
Side by Side Diff: chrome/nacl/nacl_sandbox_linux.cc

Issue 19980003: NaCl: enable a real seccomp-bpf sandbox. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 5 months ago
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/nacl/nacl_sandbox_linux.h" 5 #include "chrome/nacl/nacl_sandbox_linux.h"
6 6
7 #include <signal.h> 7 #include <signal.h>
8 #include <sys/ptrace.h> 8 #include <sys/ptrace.h>
9 9
10 #include "base/callback.h" 10 #include "base/callback.h"
11 #include "base/compiler_specific.h" 11 #include "base/compiler_specific.h"
12 #include "base/logging.h" 12 #include "base/logging.h"
13 #include "content/public/common/sandbox_init.h" 13 #include "content/public/common/sandbox_init.h"
14 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" 14 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
15 #include "sandbox/linux/services/linux_syscalls.h" 15 #include "sandbox/linux/services/linux_syscalls.h"
16 16
17 using playground2::ErrorCode; 17 using playground2::ErrorCode;
18 using playground2::Sandbox; 18 using playground2::Sandbox;
19 19
20 namespace { 20 namespace {
21 21
22 // This policy does very little: 22 #if defined(__x86_64__) || defined(__arm__)
Mark Seaborn 2013/07/22 23:45:24 Can you add a comment about why there's an #if her
jln (very slow on Chromium) 2013/07/23 00:18:16 Added a comment. This looks quite ugly indeed, bu
23 // - Any invalid system call for the current architecture is handled by 23 bool IsSystemVSharedMemory(int sysno) {
24 // the baseline policy. 24 switch (sysno) {
25 // - ptrace() is denied. 25 case __NR_shmat:
26 // - Anything else is allowed. 26 case __NR_shmctl:
27 // Note that the seccomp-bpf sandbox always prevents cross-architecture 27 case __NR_shmdt:
28 // system calls (on x86, long/compatibility/x32). 28 case __NR_shmget:
29 // So even this trivial policy has a security benefit. 29 return true;
30 default:
31 return false;
32 }
33 }
34 #endif
35
36 #if defined(__i386__)
37 // Big system V multiplexing system call.
38 bool IsSystemVIpc(int sysno) {
39 switch (sysno) {
40 case __NR_ipc:
41 return true;
42 default:
43 return false;
44 }
45 }
46 #endif
47
30 ErrorCode NaClBpfSandboxPolicy( 48 ErrorCode NaClBpfSandboxPolicy(
31 playground2::Sandbox* sb, int sysnum, void* aux) { 49 playground2::Sandbox* sb, int sysno, void* aux) {
32 const playground2::BpfSandboxPolicyCallback baseline_policy = 50 const playground2::BpfSandboxPolicyCallback baseline_policy =
33 content::GetBpfSandboxBaselinePolicy(); 51 content::GetBpfSandboxBaselinePolicy();
34 if (!playground2::Sandbox::IsValidSyscallNumber(sysnum)) { 52 switch (sysno) {
35 return baseline_policy.Run(sb, sysnum, aux); 53 // TODO: jln: figure out what in NaClGdbDebugStubTest.Breakpoint
36 } 54 // needs the 4 following system calls.
37 switch (sysnum) { 55 #if defined(__x86_64__) || defined(__arm__)
56 case __NR_accept:
Mark Seaborn 2013/07/22 23:45:24 It's used by native_client/src/trusted/debug_stub/
jln (very slow on Chromium) 2013/07/23 00:18:16 Done.
57 case __NR_setsockopt:
58 #elif defined(__i386__)
59 case __NR_socketcall:
60 #endif
61 case __NR_rt_sigtimedwait:
Mark Seaborn 2013/07/22 23:45:24 Can you comment that this is used by the sigwait()
jln (very slow on Chromium) 2013/07/23 00:18:16 Done.
62 #if defined(__i386__)
63 // Needed on i386 to set-up the custom segments.
64 case __NR_modify_ldt:
65 #endif
66 // NaClAddrSpaceBeforeAlloc needs this.
67 case __NR_prlimit64:
68 // NaCl uses custom signal stacks.
69 case __NR_sigaltstack:
70 // Below is fairly similar to the policy for a Chromium renderer.
71 // TODO(jln): restrict clone(), ioctl() and prctl().
72 case __NR_ioctl:
Mark Seaborn 2013/07/22 23:45:24 I don't think NaCl uses ioctl(). Does it work to
jln (very slow on Chromium) 2013/07/23 00:18:16 This needs to be restricted (via parameters) like
73 #if defined(__i386__) || defined(__x86_64__)
74 case __NR_getrlimit:
75 #endif
76 #if defined(__i386__) || defined(__arm__)
77 case __NR_ugetrlimit:
78 #endif
79 case __NR_pread64:
80 case __NR_pwrite64:
81 case __NR_sched_get_priority_max:
Mark Seaborn 2013/07/22 23:45:24 I don't know whether any of these sched_* calls ar
jln (very slow on Chromium) 2013/07/23 00:18:16 Not sure what needs it (it's something in glibc II
82 case __NR_sched_get_priority_min:
83 case __NR_sched_getaffinity:
84 case __NR_sched_getparam:
85 case __NR_sched_getscheduler:
86 case __NR_sched_setscheduler:
87 case __NR_setpriority:
88 case __NR_sysinfo:
89 case __NR_uname:
90 return ErrorCode(ErrorCode::ERR_ALLOWED);
38 case __NR_ptrace: 91 case __NR_ptrace:
39 return ErrorCode(EPERM); 92 return ErrorCode(EPERM);
40 default: 93 default:
41 return ErrorCode(ErrorCode::ERR_ALLOWED); 94 // TODO(jln): look into getting rid of System V shared memory.
Mark Seaborn 2013/07/22 23:45:24 Does Chromium have the renderer use X's SysV share
jln (very slow on Chromium) 2013/07/23 00:18:16 We don't need Sys V shm in Chromium on Aura, but w
Mark Seaborn 2013/07/23 17:13:03 OK, can you put that information into a comment, p
95 #if defined(__x86_64__) || defined(__arm__)
96 if (IsSystemVSharedMemory(sysno))
97 return ErrorCode(ErrorCode::ERR_ALLOWED);
98 #elif defined(__i386__)
99 if (IsSystemVIpc(sysno))
100 return ErrorCode(ErrorCode::ERR_ALLOWED);
101 #endif
102 return baseline_policy.Run(sb, sysno, aux);
42 } 103 }
43 NOTREACHED(); 104 NOTREACHED();
44 // GCC wants this. 105 // GCC wants this.
45 return ErrorCode(EPERM); 106 return ErrorCode(EPERM);
46 } 107 }
47 108
48 void RunSandboxSanityChecks() { 109 void RunSandboxSanityChecks() {
49 errno = 0; 110 errno = 0;
50 // Make a ptrace request with an invalid PID. 111 // Make a ptrace request with an invalid PID.
51 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL); 112 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
(...skipping 11 matching lines...) Expand all
63 RunSandboxSanityChecks(); 124 RunSandboxSanityChecks();
64 // TODO(jln): Find a way to fix this. 125 // TODO(jln): Find a way to fix this.
65 // The sandbox' SIGSYS handler trips NaCl, so we disable it. 126 // The sandbox' SIGSYS handler trips NaCl, so we disable it.
66 // If SIGSYS is triggered it'll now execute the default action 127 // If SIGSYS is triggered it'll now execute the default action
67 // (CORE). This will make it hard to track down bugs and sandbox violations. 128 // (CORE). This will make it hard to track down bugs and sandbox violations.
68 CHECK(signal(SIGSYS, SIG_DFL) != SIG_ERR); 129 CHECK(signal(SIGSYS, SIG_DFL) != SIG_ERR);
69 return true; 130 return true;
70 } 131 }
71 return false; 132 return false;
72 } 133 }
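Review bot: The i386 branches at new lines 59 and 99 allow the `socketcall()` and `ipc()` multiplexers wholesale, so on i386 every socket operation and every System V IPC call (semaphores and message queues, not only shm*) passes, whereas the x86_64/ARM branches allow only accept()/setsockopt() and the four shm* calls. If the seccomp-bpf policy can condition on the first argument (the sub-call number), these two cases should be narrowed to the same set as the 64-bit/ARM path, and that restriction — or the reason it is deferred — belongs with the existing `// TODO(jln): restrict clone(), ioctl() and prctl().` line. At minimum, replace `// Big system V multiplexing system call.` with `// Multiplexes every System V IPC call (shm, sem, msg) on i386; broader than the x86_64/ARM shm*-only allowance.` and add a matching note above `case __NR_socketcall:` so the asymmetry is visible to the next reader. The `// TODO: jln:` at new line 53 also differs from the `TODO(jln)` form used elsewhere in the file.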
