sandbox/linux/seccomp-bpf/sandbox_bpf.cc - Issue 180783019: [Android] Define a baseline seccomp-bpf sandbox policy.

Side by Side Diff: sandbox/linux/seccomp-bpf/sandbox_bpf.cc

Issue 180783019: [Android] Define a baseline seccomp-bpf sandbox policy. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"	5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

6	6

7 // Some headers on Android are missing cdefs: crbug.com/172337.	7 // Some headers on Android are missing cdefs: crbug.com/172337.

8 // (We can't use OS_ANDROID here since build_config.h is not included).	8 // (We can't use OS_ANDROID here since build_config.h is not included).

9 #if defined(ANDROID)	9 #if defined(ANDROID)

10 #include <sys/cdefs.h>	10 #include <sys/cdefs.h>

(...skipping 77 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
88 time_t current_time;	88 time_t current_time;

89 // time() is implemented as a vsyscall. With an older glibc, with	89 // time() is implemented as a vsyscall. With an older glibc, with

90 // vsyscall=emulate and some versions of the seccomp BPF patch	90 // vsyscall=emulate and some versions of the seccomp BPF patch

91 // we may get SIGKILL-ed. Detect this!	91 // we may get SIGKILL-ed. Detect this!

92 if (time(&current_time) != static_cast<time_t>(-1)) {	92 if (time(&current_time) != static_cast<time_t>(-1)) {

93 syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));	93 syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));

94 }	94 }

95 }	95 }

96	96

97 bool IsSingleThreaded(int proc_fd) {	97 bool IsSingleThreaded(int proc_fd) {

	98 return true;
	Robert Sesek 2014/03/05 18:27:54 Obviously these cannot go in as-is. I can see thre Obviously these cannot go in as-is. I can see three options here: 1) Put this behind a flag. We want seccomp-bpf on Android behind a flag, but I'm not sure where to put this flag since it would need to be accessed by both //content/ and //sandbox/. 2) Just use #if defined(OS_ANDROID) 3) Use the expected prctl() tests for the threadgroup synchronization presence in the kernel, and only call IssingleThreaded() if that test fails. jln (very slow on Chromium) 2014/03/07 01:30:30 Yes, the sandbox:: seccomp-bpf class should suppor Show quoted text On 2014/03/05 18:27:54, rsesek wrote: > 3) Use the expected prctl() tests for the threadgroup synchronization presence > in the kernel, and only call IssingleThreaded() if that test fails. Yes, the sandbox:: seccomp-bpf class should support a StartSandboxWithThreads() that uses the new prctl flag and disables these checks. Later, we'll indeed probably want to simply detect if that flag is available and use it automatically in StartSandbox(). In your test, you did patch the prctl flag in, right? i.e. you're sure that everything has been tested with the sandbox being applied to all threads? Robert Sesek 2014/03/25 21:57:17 OK I'll work on that, then. How do you think Suppo Show quoted text On 2014/03/07 01:30:30, jln wrote: > On 2014/03/05 18:27:54, rsesek wrote: > > 3) Use the expected prctl() tests for the threadgroup synchronization presence > > in the kernel, and only call IssingleThreaded() if that test fails. > > Yes, the sandbox:: seccomp-bpf class should support a StartSandboxWithThreads() > that uses the new prctl flag and disables these checks. OK I'll work on that, then. How do you think SupportsSeccompSandobx() should work, then? It internally fork()s which seems like a bad thing to do as a generic interface when we know we're multithreaded. But I don't know how else we should test for the seccomp extensions. Show quoted text > In your test, you did patch the prctl flag in, right? i.e. you're sure that > everything has been tested with the sandbox being applied to all threads? Yes, I have the kernel patches applied to my AOSP build. jln (very slow on Chromium) 2014/03/31 19:22:32 We could have StartSandboxWithThreads() return a b Show quoted text On 2014/03/25 21:57:17, rsesek wrote: > On 2014/03/07 01:30:30, jln wrote: > > On 2014/03/05 18:27:54, rsesek wrote: > > > 3) Use the expected prctl() tests for the threadgroup synchronization > presence > > > in the kernel, and only call IssingleThreaded() if that test fails. > > > > Yes, the sandbox:: seccomp-bpf class should support a > StartSandboxWithThreads() > > that uses the new prctl flag and disables these checks. > > OK I'll work on that, then. How do you think SupportsSeccompSandobx() should > work, then? It internally fork()s which seems like a bad thing to do as a > generic interface when we know we're multithreaded. But I don't know how else we > should test for the seccomp extensions. We could have StartSandboxWithThreads() return a bool, depending on whether or not it managed to start. For consistency we could change StartSandbox() in a similar way and just make sure that the existing callers CHECK(). Robert Sesek 2014/03/31 19:45:50 OK, that's also what I was thinking, though probab Show quoted text On 2014/03/31 19:22:32, jln wrote: > On 2014/03/25 21:57:17, rsesek wrote: > > On 2014/03/07 01:30:30, jln wrote: > > > On 2014/03/05 18:27:54, rsesek wrote: > > > > 3) Use the expected prctl() tests for the threadgroup synchronization > > presence > > > > in the kernel, and only call IssingleThreaded() if that test fails. > > > > > > Yes, the sandbox:: seccomp-bpf class should support a > > StartSandboxWithThreads() > > > that uses the new prctl flag and disables these checks. > > > > OK I'll work on that, then. How do you think SupportsSeccompSandobx() should > > work, then? It internally fork()s which seems like a bad thing to do as a > > generic interface when we know we're multithreaded. But I don't know how else > we > > should test for the seccomp extensions. > > We could have StartSandboxWithThreads() return a bool, depending on whether or > not it managed to start. > For consistency we could change StartSandbox() in a similar way and just make > sure that the existing callers CHECK(). OK, that's also what I was thinking, though probably return SandboxStatus instead of bool. I'll do that in another CL and make this one just about landing the Android policy, which I'll also move to //content, per your suggestion.
98 if (proc_fd < 0) {	99 if (proc_fd < 0) {

99 // Cannot determine whether program is single-threaded. Hope for	100 // Cannot determine whether program is single-threaded. Hope for

100 // the best...	101 // the best...

101 return true;	102 return true;

102 }	103 }

103	104

104 struct stat sb;	105 struct stat sb;

105 int task = -1;	106 int task = -1;

106 if ((task = openat(proc_fd, "self/task", O_RDONLY \| O_DIRECTORY)) < 0 \|\|	107 if ((task = openat(proc_fd, "self/task", O_RDONLY \| O_DIRECTORY)) < 0 \|\|

107 fstat(task, &sb) != 0 \|\| sb.st_nlink != 3 \|\| IGNORE_EINTR(close(task))) {	108 fstat(task, &sb) != 0 \|\| sb.st_nlink != 3 \|\| IGNORE_EINTR(close(task))) {

(...skipping 138 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
246 }	247 }

247 }	248 }

248	249

249 bool SandboxBPF::IsValidSyscallNumber(int sysnum) {	250 bool SandboxBPF::IsValidSyscallNumber(int sysnum) {

250 return SyscallIterator::IsValid(sysnum);	251 return SyscallIterator::IsValid(sysnum);

251 }	252 }

252	253

253 bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),	254 bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),

254 EvaluateSyscall syscall_evaluator,	255 EvaluateSyscall syscall_evaluator,

255 void* aux) {	256 void* aux) {

	257 return true;

256 // Block all signals before forking a child process. This prevents an	258 // Block all signals before forking a child process. This prevents an

257 // attacker from manipulating our test by sending us an unexpected signal.	259 // attacker from manipulating our test by sending us an unexpected signal.

258 sigset_t old_mask, new_mask;	260 sigset_t old_mask, new_mask;

259 if (sigfillset(&new_mask) \|\| sigprocmask(SIG_BLOCK, &new_mask, &old_mask)) {	261 if (sigfillset(&new_mask) \|\| sigprocmask(SIG_BLOCK, &new_mask, &old_mask)) {

260 SANDBOX_DIE("sigprocmask() failed");	262 SANDBOX_DIE("sigprocmask() failed");

261 }	263 }

262 int fds[2];	264 int fds[2];

263 if (pipe2(fds, O_NONBLOCK \| O_CLOEXEC)) {	265 if (pipe2(fds, O_NONBLOCK \| O_CLOEXEC)) {

264 SANDBOX_DIE("pipe() failed");	266 SANDBOX_DIE("pipe() failed");

265 }	267 }

(...skipping 747 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1013 &*conds_->insert(failed).first);	1015 &*conds_->insert(failed).first);

1014 }	1016 }

1015	1017

1016 ErrorCode SandboxBPF::Kill(const char* msg) {	1018 ErrorCode SandboxBPF::Kill(const char* msg) {

1017 return Trap(BPFFailure, const_cast<char*>(msg));	1019 return Trap(BPFFailure, const_cast<char*>(msg));

1018 }	1020 }

1019	1021

1020 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;	1022 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;

1021	1023

1022 } // namespace sandbox	1024 } // namespace sandbox

OLD	NEW

« sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.cc ('K') | « sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.cc ('k') | no next file » | no next file with comments »