OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
6 #include <dlfcn.h> | 6 #include <dlfcn.h> |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <linux/audit.h> | 9 #include <linux/audit.h> |
10 #include <linux/filter.h> | 10 #include <linux/filter.h> |
(...skipping 888 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
899 case __NR_semtimedop: | 899 case __NR_semtimedop: |
900 return true; | 900 return true; |
901 default: | 901 default: |
902 return false; | 902 return false; |
903 } | 903 } |
904 } | 904 } |
905 #endif | 905 #endif |
906 | 906 |
907 #if defined(__x86_64__) | 907 #if defined(__x86_64__) |
908 // These give a lot of ambient authority and bypass the setuid sandbox. | 908 // These give a lot of ambient authority and bypass the setuid sandbox. |
909 bool IsAllowedSystemVSharedMemory(int sysno) { | 909 bool IsSystemVSharedMemory(int sysno) { |
910 switch (sysno) { | 910 switch (sysno) { |
911 case __NR_shmat: | 911 case __NR_shmat: |
912 case __NR_shmctl: | 912 case __NR_shmctl: |
913 case __NR_shmdt: | 913 case __NR_shmdt: |
914 case __NR_shmget: | |
914 return true; | 915 return true; |
915 case __NR_shmget: | |
916 default: | 916 default: |
917 return false; | 917 return false; |
918 } | 918 } |
919 } | 919 } |
920 #endif | 920 #endif |
921 | 921 |
922 #if defined(__x86_64__) | 922 #if defined(__x86_64__) |
923 bool IsSystemVMessageQueue(int sysno) { | 923 bool IsSystemVMessageQueue(int sysno) { |
924 switch (sysno) { | 924 switch (sysno) { |
925 case __NR_msgctl: | 925 case __NR_msgctl: |
(...skipping 206 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1132 } else { | 1132 } else { |
1133 return false; | 1133 return false; |
1134 } | 1134 } |
1135 } | 1135 } |
1136 | 1136 |
1137 // System calls that will trigger the crashing sigsys handler. | 1137 // System calls that will trigger the crashing sigsys handler. |
1138 bool IsBaselinePolicyWatched_x86_64(int sysno) { | 1138 bool IsBaselinePolicyWatched_x86_64(int sysno) { |
1139 if (IsAdminOperation(sysno) || | 1139 if (IsAdminOperation(sysno) || |
1140 IsAdvancedScheduler(sysno) || | 1140 IsAdvancedScheduler(sysno) || |
1141 IsAdvancedTimer(sysno) || | 1141 IsAdvancedTimer(sysno) || |
1142 #if defined(__x86_64__) | |
1143 IsAllowedSystemVSharedMemory(sysno) || | |
1144 #endif | |
1145 IsAsyncIo(sysno) || | 1142 IsAsyncIo(sysno) || |
1146 IsDebug(sysno) || | 1143 IsDebug(sysno) || |
1147 IsEventFd(sysno) || | 1144 IsEventFd(sysno) || |
1148 IsExtendedAttributes(sysno) || | 1145 IsExtendedAttributes(sysno) || |
1149 IsFaNotify(sysno) || | 1146 IsFaNotify(sysno) || |
1150 IsFsControl(sysno) || | 1147 IsFsControl(sysno) || |
1151 IsGlobalFSViewChange(sysno) || | 1148 IsGlobalFSViewChange(sysno) || |
1152 IsGlobalProcessEnvironment(sysno) || | 1149 IsGlobalProcessEnvironment(sysno) || |
1153 IsGlobalSystemStatus(sysno) || | 1150 IsGlobalSystemStatus(sysno) || |
1154 IsInotify(sysno) || | 1151 IsInotify(sysno) || |
1155 IsKernelModule(sysno) || | 1152 IsKernelModule(sysno) || |
1156 IsKeyManagement(sysno) || | 1153 IsKeyManagement(sysno) || |
1157 IsMessageQueue(sysno) || | 1154 IsMessageQueue(sysno) || |
1158 IsMisc(sysno) || | 1155 IsMisc(sysno) || |
1159 #if defined(__x86_64__) | 1156 #if defined(__x86_64__) |
1160 IsNetworkSocketInformation(sysno) || | 1157 IsNetworkSocketInformation(sysno) || |
1161 #endif | 1158 #endif |
1162 IsNuma(sysno) || | 1159 IsNuma(sysno) || |
1163 IsProcessGroupOrSession(sysno) || | 1160 IsProcessGroupOrSession(sysno) || |
1164 IsProcessPrivilegeChange(sysno) || | 1161 IsProcessPrivilegeChange(sysno) || |
1165 #if defined(__i386__) | 1162 #if defined(__i386__) |
1166 IsSocketCall(sysno) || // We'll need to handle this properly to build | 1163 IsSocketCall(sysno) || // We'll need to handle this properly to build |
1167 // a x86_32 policy. | 1164 // a x86_32 policy. |
1168 #endif | 1165 #endif |
1169 #if defined(__x86_64__) | 1166 #if defined(__x86_64__) |
1170 IsSystemVMessageQueue(sysno) || | 1167 IsSystemVMessageQueue(sysno) || |
1171 IsSystemVSemaphores(sysno) || | 1168 IsSystemVSemaphores(sysno) || |
1169 IsSystemVSharedMemory(sysno) || | |
1172 #elif defined(__i386__) | 1170 #elif defined(__i386__) |
1173 IsSystemVIpc(sysno) || | 1171 IsSystemVIpc(sysno) || |
1174 #endif | 1172 #endif |
1175 #if defined(__arm__) | 1173 #if defined(__arm__) |
1176 IsArmPciConfig(sysno) || | 1174 IsArmPciConfig(sysno) || |
1177 #endif | 1175 #endif |
1178 IsTimer(sysno)) { | 1176 IsTimer(sysno)) { |
1179 return true; | 1177 return true; |
1180 } else { | 1178 } else { |
1181 return false; | 1179 return false; |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1232 } | 1230 } |
1233 default: | 1231 default: |
1234 if (IsEventFd(sysno)) | 1232 if (IsEventFd(sysno)) |
1235 return playground2::Sandbox::SB_ALLOWED; | 1233 return playground2::Sandbox::SB_ALLOWED; |
1236 | 1234 |
1237 // Default on the baseline policy. | 1235 // Default on the baseline policy. |
1238 return BaselinePolicy_x86_64(sysno); | 1236 return BaselinePolicy_x86_64(sysno); |
1239 } | 1237 } |
1240 } | 1238 } |
1241 | 1239 |
1240 playground2::Sandbox::ErrorCode RendererProcessPolicy_x86_64(int sysno) { | |
1241 switch (sysno) { | |
1242 case __NR_ioctl: | |
1243 return ENOTTY; | |
Jorge Lucangeli Obes
2012/08/29 23:57:51
We were doing this in the Flash policy because we
jln (very slow on Chromium)
2012/08/30 00:05:32
I was considering EINVAL, but I think ENOTTY is th
| |
1244 case __NR_fdatasync: | |
Chris Evans
2012/08/30 00:08:26
It sort of feels like sync_file_range fits into th
jln (very slow on Chromium)
2012/08/30 00:29:15
Yes, it really depends on our strategy. In the sam
| |
1245 case __NR_fsync: | |
1246 #if defined(__i386__) || defined(__x86_64__) | |
1247 case __NR_getrlimit: | |
1248 #endif | |
1249 case __NR_pread64: | |
1250 case __NR_pwrite64: | |
1251 case __NR_sched_get_priority_max: | |
1252 case __NR_sched_get_priority_min: | |
1253 case __NR_sched_getparam: | |
1254 case __NR_sched_getscheduler: | |
1255 case __NR_sched_setscheduler: | |
1256 case __NR_setpriority: | |
1257 case __NR_sysinfo: | |
1258 case __NR_times: | |
1259 case __NR_uname: | |
1260 return playground2::Sandbox::SB_ALLOWED; | |
1261 default: | |
1262 #if defined(__x86_64__) | |
1263 if (IsSystemVSharedMemory(sysno)) | |
1264 return playground2::Sandbox::SB_ALLOWED; | |
1265 #endif | |
1266 | |
1267 // Default on the baseline policy. | |
1268 return BaselinePolicy_x86_64(sysno); | |
1269 } | |
1270 } | |
1271 | |
1242 // x86_64 only for now. Needs to be adapted and tested for i386. | 1272 // x86_64 only for now. Needs to be adapted and tested for i386. |
1243 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) { | 1273 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) { |
1244 switch (sysno) { | 1274 switch (sysno) { |
1245 case __NR_sched_getaffinity: | 1275 case __NR_sched_getaffinity: |
1246 case __NR_sched_setscheduler: | 1276 case __NR_sched_setscheduler: |
1247 case __NR_times: | 1277 case __NR_times: |
1248 return playground2::Sandbox::SB_ALLOWED; | 1278 return playground2::Sandbox::SB_ALLOWED; |
1249 case __NR_ioctl: | 1279 case __NR_ioctl: |
1250 return ENOTTY; // Flash Access. | 1280 return ENOTTY; // Flash Access. |
1251 #if defined(__x86_64__) | 1281 #if defined(__x86_64__) |
1252 case __NR_socket: | 1282 case __NR_socket: |
1253 return EACCES; | 1283 return EACCES; |
1254 #endif | 1284 #endif |
1255 default: | 1285 default: |
1256 #if defined(__x86_64__) | 1286 #if defined(__x86_64__) |
1257 // These are under investigation, and hopefully not here for the long | 1287 // These are under investigation, and hopefully not here for the long |
1258 // term. | 1288 // term. |
1259 if (IsAllowedSystemVSharedMemory(sysno)) | 1289 if (IsSystemVSharedMemory(sysno)) |
1260 return playground2::Sandbox::SB_ALLOWED; | 1290 return playground2::Sandbox::SB_ALLOWED; |
1261 #endif | 1291 #endif |
1262 | 1292 |
1263 // Default on the baseline policy. | 1293 // Default on the baseline policy. |
1264 return BaselinePolicy_x86_64(sysno); | 1294 return BaselinePolicy_x86_64(sysno); |
1265 } | 1295 } |
1266 } | 1296 } |
1267 | 1297 |
1268 playground2::Sandbox::ErrorCode BlacklistDebugAndNumaPolicy(int sysno) { | 1298 playground2::Sandbox::ErrorCode BlacklistDebugAndNumaPolicy(int sysno) { |
1269 if (sysno < static_cast<int>(MIN_SYSCALL) || | 1299 if (sysno < static_cast<int>(MIN_SYSCALL) || |
1270 sysno > static_cast<int>(MAX_SYSCALL)) { | 1300 sysno > static_cast<int>(MAX_SYSCALL)) { |
1271 // TODO(jln) we should not have to do that in a trivial policy. | 1301 // TODO(jln) we should not have to do that in a trivial policy. |
1272 return ENOSYS; | 1302 return ENOSYS; |
1273 } | 1303 } |
1274 | 1304 |
(...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1319 else | 1349 else |
1320 return GpuProcessPolicy_x86_64; | 1350 return GpuProcessPolicy_x86_64; |
1321 } | 1351 } |
1322 | 1352 |
1323 if (process_type == switches::kPpapiPluginProcess) { | 1353 if (process_type == switches::kPpapiPluginProcess) { |
1324 // TODO(jln): figure out what to do with non-Flash PPAPI | 1354 // TODO(jln): figure out what to do with non-Flash PPAPI |
1325 // out-of-process plug-ins. | 1355 // out-of-process plug-ins. |
1326 return FlashProcessPolicy_x86_64; | 1356 return FlashProcessPolicy_x86_64; |
1327 } | 1357 } |
1328 | 1358 |
1329 if (process_type == switches::kRendererProcess || | 1359 if (process_type == switches::kRendererProcess) { |
1330 process_type == switches::kWorkerProcess) { | 1360 return RendererProcessPolicy_x86_64; |
1361 } | |
1362 | |
1363 if (process_type == switches::kWorkerProcess) { | |
1331 return BlacklistDebugAndNumaPolicy; | 1364 return BlacklistDebugAndNumaPolicy; |
1332 } | 1365 } |
1333 NOTREACHED(); | 1366 NOTREACHED(); |
1334 // This will be our default if we need one. | 1367 // This will be our default if we need one. |
1335 return AllowAllPolicy; | 1368 return AllowAllPolicy; |
1336 #else | 1369 #else |
1337 // On other architectures (currently IA32 or ARM), | 1370 // On other architectures (currently IA32 or ARM), |
1338 // we only have a small blacklist at the moment. | 1371 // we only have a small blacklist at the moment. |
1339 (void) process_type; | 1372 (void) process_type; |
1340 return BlacklistDebugAndNumaPolicy; | 1373 return BlacklistDebugAndNumaPolicy; |
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1405 // Process-specific policy. | 1438 // Process-specific policy. |
1406 ShouldEnableSeccompBpf(process_type) && | 1439 ShouldEnableSeccompBpf(process_type) && |
1407 SupportsSandbox()) { | 1440 SupportsSandbox()) { |
1408 return StartBpfSandbox(command_line, process_type); | 1441 return StartBpfSandbox(command_line, process_type); |
1409 } | 1442 } |
1410 #endif | 1443 #endif |
1411 return false; | 1444 return false; |
1412 } | 1445 } |
1413 | 1446 |
1414 } // namespace content | 1447 } // namespace content |
OLD | NEW |