Factor common syscall from GPU and Flash policies

content/common/sandbox_seccomp_bpf_linux.cc

Index: content/common/sandbox_seccomp_bpf_linux.cc
diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc
index 5e694f7a29abb263b2155bcc7df231dc512e2394..849f66767356c42a389271e08a4523d94326dce8 100644
--- a/content/common/sandbox_seccomp_bpf_linux.cc
+++ b/content/common/sandbox_seccomp_bpf_linux.cc
@@ -227,54 +227,67 @@ intptr_t GpuOpenSIGSYS_Handler(const struct arch_seccomp_data& args,
 
 #if defined(__x86_64__)
 // x86_64 only because it references system calls that are multiplexed on IA32.
-playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
-  switch(sysno) {
-    case __NR_read:
-    case __NR_ioctl:
-    case __NR_poll:
+bool IsGpuAndFlashPolicyAllowed_x86_64(int sysno) {
+  switch (sysno) {
+    case __NR_brk:
+    case __NR_clone:  // TODO(jln) restrict flags.
+    case __NR_close:
+    case __NR_dup:
+    case __NR_epoll_create:
+    case __NR_epoll_ctl:
     case __NR_epoll_wait:
-    case __NR_recvfrom:
-    case __NR_write:
-    case __NR_writev:
-    case __NR_gettid:
-    case __NR_sched_yield:  // Nvidia binary driver.
-
+    case __NR_exit:
+    case __NR_exit_group:
+    case __NR_fcntl:
+    case __NR_fstat:
     case __NR_futex:
+    case __NR_getegid:

[Chris Evans, 2012/08/07 06:43:45]

Should we start preparing for the renderer policy by creating a "harmless" class
of syscall where we're 100% sure a syscall is super safe? These simple get*id
calls could go in to it.

[jln (very slow on Chromium), 2012/08/07 08:02:41]

Done in the following CL. I went through every x86_64 system call and classified
it. The next CL will have us have every system call in the file and make a
conscious decision about it.

+    case __NR_geteuid:
+    case __NR_getgid:
+    case __NR_gettid:
+    case __NR_getuid:
+    case __NR_lseek:
     case __NR_madvise:
-    case __NR_sendmsg:
-    case __NR_recvmsg:
-    case __NR_eventfd2:
-    case __NR_pipe:
     case __NR_mmap:

[Chris Evans, 2012/08/07 06:43:45]

Unrelated to this CL I know, but maybe a TODO here to restrict mmap() flags? I
don't think Ubuntu ever patched the MAP_GROWSDOWN thing. Also, fcntl(), prctl(),
others...?

[jln (very slow on Chromium), 2012/08/07 08:02:41]

Yes, good point. There are quite a few where we'll want to restrict arguments.

     case __NR_mprotect:
-    case __NR_clone:  // TODO(jln) restrict flags.
-    case __NR_set_robust_list:
-    case __NR_getuid:
-    case __NR_geteuid:
-    case __NR_getgid:
-    case __NR_getegid:
-    case __NR_epoll_create:
-    case __NR_fcntl:
-    case __NR_socketpair:
-    case __NR_epoll_ctl:
+    case __NR_munmap:
+    case __NR_pipe:
     case __NR_prctl:
-    case __NR_fstat:
-    case __NR_close:
+    case __NR_read:
+    case __NR_recvmsg:
     case __NR_restart_syscall:
-    case __NR_rt_sigreturn:
-    case __NR_brk:
+    case __NR_rt_sigaction:  // Breakpad signal handler.
     case __NR_rt_sigprocmask:
-    case __NR_munmap:
-    case __NR_dup:
-    case __NR_mlock:
-    case __NR_munlock:
-    case __NR_exit:
-    case __NR_exit_group:
-    case __NR_lseek:
+    case __NR_rt_sigreturn:
+    case __NR_sched_yield:
+    case __NR_sendmsg:
+    case __NR_set_robust_list:
+    case __NR_shutdown:
+    case __NR_socketpair:
+    case __NR_write:
+      return true;
+    default:
+      if (IsGettimeSyscall(sysno) ||
+          IsKillSyscall(sysno)) {
+        return true;
+      } else {
+        return false;
+      }
+  }
+}
+
+// x86_64 only because it references system calls that are multiplexed on IA32.
+playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
+  switch(sysno) {
+    case __NR_eventfd2:
     case __NR_getpid:  // Nvidia binary driver.
     case __NR_getppid:  // ATI binary driver.
-    case __NR_shutdown:  // Virtual driver.
-    case __NR_rt_sigaction:  // Breakpad signal handler.
+    case __NR_ioctl:
+    case __NR_mlock:
+    case __NR_munlock:
+    case __NR_poll:
+    case __NR_recvfrom:
+    case __NR_writev:
       return playground2::Sandbox::SB_ALLOWED;
     case __NR_socket:
       return EACCES;  // Nvidia binary driver.
@@ -296,8 +309,7 @@ playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
         return playground2::Sandbox::ErrorCode(GpuOpenSIGSYS_Handler, NULL);
       }
     default:
-      if (IsGettimeSyscall(sysno) ||
-          IsKillSyscall(sysno)) { // GPU watchdog.
+      if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) {
         return playground2::Sandbox::SB_ALLOWED;
       }
       // Generally, filename-based syscalls will fail with ENOENT to behave
@@ -313,58 +325,21 @@ playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
 // x86_64 only because it references system calls that are multiplexed on IA32.
 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
   switch (sysno) {
-    case __NR_futex:
-    case __NR_write:
-    case __NR_epoll_wait:
-    case __NR_read:
-    case __NR_times:
-    case __NR_clone:  // TODO(jln): restrict flags.
-    case __NR_set_robust_list:
-    case __NR_getuid:
-    case __NR_geteuid:
-    case __NR_getgid:
-    case __NR_getegid:
-    case __NR_epoll_create:
-    case __NR_fcntl:
-    case __NR_socketpair:
-    case __NR_pipe:
-    case __NR_epoll_ctl:
-    case __NR_gettid:
-    case __NR_prctl:
-    case __NR_fstat:
-    case __NR_sendmsg:
-    case __NR_mmap:
-    case __NR_munmap:
-    case __NR_mprotect:
-    case __NR_madvise:
-    case __NR_rt_sigaction:
-    case __NR_rt_sigprocmask:
-    case __NR_wait4:
-    case __NR_exit_group:
-    case __NR_exit:
-    case __NR_rt_sigreturn:
-    case __NR_restart_syscall:
-    case __NR_close:
-    case __NR_recvmsg:
-    case __NR_lseek:
-    case __NR_brk:
-    case __NR_sched_yield:
-    case __NR_shutdown:
     case __NR_sched_getaffinity:
     case __NR_sched_setscheduler:
-    case __NR_dup:  // Flash Access.
     // These are under investigation, and hopefully not here for the long term.
-    case __NR_shmctl:
     case __NR_shmat:
+    case __NR_shmctl:
     case __NR_shmdt:
+    case __NR_times:

[Chris Evans, 2012/08/07 06:43:45]

Should we just fold times() into IsGettimeSyscall()? Every baby step towards PSS
seems useful :)

[jln (very slow on Chromium), 2012/08/07 08:02:41]

It is actually in my "global process environment" set, along with:
__NR_getrlimit
__NR_getrusage
__NR_times
__NR_personality  // can change its personality as well.
__NR_setrlimit
__NR_acct  // privileged
__NR_prlimit64  // like setrlimit / getrlimit

I will send that CL tomorrow, let's have that discussion then ? There is
definitely plenty to discuss, I'm not super happy with my current sets, but it's
a start.

+    case __NR_wait4:
       return playground2::Sandbox::SB_ALLOWED;
     case __NR_ioctl:
       return ENOTTY;  // Flash Access.
     case __NR_socket:
       return EACCES;
     default:
-      if (IsGettimeSyscall(sysno) ||
-          IsKillSyscall(sysno)) {
+      if (IsGpuAndFlashPolicyAllowed_x86_64(sysno)) {
         return playground2::Sandbox::SB_ALLOWED;
       }
       if (IsFileSystemSyscall(sysno)) {