| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
| 6 #include <dlfcn.h> | 6 #include <dlfcn.h> |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <linux/audit.h> | 9 #include <linux/audit.h> |
| 10 #include <linux/filter.h> | 10 #include <linux/filter.h> |
| (...skipping 1317 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1328 if (IsSystemVIpc(sysno)) | 1328 if (IsSystemVIpc(sysno)) |
| 1329 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1329 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 1330 #endif | 1330 #endif |
| 1331 | 1331 |
| 1332 // Default on the baseline policy. | 1332 // Default on the baseline policy. |
| 1333 return BaselinePolicy(sysno); | 1333 return BaselinePolicy(sysno); |
| 1334 } | 1334 } |
| 1335 } | 1335 } |
| 1336 | 1336 |
| 1337 ErrorCode BlacklistDebugAndNumaPolicy(int sysno, void *) { | 1337 ErrorCode BlacklistDebugAndNumaPolicy(int sysno, void *) { |
| 1338 if (!Sandbox::isValidSyscallNumber(sysno)) { | 1338 if (!Sandbox::IsValidSyscallNumber(sysno)) { |
| 1339 // TODO(jln) we should not have to do that in a trivial policy. | 1339 // TODO(jln) we should not have to do that in a trivial policy. |
| 1340 return ErrorCode(ENOSYS); | 1340 return ErrorCode(ENOSYS); |
| 1341 } | 1341 } |
| 1342 | 1342 |
| 1343 if (IsDebug(sysno) || IsNuma(sysno)) | 1343 if (IsDebug(sysno) || IsNuma(sysno)) |
| 1344 return Sandbox::Trap(CrashSIGSYS_Handler, NULL); | 1344 return Sandbox::Trap(CrashSIGSYS_Handler, NULL); |
| 1345 | 1345 |
| 1346 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1346 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 1347 } | 1347 } |
| 1348 | 1348 |
| 1349 // Allow all syscalls. | 1349 // Allow all syscalls. |
| 1350 // This will still deny x32 or IA32 calls in 64 bits mode or | 1350 // This will still deny x32 or IA32 calls in 64 bits mode or |
| 1351 // 64 bits system calls in compatibility mode. | 1351 // 64 bits system calls in compatibility mode. |
| 1352 ErrorCode AllowAllPolicy(int sysno, void *) { | 1352 ErrorCode AllowAllPolicy(int sysno, void *) { |
| 1353 if (!Sandbox::isValidSyscallNumber(sysno)) { | 1353 if (!Sandbox::IsValidSyscallNumber(sysno)) { |
| 1354 // TODO(jln) we should not have to do that in a trivial policy. | 1354 // TODO(jln) we should not have to do that in a trivial policy. |
| 1355 return ErrorCode(ENOSYS); | 1355 return ErrorCode(ENOSYS); |
| 1356 } else { | 1356 } else { |
| 1357 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1357 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 1358 } | 1358 } |
| 1359 } | 1359 } |
| 1360 | 1360 |
| 1361 // Warms up/preloads resources needed by the policies. | 1361 // Warms up/preloads resources needed by the policies. |
| 1362 void WarmupPolicy(Sandbox::EvaluateSyscall policy) { | 1362 void WarmupPolicy(Sandbox::EvaluateSyscall policy) { |
| 1363 #if defined(__x86_64__) | 1363 #if defined(__x86_64__) |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1411 | 1411 |
| 1412 // Initialize the seccomp-bpf sandbox. | 1412 // Initialize the seccomp-bpf sandbox. |
| 1413 bool StartBpfSandbox(const CommandLine& command_line, | 1413 bool StartBpfSandbox(const CommandLine& command_line, |
| 1414 const std::string& process_type) { | 1414 const std::string& process_type) { |
| 1415 Sandbox::EvaluateSyscall SyscallPolicy = | 1415 Sandbox::EvaluateSyscall SyscallPolicy = |
| 1416 GetProcessSyscallPolicy(command_line, process_type); | 1416 GetProcessSyscallPolicy(command_line, process_type); |
| 1417 | 1417 |
| 1418 // Warms up resources needed by the policy we're about to enable. | 1418 // Warms up resources needed by the policy we're about to enable. |
| 1419 WarmupPolicy(SyscallPolicy); | 1419 WarmupPolicy(SyscallPolicy); |
| 1420 | 1420 |
| 1421 Sandbox::setSandboxPolicy(SyscallPolicy, NULL); | 1421 Sandbox::SetSandboxPolicy(SyscallPolicy, NULL); |
| 1422 Sandbox::startSandbox(); | 1422 Sandbox::StartSandbox(); |
| 1423 | 1423 |
| 1424 return true; | 1424 return true; |
| 1425 } | 1425 } |
| 1426 | 1426 |
| 1427 } // namespace | 1427 } // namespace |
| 1428 | 1428 |
| 1429 #endif // SECCOMP_BPF_SANDBOX | 1429 #endif // SECCOMP_BPF_SANDBOX |
| 1430 | 1430 |
| 1431 namespace content { | 1431 namespace content { |
| 1432 | 1432 |
| (...skipping 18 matching lines...) Expand all Loading... |
| 1451 return true; | 1451 return true; |
| 1452 #endif // SECCOMP_BPF_SANDBOX | 1452 #endif // SECCOMP_BPF_SANDBOX |
| 1453 return false; | 1453 return false; |
| 1454 } | 1454 } |
| 1455 | 1455 |
| 1456 bool SandboxSeccompBpf::SupportsSandbox() { | 1456 bool SandboxSeccompBpf::SupportsSandbox() { |
| 1457 #if defined(SECCOMP_BPF_SANDBOX) | 1457 #if defined(SECCOMP_BPF_SANDBOX) |
| 1458 // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton | 1458 // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton |
| 1459 // here. | 1459 // here. |
| 1460 Sandbox::SandboxStatus bpf_sandbox_status = | 1460 Sandbox::SandboxStatus bpf_sandbox_status = |
| 1461 Sandbox::supportsSeccompSandbox(-1); | 1461 Sandbox::SupportsSeccompSandbox(-1); |
| 1462 // Kernel support is what we are interested in here. Other status | 1462 // Kernel support is what we are interested in here. Other status |
| 1463 // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support. | 1463 // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support. |
| 1464 // We make this a negative check, since if there is a bug, we would rather | 1464 // We make this a negative check, since if there is a bug, we would rather |
| 1465 // "fail closed" (expect a sandbox to be available and try to start it). | 1465 // "fail closed" (expect a sandbox to be available and try to start it). |
| 1466 if (bpf_sandbox_status != Sandbox::STATUS_UNSUPPORTED) { | 1466 if (bpf_sandbox_status != Sandbox::STATUS_UNSUPPORTED) { |
| 1467 return true; | 1467 return true; |
| 1468 } | 1468 } |
| 1469 #endif | 1469 #endif |
| 1470 return false; | 1470 return false; |
| 1471 } | 1471 } |
| 1472 | 1472 |
| 1473 bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { | 1473 bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { |
| 1474 #if defined(SECCOMP_BPF_SANDBOX) | 1474 #if defined(SECCOMP_BPF_SANDBOX) |
| 1475 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 1475 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 1476 | 1476 |
| 1477 if (IsSeccompBpfDesired() && // Global switches policy. | 1477 if (IsSeccompBpfDesired() && // Global switches policy. |
| 1478 ShouldEnableSeccompBpf(process_type) && // Process-specific policy. | 1478 ShouldEnableSeccompBpf(process_type) && // Process-specific policy. |
| 1479 SupportsSandbox()) { | 1479 SupportsSandbox()) { |
| 1480 // If the kernel supports the sandbox, and if the command line says we | 1480 // If the kernel supports the sandbox, and if the command line says we |
| 1481 // should enable it, enable it or die. | 1481 // should enable it, enable it or die. |
| 1482 bool started_sandbox = StartBpfSandbox(command_line, process_type); | 1482 bool started_sandbox = StartBpfSandbox(command_line, process_type); |
| 1483 CHECK(started_sandbox); | 1483 CHECK(started_sandbox); |
| 1484 return true; | 1484 return true; |
| 1485 } | 1485 } |
| 1486 #endif | 1486 #endif |
| 1487 return false; | 1487 return false; |
| 1488 } | 1488 } |
| 1489 | 1489 |
| 1490 } // namespace content | 1490 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 11411254:
SECCOMP-BPF: Added supported for inspection system call arguments from BPF filters. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src