OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
6 #include <dlfcn.h> | 6 #include <dlfcn.h> |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <linux/audit.h> | 9 #include <linux/audit.h> |
10 #include <linux/filter.h> | 10 #include <linux/filter.h> |
(...skipping 1251 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1262 if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) || | 1262 if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) || |
1263 IsDeniedGetOrModifySocket(sysno)) { | 1263 IsDeniedGetOrModifySocket(sysno)) { |
1264 return ErrorCode(EPERM); | 1264 return ErrorCode(EPERM); |
1265 } | 1265 } |
1266 | 1266 |
1267 if (IsBaselinePolicyWatched(sysno)) { | 1267 if (IsBaselinePolicyWatched(sysno)) { |
1268 // Previously unseen syscalls. TODO(jln): some of these should | 1268 // Previously unseen syscalls. TODO(jln): some of these should |
1269 // be denied gracefully right away. | 1269 // be denied gracefully right away. |
1270 return sandbox->Trap(CrashSIGSYS_Handler, NULL); | 1270 return sandbox->Trap(CrashSIGSYS_Handler, NULL); |
1271 } | 1271 } |
1272 // In any other case crash the program with our SIGSYS handler | 1272 // In any other case crash the program with our SIGSYS handler. |
1273 return sandbox->Trap(CrashSIGSYS_Handler, NULL); | 1273 return sandbox->Trap(CrashSIGSYS_Handler, NULL); |
1274 } | 1274 } |
1275 | 1275 |
1276 // x86_64/i386 for now. Needs to be adapted and tested for ARM. | 1276 // x86_64/i386. |
1277 ErrorCode GpuProcessPolicy(Sandbox *sandbox, int sysno, | 1277 ErrorCode GpuProcessPolicy(Sandbox *sandbox, int sysno, |
1278 void *broker_process) { | 1278 void *broker_process) { |
1279 switch(sysno) { | 1279 switch(sysno) { |
1280 case __NR_ioctl: | 1280 case __NR_ioctl: |
1281 case __NR_sched_getaffinity: | 1281 case __NR_sched_getaffinity: |
1282 case __NR_sched_setaffinity: | 1282 case __NR_sched_setaffinity: |
1283 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1283 return ErrorCode(ErrorCode::ERR_ALLOWED); |
1284 case __NR_open: | 1284 case __NR_open: |
1285 case __NR_openat: | 1285 case __NR_openat: |
1286 return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process); | 1286 return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process); |
1287 default: | 1287 default: |
1288 #if defined(__x86_64__) || defined(__arm__) | 1288 #if defined(__x86_64__) || defined(__arm__) |
1289 if (IsSystemVSharedMemory(sysno)) | 1289 if (IsSystemVSharedMemory(sysno)) |
1290 return ErrorCode(EACCES); | 1290 return ErrorCode(EACCES); |
1291 #endif | 1291 #endif |
1292 if (IsEventFd(sysno)) | 1292 if (IsEventFd(sysno)) |
1293 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1293 return ErrorCode(ErrorCode::ERR_ALLOWED); |
1294 | 1294 |
1295 // Default on the baseline policy. | 1295 // Default on the baseline policy. |
1296 return BaselinePolicy(sandbox, sysno); | 1296 return BaselinePolicy(sandbox, sysno); |
1297 } | 1297 } |
1298 } | 1298 } |
1299 | 1299 |
1300 // x86_64/i386 for now. Needs to be adapted and tested for ARM. | 1300 // x86_64/i386. |
1301 // A GPU broker policy is the same as a GPU policy with open and | 1301 // A GPU broker policy is the same as a GPU policy with open and |
1302 // openat allowed. | 1302 // openat allowed. |
1303 ErrorCode GpuBrokerProcessPolicy(Sandbox *sandbox, int sysno, void *aux) { | 1303 ErrorCode GpuBrokerProcessPolicy(Sandbox *sandbox, int sysno, void *aux) { |
1304 // "aux" would typically be NULL, when called from | 1304 // "aux" would typically be NULL, when called from |
1305 // "EnableGpuBrokerPolicyCallBack" | 1305 // "EnableGpuBrokerPolicyCallBack" |
1306 switch(sysno) { | 1306 switch(sysno) { |
1307 case __NR_open: | 1307 case __NR_open: |
1308 case __NR_openat: | 1308 case __NR_openat: |
1309 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1309 return ErrorCode(ErrorCode::ERR_ALLOWED); |
1310 default: | 1310 default: |
1311 return GpuProcessPolicy(sandbox, sysno, aux); | 1311 return GpuProcessPolicy(sandbox, sysno, aux); |
1312 } | 1312 } |
1313 } | 1313 } |
1314 | 1314 |
1315 // ARM Mali GPU process sandbox. | |
1316 ErrorCode ArmMaliGpuProcessPolicy(Sandbox *sandbox, int sysno, | |
1317 void *broker_process) { | |
1318 switch(sysno) { | |
1319 case __NR_ioctl: | |
1320 #if defined(__arm__) | |
1321 // ARM GPU sandbox is started earlier so we need to allow more stuff. | |
jln (very slow on Chromium)
2013/04/23 02:22:47
Maybe add a clear comment: this means that network
Jorge Lucangeli Obes
2013/04/23 17:20:41
I think we might be able to, but I'd rather get FS
| |
1322 case __NR_access: | |
jln (very slow on Chromium)
2013/04/23 02:22:47
As discussed, let's get rid of that once you can ;
Jorge Lucangeli Obes
2013/04/23 17:20:41
Added TODO. Since this CL does *not* enable the sa
| |
1323 case __NR_socket: | |
1324 case __NR_socketpair: | |
1325 case __NR_connect: | |
1326 case __NR_getpeername: | |
jln (very slow on Chromium)
2013/04/23 02:22:47
Please sort!
Jorge Lucangeli Obes
2013/04/23 17:20:41
Done.
| |
1327 case __NR_getsockname: | |
1328 case __NR_sysinfo: | |
1329 case __NR_uname: | |
1330 #endif // defined(__arm__) | |
1331 return ErrorCode(ErrorCode::ERR_ALLOWED); | |
1332 case __NR_open: | |
1333 case __NR_openat: | |
1334 return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process); | |
1335 default: | |
1336 #if defined(__arm__) | |
1337 if (IsSystemVSharedMemory(sysno)) | |
1338 return ErrorCode(EACCES); | |
1339 | |
1340 if (IsAdvancedScheduler(sysno)) | |
jln (very slow on Chromium)
2013/04/23 02:22:47
This one should compile on all architectures (I'm
Jorge Lucangeli Obes
2013/04/23 17:20:41
Done.
| |
1341 return ErrorCode(ErrorCode::ERR_ALLOWED); | |
1342 #endif | |
1343 if (IsEventFd(sysno)) | |
1344 return ErrorCode(ErrorCode::ERR_ALLOWED); | |
1345 | |
1346 // Default on the baseline policy. | |
1347 return BaselinePolicy(sandbox, sysno); | |
1348 } | |
1349 } | |
1350 | |
1351 // A GPU broker policy is the same as a GPU policy with open and | |
1352 // openat allowed. | |
1353 ErrorCode ArmMaliGpuBrokerProcessPolicy(Sandbox *sandbox, | |
1354 int sysno, void *aux) { | |
1355 // "aux" would typically be NULL, when called from | |
1356 // "EnableGpuBrokerPolicyCallBack" | |
1357 switch(sysno) { | |
1358 case __NR_open: | |
1359 case __NR_openat: | |
1360 return ErrorCode(ErrorCode::ERR_ALLOWED); | |
1361 default: | |
1362 return ArmMaliGpuProcessPolicy(sandbox, sysno, aux); | |
1363 } | |
1364 } | |
1365 | |
1315 // Allow clone for threads, crash if anything else is attempted. | 1366 // Allow clone for threads, crash if anything else is attempted. |
1316 // Don't restrict on ASAN. | 1367 // Don't restrict on ASAN. |
1317 ErrorCode RestrictCloneToThreads(Sandbox *sandbox) { | 1368 ErrorCode RestrictCloneToThreads(Sandbox *sandbox) { |
1318 // Glibc's pthread. | 1369 // Glibc's pthread. |
1319 if (!RunningOnASAN()) { | 1370 if (!RunningOnASAN()) { |
1320 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, | 1371 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
1321 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | | 1372 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | |
1322 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | | 1373 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | |
1323 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, | 1374 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, |
1324 ErrorCode(ErrorCode::ERR_ALLOWED), | 1375 ErrorCode(ErrorCode::ERR_ALLOWED), |
(...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1446 // 64 bits system calls in compatibility mode. | 1497 // 64 bits system calls in compatibility mode. |
1447 ErrorCode AllowAllPolicy(Sandbox *, int sysno, void *) { | 1498 ErrorCode AllowAllPolicy(Sandbox *, int sysno, void *) { |
1448 if (!Sandbox::IsValidSyscallNumber(sysno)) { | 1499 if (!Sandbox::IsValidSyscallNumber(sysno)) { |
1449 // TODO(jln) we should not have to do that in a trivial policy. | 1500 // TODO(jln) we should not have to do that in a trivial policy. |
1450 return ErrorCode(ENOSYS); | 1501 return ErrorCode(ENOSYS); |
1451 } else { | 1502 } else { |
1452 return ErrorCode(ErrorCode::ERR_ALLOWED); | 1503 return ErrorCode(ErrorCode::ERR_ALLOWED); |
1453 } | 1504 } |
1454 } | 1505 } |
1455 | 1506 |
1456 bool EnableGpuBrokerPolicyCallBack() { | 1507 bool EnableGpuBrokerPolicyCallback() { |
1457 StartSandboxWithPolicy(GpuBrokerProcessPolicy, NULL); | 1508 StartSandboxWithPolicy(GpuBrokerProcessPolicy, NULL); |
1458 return true; | 1509 return true; |
1459 } | 1510 } |
1460 | 1511 |
1512 bool EnableArmMaliGpuBrokerPolicyCallback() { | |
1513 StartSandboxWithPolicy(ArmMaliGpuBrokerProcessPolicy, NULL); | |
1514 return true; | |
1515 } | |
1516 | |
1517 void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist, | |
1518 std::vector<std::string>* write_whitelist) { | |
1519 // On ARM we're enabling the sandbox before the X connection is made, | |
1520 // so we need to allow access to |.Xauthority|. | |
1521 static const char kXAutorityPath[] = "/home/chronos/.Xauthority"; | |
1522 | |
1523 // Devices and files needed by the ARM GPU userspace. | |
1524 static const char kMali0Path[] = "/dev/mali0"; | |
1525 static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; | |
1526 static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; | |
1527 | |
1528 // Devices needed for video decode acceleration on ARM. | |
1529 static const char kDevMfcDecPath[] = "/dev/mfc-dec"; | |
1530 static const char kDevGsc1Path[] = "/dev/gsc1"; | |
1531 | |
1532 read_whitelist->push_back(kXAutorityPath); | |
1533 read_whitelist->push_back(kMali0Path); | |
1534 read_whitelist->push_back(kLibGlesPath); | |
1535 read_whitelist->push_back(kLibEglPath); | |
1536 read_whitelist->push_back(kDevMfcDecPath); | |
1537 read_whitelist->push_back(kDevGsc1Path); | |
1538 | |
1539 write_whitelist->push_back(kMali0Path); | |
1540 write_whitelist->push_back(kDevMfcDecPath); | |
1541 write_whitelist->push_back(kDevGsc1Path); | |
1542 } | |
1543 | |
1461 // Start a broker process to handle open() inside the sandbox. | 1544 // Start a broker process to handle open() inside the sandbox. |
1462 void InitGpuBrokerProcess(BrokerProcess** broker_process) { | 1545 void InitGpuBrokerProcess(Sandbox::EvaluateSyscall gpu_policy, |
1546 BrokerProcess** broker_process) { | |
1463 static const char kDriRcPath[] = "/etc/drirc"; | 1547 static const char kDriRcPath[] = "/etc/drirc"; |
1464 static const char kDriCard0Path[] = "/dev/dri/card0"; | 1548 static const char kDriCard0Path[] = "/dev/dri/card0"; |
1465 | 1549 |
1466 CHECK(broker_process); | 1550 CHECK(broker_process); |
1467 CHECK(*broker_process == NULL); | 1551 CHECK(*broker_process == NULL); |
1468 | 1552 |
1553 bool (*sandbox_callback)(void) = EnableGpuBrokerPolicyCallback; | |
jln (very slow on Chromium)
2013/04/23 02:22:47
It's confusing, I'd just initialize it to NULL, an
Jorge Lucangeli Obes
2013/04/23 17:20:41
Done.
| |
1554 | |
1469 std::vector<std::string> read_whitelist; | 1555 std::vector<std::string> read_whitelist; |
1470 read_whitelist.push_back(kDriCard0Path); | 1556 read_whitelist.push_back(kDriCard0Path); |
jln (very slow on Chromium)
2013/04/23 02:22:47
Are these needed for Mali ? If not, put them clear
Jorge Lucangeli Obes
2013/04/23 17:20:41
Yep, they're needed for both.
| |
1471 read_whitelist.push_back(kDriRcPath); | 1557 read_whitelist.push_back(kDriRcPath); |
1558 | |
1472 std::vector<std::string> write_whitelist; | 1559 std::vector<std::string> write_whitelist; |
1473 write_whitelist.push_back(kDriCard0Path); | 1560 write_whitelist.push_back(kDriCard0Path); |
1474 | 1561 |
1562 if (IsArchitectureArm() && gpu_policy == ArmMaliGpuProcessPolicy) { | |
jln (very slow on Chromium)
2013/04/23 02:22:47
I think the right choice is if(gpu_policy == XX) {
Jorge Lucangeli Obes
2013/04/23 17:20:41
Done.
| |
1563 AddArmMaliGpuWhitelist(&read_whitelist, &write_whitelist); | |
1564 sandbox_callback = EnableArmMaliGpuBrokerPolicyCallback; | |
1565 } | |
1566 | |
1475 *broker_process = new BrokerProcess(read_whitelist, write_whitelist); | 1567 *broker_process = new BrokerProcess(read_whitelist, write_whitelist); |
1476 // Initialize the broker process and give it a sandbox call back. | 1568 // Initialize the broker process and give it a sandbox callback. |
1477 CHECK((*broker_process)->Init(EnableGpuBrokerPolicyCallBack)); | 1569 CHECK((*broker_process)->Init(sandbox_callback)); |
1478 } | 1570 } |
1479 | 1571 |
1480 // Warms up/preloads resources needed by the policies. | 1572 // Warms up/preloads resources needed by the policies. |
1481 // Eventually start a broker process and return it in broker_process. | 1573 // Eventually start a broker process and return it in broker_process. |
1482 void WarmupPolicy(Sandbox::EvaluateSyscall policy, | 1574 void WarmupPolicy(Sandbox::EvaluateSyscall policy, |
1483 BrokerProcess** broker_process) { | 1575 BrokerProcess** broker_process) { |
1484 if (policy == GpuProcessPolicy) { | 1576 if (policy == GpuProcessPolicy) { |
1577 // Create a new broker process. | |
1578 InitGpuBrokerProcess(policy, broker_process); | |
1579 | |
1485 if (IsArchitectureX86_64() || IsArchitectureI386()) { | 1580 if (IsArchitectureX86_64() || IsArchitectureI386()) { |
1486 // Create a new broker process. | |
1487 InitGpuBrokerProcess(broker_process); | |
1488 | |
1489 // Accelerated video decode dlopen()'s a shared object | 1581 // Accelerated video decode dlopen()'s a shared object |
1490 // inside the sandbox, so preload it now. | 1582 // inside the sandbox, so preload it now. |
1491 if (IsAcceleratedVideoDecodeEnabled()) { | 1583 if (IsAcceleratedVideoDecodeEnabled()) { |
1492 const char* I965DrvVideoPath = NULL; | 1584 const char* I965DrvVideoPath = NULL; |
1493 | 1585 |
1494 if (IsArchitectureX86_64()) { | 1586 if (IsArchitectureX86_64()) { |
1495 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; | 1587 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; |
1496 } else if (IsArchitectureI386()) { | 1588 } else if (IsArchitectureI386()) { |
1497 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; | 1589 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; |
1498 } | 1590 } |
1499 | 1591 |
1500 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); | 1592 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
1501 } | 1593 } |
1502 } | 1594 } |
1595 } else if (policy == ArmMaliGpuProcessPolicy) { | |
1596 // Create a new broker process. | |
1597 InitGpuBrokerProcess(policy, broker_process); | |
1503 } | 1598 } |
1504 } | 1599 } |
1505 | 1600 |
1506 Sandbox::EvaluateSyscall GetProcessSyscallPolicy( | 1601 Sandbox::EvaluateSyscall GetProcessSyscallPolicy( |
1507 const CommandLine& command_line, | 1602 const CommandLine& command_line, |
1508 const std::string& process_type) { | 1603 const std::string& process_type) { |
1509 if (process_type == switches::kGpuProcess) { | 1604 if (process_type == switches::kGpuProcess) { |
1510 // On Chrome OS, --enable-gpu-sandbox enables the more restrictive policy. | 1605 // On Chrome OS, --enable-gpu-sandbox enables the more restrictive policy. |
1511 // However, we don't yet enable the more restrictive GPU process policy | 1606 if (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox)) |
1512 // on ARM. | |
1513 if (IsArchitectureArm() || | |
1514 (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox))) | |
1515 return BlacklistDebugAndNumaPolicy; | 1607 return BlacklistDebugAndNumaPolicy; |
1608 // On Chrome OS ARM, we need a specific GPU process policy. | |
1609 else if (IsChromeOS() && IsArchitectureArm()) | |
1610 return ArmMaliGpuProcessPolicy; | |
1516 else | 1611 else |
1517 return GpuProcessPolicy; | 1612 return GpuProcessPolicy; |
1518 } | 1613 } |
1519 | 1614 |
1520 if (process_type == switches::kPpapiPluginProcess) { | 1615 if (process_type == switches::kPpapiPluginProcess) { |
1521 // TODO(jln): figure out what to do with non-Flash PPAPI | 1616 // TODO(jln): figure out what to do with non-Flash PPAPI |
1522 // out-of-process plug-ins. | 1617 // out-of-process plug-ins. |
1523 return FlashProcessPolicy; | 1618 return FlashProcessPolicy; |
1524 } | 1619 } |
1525 | 1620 |
(...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1623 // should enable it, enable it or die. | 1718 // should enable it, enable it or die. |
1624 bool started_sandbox = StartBpfSandbox(command_line, process_type); | 1719 bool started_sandbox = StartBpfSandbox(command_line, process_type); |
1625 CHECK(started_sandbox); | 1720 CHECK(started_sandbox); |
1626 return true; | 1721 return true; |
1627 } | 1722 } |
1628 #endif | 1723 #endif |
1629 return false; | 1724 return false; |
1630 } | 1725 } |
1631 | 1726 |
1632 } // namespace content | 1727 } // namespace content |
OLD | NEW |