Added support for greylisting of system calls.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/codegen.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 
 namespace {
 
 void WriteFailedStderrSetupMessage(int out_fd) {
   const char* error_string = strerror(errno);
   static const char msg[] = "Failed to set up stderr: ";
   if (HANDLE_EINTR(write(out_fd, msg, sizeof(msg)-1)) > 0 && error_string &&
       HANDLE_EINTR(write(out_fd, error_string, strlen(error_string))) > 0 &&
@@ skipping 295 matching lines @@
   for (SyscallIterator iter(true); !iter.Done(); ) {
     uint32_t sysnum = iter.Next();
     if (!isDenied(syscallEvaluator(sysnum, aux))) {
       SANDBOX_DIE("Policies should deny system calls that are outside the "
                   "expected range (typically MIN_SYSCALL..MAX_SYSCALL)");
     }
   }
   return;
 }
 
+void Sandbox::CheckForUnsafeErrorCodes(Instruction *insn, void *aux) {
+  if (BPF_CLASS(insn->code) == BPF_RET &&
+      insn->k >  SECCOMP_RET_TRAP &&
+      insn->k <= SECCOMP_RET_TRAP+trapArraySize_) {

[jln (very slow on Chromium), 2012/11/20 01:08:31]

Better to do insn->k - SECCOMP_RET_TRAP <= trapArraySize_ to avoid int overflow
completely.

+    const ErrorCode& err = trapArray_[insn->k - SECCOMP_RET_TRAP - 1];
+    if (!err.safe_) {
+      bool *is_unsafe = static_cast<bool *>(aux);
+      *is_unsafe = true;
+    }
+  }
+}
+
+void Sandbox::RedirectToUserspace(Instruction *insn, void *aux) {
+  // When inside an UnsafeTrap() callback, we want to allow all system calls.
+  // This means, we must conditionally disable the sandbox -- and that's not
+  // something that kernel-side BPF filters can do, as they cannot inspect
+  // any state other than the syscall arguments.
+  // But if we redirect all error handlers to user-space, then we can easily
+  // make this decision.
+  // The performance penalty for this extra round-trip to user-space is not
+  // actually that bad, as we only ever pay it for denied system calls; and a
+  // typical program has very few of these.
+  if (BPF_CLASS(insn->code) == BPF_RET &&
+      (insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
+    insn->k = Trap(ReturnErrno,
+                   reinterpret_cast<void *>(insn->k & SECCOMP_RET_DATA)).err();
+  }
+}
+
+ErrorCode Sandbox::RedirectToUserspaceEvalWrapper(int sysnum, void *aux) {
+  // We need to replicate the behavior of RedirectToUserspace(), so that our
+  // Verifier can still work correctly.
+  Evaluators *evaluators = reinterpret_cast<Evaluators *>(aux);
+  const std::pair<EvaluateSyscall, void *>& evaluator = *evaluators->begin();
+  ErrorCode err = evaluator.first(sysnum, evaluator.second);
+  if ((err.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
+    return Trap(ReturnErrno,
+                reinterpret_cast<void *>(err.err() & SECCOMP_RET_DATA));
+  }
+  return err;
+}
+
 void Sandbox::setSandboxPolicy(EvaluateSyscall syscallEvaluator, void *aux) {
   if (status_ == STATUS_ENABLED) {
     SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
   policySanityChecks(syscallEvaluator, aux);
   evaluators_.push_back(std::make_pair(syscallEvaluator, aux));
 }
 
 void Sandbox::installFilter(bool quiet) {
   // Verify that the user pushed a policy.
   if (evaluators_.empty()) {
   filter_failed:
     SANDBOX_DIE("Failed to configure system call filters");
   }
 
   // Set new SIGSYS handler
   struct sigaction sa;
   memset(&sa, 0, sizeof(sa));
-  sa.sa_sigaction = &sigSys;
-  sa.sa_flags = SA_SIGINFO;
+  sa.sa_sigaction = sigSys;
+  sa.sa_flags = SA_SIGINFO | SA_NODEFER;
   if (sigaction(SIGSYS, &sa, NULL) < 0) {
     goto filter_failed;
   }
 
   // Unmask SIGSYS
   sigset_t mask;
   if (sigemptyset(&mask) ||
       sigaddset(&mask, SIGSYS) ||
       sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
     goto filter_failed;
@@ skipping 10 matching lines @@
   if (!gen) {
     SANDBOX_DIE("Out of memory");
   }
 
   // If the architecture doesn't match SECCOMP_ARCH, disallow the
   // system call.
   Instruction *tail;
   Instruction *head =
     gen->MakeInstruction(BPF_LD+BPF_W+BPF_ABS,
                          offsetof(struct arch_seccomp_data, arch),
+  tail =
     gen->MakeInstruction(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH,
-  tail =
-    // Grab the system call number, so that we can implement jump tables.
-    gen->MakeInstruction(BPF_LD+BPF_W+BPF_ABS,
-                         offsetof(struct arch_seccomp_data, nr)),
+                         NULL,
     gen->MakeInstruction(BPF_RET+BPF_K,
                          Kill(
                            "Invalid audit architecture in BPF filter").err_)));
 
-  // On Intel architectures, verify that system call numbers are in the
-  // expected number range. The older i386 and x86-64 APIs clear bit 30
-  // on all system calls. The newer x32 API always sets bit 30.
-#if defined(__i386__) || defined(__x86_64__)
-  Instruction *invalidX32 =
-    gen->MakeInstruction(BPF_RET+BPF_K,
-                         Kill("Illegal mixing of system call ABIs").err_);
-  Instruction *checkX32 =
-#if defined(__x86_64__) && defined(__ILP32__)
-    gen->MakeInstruction(BPF_JMP+BPF_JSET+BPF_K, 0x40000000, 0, invalidX32);
-#else
-    gen->MakeInstruction(BPF_JMP+BPF_JSET+BPF_K, 0x40000000, invalidX32, 0);
-#endif
-    gen->JoinInstructions(tail, checkX32);
-    tail = checkX32;
-#endif
-
-
   {
     // Evaluate all possible system calls and group their ErrorCodes into
     // ranges of identical codes.
     Ranges ranges;
     findRanges(&ranges);
 
     // Compile the system call ranges to an optimized BPF jumptable
     Instruction *jumptable =
       assembleJumpTable(gen, ranges.begin(), ranges.end());
 
+    // If there is at least one UnsafeTrap() in our program, the entire sandbox
+    // is unsafe. We need to modify the program so that all non-
+    // SECCOMP_RET_ALLOW ErrorCodes are handled in user-space. This will then
+    // allow us to temporarily disable sandboxing rules inside of callbacks to
+    // UnsafeTrap().
+    has_unsafe_traps_ = false;
+    gen->Traverse(jumptable, CheckForUnsafeErrorCodes, &has_unsafe_traps_);
+
+    // Grab the system call number, so that we can implement jump tables.
+    Instruction *load_nr =
+      gen->MakeInstruction(BPF_LD+BPF_W+BPF_ABS,
+                           offsetof(struct arch_seccomp_data, nr));
+
+    // If our BPF program has unsafe jumps, enable support for them. This
+    // test happens very early in the BPF filter program. Even before we
+    // consider looking at system call numbers.
+    // As support for unsafe jumps essentially defeats all the security
+    // measures that the sandbox provides, we print a big warning message --
+    // and of course, we make sure to only ever enable this feature if it
+    // is actually requested by the sandbox policy.
+    if (has_unsafe_traps_) {
+      if (Syscall(-1) == -1 && errno == ENOSYS) {
+        SANDBOX_DIE("Support for UnsafeTrap() has not yet been ported to this "
+                    "architecture");
+      }
+
+      EvaluateSyscall evaluateSyscall = evaluators_.begin()->first;
+      void *aux                       = evaluators_.begin()->second;
+      if (!evaluateSyscall(__NR_rt_sigprocmask, aux).
+            Equals(ErrorCode(ErrorCode::ERR_ALLOWED)) ||
+          !evaluateSyscall(__NR_rt_sigreturn, aux).
+            Equals(ErrorCode(ErrorCode::ERR_ALLOWED))
+#if defined(__NR_sigprocmask)
+       || !evaluateSyscall(__NR_sigprocmask, aux).
+            Equals(ErrorCode(ErrorCode::ERR_ALLOWED))
+#endif
+#if defined(__NR_sigreturn)
+       || !evaluateSyscall(__NR_sigreturn, aux).
+            Equals(ErrorCode(ErrorCode::ERR_ALLOWED))
+#endif
+          ) {
+        SANDBOX_DIE("Invalid seccomp policy; if using UnsafeTrap(), you must "
+                    "unconditionally allow sigreturn() and sigprocmask()");
+      }
+
+      SANDBOX_INFO("WARNING! Disabling sandbox for debugging purposes");
+      gen->Traverse(jumptable, RedirectToUserspace, NULL);
+
+      // Allow system calls, if they originate from our magic return address
+      // (which we can query by calling Syscall(-1)).
+      uintptr_t syscall_entry_point = static_cast<uintptr_t>(Syscall(-1));
+      uint32_t low = static_cast<uint32_t>(syscall_entry_point);
+#if __SIZEOF_POINTER__ > 4
+      uint32_t hi  = static_cast<uint32_t>(syscall_entry_point >> 32);
+#endif
+
+      // BPF cannot do native 64bit comparisons. On 64bit architectures, we
+      // have to compare both 32bit halfs of the instruction pointer. If they
+      // match what we expect, we return ERR_ALLOWED. If either or both don't
+      // match, we continue evalutating the rest of the sandbox policy.
+      Instruction *escape_hatch =
+        gen->MakeInstruction(BPF_LD+BPF_W+BPF_ABS,
+                             offsetof(struct arch_seccomp_data,
+                                      instruction_pointer) +
+                             (__SIZEOF_POINTER__ > 4 &&
+                              __BYTE_ORDER == __BIG_ENDIAN ? 4 : 0),

[jln (very slow on Chromium), 2012/11/20 01:08:31]

As agreed offline, please add an #error on __BIG_ENDIAN since this is completely
untested.

+        gen->MakeInstruction(BPF_JMP+BPF_JEQ+BPF_K, low,
+#if __SIZEOF_POINTER__ > 4
+        gen->MakeInstruction(BPF_LD+BPF_W+BPF_ABS,
+                             offsetof(struct arch_seccomp_data,
+                                      instruction_pointer) +
+                             (__BYTE_ORDER == __BIG_ENDIAN ? 0 : 4),
+        gen->MakeInstruction(BPF_JMP+BPF_JEQ+BPF_K, hi,
+#endif
+        gen->MakeInstruction(BPF_RET+BPF_K, ErrorCode(ErrorCode::ERR_ALLOWED)),
+#if __SIZEOF_POINTER__ > 4
+                             load_nr)),
+#endif
+                             load_nr));
+      gen->JoinInstructions(tail, escape_hatch);
+    } else {
+      gen->JoinInstructions(tail, load_nr);
+    }
+    tail = load_nr;
+
+    // On Intel architectures, verify that system call numbers are in the
+    // expected number range. The older i386 and x86-64 APIs clear bit 30
+    // on all system calls. The newer x32 API always sets bit 30.
+#if defined(__i386__) || defined(__x86_64__)
+    Instruction *invalidX32 =
+      gen->MakeInstruction(BPF_RET+BPF_K,
+                           Kill("Illegal mixing of system call ABIs").err_);
+    Instruction *checkX32 =
+#if defined(__x86_64__) && defined(__ILP32__)
+      gen->MakeInstruction(BPF_JMP+BPF_JSET+BPF_K, 0x40000000, 0, invalidX32);
+#else
+      gen->MakeInstruction(BPF_JMP+BPF_JSET+BPF_K, 0x40000000, invalidX32, 0);
+#endif
+      gen->JoinInstructions(tail, checkX32);
+      tail = checkX32;
+#endif
+
     // Append jump table to our pre-amble
     gen->JoinInstructions(tail, jumptable);
   }
 
   // Turn the DAG into a vector of instructions.
   Program *program = new Program();
   gen->Compile(head, program);
   delete gen;
 
   // Make sure compilation resulted in BPF program that executes
   // correctly. Otherwise, there is an internal error in our BPF compiler.
   // There is really nothing the caller can do until the bug is fixed.
 #ifndef NDEBUG
-  const char *err = NULL;
-  if (!Verifier::VerifyBPF(*program, evaluators_, &err)) {
-    SANDBOX_DIE(err);
+  {
+    // If we previously rewrote the BPF program so that it calls user-space
+    // whenever we return an "errno" value from the filter, then we have to
+    // wrap our system call evaluator to perform the same operation. Otherwise,
+    // the verifier would also report a mismatch in return codes.
+    Evaluators redirected_evaluators;
+    redirected_evaluators.push_back(
+      std::make_pair(RedirectToUserspaceEvalWrapper, &evaluators_));

[jln (very slow on Chromium), 2012/11/20 01:08:31]

nit: two more spaces for indent.

+
+    const char *err = NULL;
+    if (!Verifier::VerifyBPF(*program,
+            has_unsafe_traps_ ? redirected_evaluators : evaluators_, &err)) {

[jln (very slow on Chromium), 2012/11/20 01:08:31]

Nit: ident arguments together.

+      SANDBOX_DIE(err);
+    }
   }
 #endif
 
   // We want to be very careful in not imposing any requirements on the
   // policies that are set with setSandboxPolicy(). This means, as soon as
   // the sandbox is active, we shouldn't be relying on libraries that could
   // be making system calls. This, for example, means we should avoid
   // using the heap and we should avoid using STL functions.
   // Temporarily copy the contents of the "program" vector into a
   // stack-allocated array; and then explicitly destroy that object.
   // This makes sure we don't ex- or implicitly call new/delete after we
   // installed the BPF filter program in the kernel. Depending on the
   // system memory allocator that is in effect, these operators can result
   // in system calls to things like munmap() or brk().
   struct sock_filter bpf[program->size()];
   const struct sock_fprog prog = {
     static_cast<unsigned short>(program->size()), bpf };
   memcpy(bpf, &(*program)[0], sizeof(bpf));
   delete program;
 
   // Release memory that is no longer needed
   evaluators_.clear();
-  errMap_.clear();
 
 #if defined(SECCOMP_BPF_VALGRIND_HACKS)
   // Valgrind is really not happy about our sandbox. Disable it when running
   // in Valgrind. This feature is dangerous and should never be enabled by
   // default. We protect it behind a pre-processor option.
   if (!RUNNING_ON_VALGRIND)
 #endif
   {
     // Install BPF filter program
     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
@@ skipping 96 matching lines @@
   struct arch_sigsys sigsys;
   memcpy(&sigsys, &info->_sifields, sizeof(sigsys));
 
   // Some more sanity checks.
   if (sigsys.ip != reinterpret_cast<void *>(SECCOMP_IP(ctx)) ||
       sigsys.nr != static_cast<int>(SECCOMP_SYSCALL(ctx)) ||
       sigsys.arch != SECCOMP_ARCH) {
     goto sigsys_err;
   }
 
-  // Copy the seccomp-specific data into a arch_seccomp_data structure. This
-  // is what we are showing to TrapFnc callbacks that the system call evaluator
-  // registered with the sandbox.
-  struct arch_seccomp_data data = {
-    sigsys.nr,
-    SECCOMP_ARCH,
-    reinterpret_cast<uint64_t>(sigsys.ip),
-    {
-      static_cast<uint64_t>(SECCOMP_PARM1(ctx)),
-      static_cast<uint64_t>(SECCOMP_PARM2(ctx)),
-      static_cast<uint64_t>(SECCOMP_PARM3(ctx)),
-      static_cast<uint64_t>(SECCOMP_PARM4(ctx)),
-      static_cast<uint64_t>(SECCOMP_PARM5(ctx)),
-      static_cast<uint64_t>(SECCOMP_PARM6(ctx))
+  // We need to tell whether we are performing a "normal" callback, or
+  // whether we were called recursively from within a UnsafeTrap() callback.
+  // This is a little tricky to do, because we need to somehow get access to
+  // per-thread data from within a signal context. Normal TLS storage is not
+  // safely accessible at this time. We could roll our own, but that involves
+  // a lot of complexity. Instead, we co-opt one bit in the signal mask.
+  // If BUS is blocked, we assume that we have been called recursively.
+  // There is a possibility for collision with other code that needs to do
+  // this, but in practice the risks are low.
+  intptr_t rc;
+  if (has_unsafe_traps_ &&
+      sigismember(&ctx->uc_sigmask, SIGBUS)) {

[jln (very slow on Chromium), 2012/11/20 01:08:31]

This is pretty hack-ish. It's ok-ish since it's a debugging feature.

Maybe it could be made a bit more clear by wrapping this into 
SetIsInSigSysHandler() / GetIsInSigSysHandler() functions?

+    errno = old_errno;
+    if (sigsys.nr == __NR_clone) {
+      SANDBOX_DIE("Cannot call clone() from an UnsafeTrap() handler");
     }
-  };
+    rc = Syscall(sigsys.nr,
+                 SECCOMP_PARM1(ctx), SECCOMP_PARM2(ctx),
+                 SECCOMP_PARM3(ctx), SECCOMP_PARM4(ctx),
+                 SECCOMP_PARM5(ctx), SECCOMP_PARM6(ctx));
+  } else {
+    const ErrorCode& err = trapArray_[info->si_errno - 1];
+    if (!err.safe_) {
+      sigset_t mask;
+      sigemptyset(&mask);
+      sigaddset(&mask, SIGBUS);
+      sigprocmask(SIG_BLOCK, &mask, NULL);
+    }
 
-  // Now call the TrapFnc callback associated with this particular instance
-  // of SECCOMP_RET_TRAP.
-  const ErrorCode& err = trapArray_[info->si_errno - 1];
-  intptr_t rc          = err.fnc_(data, err.aux_);
+    // Copy the seccomp-specific data into a arch_seccomp_data structure. This
+    // is what we are showing to TrapFnc callbacks that the system call
+    // evaluator registered with the sandbox.
+    struct arch_seccomp_data data = {
+      sigsys.nr,
+      SECCOMP_ARCH,
+      reinterpret_cast<uint64_t>(sigsys.ip),
+      {
+        static_cast<uint64_t>(SECCOMP_PARM1(ctx)),
+        static_cast<uint64_t>(SECCOMP_PARM2(ctx)),
+        static_cast<uint64_t>(SECCOMP_PARM3(ctx)),
+        static_cast<uint64_t>(SECCOMP_PARM4(ctx)),
+        static_cast<uint64_t>(SECCOMP_PARM5(ctx)),
+        static_cast<uint64_t>(SECCOMP_PARM6(ctx))
+      }
+    };
+
+    // Now call the TrapFnc callback associated with this particular instance
+    // of SECCOMP_RET_TRAP.
+    rc = err.fnc_(data, err.aux_);
+  }
 
   // Update the CPU register that stores the return code of the system call
   // that we just handled, and restore "errno" to the value that it had
   // before entering the signal handler.
   SECCOMP_RESULT(ctx) = static_cast<greg_t>(rc);
   errno               = old_errno;
 
   return;
 }
 
-ErrorCode Sandbox::Trap(ErrorCode::TrapFnc fnc, const void *aux) {
+bool Sandbox::TrapKey::operator<(const Sandbox::TrapKey& o) const {
+  if (fnc != o.fnc) {
+    return fnc < o.fnc;
+  } else if (aux != o.aux) {
+    return aux < o.aux;
+  } else {
+    return safe < o.safe;
+  }
+}
+
+ErrorCode Sandbox::MakeTrap(ErrorCode::TrapFnc fnc, const void *aux,
+                            bool safe) {
   // Each unique pair of TrapFnc and auxiliary data make up a distinct instance
   // of a SECCOMP_RET_TRAP.
-  std::pair<ErrorCode::TrapFnc, const void *> key(fnc, aux);
+  TrapKey key(fnc, aux, safe);
   TrapIds::const_iterator iter = trapIds_.find(key);
   uint16_t id;
   if (iter != trapIds_.end()) {
     // We have seen this pair before. Return the same id that we assigned
     // earlier.
     id = iter->second;
   } else {
     // This is a new pair. Remember it and assign a new id.
     // Please note that we have to store traps in memory that doesn't get
     // deallocated when the program is shutting down. A memory leak is
     // intentional, because we might otherwise not be able to execute
     // system calls part way through the program shutting down
     if (!traps_) {
       traps_ = new Traps();
     }
     if (traps_->size() >= SECCOMP_RET_DATA) {
       // In practice, this is pretty much impossible to trigger, as there
       // are other kernel limitations that restrict overall BPF program sizes.
       SANDBOX_DIE("Too many SECCOMP_RET_TRAP callback instances");
     }
     id = traps_->size() + 1;
 
-    traps_->push_back(ErrorCode(fnc, aux, id));
+    traps_->push_back(ErrorCode(fnc, aux, safe, id));
     trapIds_[key] = id;
 
     // We want to access the traps_ vector from our signal handler. But
     // we are not assured that doing so is async-signal safe. On the other
     // hand, C++ guarantees that the contents of a vector is stored in a
     // contiguous C-style array.
     // So, we look up the address and size of this array outside of the
     // signal handler, where we can safely do so.
     trapArray_     = &(*traps_)[0];
     trapArraySize_ = id;
+    return traps_->back();
   }
 
-  ErrorCode err = ErrorCode(fnc, aux, id);
-  return errMap_[err.err()] = err;
+  return ErrorCode(fnc, aux, safe, id);
+}
+
+ErrorCode Sandbox::Trap(ErrorCode::TrapFnc fnc, const void *aux) {
+  return MakeTrap(fnc, aux, true);

[jln (very slow on Chromium), 2012/11/20 01:08:31]

Add a comment near true "/* Safe trap */"

+}
+
+ErrorCode Sandbox::UnsafeTrap(ErrorCode::TrapFnc fnc, const void *aux) {
+  return MakeTrap(fnc, aux, false);

[jln (very slow on Chromium), 2012/11/20 01:08:31]

Same here.

+}
+
+intptr_t Sandbox::ReturnErrno(const struct arch_seccomp_data&, void *aux) {
+  int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
+  return -err;
 }
 
 intptr_t Sandbox::bpfFailure(const struct arch_seccomp_data&, void *aux) {
   SANDBOX_DIE(static_cast<char *>(aux));
 }
 
 ErrorCode Sandbox::Kill(const char *msg) {
   return Trap(bpfFailure, const_cast<char *>(msg));
 }
 
 Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
 int    Sandbox::proc_fd_                = -1;
 Sandbox::Evaluators Sandbox::evaluators_;
-Sandbox::ErrMap Sandbox::errMap_;
 Sandbox::Traps *Sandbox::traps_         = NULL;
 Sandbox::TrapIds Sandbox::trapIds_;
 ErrorCode *Sandbox::trapArray_          = NULL;
 size_t Sandbox::trapArraySize_          = 0;
+  bool Sandbox::has_unsafe_traps_       = false;
 
 }  // namespace