Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1394)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/nacl/nacl_sandbox_linux.cc

Issue 19980003: NaCl: enable a real seccomp-bpf sandbox. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Address Mark's comments. Disable the sandbox on ARM. Created 7 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome/nacl/OWNERS ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/nacl/nacl_sandbox_linux.cc
diff --git a/chrome/nacl/nacl_sandbox_linux.cc b/chrome/nacl/nacl_sandbox_linux.cc
index 19585eaf26d693bbd8daeb85194820ba90774d6f..f8bcdbf67ec5906b05da3df60aa240bd37c3ffd8 100644
--- a/chrome/nacl/nacl_sandbox_linux.cc
+++ b/chrome/nacl/nacl_sandbox_linux.cc
@@ -10,6 +10,7 @@
#include "base/callback.h"
#include "base/compiler_specific.h"
#include "base/logging.h"
+#include "build/build_config.h"
#include "content/public/common/sandbox_init.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/services/linux_syscalls.h"
@@ -19,26 +20,103 @@ using playground2::Sandbox;
namespace {
-// This policy does very little:
-// - Any invalid system call for the current architecture is handled by
-// the baseline policy.
-// - ptrace() is denied.
-// - Anything else is allowed.
-// Note that the seccomp-bpf sandbox always prevents cross-architecture
-// system calls (on x86, long/compatibility/x32).
-// So even this trivial policy has a security benefit.
+inline bool IsPlatformX86() {
+#if defined(__x86_64__) || defined(__i386__)
+ return true;
+#else
+ return false;
+#endif
+}
+
+// On ARM and x86_64, System V shared memory calls have each their own system
+// call, while on i386 they are multiplexed.
+#if defined(__x86_64__) || defined(__arm__)
+bool IsSystemVSharedMemory(int sysno) {
+ switch (sysno) {
+ case __NR_shmat:
+ case __NR_shmctl:
+ case __NR_shmdt:
+ case __NR_shmget:
+ return true;
+ default:
+ return false;
+ }
+}
+#endif
+
+#if defined(__i386__)
+// Big system V multiplexing system call.
+bool IsSystemVIpc(int sysno) {
+ switch (sysno) {
+ case __NR_ipc:
+ return true;
+ default:
+ return false;
+ }
+}
+#endif
+
ErrorCode NaClBpfSandboxPolicy(
- playground2::Sandbox* sb, int sysnum, void* aux) {
+ playground2::Sandbox* sb, int sysno, void* aux) {
const playground2::BpfSandboxPolicyCallback baseline_policy =
content::GetBpfSandboxBaselinePolicy();
- if (!playground2::Sandbox::IsValidSyscallNumber(sysnum)) {
- return baseline_policy.Run(sb, sysnum, aux);
- }
- switch (sysnum) {
+ switch (sysno) {
+ // TODO(jln): NaCl's GDB debug stub uses the following socket system calls,
+ // see if it can be restricted a bit.
+#if defined(__x86_64__) || defined(__arm__)
+ // transport_common.cc needs this.
+ case __NR_accept:
+ case __NR_setsockopt:
+#elif defined(__i386__)
+ case __NR_socketcall:
+#endif
+ // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is
+ // used by NaCl's GDB debug stub."
Mark Seaborn 2013/07/23 23:02:17 Remove closing quote here.
jln (very slow on Chromium) 2013/07/23 23:24:24 Oops, done, thanks!
+ case __NR_rt_sigtimedwait:
+#if defined(__i386__)
+ // Needed on i386 to set-up the custom segments.
+ case __NR_modify_ldt:
+#endif
+ // NaClAddrSpaceBeforeAlloc needs prlimit64.
+ case __NR_prlimit64:
+ // NaCl uses custom signal stacks.
+ case __NR_sigaltstack:
+ // Below is fairly similar to the policy for a Chromium renderer.
+ // TODO(jln): restrict clone(), ioctl() and prctl().
+ case __NR_ioctl:
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_getrlimit:
+#endif
+#if defined(__i386__) || defined(__arm__)
+ case __NR_ugetrlimit:
+#endif
+ case __NR_pread64:
+ case __NR_pwrite64:
+ case __NR_sched_get_priority_max:
+ case __NR_sched_get_priority_min:
+ case __NR_sched_getaffinity:
+ case __NR_sched_getparam:
+ case __NR_sched_getscheduler:
+ case __NR_sched_setscheduler:
+ case __NR_setpriority:
+ case __NR_sysinfo:
+ case __NR_uname:
+ return ErrorCode(ErrorCode::ERR_ALLOWED);
case __NR_ptrace:
return ErrorCode(EPERM);
default:
- return ErrorCode(ErrorCode::ERR_ALLOWED);
+ // TODO(jln): look into getting rid of System V shared memory:
+ // platform_qualify/linux/sysv_shm_and_mmap.c makes it a requirement, but
+ // it may not be needed in all cases. Chromium renderers don't need
+ // System V shared memory on Aura.
+#if defined(__x86_64__) || defined(__arm__)
+ if (IsSystemVSharedMemory(sysno))
+ return ErrorCode(ErrorCode::ERR_ALLOWED);
+#elif defined(__i386__)
+ if (IsSystemVIpc(sysno))
+ return ErrorCode(ErrorCode::ERR_ALLOWED);
+#endif
+ return baseline_policy.Run(sb, sysno, aux);
}
NOTREACHED();
// GCC wants this.
@@ -57,6 +135,9 @@ void RunSandboxSanityChecks() {
} // namespace
bool InitializeBpfSandbox() {
+ // TODO(jln): enable the sandbox on ARM as well.
+ if (!IsPlatformX86())
+ return false;
bool sandbox_is_initialized =
content::InitializeSandbox(NaClBpfSandboxPolicy);
if (sandbox_is_initialized) {
« no previous file with comments | « chrome/nacl/OWNERS ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698