // x86_64 only because it references system calls that are multiplexed on IA32.
+bool IsGpuAndFlashPolicyAllowed_x86_64(int sysno) {
+  switch (sysno) {
+    case __NR_brk:
+    case __NR_clone:  // TODO(jln) restrict flags.
+    case __NR_close:
+    case __NR_dup:
+    case __NR_epoll_create:
+    case __NR_epoll_ctl:
+    case __NR_epoll_wait:
+    case __NR_exit:
+    case __NR_exit_group:
+    case __NR_fcntl:
+    case __NR_fstat:
+    case __NR_futex:
+    case __NR_getegid:

[Chris Evans, 2012/08/07 06:43:45]

Should we start preparing for the renderer policy by creating a "harmless" class
of syscall where we're 100% sure a syscall is super safe? These simple get*id
calls could go in to it.

[jln (very slow on Chromium), 2012/08/07 08:02:41]

Done in the following CL. I went through every x86_64 system call and classified
it. The next CL will have us have every system call in the file and make a
conscious decision about it.

+    case __NR_geteuid:
+    case __NR_getgid:
+    case __NR_gettid:
+    case __NR_getuid:
+    case __NR_lseek:
+    case __NR_madvise:
+    case __NR_mmap:

[Chris Evans, 2012/08/07 06:43:45]

Unrelated to this CL I know, but maybe a TODO here to restrict mmap() flags? I
don't think Ubuntu ever patched the MAP_GROWSDOWN thing. Also, fcntl(), prctl(),
others...?

[jln (very slow on Chromium), 2012/08/07 08:02:41]

Yes, good point. There are quite a few where we'll want to restrict arguments.

+    case __NR_mprotect:
+    case __NR_munmap:
+    case __NR_pipe:
+    case __NR_prctl:
+    case __NR_read:
+    case __NR_recvmsg:
+    case __NR_restart_syscall:
+    case __NR_rt_sigaction:  // Breakpad signal handler.
+    case __NR_rt_sigprocmask:
+    case __NR_rt_sigreturn:
+    case __NR_sched_yield:
+    case __NR_sendmsg:
+    case __NR_set_robust_list:
+    case __NR_shutdown:
+    case __NR_socketpair:
+    case __NR_write:
+      return true;
+    default:
+      if (IsGettimeSyscall(sysno) ||
+          IsKillSyscall(sysno)) {
+        return true;
+      } else {
+        return false;
+      }
+  }
+}
+
+// x86_64 only because it references system calls that are multiplexed on IA32.
 playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
   switch(sysno) {
-    case __NR_read:
+    case __NR_eventfd2:
+    case __NR_getpid:  // Nvidia binary driver.
+    case __NR_getppid:  // ATI binary driver.
     case __NR_ioctl:
-    case __NR_poll:
-    case __NR_epoll_wait:
-    case __NR_recvfrom:
-    case __NR_write:
-    case __NR_writev:
-    case __NR_gettid:
-    case __NR_sched_yield:  // Nvidia binary driver.
-
-    case __NR_futex:
-    case __NR_madvise:
-    case __NR_sendmsg:
-    case __NR_recvmsg:
-    case __NR_eventfd2:
-    case __NR_pipe:
-    case __NR_mmap:
-    case __NR_mprotect:
-    case __NR_clone:  // TODO(jln) restrict flags.
-    case __NR_set_robust_list:
-    case __NR_getuid:
-    case __NR_geteuid:
-    case __NR_getgid:
-    case __NR_getegid:
-    case __NR_epoll_create:
-    case __NR_fcntl:
-    case __NR_socketpair:
-    case __NR_epoll_ctl:
-    case __NR_prctl:
-    case __NR_fstat:
-    case __NR_close:
-    case __NR_restart_syscall:
-    case __NR_rt_sigreturn:
-    case __NR_brk:
-    case __NR_rt_sigprocmask:
-    case __NR_munmap:
-    case __NR_dup:
     case __NR_mlock:
     case __NR_munlock:
-    case __NR_exit:
-    case __NR_exit_group:
-    case __NR_lseek:
-    case __NR_getpid:  // Nvidia binary driver.
-    case __NR_getppid:  // ATI binary driver.
-    case __NR_shutdown:  // Virtual driver.
-    case __NR_rt_sigaction:  // Breakpad signal handler.
+    case __NR_poll:
+    case __NR_recvfrom:
+    case __NR_writev:
       return playground2::Sandbox::SB_ALLOWED;
     case __NR_socket:
       return EACCES;  // Nvidia binary driver.
     case __NR_fchmod:
       return EPERM;  // ATI binary driver.
     case __NR_open:
       // Accelerated video decode is enabled by default only on Chrome OS.
       if (IsAcceleratedVideoDecodeEnabled()) {
         // Accelerated video decode needs to open /dev/dri/card0, and
         // dup()'ing an already open file descriptor does not work.
         // Allow open() even though it severely weakens the sandbox,
         // to test the sandboxing mechanism in general.
         // TODO(jorgelo): remove this once we solve the libva issue.
         return playground2::Sandbox::SB_ALLOWED;
       } else {
         // Hook open() in the GPU process to allow opening /etc/drirc,
         // needed by Mesa.
         // The hook needs dup(), lseek(), and close() to be allowed.
         return playground2::Sandbox::ErrorCode(GpuOpenSIGSYS_Handler, NULL);
       }
     default:
-      if (IsGettimeSyscall(sysno) ||
-          IsKillSyscall(sysno)) { // GPU watchdog.
+      if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) {
         return playground2::Sandbox::SB_ALLOWED;
       }
       // Generally, filename-based syscalls will fail with ENOENT to behave
       // similarly to a possible future setuid sandbox.
       if (IsFileSystemSyscall(sysno)) {
         return ENOENT;
       }
       // In any other case crash the program with our SIGSYS handler
       return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
   }
 }
 
 // x86_64 only because it references system calls that are multiplexed on IA32.
 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
   switch (sysno) {
-    case __NR_futex:
-    case __NR_write:
-    case __NR_epoll_wait:
-    case __NR_read:
-    case __NR_times:
-    case __NR_clone:  // TODO(jln): restrict flags.
-    case __NR_set_robust_list:
-    case __NR_getuid:
-    case __NR_geteuid:
-    case __NR_getgid:
-    case __NR_getegid:
-    case __NR_epoll_create:
-    case __NR_fcntl:
-    case __NR_socketpair:
-    case __NR_pipe:
-    case __NR_epoll_ctl:
-    case __NR_gettid:
-    case __NR_prctl:
-    case __NR_fstat:
-    case __NR_sendmsg:
-    case __NR_mmap:
-    case __NR_munmap:
-    case __NR_mprotect:
-    case __NR_madvise:
-    case __NR_rt_sigaction:
-    case __NR_rt_sigprocmask:
-    case __NR_wait4:
-    case __NR_exit_group:
-    case __NR_exit:
-    case __NR_rt_sigreturn:
-    case __NR_restart_syscall:
-    case __NR_close:
-    case __NR_recvmsg:
-    case __NR_lseek:
-    case __NR_brk:
-    case __NR_sched_yield:
-    case __NR_shutdown:
     case __NR_sched_getaffinity:
     case __NR_sched_setscheduler:
-    case __NR_dup:  // Flash Access.
     // These are under investigation, and hopefully not here for the long term.
+    case __NR_shmat:
     case __NR_shmctl:
-    case __NR_shmat:
     case __NR_shmdt:
+    case __NR_times:

[Chris Evans, 2012/08/07 06:43:45]

Should we just fold times() into IsGettimeSyscall()? Every baby step towards PSS
seems useful :)

[jln (very slow on Chromium), 2012/08/07 08:02:41]

It is actually in my "global process environment" set, along with:
__NR_getrlimit
__NR_getrusage
__NR_times
__NR_personality  // can change its personality as well.
__NR_setrlimit
__NR_acct  // privileged
__NR_prlimit64  // like setrlimit / getrlimit

I will send that CL tomorrow, let's have that discussion then ? There is
definitely plenty to discuss, I'm not super happy with my current sets, but it's
a start.

+    case __NR_wait4:
       return playground2::Sandbox::SB_ALLOWED;
     case __NR_ioctl:
       return ENOTTY;  // Flash Access.
     case __NR_socket:
       return EACCES;
     default:
-      if (IsGettimeSyscall(sysno) ||
-          IsKillSyscall(sysno)) {
+      if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) {
         return playground2::Sandbox::SB_ALLOWED;
       }
       if (IsFileSystemSyscall(sysno)) {
         return ENOENT;
       }
       // In any other case crash the program with our SIGSYS handler.
       return playground2::Sandbox::ErrorCode(CrashSIGSYS_Handler, NULL);
   }
 }
 #endif
@@ skipping 161 matching lines @@
       // Process-specific policy.
       ShouldEnableSeccompBpf(process_type) &&
       SupportsSandbox()) {
     return StartBpfSandbox_x86(command_line, process_type);
   }
 #endif
   return false;
 }
 
 }  // namespace content