| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
| 6 #include <dlfcn.h> | 6 #include <dlfcn.h> |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <linux/audit.h> | 9 #include <linux/audit.h> |
| 10 #include <linux/filter.h> | 10 #include <linux/filter.h> |
| (...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 94 *addr = '\0'; | 94 *addr = '\0'; |
| 95 // In case we hit a mapped address, hit the null page with just the syscall, | 95 // In case we hit a mapped address, hit the null page with just the syscall, |
| 96 // for paranoia. | 96 // for paranoia. |
| 97 syscall &= 0xfffUL; | 97 syscall &= 0xfffUL; |
| 98 addr = reinterpret_cast<volatile char*>(syscall); | 98 addr = reinterpret_cast<volatile char*>(syscall); |
| 99 *addr = '\0'; | 99 *addr = '\0'; |
| 100 for (;;) | 100 for (;;) |
| 101 _exit(1); | 101 _exit(1); |
| 102 } | 102 } |
| 103 | 103 |
| 104 // TODO(jln): rewrite reporting functions. |
| 105 intptr_t ReportCloneFailure(const struct arch_seccomp_data& args, void* aux) { |
| 106 // "flags" in the first argument in the kernel's clone(). |
| 107 // Mark as volatile to be able to find the value on the stack in a minidump. |
| 108 #if !defined(NDEBUG) |
| 109 RAW_LOG(ERROR, __FILE__":**CRASHING**:clone() failure\n"); |
| 110 #endif |
| 111 volatile uint64_t clone_flags = args.args[0]; |
| 112 volatile char* addr = |
| 113 reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF); |
| 114 *addr = '\0'; |
| 115 // Hit the NULL page if this fails to fault. |
| 116 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF); |
| 117 *addr = '\0'; |
| 118 for (;;) |
| 119 _exit(1); |
| 120 } |
| 121 |
| 104 bool IsAcceleratedVideoDecodeEnabled() { | 122 bool IsAcceleratedVideoDecodeEnabled() { |
| 105 // Accelerated video decode is currently enabled on Chrome OS, | 123 // Accelerated video decode is currently enabled on Chrome OS, |
| 106 // but not on Linux: crbug.com/137247. | 124 // but not on Linux: crbug.com/137247. |
| 107 bool is_enabled = IsChromeOS(); | 125 bool is_enabled = IsChromeOS(); |
| 108 | 126 |
| 109 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 127 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 110 is_enabled = is_enabled && | 128 is_enabled = is_enabled && |
| 111 !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode); | 129 !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode); |
| 112 | 130 |
| 113 return is_enabled; | 131 return is_enabled; |
| (...skipping 1115 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1229 ErrorCode GpuBrokerProcessPolicy(int sysno, void*) { | 1247 ErrorCode GpuBrokerProcessPolicy(int sysno, void*) { |
| 1230 switch(sysno) { | 1248 switch(sysno) { |
| 1231 case __NR_open: | 1249 case __NR_open: |
| 1232 case __NR_openat: | 1250 case __NR_openat: |
| 1233 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1251 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 1234 default: | 1252 default: |
| 1235 return GpuProcessPolicy(sysno, NULL); | 1253 return GpuProcessPolicy(sysno, NULL); |
| 1236 } | 1254 } |
| 1237 } | 1255 } |
| 1238 | 1256 |
| 1257 // Allow clone for threads, crash if anything else is attempted. |
| 1258 ErrorCode RestrictCloneToThreads() { |
| 1259 // Glibc's pthread. |
| 1260 return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| 1261 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | |
| 1262 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | |
| 1263 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, |
| 1264 ErrorCode(ErrorCode::ERR_ALLOWED), |
| 1265 Sandbox::Trap(ReportCloneFailure, NULL)); |
| 1266 } |
| 1267 |
| 1239 ErrorCode RendererOrWorkerProcessPolicy(int sysno, void *) { | 1268 ErrorCode RendererOrWorkerProcessPolicy(int sysno, void *) { |
| 1240 switch (sysno) { | 1269 switch (sysno) { |
| 1270 case __NR_clone: |
| 1271 #if defined(__x86_64__) && defined(OS_LINUX) |
| 1272 // TODO(jln): extend to other architectures. |
| 1273 return RestrictCloneToThreads(); |
| 1274 #endif |
| 1241 case __NR_ioctl: // TODO(jln) investigate legitimate use in the renderer | 1275 case __NR_ioctl: // TODO(jln) investigate legitimate use in the renderer |
| 1242 // and see if alternatives can be used. | 1276 // and see if alternatives can be used. |
| 1243 case __NR_fdatasync: | 1277 case __NR_fdatasync: |
| 1244 case __NR_fsync: | 1278 case __NR_fsync: |
| 1245 #if defined(__i386__) || defined(__x86_64__) | 1279 #if defined(__i386__) || defined(__x86_64__) |
| 1246 case __NR_getrlimit: | 1280 case __NR_getrlimit: |
| 1247 #endif | 1281 #endif |
| 1248 case __NR_mremap: // See crbug.com/149834. | 1282 case __NR_mremap: // See crbug.com/149834. |
| 1249 case __NR_pread64: | 1283 case __NR_pread64: |
| 1250 case __NR_pwrite64: | 1284 case __NR_pwrite64: |
| (...skipping 242 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1493 // should enable it, enable it or die. | 1527 // should enable it, enable it or die. |
| 1494 bool started_sandbox = StartBpfSandbox(command_line, process_type); | 1528 bool started_sandbox = StartBpfSandbox(command_line, process_type); |
| 1495 CHECK(started_sandbox); | 1529 CHECK(started_sandbox); |
| 1496 return true; | 1530 return true; |
| 1497 } | 1531 } |
| 1498 #endif | 1532 #endif |
| 1499 return false; | 1533 return false; |
| 1500 } | 1534 } |
| 1501 | 1535 |
| 1502 } // namespace content | 1536 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12209029:
Linux sandbox: restrict clone() in renderer processes. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src