Linux: add a seccomp-bpf sandbox for renderers

content/common/sandbox_seccomp_bpf_linux.cc

Index: content/common/sandbox_seccomp_bpf_linux.cc
diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc
index 37d52612b3412658f37106c277cbcc5db6c276d0..497996b0e2fe6d1c00c206dad39142ebdaa0c165 100644
--- a/content/common/sandbox_seccomp_bpf_linux.cc
+++ b/content/common/sandbox_seccomp_bpf_linux.cc
@@ -906,13 +906,13 @@ bool IsSystemVSemaphores(int sysno) {
 
 #if defined(__x86_64__)
 // These give a lot of ambient authority and bypass the setuid sandbox.
-bool IsAllowedSystemVSharedMemory(int sysno) {
+bool IsSystemVSharedMemory(int sysno) {
   switch (sysno) {
     case __NR_shmat:
     case __NR_shmctl:
     case __NR_shmdt:
-      return true;
     case __NR_shmget:
+      return true;
     default:
       return false;
   }
@@ -1139,9 +1139,6 @@ bool IsBaselinePolicyWatched_x86_64(int sysno) {
   if (IsAdminOperation(sysno) ||
       IsAdvancedScheduler(sysno) ||
       IsAdvancedTimer(sysno) ||
-#if defined(__x86_64__)
-      IsAllowedSystemVSharedMemory(sysno) ||
-#endif
       IsAsyncIo(sysno) ||
       IsDebug(sysno) ||
       IsEventFd(sysno) ||
@@ -1169,6 +1166,7 @@ bool IsBaselinePolicyWatched_x86_64(int sysno) {
 #if defined(__x86_64__)
       IsSystemVMessageQueue(sysno) ||
       IsSystemVSemaphores(sysno) ||
+      IsSystemVSharedMemory(sysno) ||
 #elif defined(__i386__)
       IsSystemVIpc(sysno) ||
 #endif
@@ -1239,6 +1237,38 @@ playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
   }
 }
 
+playground2::Sandbox::ErrorCode RendererProcessPolicy_x86_64(int sysno) {
+  switch (sysno) {
+    case __NR_ioctl:
+      return ENOTTY;

[Jorge Lucangeli Obes, 2012/08/29 23:57:51]

We were doing this in the Flash policy because we knew that the ioctl being
called was for a TTY. The man page for ioctl sort-of suggests that ENOTTY would
be OK for any ioctl call, but it might be kinda weird to get ENOTTY for some
ioctl calls, wouldn't it?

[jln (very slow on Chromium), 2012/08/30 00:05:32]

I was considering EINVAL, but I think ENOTTY is the proper one:

- It seems like a strange name, but it exists for historical reasons.
- ENOTTY is what the kernel returns for "unrecognized ioctl".

There is even a comment in ioctl.c saying the EINVAL is wrong. I checked :)

+    case __NR_fdatasync:

[Chris Evans, 2012/08/30 00:08:26]

It sort of feels like sync_file_range fits into this little logical group?

I don't know if it adds much surface (e.g. OOB ranges, negative or huge ints,
etc)

[jln (very slow on Chromium), 2012/08/30 00:29:15]

Yes, it really depends on our strategy. In the same way, I didn't allow the
whole IsAdvancedScheduler (and allowed specific system calls instead) and didn't
put pread64/pwrite64 in the main I/O PSS to be conservative and err on the side
of attack surface reduction, which is why this policy doesn't look as "nice" as
the other ones.

This sandbox could be really robust (in terms of not crashing / stopping
working) if we didn't have to take attack surface reduction into account.

In other words, we have multiple dimensions:

1. What system calls allow the process to do (system call semantics)
2. Attack surface reduction

It's hard to juggle with the two. We could achieve (2) without breaking the
kernel API by relying heavily on brokers, but it comes with a performance
impact.

Sometimes I think about a way to express PSS where I could add "tags" to account
for the second dimension. I don't like that currently we're mixing the two
dimensions in how the sets are defined.

My current attempt at reconciling these aspects are the "IsAllowedXXXX" sets,
where it's still clear what constitutes the whole logical "set", and what's
carved out for attack surface reduction.

For instance if you look at IsAllowedAddressSpaceAccess(), it's clear that
mremap() belongs to the same set as mmap(), even though we exclude it for attack
surface reduction reasons.

I think we should see what happens. If things break often, we should err more on
the side of "strict PSS" and less attack surface reduction, or on the side of
brokering things out.

That's why I've been so adamant that we get good test coverage.

Another thing we could do is to have "two levels" of BPF sandboxes. The first
level for a sandbox that only looks a system calls "semantics", the second level
for attack surface reduction.
The second level could run some basic tests before the sandbox gets enabled, so
that we don't enable it if it'd lead to a crash.

Julien

+    case __NR_fsync:
+#if defined(__i386__) || defined(__x86_64__)
+    case __NR_getrlimit:
+#endif
+    case __NR_pread64:
+    case __NR_pwrite64:
+    case __NR_sched_get_priority_max:
+    case __NR_sched_get_priority_min:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_setscheduler:
+    case __NR_setpriority:
+    case __NR_sysinfo:
+    case __NR_times:
+    case __NR_uname:
+      return playground2::Sandbox::SB_ALLOWED;
+    default:
+#if defined(__x86_64__)
+      if (IsSystemVSharedMemory(sysno))
+        return playground2::Sandbox::SB_ALLOWED;
+#endif
+
+      // Default on the baseline policy.
+      return BaselinePolicy_x86_64(sysno);
+  }
+}
+
 // x86_64 only for now. Needs to be adapted and tested for i386.
 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
   switch (sysno) {
@@ -1256,12 +1286,12 @@ playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
 #if defined(__x86_64__)
       // These are under investigation, and hopefully not here for the long
       // term.
-      if (IsAllowedSystemVSharedMemory(sysno))
+      if (IsSystemVSharedMemory(sysno))
         return playground2::Sandbox::SB_ALLOWED;
 #endif
 
       // Default on the baseline policy.
-      return  BaselinePolicy_x86_64(sysno);
+      return BaselinePolicy_x86_64(sysno);
   }
 }
 
@@ -1326,8 +1356,11 @@ playground2::Sandbox::EvaluateSyscall GetProcessSyscallPolicy(
     return FlashProcessPolicy_x86_64;
   }
 
-  if (process_type == switches::kRendererProcess ||
-      process_type == switches::kWorkerProcess) {
+  if (process_type == switches::kRendererProcess) {
+    return RendererProcessPolicy_x86_64;
+  }
+
+  if (process_type == switches::kWorkerProcess) {
     return BlacklistDebugAndNumaPolicy;
   }
   NOTREACHED();