OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
6 #include <dlfcn.h> | 6 #include <dlfcn.h> |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <linux/audit.h> | 9 #include <linux/audit.h> |
10 #include <linux/filter.h> | 10 #include <linux/filter.h> |
(...skipping 1251 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1262 if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) || | 1262 if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) || |
1263 IsDeniedGetOrModifySocket(sysno)) { | 1263 IsDeniedGetOrModifySocket(sysno)) { |
1264 return ErrorCode(EPERM); | 1264 return ErrorCode(EPERM); |
1265 } | 1265 } |
1266 | 1266 |
1267 if (IsBaselinePolicyWatched(sysno)) { | 1267 if (IsBaselinePolicyWatched(sysno)) { |
1268 // Previously unseen syscalls. TODO(jln): some of these should | 1268 // Previously unseen syscalls. TODO(jln): some of these should |
1269 // be denied gracefully right away. | 1269 // be denied gracefully right away. |
1270 return sandbox->Trap(CrashSIGSYS_Handler, NULL); | 1270 return sandbox->Trap(CrashSIGSYS_Handler, NULL); |
1271 } | 1271 } |
1272 // In any other case crash the program with our SIGSYS handler | 1272 // In any other case crash the program with our SIGSYS handler. |
1273 return sandbox->Trap(CrashSIGSYS_Handler, NULL); | 1273 return sandbox->Trap(CrashSIGSYS_Handler, NULL); |
1274 } | 1274 } |
1275 | 1275 |
1276 // x86_64/i386 for now. Needs to be adapted and tested for ARM. | 1276 // x86_64/i386. |
1277 ErrorCode GpuProcessPolicy(Sandbox *sandbox, int sysno, | 1277 ErrorCode GpuProcessPolicy(Sandbox *sandbox, int sysno, |
1278 void *broker_process) { | 1278 void *broker_process) { |
1279 switch(sysno) { | 1279 switch(sysno) { |
1280 case __NR_ioctl: | 1280 case __NR_ioctl: |
1281 case __NR_sched_getaffinity: | 1281 case __NR_sched_getaffinity: |
1282 case __NR_sched_setaffinity: | 1282 case __NR_sched_setaffinity: |
1283 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1283 return ErrorCode(ErrorCode::ERR_ALLOWED); |
1284 case __NR_open: | 1284 case __NR_open: |
1285 case __NR_openat: | 1285 case __NR_openat: |
1286 return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process); | 1286 return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process); |
1287 default: | 1287 default: |
1288 #if defined(__x86_64__) || defined(__arm__) | 1288 #if defined(__x86_64__) || defined(__arm__) |
1289 if (IsSystemVSharedMemory(sysno)) | 1289 if (IsSystemVSharedMemory(sysno)) |
1290 return ErrorCode(EACCES); | 1290 return ErrorCode(EACCES); |
1291 #endif | 1291 #endif |
1292 if (IsEventFd(sysno)) | 1292 if (IsEventFd(sysno)) |
1293 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1293 return ErrorCode(ErrorCode::ERR_ALLOWED); |
1294 | 1294 |
1295 // Default on the baseline policy. | 1295 // Default on the baseline policy. |
1296 return BaselinePolicy(sandbox, sysno); | 1296 return BaselinePolicy(sandbox, sysno); |
1297 } | 1297 } |
1298 } | 1298 } |
1299 | 1299 |
1300 // x86_64/i386 for now. Needs to be adapted and tested for ARM. | 1300 // x86_64/i386. |
1301 // A GPU broker policy is the same as a GPU policy with open and | 1301 // A GPU broker policy is the same as a GPU policy with open and |
1302 // openat allowed. | 1302 // openat allowed. |
1303 ErrorCode GpuBrokerProcessPolicy(Sandbox *sandbox, int sysno, void *aux) { | 1303 ErrorCode GpuBrokerProcessPolicy(Sandbox *sandbox, int sysno, void *aux) { |
1304 // "aux" would typically be NULL, when called from | 1304 // "aux" would typically be NULL, when called from |
1305 // "EnableGpuBrokerPolicyCallBack" | 1305 // "EnableGpuBrokerPolicyCallBack" |
1306 switch(sysno) { | 1306 switch(sysno) { |
1307 case __NR_open: | 1307 case __NR_open: |
1308 case __NR_openat: | 1308 case __NR_openat: |
1309 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1309 return ErrorCode(ErrorCode::ERR_ALLOWED); |
1310 default: | 1310 default: |
1311 return GpuProcessPolicy(sandbox, sysno, aux); | 1311 return GpuProcessPolicy(sandbox, sysno, aux); |
1312 } | 1312 } |
1313 } | 1313 } |
1314 | 1314 |
| 1315 // ARM Mali GPU process sandbox. |
| 1316 ErrorCode ArmMaliGpuProcessPolicy(Sandbox *sandbox, int sysno, |
| 1317 void *broker_process) { |
| 1318 switch(sysno) { |
| 1319 case __NR_ioctl: |
| 1320 #if defined(__arm__) |
| 1321 case __NR_access: // TODO(jorgelo): broker this out (crbug.com/232077). |
| 1322 // ARM GPU sandbox is started earlier so we need to allow networking |
| 1323 // in the sandbox. |
| 1324 // TODO(jorgelo): tighten this up. |
| 1325 case __NR_connect: |
| 1326 case __NR_getpeername: |
| 1327 case __NR_getsockname: |
| 1328 case __NR_socket: |
| 1329 case __NR_socketpair: |
| 1330 case __NR_sysinfo: |
| 1331 case __NR_uname: |
| 1332 #endif // defined(__arm__) |
| 1333 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 1334 case __NR_open: |
| 1335 case __NR_openat: |
| 1336 return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process); |
| 1337 default: |
| 1338 #if defined(__arm__) |
| 1339 if (IsSystemVSharedMemory(sysno)) |
| 1340 return ErrorCode(EACCES); |
| 1341 #endif |
| 1342 if (IsAdvancedScheduler(sysno) || IsEventFd(sysno)) |
| 1343 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 1344 |
| 1345 // Default on the baseline policy. |
| 1346 return BaselinePolicy(sandbox, sysno); |
| 1347 } |
| 1348 } |
| 1349 |
| 1350 // A GPU broker policy is the same as a GPU policy with open and |
| 1351 // openat allowed. |
| 1352 ErrorCode ArmMaliGpuBrokerProcessPolicy(Sandbox *sandbox, |
| 1353 int sysno, void *aux) { |
| 1354 // "aux" would typically be NULL, when called from |
| 1355 // "EnableGpuBrokerPolicyCallBack" |
| 1356 switch(sysno) { |
| 1357 case __NR_open: |
| 1358 case __NR_openat: |
| 1359 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 1360 default: |
| 1361 return ArmMaliGpuProcessPolicy(sandbox, sysno, aux); |
| 1362 } |
| 1363 } |
| 1364 |
1315 // Allow clone for threads, crash if anything else is attempted. | 1365 // Allow clone for threads, crash if anything else is attempted. |
1316 // Don't restrict on ASAN. | 1366 // Don't restrict on ASAN. |
1317 ErrorCode RestrictCloneToThreads(Sandbox *sandbox) { | 1367 ErrorCode RestrictCloneToThreads(Sandbox *sandbox) { |
1318 // Glibc's pthread. | 1368 // Glibc's pthread. |
1319 if (!RunningOnASAN()) { | 1369 if (!RunningOnASAN()) { |
1320 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 1370 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
1321 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | | 1371 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | |
1322 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | | 1372 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | |
1323 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, | 1373 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, |
1324 ErrorCode(ErrorCode::ERR_ALLOWED), | 1374 ErrorCode(ErrorCode::ERR_ALLOWED), |
(...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1446 // 64 bits system calls in compatibility mode. | 1496 // 64 bits system calls in compatibility mode. |
1447 ErrorCode AllowAllPolicy(Sandbox *, int sysno, void *) { | 1497 ErrorCode AllowAllPolicy(Sandbox *, int sysno, void *) { |
1448 if (!Sandbox::IsValidSyscallNumber(sysno)) { | 1498 if (!Sandbox::IsValidSyscallNumber(sysno)) { |
1449 // TODO(jln) we should not have to do that in a trivial policy. | 1499 // TODO(jln) we should not have to do that in a trivial policy. |
1450 return ErrorCode(ENOSYS); | 1500 return ErrorCode(ENOSYS); |
1451 } else { | 1501 } else { |
1452 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1502 return ErrorCode(ErrorCode::ERR_ALLOWED); |
1453 } | 1503 } |
1454 } | 1504 } |
1455 | 1505 |
1456 bool EnableGpuBrokerPolicyCallBack() { | 1506 bool EnableGpuBrokerPolicyCallback() { |
1457 StartSandboxWithPolicy(GpuBrokerProcessPolicy, NULL); | 1507 StartSandboxWithPolicy(GpuBrokerProcessPolicy, NULL); |
1458 return true; | 1508 return true; |
1459 } | 1509 } |
1460 | 1510 |
| 1511 bool EnableArmMaliGpuBrokerPolicyCallback() { |
| 1512 StartSandboxWithPolicy(ArmMaliGpuBrokerProcessPolicy, NULL); |
| 1513 return true; |
| 1514 } |
| 1515 |
| 1516 void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist, |
| 1517 std::vector<std::string>* write_whitelist) { |
| 1518 // On ARM we're enabling the sandbox before the X connection is made, |
| 1519 // so we need to allow access to |.Xauthority|. |
| 1520 static const char kXAutorityPath[] = "/home/chronos/.Xauthority"; |
| 1521 |
| 1522 // Devices and files needed by the ARM GPU userspace. |
| 1523 static const char kMali0Path[] = "/dev/mali0"; |
| 1524 static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; |
| 1525 static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; |
| 1526 |
| 1527 // Devices needed for video decode acceleration on ARM. |
| 1528 static const char kDevMfcDecPath[] = "/dev/mfc-dec"; |
| 1529 static const char kDevGsc1Path[] = "/dev/gsc1"; |
| 1530 |
| 1531 read_whitelist->push_back(kXAutorityPath); |
| 1532 read_whitelist->push_back(kMali0Path); |
| 1533 read_whitelist->push_back(kLibGlesPath); |
| 1534 read_whitelist->push_back(kLibEglPath); |
| 1535 read_whitelist->push_back(kDevMfcDecPath); |
| 1536 read_whitelist->push_back(kDevGsc1Path); |
| 1537 |
| 1538 write_whitelist->push_back(kMali0Path); |
| 1539 write_whitelist->push_back(kDevMfcDecPath); |
| 1540 write_whitelist->push_back(kDevGsc1Path); |
| 1541 } |
| 1542 |
1461 // Start a broker process to handle open() inside the sandbox. | 1543 // Start a broker process to handle open() inside the sandbox. |
1462 void InitGpuBrokerProcess(BrokerProcess** broker_process) { | 1544 void InitGpuBrokerProcess(Sandbox::EvaluateSyscall gpu_policy, |
| 1545 BrokerProcess** broker_process) { |
1463 static const char kDriRcPath[] = "/etc/drirc"; | 1546 static const char kDriRcPath[] = "/etc/drirc"; |
1464 static const char kDriCard0Path[] = "/dev/dri/card0"; | 1547 static const char kDriCard0Path[] = "/dev/dri/card0"; |
1465 | 1548 |
1466 CHECK(broker_process); | 1549 CHECK(broker_process); |
1467 CHECK(*broker_process == NULL); | 1550 CHECK(*broker_process == NULL); |
1468 | 1551 |
| 1552 bool (*sandbox_callback)(void) = NULL; |
| 1553 |
| 1554 // All GPU process policies need these files brokered out. |
1469 std::vector<std::string> read_whitelist; | 1555 std::vector<std::string> read_whitelist; |
1470 read_whitelist.push_back(kDriCard0Path); | 1556 read_whitelist.push_back(kDriCard0Path); |
1471 read_whitelist.push_back(kDriRcPath); | 1557 read_whitelist.push_back(kDriRcPath); |
| 1558 |
1472 std::vector<std::string> write_whitelist; | 1559 std::vector<std::string> write_whitelist; |
1473 write_whitelist.push_back(kDriCard0Path); | 1560 write_whitelist.push_back(kDriCard0Path); |
1474 | 1561 |
| 1562 if (gpu_policy == ArmMaliGpuProcessPolicy) { |
| 1563 // We shouldn't be using this policy on non-ARM architectures. |
| 1564 CHECK(IsArchitectureArm()); |
| 1565 |
| 1566 AddArmMaliGpuWhitelist(&read_whitelist, &write_whitelist); |
| 1567 sandbox_callback = EnableArmMaliGpuBrokerPolicyCallback; |
| 1568 } else if (gpu_policy == GpuProcessPolicy) { |
| 1569 sandbox_callback = EnableGpuBrokerPolicyCallback; |
| 1570 } else { |
| 1571 // We shouldn't be initializing a GPU broker process without a GPU process |
| 1572 // policy. |
| 1573 NOTREACHED(); |
| 1574 } |
| 1575 |
1475 *broker_process = new BrokerProcess(read_whitelist, write_whitelist); | 1576 *broker_process = new BrokerProcess(read_whitelist, write_whitelist); |
1476 // Initialize the broker process and give it a sandbox call back. | 1577 // Initialize the broker process and give it a sandbox callback. |
1477 CHECK((*broker_process)->Init(EnableGpuBrokerPolicyCallBack)); | 1578 CHECK((*broker_process)->Init(sandbox_callback)); |
1478 } | 1579 } |
1479 | 1580 |
1480 // Warms up/preloads resources needed by the policies. | 1581 // Warms up/preloads resources needed by the policies. |
1481 // Eventually start a broker process and return it in broker_process. | 1582 // Eventually start a broker process and return it in broker_process. |
1482 void WarmupPolicy(Sandbox::EvaluateSyscall policy, | 1583 void WarmupPolicy(Sandbox::EvaluateSyscall policy, |
1483 BrokerProcess** broker_process) { | 1584 BrokerProcess** broker_process) { |
1484 if (policy == GpuProcessPolicy) { | 1585 if (policy == GpuProcessPolicy) { |
| 1586 // Create a new broker process. |
| 1587 InitGpuBrokerProcess(policy, broker_process); |
| 1588 |
1485 if (IsArchitectureX86_64() || IsArchitectureI386()) { | 1589 if (IsArchitectureX86_64() || IsArchitectureI386()) { |
1486 // Create a new broker process. | |
1487 InitGpuBrokerProcess(broker_process); | |
1488 | |
1489 // Accelerated video decode dlopen()'s a shared object | 1590 // Accelerated video decode dlopen()'s a shared object |
1490 // inside the sandbox, so preload it now. | 1591 // inside the sandbox, so preload it now. |
1491 if (IsAcceleratedVideoDecodeEnabled()) { | 1592 if (IsAcceleratedVideoDecodeEnabled()) { |
1492 const char* I965DrvVideoPath = NULL; | 1593 const char* I965DrvVideoPath = NULL; |
1493 | 1594 |
1494 if (IsArchitectureX86_64()) { | 1595 if (IsArchitectureX86_64()) { |
1495 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; | 1596 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; |
1496 } else if (IsArchitectureI386()) { | 1597 } else if (IsArchitectureI386()) { |
1497 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; | 1598 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; |
1498 } | 1599 } |
1499 | 1600 |
1500 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); | 1601 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
1501 } | 1602 } |
1502 } | 1603 } |
| 1604 } else if (policy == ArmMaliGpuProcessPolicy) { |
| 1605 // Create a new broker process. |
| 1606 InitGpuBrokerProcess(policy, broker_process); |
1503 } | 1607 } |
1504 } | 1608 } |
1505 | 1609 |
1506 Sandbox::EvaluateSyscall GetProcessSyscallPolicy( | 1610 Sandbox::EvaluateSyscall GetProcessSyscallPolicy( |
1507 const CommandLine& command_line, | 1611 const CommandLine& command_line, |
1508 const std::string& process_type) { | 1612 const std::string& process_type) { |
1509 if (process_type == switches::kGpuProcess) { | 1613 if (process_type == switches::kGpuProcess) { |
1510 // On Chrome OS, --enable-gpu-sandbox enables the more restrictive policy. | 1614 // On Chrome OS, --enable-gpu-sandbox enables the more restrictive policy. |
1511 // However, we don't yet enable the more restrictive GPU process policy | 1615 if (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox)) |
1512 // on ARM. | 1616 return BlacklistDebugAndNumaPolicy; |
1513 if (IsArchitectureArm() || | 1617 // On Chrome OS ARM, we need a specific GPU process policy. |
1514 (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox))) | 1618 // TODO(jorgelo): switch to ArmMaliGpuProcessPolicy. |
| 1619 else if (IsChromeOS() && IsArchitectureArm()) |
1515 return BlacklistDebugAndNumaPolicy; | 1620 return BlacklistDebugAndNumaPolicy; |
1516 else | 1621 else |
1517 return GpuProcessPolicy; | 1622 return GpuProcessPolicy; |
1518 } | 1623 } |
1519 | 1624 |
1520 if (process_type == switches::kPpapiPluginProcess) { | 1625 if (process_type == switches::kPpapiPluginProcess) { |
1521 // TODO(jln): figure out what to do with non-Flash PPAPI | 1626 // TODO(jln): figure out what to do with non-Flash PPAPI |
1522 // out-of-process plug-ins. | 1627 // out-of-process plug-ins. |
1523 return FlashProcessPolicy; | 1628 return FlashProcessPolicy; |
1524 } | 1629 } |
(...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1623 // should enable it, enable it or die. | 1728 // should enable it, enable it or die. |
1624 bool started_sandbox = StartBpfSandbox(command_line, process_type); | 1729 bool started_sandbox = StartBpfSandbox(command_line, process_type); |
1625 CHECK(started_sandbox); | 1730 CHECK(started_sandbox); |
1626 return true; | 1731 return true; |
1627 } | 1732 } |
1628 #endif | 1733 #endif |
1629 return false; | 1734 return false; |
1630 } | 1735 } |
1631 | 1736 |
1632 } // namespace content | 1737 } // namespace content |
OLD | NEW |