Non-SFI mode: Sandbox support for NaCl async-signals.

components/nacl/loader/nonsfi/nonsfi_sandbox.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/net.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <sys/socket.h>
 #include <sys/syscall.h>
 #include <sys/time.h>
 
 #include "base/basictypes.h"
 #include "base/logging.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "content/public/common/sandbox_init.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/system_headers/linux_futex.h"
+#include "sandbox/linux/system_headers/linux_signal.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 
 // Chrome OS Daisy (ARM) build environment and PNaCl toolchain do not define
 // MAP_STACK.
 #if !defined(MAP_STACK)
 # if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY)
 #  define MAP_STACK 0x20000
 # else
 // Note that, on other architecture, MAP_STACK has different value (e.g. mips'
 // MAP_STACK is 0x40000), though Non-SFI is not supported on such
@@ skipping 41 matching lines @@
 
 ResultExpr RestrictClone() {
   // We allow clone only for new thread creation.
   int clone_flags =
       CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
       CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS;
 #if !defined(OS_NACL_NONSFI)
   clone_flags |= CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
 #endif
   const Arg<int> flags(0);
-  return If(flags == clone_flags, Allow()).Else(CrashSIGSYSClone());
+  // TODO(lhchavez): Add CLONE_PARENT_SETTID unconditionally to the allowed
+  // flags after the NaCl roll.
+  return If(flags == clone_flags ||
+                flags == (clone_flags | CLONE_PARENT_SETTID),
+            Allow()).Else(CrashSIGSYSClone());
 }
 
 ResultExpr RestrictFutexOperation() {
   // TODO(hamaji): Allow only FUTEX_PRIVATE_FLAG futexes.
   const uint64_t kAllowedFutexFlags = FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME;
   const Arg<int> op(1);
   return Switch(op & ~kAllowedFutexFlags)
       .CASES((FUTEX_WAIT,
               FUTEX_WAKE,
               FUTEX_REQUEUE,
@@ skipping 42 matching lines @@
       MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK | MAP_FIXED;
   // When PROT_EXEC is specified, IRT mmap of Non-SFI NaCl helper
   // calls mmap without PROT_EXEC and then adds PROT_EXEC by mprotect,
   // so we do not need to allow PROT_EXEC in mmap.
   const uint64_t kAllowedProtMask = PROT_READ | PROT_WRITE;
   const Arg<int> prot(2), flags(3);
   return If((prot & ~kAllowedProtMask) == 0 && (flags & ~kAllowedFlagMask) == 0,
             Allow()).Else(CrashSIGSYS());
 }
 
+ResultExpr RestrictTgkill() {
+  const Arg<int> tgid(0), tid(1), signum(2);
+  // Only sending SIGUSR1 to a thread in the same process is allowed.
+  return If(tgid == getpid() &&

[jln (very slow on Chromium), 2015/08/17 21:21:11]

Don't use getpid() in policies. This should be a property of the policy itself,
recorded when the object is created.

You can look at sandbox/linux/seccomp-bpf-helpers/baseline_policy.h:policy_pid_

There are several reason for this, but in general we don't want policies to
depend on "environment" (we should be able to construct them out of process for
instance).

[Luis Héctor Chávez, 2015/08/17 22:13:07]

Done.

+            // Arg does not support a greater-than operator, so two separate
+            // checks are needed to ensure tid is positive.
+            tid != 0 &&

[jln (very slow on Chromium), 2015/08/17 21:21:11]

FYI, this check isn't strictly necessary, Linux doesn't allow negative tids
anyways. But I like the paranoia, fine to keep.

[Luis Héctor Chávez, 2015/08/17 22:13:07]

Acknowledged.

+            (tid & (1u << 31)) == 0 &&  // tid is non-negative.
+            signum == LINUX_SIGUSR1,
+            Allow()).Else(CrashSIGSYS());
+}
+
 #if !defined(OS_NACL_NONSFI) && (defined(__x86_64__) || defined(__arm__))
 ResultExpr RestrictSocketpair() {
   // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
   static_assert(AF_UNIX == PF_UNIX, "AF_UNIX must equal PF_UNIX.");
   const Arg<int> domain(0);
   return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS());
 }
 #endif
 
 bool IsGracefullyDenied(int sysno) {
@@ skipping 138 matching lines @@
 #if !defined(OS_NACL_NONSFI)
     // nacl_helper in Non-SFI mode still uses socketpair() internally
     // via libevent.
     // TODO(hidehiko): Remove this when the switching to nacl_helper_nonsfi
     // is completed.
     case __NR_socketpair:
       return RestrictSocketpair();
 #endif
 #endif
 
+    case __NR_tgkill:
+      return RestrictTgkill();
+
     case __NR_brk:
       // The behavior of brk on Linux is different from other system
       // calls. It does not return errno but the current break on
       // failure. glibc thinks brk failed if the return value of brk
       // is less than the requested address (i.e., brk(addr) < addr).
       // So, glibc thinks brk succeeded if we return -EPERM and we
       // need to return zero instead.
       return Error(0);
 
     default:
@@ skipping 13 matching lines @@
           new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy()),
       proc_fd.Pass());
   if (!sandbox_is_initialized)
     return false;
   RunSandboxSanityChecks();
   return true;
 }
 
 }  // namespace nonsfi
 }  // namespace nacl