| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
| 6 #include <dlfcn.h> | 6 #include <dlfcn.h> |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <linux/audit.h> | 9 #include <linux/audit.h> |
| 10 #include <linux/filter.h> | 10 #include <linux/filter.h> |
| (...skipping 20 matching lines...) Expand all Loading... |
| 31 // These are the only architectures supported for now. | 31 // These are the only architectures supported for now. |
| 32 #if defined(__i386__) || defined(__x86_64__) || \ | 32 #if defined(__i386__) || defined(__x86_64__) || \ |
| 33 (defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))) | 33 (defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))) |
| 34 #define SECCOMP_BPF_SANDBOX | 34 #define SECCOMP_BPF_SANDBOX |
| 35 #endif | 35 #endif |
| 36 | 36 |
| 37 #if defined(SECCOMP_BPF_SANDBOX) | 37 #if defined(SECCOMP_BPF_SANDBOX) |
| 38 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 38 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 39 #include "sandbox/linux/services/linux_syscalls.h" | 39 #include "sandbox/linux/services/linux_syscalls.h" |
| 40 | 40 |
| 41 using content::LinuxSandbox; |
| 41 using playground2::arch_seccomp_data; | 42 using playground2::arch_seccomp_data; |
| 42 using playground2::ErrorCode; | 43 using playground2::ErrorCode; |
| 43 using playground2::Sandbox; | 44 using playground2::Sandbox; |
| 44 using sandbox::BrokerProcess; | 45 using sandbox::BrokerProcess; |
| 45 | 46 |
| 46 namespace { | 47 namespace { |
| 47 | 48 |
| 48 void StartSandboxWithPolicy(Sandbox::EvaluateSyscall syscall_policy, | 49 void StartSandboxWithPolicy(Sandbox::EvaluateSyscall syscall_policy, |
| 49 BrokerProcess* broker_process); | 50 BrokerProcess* broker_process); |
| 50 | 51 |
| (...skipping 1447 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1498 } | 1499 } |
| 1499 | 1500 |
| 1500 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); | 1501 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| 1501 } | 1502 } |
| 1502 } | 1503 } |
| 1503 } | 1504 } |
| 1504 } | 1505 } |
| 1505 | 1506 |
| 1506 Sandbox::EvaluateSyscall GetProcessSyscallPolicy( | 1507 Sandbox::EvaluateSyscall GetProcessSyscallPolicy( |
| 1507 const CommandLine& command_line, | 1508 const CommandLine& command_line, |
| 1508 const std::string& process_type) { | 1509 LinuxSandbox::SandboxConfig sandbox_config) { |
| 1509 if (process_type == switches::kGpuProcess) { | 1510 if (sandbox_config == LinuxSandbox::SANDBOX_CONFIG_GPU) { |
| 1510 // On Chrome OS, --enable-gpu-sandbox enables the more restrictive policy. | 1511 // On Chrome OS, --enable-gpu-sandbox enables the more restrictive policy. |
| 1511 // However, we don't yet enable the more restrictive GPU process policy | 1512 // However, we don't yet enable the more restrictive GPU process policy |
| 1512 // on ARM. | 1513 // on ARM. |
| 1513 if (IsArchitectureArm() || | 1514 if (IsArchitectureArm() || |
| 1514 (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox))) | 1515 (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox))) |
| 1515 return BlacklistDebugAndNumaPolicy; | 1516 return BlacklistDebugAndNumaPolicy; |
| 1516 else | 1517 else |
| 1517 return GpuProcessPolicy; | 1518 return GpuProcessPolicy; |
| 1518 } | 1519 } |
| 1519 | 1520 |
| 1520 if (process_type == switches::kPpapiPluginProcess) { | 1521 if (sandbox_config == LinuxSandbox::SANDBOX_CONFIG_PPAPI) { |
| 1521 // TODO(jln): figure out what to do with non-Flash PPAPI | 1522 // TODO(jln): figure out what to do with non-Flash PPAPI |
| 1522 // out-of-process plug-ins. | 1523 // out-of-process plug-ins. |
| 1523 return FlashProcessPolicy; | 1524 return FlashProcessPolicy; |
| 1524 } | 1525 } |
| 1525 | 1526 |
| 1526 if (process_type == switches::kRendererProcess || | 1527 if (sandbox_config == LinuxSandbox::SANDBOX_CONFIG_RENDERER || |
| 1527 process_type == switches::kWorkerProcess) { | 1528 sandbox_config == LinuxSandbox::SANDBOX_CONFIG_WORKER) { |
| 1528 return RendererOrWorkerProcessPolicy; | 1529 return RendererOrWorkerProcessPolicy; |
| 1529 } | 1530 } |
| 1530 | 1531 |
| 1531 if (process_type == switches::kUtilityProcess) { | 1532 if (sandbox_config == LinuxSandbox::SANDBOX_CONFIG_UTILITY) { |
| 1532 return BlacklistDebugAndNumaPolicy; | 1533 return BlacklistDebugAndNumaPolicy; |
| 1533 } | 1534 } |
| 1534 | 1535 |
| 1535 NOTREACHED(); | 1536 NOTREACHED(); |
| 1536 // This will be our default if we need one. | 1537 // This will be our default if we need one. |
| 1537 return AllowAllPolicy; | 1538 return AllowAllPolicy; |
| 1538 } | 1539 } |
| 1539 | 1540 |
| 1540 // broker_process can be NULL if there is no need for one. | 1541 // broker_process can be NULL if there is no need for one. |
| 1541 void StartSandboxWithPolicy(Sandbox::EvaluateSyscall syscall_policy, | 1542 void StartSandboxWithPolicy(Sandbox::EvaluateSyscall syscall_policy, |
| 1542 BrokerProcess* broker_process) { | 1543 BrokerProcess* broker_process) { |
| 1543 // Starting the sandbox is a one-way operation. The kernel doesn't allow | 1544 // Starting the sandbox is a one-way operation. The kernel doesn't allow |
| 1544 // us to unload a sandbox policy after it has been started. Nonetheless, | 1545 // us to unload a sandbox policy after it has been started. Nonetheless, |
| 1545 // in order to make the use of the "Sandbox" object easier, we allow for | 1546 // in order to make the use of the "Sandbox" object easier, we allow for |
| 1546 // the object to be destroyed after the sandbox has been started. Note that | 1547 // the object to be destroyed after the sandbox has been started. Note that |
| 1547 // doing so does not stop the sandbox. | 1548 // doing so does not stop the sandbox. |
| 1548 Sandbox sandbox; | 1549 Sandbox sandbox; |
| 1549 sandbox.SetSandboxPolicy(syscall_policy, broker_process); | 1550 sandbox.SetSandboxPolicy(syscall_policy, broker_process); |
| 1550 sandbox.StartSandbox(); | 1551 sandbox.StartSandbox(); |
| 1551 } | 1552 } |
| 1552 | 1553 |
| 1553 // Initialize the seccomp-bpf sandbox. | 1554 // Initialize the seccomp-bpf sandbox. |
| 1554 bool StartBpfSandbox(const CommandLine& command_line, | 1555 bool StartBpfSandbox(const CommandLine& command_line, |
| 1555 const std::string& process_type) { | 1556 LinuxSandbox::SandboxConfig sandbox_config) { |
| 1556 Sandbox::EvaluateSyscall syscall_policy = | 1557 Sandbox::EvaluateSyscall syscall_policy = |
| 1557 GetProcessSyscallPolicy(command_line, process_type); | 1558 GetProcessSyscallPolicy(command_line, sandbox_config); |
| 1558 | 1559 |
| 1559 BrokerProcess* broker_process = NULL; | 1560 BrokerProcess* broker_process = NULL; |
| 1560 // Warm up resources needed by the policy we're about to enable and | 1561 // Warm up resources needed by the policy we're about to enable and |
| 1561 // eventually start a broker process. | 1562 // eventually start a broker process. |
| 1562 WarmupPolicy(syscall_policy, &broker_process); | 1563 WarmupPolicy(syscall_policy, &broker_process); |
| 1563 | 1564 |
| 1564 StartSandboxWithPolicy(syscall_policy, broker_process); | 1565 StartSandboxWithPolicy(syscall_policy, broker_process); |
| 1565 | 1566 |
| 1566 return true; | 1567 return true; |
| 1567 } | 1568 } |
| 1568 | 1569 |
| 1569 } // namespace | 1570 } // namespace |
| 1570 | 1571 |
| 1571 #endif // SECCOMP_BPF_SANDBOX | 1572 #endif // SECCOMP_BPF_SANDBOX |
| 1572 | 1573 |
| 1573 namespace content { | 1574 namespace content { |
| 1574 | 1575 |
| 1575 // Is seccomp BPF globally enabled? | 1576 // Is seccomp BPF globally enabled? |
| 1576 bool SandboxSeccompBpf::IsSeccompBpfDesired() { | 1577 bool SandboxSeccompBpf::IsSeccompBpfDesired() { |
| 1577 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 1578 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 1578 if (!command_line.HasSwitch(switches::kNoSandbox) && | 1579 if (!command_line.HasSwitch(switches::kNoSandbox) && |
| 1579 !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { | 1580 !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { |
| 1580 return true; | 1581 return true; |
| 1581 } else { | 1582 } else { |
| 1582 return false; | 1583 return false; |
| 1583 } | 1584 } |
| 1584 } | 1585 } |
| 1585 | 1586 |
| 1586 bool SandboxSeccompBpf::ShouldEnableSeccompBpf( | 1587 bool SandboxSeccompBpf::ShouldEnableSeccompBpf( |
| 1587 const std::string& process_type) { | 1588 LinuxSandbox::SandboxConfig sandbox_config) { |
| 1588 #if defined(SECCOMP_BPF_SANDBOX) | 1589 #if defined(SECCOMP_BPF_SANDBOX) |
| 1589 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 1590 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 1590 if (process_type == switches::kGpuProcess) | 1591 if (sandbox_config == LinuxSandbox::SANDBOX_CONFIG_GPU) |
| 1591 return !command_line.HasSwitch(switches::kDisableGpuSandbox); | 1592 return !command_line.HasSwitch(switches::kDisableGpuSandbox); |
| 1592 | 1593 |
| 1593 return true; | 1594 return true; |
| 1594 #endif // SECCOMP_BPF_SANDBOX | 1595 #endif // SECCOMP_BPF_SANDBOX |
| 1595 return false; | 1596 return false; |
| 1596 } | 1597 } |
| 1597 | 1598 |
| 1598 bool SandboxSeccompBpf::SupportsSandbox() { | 1599 bool SandboxSeccompBpf::SupportsSandbox() { |
| 1599 #if defined(SECCOMP_BPF_SANDBOX) | 1600 #if defined(SECCOMP_BPF_SANDBOX) |
| 1600 // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton | 1601 // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton |
| 1601 // here. | 1602 // here. |
| 1602 Sandbox::SandboxStatus bpf_sandbox_status = | 1603 Sandbox::SandboxStatus bpf_sandbox_status = |
| 1603 Sandbox::SupportsSeccompSandbox(-1); | 1604 Sandbox::SupportsSeccompSandbox(-1); |
| 1604 // Kernel support is what we are interested in here. Other status | 1605 // Kernel support is what we are interested in here. Other status |
| 1605 // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support. | 1606 // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support. |
| 1606 // We make this a negative check, since if there is a bug, we would rather | 1607 // We make this a negative check, since if there is a bug, we would rather |
| 1607 // "fail closed" (expect a sandbox to be available and try to start it). | 1608 // "fail closed" (expect a sandbox to be available and try to start it). |
| 1608 if (bpf_sandbox_status != Sandbox::STATUS_UNSUPPORTED) { | 1609 if (bpf_sandbox_status != Sandbox::STATUS_UNSUPPORTED) { |
| 1609 return true; | 1610 return true; |
| 1610 } | 1611 } |
| 1611 #endif | 1612 #endif |
| 1612 return false; | 1613 return false; |
| 1613 } | 1614 } |
| 1614 | 1615 |
| 1615 bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { | 1616 bool SandboxSeccompBpf::StartSandbox( |
| 1617 LinuxSandbox::SandboxConfig sandbox_config) { |
| 1616 #if defined(SECCOMP_BPF_SANDBOX) | 1618 #if defined(SECCOMP_BPF_SANDBOX) |
| 1617 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 1619 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 1618 | 1620 |
| 1619 if (IsSeccompBpfDesired() && // Global switches policy. | 1621 if (IsSeccompBpfDesired() && // Global switches policy. |
| 1620 ShouldEnableSeccompBpf(process_type) && // Process-specific policy. | 1622 ShouldEnableSeccompBpf(sandbox_config) && // Process-specific policy. |
| 1621 SupportsSandbox()) { | 1623 SupportsSandbox()) { |
| 1622 // If the kernel supports the sandbox, and if the command line says we | 1624 // If the kernel supports the sandbox, and if the command line says we |
| 1623 // should enable it, enable it or die. | 1625 // should enable it, enable it or die. |
| 1624 bool started_sandbox = StartBpfSandbox(command_line, process_type); | 1626 bool started_sandbox = StartBpfSandbox(command_line, sandbox_config); |
| 1625 CHECK(started_sandbox); | 1627 CHECK(started_sandbox); |
| 1626 return true; | 1628 return true; |
| 1627 } | 1629 } |
| 1628 #endif | 1630 #endif |
| 1629 return false; | 1631 return false; |
| 1630 } | 1632 } |
| 1631 | 1633 |
| 1632 } // namespace content | 1634 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 13814027:
Linux: make current InitializeSandbox() private. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src