Make clone(2) restrictions work on ARM.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 1230 matching lines @@
 #if defined(__arm__)
       IsArmPciConfig(sysno) ||
 #endif
       IsTimer(sysno)) {
     return true;
   } else {
     return false;
   }
 }
 
-ErrorCode RestrictMmapFlags(Sandbox *sandbox) {
+ErrorCode RestrictMmapFlags(Sandbox* sandbox) {

[Chris Evans, 2013/05/29 19:54:13]

There's quite a bit of style cleanup in this patch. Generally, it's nice to
separate these into separate CLs from functional changes but we can let it slide
this time ;-)

   // The flags you see are actually the allowed ones, and the variable is a
   // "denied" mask because of the negation operator.
   // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
   // MAP_POPULATE.
   uint32_t denied_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
                            MAP_STACK | MAP_NORESERVE | MAP_FIXED);
   return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                        denied_mask,
                        sandbox->Trap(CrashSIGSYS_Handler, NULL),
                        ErrorCode(ErrorCode::ERR_ALLOWED));
 }
 
-ErrorCode RestrictMprotectFlags(Sandbox *sandbox) {
+ErrorCode RestrictMprotectFlags(Sandbox* sandbox) {
   // The flags you see are actually the allowed ones, and the variable is a
   // "denied" mask because of the negation operator.
   // Significantly, we don't permit weird undocumented flags such as
   // PROT_GROWSDOWN.
   uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC);
   return sandbox->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                        denied_mask,
                        sandbox->Trap(CrashSIGSYS_Handler, NULL),
                        ErrorCode(ErrorCode::ERR_ALLOWED));
 }
 
-ErrorCode RestrictFcntlCommands(Sandbox *sandbox) {
+ErrorCode RestrictFcntlCommands(Sandbox* sandbox) {
   // For now, we're only sure this will work on x64. This is because of the
   // use of TP_64BIT for a "long" argument. Ideally, the seccomp API would
   // have a TP_LONG or TP_SIZET type.
   DCHECK(IsArchitectureX86_64());
   // We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
   // F_SETLK, F_SETLKW and F_GETLK.
   // We also restrict the flags in F_SETFL. We don't want to permit flags with
   // a history of trouble such as O_DIRECT. The flags you see are actually the
   // allowed ones, and the variable is a "denied" mask because of the negation
   // operator.
@@ skipping 30 matching lines @@
                        ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Cond(1, ErrorCode::TP_32BIT,
                        ErrorCode::OP_EQUAL, F_GETLK,
                        ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Cond(1, ErrorCode::TP_32BIT,
                        ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC,
                        ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Trap(CrashSIGSYS_Handler, NULL))))))))));
 }
 
-ErrorCode BaselinePolicy(Sandbox *sandbox, int sysno) {
+ErrorCode BaselinePolicy(Sandbox* sandbox, int sysno) {
   if (IsBaselinePolicyAllowed(sysno)) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 
 #if defined(__i386__)
   // socketcall(2) should be tightened.
   if (IsSocketCall(sysno)) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 #endif
@@ skipping 63 matching lines @@
   if (IsBaselinePolicyWatched(sysno)) {
     // Previously unseen syscalls. TODO(jln): some of these should
     // be denied gracefully right away.
     return sandbox->Trap(CrashSIGSYS_Handler, NULL);
   }
   // In any other case crash the program with our SIGSYS handler.
   return sandbox->Trap(CrashSIGSYS_Handler, NULL);
 }
 
 // Main policy for x86_64/i386. Extended by ArmMaliGpuProcessPolicy.
-ErrorCode GpuProcessPolicy(Sandbox *sandbox, int sysno,
-                           void *broker_process) {
+ErrorCode GpuProcessPolicy(Sandbox* sandbox, int sysno,
+                           void* broker_process) {
   switch(sysno) {
     case __NR_ioctl:
 #if defined(__i386__) || defined(__x86_64__)
     // The Nvidia driver uses flags not in the baseline policy
     // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)
     case __NR_mmap:
 #endif
     // We also hit this on the linux_chromeos bot but don't yet know what
     // weird flags were involved.
     case __NR_mprotect:
@@ skipping 14 matching lines @@
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 
       // Default on the baseline policy.
       return BaselinePolicy(sandbox, sysno);
   }
 }
 
 // x86_64/i386.
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
-ErrorCode GpuBrokerProcessPolicy(Sandbox *sandbox, int sysno, void *aux) {
+ErrorCode GpuBrokerProcessPolicy(Sandbox* sandbox, int sysno, void* aux) {
   // "aux" would typically be NULL, when called from
   // "EnableGpuBrokerPolicyCallBack"
   switch(sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return GpuProcessPolicy(sandbox, sysno, aux);
   }
 }
 
 // ARM Mali GPU process sandbox, inheriting from GpuProcessPolicy.
-ErrorCode ArmMaliGpuProcessPolicy(Sandbox *sandbox, int sysno,
-                                  void *broker_process) {
+ErrorCode ArmMaliGpuProcessPolicy(Sandbox* sandbox, int sysno,
+                                  void* broker_process) {
   switch(sysno) {
 #if defined(__arm__)
     // ARM GPU sandbox is started earlier so we need to allow networking
     // in the sandbox.
     // TODO(jorgelo): tighten this (crbug.com/235609).
     case __NR_connect:
     case __NR_getpeername:
     case __NR_getsockname:
     case __NR_socket:
     case __NR_socketpair:
     case __NR_sysinfo:
     case __NR_uname:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif  // defined(__arm__)
     default:
       if (IsAdvancedScheduler(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 
       // Default to the generic GPU policy.
       return GpuProcessPolicy(sandbox, sysno, broker_process);
   }
 }
 
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
-ErrorCode ArmMaliGpuBrokerProcessPolicy(Sandbox *sandbox,
-                                        int sysno, void *aux) {
+ErrorCode ArmMaliGpuBrokerProcessPolicy(Sandbox* sandbox,
+                                        int sysno, void* aux) {
   // "aux" would typically be NULL, when called from
   // "EnableGpuBrokerPolicyCallBack"
   switch(sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return ArmMaliGpuProcessPolicy(sandbox, sysno, aux);
   }
 }
 
 // Allow clone(2) for threads.
 // Reject fork(2) attempts with EPERM.
 // Crash if anything else is attempted.
 // Don't restrict on ASAN.
 ErrorCode RestrictCloneToThreadsAndEPERMFork(Sandbox* sandbox) {
   // Glibc's pthread.
   if (!RunningOnASAN()) {
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
                          CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
                          CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          CLONE_PARENT_SETTID | SIGCHLD,
                          ErrorCode(EPERM),
-           sandbox->Trap(SIGSYSCloneFailure, NULL)));
+           // ARM
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+                         CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD,
+                         ErrorCode(EPERM),
+           sandbox->Trap(SIGSYSCloneFailure, NULL))));
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
-ErrorCode RestrictPrctl(Sandbox *sandbox) {
+ErrorCode RestrictPrctl(Sandbox* sandbox) {
   // Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE. Will need to add
   // seccomp compositing in the future.
   // PR_SET_PTRACER is used by breakpad but not needed anymore.
   return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                        PR_SET_NAME, ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                        PR_SET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                        PR_GET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Trap(SIGSYSPrctlFailure, NULL))));
 }
 
-ErrorCode RestrictIoctl(Sandbox *sandbox) {
+ErrorCode RestrictIoctl(Sandbox* sandbox) {
   // Allow TCGETS and FIONREAD, trap to SIGSYSIoctlFailure otherwise.
   return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, TCGETS,
                        ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, FIONREAD,
                        ErrorCode(ErrorCode::ERR_ALLOWED),
                        sandbox->Trap(SIGSYSIoctlFailure, NULL)));
 }
 
-ErrorCode RendererOrWorkerProcessPolicy(Sandbox *sandbox, int sysno, void *) {
+ErrorCode RendererOrWorkerProcessPolicy(Sandbox* sandbox, int sysno, void*) {
   switch (sysno) {
     case __NR_clone:
       return RestrictCloneToThreadsAndEPERMFork(sandbox);
     case __NR_ioctl:
       return RestrictIoctl(sandbox);
     case __NR_prctl:
       return RestrictPrctl(sandbox);
     // Allow the system calls below.
     case __NR_fdatasync:
     case __NR_fsync:
@@ skipping 27 matching lines @@
         if (IsSystemVIpc(sysno))
           return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
       }
 
       // Default on the baseline policy.
       return BaselinePolicy(sandbox, sysno);
   }
 }
 
-ErrorCode FlashProcessPolicy(Sandbox *sandbox, int sysno, void *) {
+ErrorCode FlashProcessPolicy(Sandbox* sandbox, int sysno, void*) {
   switch (sysno) {
     case __NR_clone:

[Chris Evans, 2013/05/29 19:54:13]

Do you hapen to have a 32-bit Chrome OS build handy to confirm it's ok?

[Jorge Lucangeli Obes, 2013/05/29 19:57:22]

Yeah, I tested both x86 and ARM.

-#if defined(__x86_64__)
-      // TODO(jorgelo): enable this on other platforms.
       return RestrictCloneToThreadsAndEPERMFork(sandbox);
-#endif
     case __NR_sched_get_priority_max:
     case __NR_sched_get_priority_min:
     case __NR_sched_getaffinity:
     case __NR_sched_getparam:
     case __NR_sched_getscheduler:
     case __NR_sched_setscheduler:
     case __NR_times:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     case __NR_ioctl:
       return ErrorCode(ENOTTY);  // Flash Access.
     default:
       if (IsUsingToolKitGtk()) {
 #if defined(__x86_64__) || defined(__arm__)
         if (IsSystemVSharedMemory(sysno))
           return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
 #if defined(__i386__)
         if (IsSystemVIpc(sysno))
           return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
       }
 
       // Default on the baseline policy.
       return BaselinePolicy(sandbox, sysno);
   }
 }
 
-ErrorCode BlacklistDebugAndNumaPolicy(Sandbox *sandbox, int sysno, void *) {
+ErrorCode BlacklistDebugAndNumaPolicy(Sandbox* sandbox, int sysno, void*) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // TODO(jln) we should not have to do that in a trivial policy.
     return ErrorCode(ENOSYS);
   }
 
   if (IsDebug(sysno) || IsNuma(sysno))
     return sandbox->Trap(CrashSIGSYS_Handler, NULL);
 
   return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
 // Allow all syscalls.
 // This will still deny x32 or IA32 calls in 64 bits mode or
 // 64 bits system calls in compatibility mode.
-ErrorCode AllowAllPolicy(Sandbox *, int sysno, void *) {
+ErrorCode AllowAllPolicy(Sandbox*, int sysno, void*) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // TODO(jln) we should not have to do that in a trivial policy.
     return ErrorCode(ENOSYS);
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 bool EnableGpuBrokerPolicyCallback() {
   StartSandboxWithPolicy(GpuBrokerProcessPolicy, NULL);
@@ skipping 216 matching lines @@
     // should enable it, enable it or die.
     bool started_sandbox = StartBpfSandbox(command_line, process_type);
     CHECK(started_sandbox);
     return true;
   }
 #endif
   return false;
 }
 
 }  // namespace content