Chromium Code Reviews Chromium Code Reviews
Issue 260793003:
[MIPS] Add seccomp bpf support (Closed)
Base URL: https://git.chromium.org/git/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <errno.h> | 5 #include <errno.h> |
| 6 #include <pthread.h> | 6 #include <pthread.h> |
| 7 #include <sched.h> | 7 #include <sched.h> |
| 8 #include <sys/prctl.h> | 8 #include <sys/prctl.h> |
| 9 #include <sys/syscall.h> | 9 #include <sys/syscall.h> |
| 10 #include <sys/time.h> | 10 #include <sys/time.h> |
| 11 #include <sys/types.h> | 11 #include <sys/types.h> |
| 12 #include <sys/utsname.h> | 12 #include <sys/utsname.h> |
| 13 #include <unistd.h> | 13 #include <unistd.h> |
| 14 #include <sys/socket.h> | |
| 14 | 15 |
| 15 #if defined(ANDROID) | 16 #if defined(ANDROID) |
| 16 // Work-around for buggy headers in Android's NDK | 17 // Work-around for buggy headers in Android's NDK |
| 17 #define __user | 18 #define __user |
| 18 #endif | 19 #endif |
| 19 #include <linux/futex.h> | 20 #include <linux/futex.h> |
| 20 | 21 |
| 21 #include <ostream> | 22 #include <ostream> |
| 22 | 23 |
| 23 #include "base/bind.h" | 24 #include "base/bind.h" |
| 24 #include "base/logging.h" | 25 #include "base/logging.h" |
| 25 #include "base/macros.h" | 26 #include "base/macros.h" |
| 26 #include "base/memory/scoped_ptr.h" | 27 #include "base/memory/scoped_ptr.h" |
| 27 #include "build/build_config.h" | 28 #include "build/build_config.h" |
| 28 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" | 29 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
| 30 #include "sandbox/linux/seccomp-bpf/kernel_return_value_helpers.h" | |
| 29 #include "sandbox/linux/seccomp-bpf/syscall.h" | 31 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 30 #include "sandbox/linux/seccomp-bpf/trap.h" | 32 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 31 #include "sandbox/linux/seccomp-bpf/verifier.h" | 33 #include "sandbox/linux/seccomp-bpf/verifier.h" |
| 32 #include "sandbox/linux/services/broker_process.h" | 34 #include "sandbox/linux/services/broker_process.h" |
| 33 #include "sandbox/linux/services/linux_syscalls.h" | 35 #include "sandbox/linux/services/linux_syscalls.h" |
| 34 #include "sandbox/linux/tests/unit_tests.h" | 36 #include "sandbox/linux/tests/unit_tests.h" |
| 35 #include "testing/gtest/include/gtest/gtest.h" | 37 #include "testing/gtest/include/gtest/gtest.h" |
| 36 | 38 |
| 37 // Workaround for Android's prctl.h file. | 39 // Workaround for Android's prctl.h file. |
| 38 #ifndef PR_GET_ENDIAN | 40 #ifndef PR_GET_ENDIAN |
| (...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 176 // getpgid() should be denied | 178 // getpgid() should be denied |
| 177 BPF_ASSERT(getpgid(0) == -1); | 179 BPF_ASSERT(getpgid(0) == -1); |
| 178 BPF_ASSERT(errno == ENOMEM); | 180 BPF_ASSERT(errno == ENOMEM); |
| 179 } | 181 } |
| 180 | 182 |
| 181 // A simple blacklist policy, with a SIGSYS handler | 183 // A simple blacklist policy, with a SIGSYS handler |
| 182 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) { | 184 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) { |
| 183 // We also check that the auxiliary data is correct | 185 // We also check that the auxiliary data is correct |
| 184 SANDBOX_ASSERT(aux); | 186 SANDBOX_ASSERT(aux); |
| 185 *(static_cast<int*>(aux)) = kExpectedReturnValue; | 187 *(static_cast<int*>(aux)) = kExpectedReturnValue; |
| 186 return -ENOMEM; | 188 return -ENOMEM; |
|
jln (very slow on Chromium)
2014/06/03 01:00:33
How come this didn't have to be changed?
nedeljko
2014/06/03 15:32:18
It works correctly.
| |
| 187 } | 189 } |
| 188 | 190 |
| 189 ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox, | 191 ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox, |
| 190 int sysno, | 192 int sysno, |
| 191 int* aux) { | 193 int* aux) { |
| 192 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); | 194 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); |
| 193 switch (sysno) { | 195 switch (sysno) { |
| 194 case __NR_nanosleep: | 196 case __NR_nanosleep: |
| 195 return sandbox->Trap(EnomemHandler, aux); | 197 return sandbox->Trap(EnomemHandler, aux); |
| 196 default: | 198 default: |
| (...skipping 446 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 643 | 645 |
| 644 BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) { | 646 BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) { |
| 645 // We use the SIGBUS bit in the signal mask as a thread-local boolean | 647 // We use the SIGBUS bit in the signal mask as a thread-local boolean |
| 646 // value in the implementation of UnsafeTrap(). This is obviously a bit | 648 // value in the implementation of UnsafeTrap(). This is obviously a bit |
| 647 // of a hack that could conceivably interfere with code that uses SIGBUS | 649 // of a hack that could conceivably interfere with code that uses SIGBUS |
| 648 // in more traditional ways. This test verifies that basic functionality | 650 // in more traditional ways. This test verifies that basic functionality |
| 649 // of SIGBUS is not impacted, but it is certainly possibly to construe | 651 // of SIGBUS is not impacted, but it is certainly possibly to construe |
| 650 // more complex uses of signals where our use of the SIGBUS mask is not | 652 // more complex uses of signals where our use of the SIGBUS mask is not |
| 651 // 100% transparent. This is expected behavior. | 653 // 100% transparent. This is expected behavior. |
| 652 int fds[2]; | 654 int fds[2]; |
| 653 BPF_ASSERT(pipe(fds) == 0); | 655 BPF_ASSERT(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == 0); |
| 654 bus_handler_fd_ = fds[1]; | 656 bus_handler_fd_ = fds[1]; |
| 655 struct sigaction sa = {}; | 657 struct sigaction sa = {}; |
| 656 sa.sa_sigaction = SigBusHandler; | 658 sa.sa_sigaction = SigBusHandler; |
| 657 sa.sa_flags = SA_SIGINFO; | 659 sa.sa_flags = SA_SIGINFO; |
| 658 BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0); | 660 BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0); |
| 659 raise(SIGBUS); | 661 raise(SIGBUS); |
| 660 char c = '\000'; | 662 char c = '\000'; |
| 661 BPF_ASSERT(read(fds[0], &c, 1) == 1); | 663 BPF_ASSERT(read(fds[0], &c, 1) == 1); |
| 662 BPF_ASSERT(close(fds[0]) == 0); | 664 BPF_ASSERT(close(fds[0]) == 0); |
| 663 BPF_ASSERT(close(fds[1]) == 0); | 665 BPF_ASSERT(close(fds[1]) == 0); |
| (...skipping 1086 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1750 "%s\n", | 1752 "%s\n", |
| 1751 args.nr, | 1753 args.nr, |
| 1752 (long long)args.args[0], | 1754 (long long)args.args[0], |
| 1753 (long long)args.args[1], | 1755 (long long)args.args[1], |
| 1754 (long long)args.args[2], | 1756 (long long)args.args[2], |
| 1755 (long long)args.args[3], | 1757 (long long)args.args[3], |
| 1756 (long long)args.args[4], | 1758 (long long)args.args[4], |
| 1757 (long long)args.args[5], | 1759 (long long)args.args[5], |
| 1758 msg); | 1760 msg); |
| 1759 } | 1761 } |
| 1760 return -EPERM; | 1762 return ErrnoToKernelRet(EPERM); |
| 1761 } | 1763 } |
| 1762 | 1764 |
| 1763 class PthreadPolicyEquality : public SandboxBPFPolicy { | 1765 class PthreadPolicyEquality : public SandboxBPFPolicy { |
| 1764 public: | 1766 public: |
| 1765 PthreadPolicyEquality() {} | 1767 PthreadPolicyEquality() {} |
| 1766 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, | 1768 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, |
| 1767 int sysno) const OVERRIDE; | 1769 int sysno) const OVERRIDE; |
| 1768 | 1770 |
| 1769 private: | 1771 private: |
| 1770 DISALLOW_COPY_AND_ASSIGN(PthreadPolicyEquality); | 1772 DISALLOW_COPY_AND_ASSIGN(PthreadPolicyEquality); |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1890 // Attempt to fork() a process using clone(). This should fail. We use the | 1892 // Attempt to fork() a process using clone(). This should fail. We use the |
| 1891 // same flags that glibc uses when calling fork(). But we don't actually | 1893 // same flags that glibc uses when calling fork(). But we don't actually |
| 1892 // try calling the fork() implementation in the C run-time library, as | 1894 // try calling the fork() implementation in the C run-time library, as |
| 1893 // run-time libraries other than glibc might call __NR_fork instead of | 1895 // run-time libraries other than glibc might call __NR_fork instead of |
| 1894 // __NR_clone, and that would introduce a bogus test failure. | 1896 // __NR_clone, and that would introduce a bogus test failure. |
| 1895 int pid; | 1897 int pid; |
| 1896 BPF_ASSERT(SandboxSyscall(__NR_clone, | 1898 BPF_ASSERT(SandboxSyscall(__NR_clone, |
| 1897 CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD, | 1899 CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD, |
| 1898 0, | 1900 0, |
| 1899 0, | 1901 0, |
| 1900 &pid) == -EPERM); | 1902 &pid) == ErrnoToKernelRet(EPERM)); |
|
jln (very slow on Chromium)
2014/06/03 01:00:33
This should be -EPERM, no?
SandboxSyscall() alway
nedeljko
2014/06/03 15:32:18
You are correct.
| |
| 1901 } | 1903 } |
| 1902 | 1904 |
| 1903 BPF_TEST_C(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { | 1905 BPF_TEST_C(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { |
| 1904 PthreadTest(); | 1906 PthreadTest(); |
| 1905 } | 1907 } |
| 1906 | 1908 |
| 1907 BPF_TEST_C(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { | 1909 BPF_TEST_C(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { |
| 1908 PthreadTest(); | 1910 PthreadTest(); |
| 1909 } | 1911 } |
| 1910 | 1912 |
| 1911 } // namespace | 1913 } // namespace |
| 1912 | 1914 |
| 1913 } // namespace sandbox | 1915 } // namespace sandbox |
| OLD | NEW |
