Linux: add a seccomp-bpf sandbox for renderers

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 888 matching lines @@
     case __NR_semtimedop:
       return true;
     default:
       return false;
   }
 }
 #endif
 
 #if defined(__x86_64__)
 // These give a lot of ambient authority and bypass the setuid sandbox.
-bool IsAllowedSystemVSharedMemory(int sysno) {
+bool IsSystemVSharedMemory(int sysno) {
   switch (sysno) {
     case __NR_shmat:
     case __NR_shmctl:
     case __NR_shmdt:
+    case __NR_shmget:
       return true;
-    case __NR_shmget:
     default:
       return false;
   }
 }
 #endif
 
 #if defined(__x86_64__)
 bool IsSystemVMessageQueue(int sysno) {
   switch (sysno) {
     case __NR_msgctl:
@@ skipping 206 matching lines @@
   } else {
     return false;
   }
 }
 
 // System calls that will trigger the crashing sigsys handler.
 bool IsBaselinePolicyWatched_x86_64(int sysno) {
   if (IsAdminOperation(sysno) ||
       IsAdvancedScheduler(sysno) ||
       IsAdvancedTimer(sysno) ||
-#if defined(__x86_64__)
-      IsAllowedSystemVSharedMemory(sysno) ||
-#endif
       IsAsyncIo(sysno) ||
       IsDebug(sysno) ||
       IsEventFd(sysno) ||
       IsExtendedAttributes(sysno) ||
       IsFaNotify(sysno) ||
       IsFsControl(sysno) ||
       IsGlobalFSViewChange(sysno) ||
       IsGlobalProcessEnvironment(sysno) ||
       IsGlobalSystemStatus(sysno) ||
       IsInotify(sysno) ||
       IsKernelModule(sysno) ||
       IsKeyManagement(sysno) ||
       IsMessageQueue(sysno) ||
       IsMisc(sysno) ||
 #if defined(__x86_64__)
       IsNetworkSocketInformation(sysno) ||
 #endif
       IsNuma(sysno) ||
       IsProcessGroupOrSession(sysno) ||
       IsProcessPrivilegeChange(sysno) ||
 #if defined(__i386__)
       IsSocketCall(sysno) ||  // We'll need to handle this properly to build
                               // a x86_32 policy.
 #endif
 #if defined(__x86_64__)
       IsSystemVMessageQueue(sysno) ||
       IsSystemVSemaphores(sysno) ||
+      IsSystemVSharedMemory(sysno) ||
 #elif defined(__i386__)
       IsSystemVIpc(sysno) ||
 #endif
 #if defined(__arm__)
       IsArmPciConfig(sysno) ||
 #endif
       IsTimer(sysno)) {
     return true;
   } else {
     return false;
@@ skipping 50 matching lines @@
       }
     default:
       if (IsEventFd(sysno))
         return playground2::Sandbox::SB_ALLOWED;
 
       // Default on the baseline policy.
       return BaselinePolicy_x86_64(sysno);
   }
 }
 
+playground2::Sandbox::ErrorCode RendererProcessPolicy_x86_64(int sysno) {
+  switch (sysno) {
+    case __NR_ioctl:
+      return ENOTTY;

[Jorge Lucangeli Obes, 2012/08/29 23:57:51]

We were doing this in the Flash policy because we knew that the ioctl being
called was for a TTY. The man page for ioctl sort-of suggests that ENOTTY would
be OK for any ioctl call, but it might be kinda weird to get ENOTTY for some
ioctl calls, wouldn't it?

[jln (very slow on Chromium), 2012/08/30 00:05:32]

I was considering EINVAL, but I think ENOTTY is the proper one:

- It seems like a strange name, but it exists for historical reasons.
- ENOTTY is what the kernel returns for "unrecognized ioctl".

There is even a comment in ioctl.c saying the EINVAL is wrong. I checked :)

+    case __NR_fdatasync:

[Chris Evans, 2012/08/30 00:08:26]

It sort of feels like sync_file_range fits into this little logical group?

I don't know if it adds much surface (e.g. OOB ranges, negative or huge ints,
etc)

[jln (very slow on Chromium), 2012/08/30 00:29:15]

Yes, it really depends on our strategy. In the same way, I didn't allow the
whole IsAdvancedScheduler (and allowed specific system calls instead) and didn't
put pread64/pwrite64 in the main I/O PSS to be conservative and err on the side
of attack surface reduction, which is why this policy doesn't look as "nice" as
the other ones.

This sandbox could be really robust (in terms of not crashing / stopping
working) if we didn't have to take attack surface reduction into account.

In other words, we have multiple dimensions:

1. What system calls allow the process to do (system call semantics)
2. Attack surface reduction

It's hard to juggle with the two. We could achieve (2) without breaking the
kernel API by relying heavily on brokers, but it comes with a performance
impact.

Sometimes I think about a way to express PSS where I could add "tags" to account
for the second dimension. I don't like that currently we're mixing the two
dimensions in how the sets are defined.

My current attempt at reconciling these aspects are the "IsAllowedXXXX" sets,
where it's still clear what constitutes the whole logical "set", and what's
carved out for attack surface reduction.

For instance if you look at IsAllowedAddressSpaceAccess(), it's clear that
mremap() belongs to the same set as mmap(), even though we exclude it for attack
surface reduction reasons.

I think we should see what happens. If things break often, we should err more on
the side of "strict PSS" and less attack surface reduction, or on the side of
brokering things out.

That's why I've been so adamant that we get good test coverage.

Another thing we could do is to have "two levels" of BPF sandboxes. The first
level for a sandbox that only looks a system calls "semantics", the second level
for attack surface reduction.
The second level could run some basic tests before the sandbox gets enabled, so
that we don't enable it if it'd lead to a crash.

Julien

+    case __NR_fsync:
+#if defined(__i386__) || defined(__x86_64__)
+    case __NR_getrlimit:
+#endif
+    case __NR_pread64:
+    case __NR_pwrite64:
+    case __NR_sched_get_priority_max:
+    case __NR_sched_get_priority_min:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_setscheduler:
+    case __NR_setpriority:
+    case __NR_sysinfo:
+    case __NR_times:
+    case __NR_uname:
+      return playground2::Sandbox::SB_ALLOWED;
+    default:
+#if defined(__x86_64__)
+      if (IsSystemVSharedMemory(sysno))
+        return playground2::Sandbox::SB_ALLOWED;
+#endif
+
+      // Default on the baseline policy.
+      return BaselinePolicy_x86_64(sysno);
+  }
+}
+
 // x86_64 only for now. Needs to be adapted and tested for i386.
 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
   switch (sysno) {
     case __NR_sched_getaffinity:
     case __NR_sched_setscheduler:
     case __NR_times:
       return playground2::Sandbox::SB_ALLOWED;
     case __NR_ioctl:
       return ENOTTY;  // Flash Access.
 #if defined(__x86_64__)
     case __NR_socket:
       return EACCES;
 #endif
     default:
 #if defined(__x86_64__)
       // These are under investigation, and hopefully not here for the long
       // term.
-      if (IsAllowedSystemVSharedMemory(sysno))
+      if (IsSystemVSharedMemory(sysno))
         return playground2::Sandbox::SB_ALLOWED;
 #endif
 
       // Default on the baseline policy.
-      return  BaselinePolicy_x86_64(sysno);
+      return BaselinePolicy_x86_64(sysno);
   }
 }
 
 playground2::Sandbox::ErrorCode BlacklistDebugAndNumaPolicy(int sysno) {
   if (sysno < static_cast<int>(MIN_SYSCALL) ||
       sysno > static_cast<int>(MAX_SYSCALL)) {
     // TODO(jln) we should not have to do that in a trivial policy.
     return ENOSYS;
   }
 
@@ skipping 44 matching lines @@
     else
       return GpuProcessPolicy_x86_64;
   }
 
   if (process_type == switches::kPpapiPluginProcess) {
     // TODO(jln): figure out what to do with non-Flash PPAPI
     // out-of-process plug-ins.
     return FlashProcessPolicy_x86_64;
   }
 
-  if (process_type == switches::kRendererProcess ||
-      process_type == switches::kWorkerProcess) {
+  if (process_type == switches::kRendererProcess) {
+    return RendererProcessPolicy_x86_64;
+  }
+
+  if (process_type == switches::kWorkerProcess) {
     return BlacklistDebugAndNumaPolicy;
   }
   NOTREACHED();
   // This will be our default if we need one.
   return AllowAllPolicy;
 #else
   // On other architectures (currently IA32 or ARM),
   // we only have a small blacklist at the moment.
   (void) process_type;
   return BlacklistDebugAndNumaPolicy;
@@ skipping 64 matching lines @@
       // Process-specific policy.
       ShouldEnableSeccompBpf(process_type) &&
       SupportsSandbox()) {
     return StartBpfSandbox(command_line, process_type);
   }
 #endif
   return false;
 }
 
 }  // namespace content