sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc - Issue 270613008: Linux sandbox: always restrict clone() in baseline policy.

Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

Issue 270613008: Linux sandbox: always restrict clone() in baseline policy. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

« sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc ('K') | « sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc ('k') | sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"	5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"

6	6

7 #include <errno.h>	7 #include <errno.h>

8 #include <fcntl.h>	8 #include <fcntl.h>

9 #include <fcntl.h>	9 #include <fcntl.h>

10 #include <linux/net.h>	10 #include <linux/net.h>

11 #include <sched.h>	11 #include <sched.h>

12 #include <signal.h>	12 #include <signal.h>

13 #include <sys/ioctl.h>	13 #include <sys/ioctl.h>

14 #include <sys/mman.h>	14 #include <sys/mman.h>

15 #include <sys/prctl.h>	15 #include <sys/prctl.h>

16 #include <sys/stat.h>	16 #include <sys/stat.h>

17 #include <sys/types.h>	17 #include <sys/types.h>

18 #include <unistd.h>	18 #include <unistd.h>

19	19

20 #include "base/basictypes.h"	20 #include "base/basictypes.h"

21 #include "base/logging.h"	21 #include "base/logging.h"

	22 #include "build/build_config.h"

22 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"	23 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"

23 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"	24 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"

24 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"	25 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

25	26

26 #if defined(OS_ANDROID)	27 #if defined(OS_ANDROID)

27 #if !defined(F_DUPFD_CLOEXEC)	28 #if !defined(F_DUPFD_CLOEXEC)

28 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)	29 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)

29 #endif	30 #endif

30 #endif	31 #endif

31	32

(...skipping 12 matching lines...) Expand all Loading...
44 }	45 }

45	46

46 inline bool IsArchitectureI386() {	47 inline bool IsArchitectureI386() {

47 #if defined(__i386__)	48 #if defined(__i386__)

48 return true;	49 return true;

49 #else	50 #else

50 return false;	51 return false;

51 #endif	52 #endif

52 }	53 }

53	54

	55 inline bool IsAndroid() {

	56 #if defined(OS_ANDROID)

	57 return true;

	58 #else

	59 return false;

	60 #endif

	61 }

	62

54 } // namespace.	63 } // namespace.

55	64

56 namespace sandbox {	65 namespace sandbox {

57	66

	67 // Allow Glibc's and Android pthread creation flags, crash on any other

	68 // thread creation attempts and EPERM attempts to use neither

	69 // CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.

58 ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) {	70 ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) {

59 // Glibc's pthread.	71 if (!IsAndroid()) {

60 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,	72 const uint64_t kGlibcPthreadFlags =

61 CLONE_VM \| CLONE_FS \| CLONE_FILES \| CLONE_SIGHAND \|	73 CLONE_VM \| CLONE_FS \| CLONE_FILES \| CLONE_SIGHAND \| CLONE_THREAD \|

62 CLONE_THREAD \| CLONE_SYSVSEM \| CLONE_SETTLS \|	74 CLONE_SYSVSEM \| CLONE_SETTLS \| CLONE_PARENT_SETTID \|

63 CLONE_PARENT_SETTID \| CLONE_CHILD_CLEARTID,	75 CLONE_CHILD_CLEARTID;

64 ErrorCode(ErrorCode::ERR_ALLOWED),	76

65 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,	77 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

66 CLONE_PARENT_SETTID \| SIGCHLD,	78 kGlibcPthreadFlags,

67 ErrorCode(EPERM),	79 ErrorCode(ErrorCode::ERR_ALLOWED),

68 // ARM	80 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
	mdempsky 2014/05/08 21:42:42 This fallback case is shared between !Android and This fallback case is shared between !Android and Android. Maybe worth pulling out as const ErrorCode fallback = sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, CLONE_VM \| CLONE_THREAD, sandbox->Trap(SIGSYSCloneFailure, NULL), ErrorCode(EPERM))); and then referencing that in both cases? Not sure if this is any better, or even if it will work. At your discretion. jln (very slow on Chromium) 2014/05/08 21:52:03 I'll punt for now as we've not done that before an Show quoted text On 2014/05/08 21:42:42, mdempsky wrote: > Not sure if this is any better, or even if it will work. At your discretion. I'll punt for now as we've not done that before and I'm not 100% sure it's tested (even though I can't imagine why it wouldn't work).
69 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,	81 CLONE_VM \| CLONE_THREAD,

70 CLONE_CHILD_SETTID \| CLONE_CHILD_CLEARTID \| SIGCHLD,	82 sandbox->Trap(SIGSYSCloneFailure, NULL),

71 ErrorCode(EPERM),	83 ErrorCode(EPERM)));

72 sandbox->Trap(SIGSYSCloneFailure, NULL))));	84 } else {

	85 const uint64_t kAndroidCloneMask = CLONE_VM \| CLONE_FS \| CLONE_FILES \|

	86 CLONE_SIGHAND \| CLONE_THREAD \|

	87 CLONE_SYSVSEM;

	88 const uint64_t kObsoleteAndroidCloneMask =

	89 kAndroidCloneMask \| CLONE_DETACHED;

	90

	91 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

	92 kAndroidCloneMask,

	93 ErrorCode(ErrorCode::ERR_ALLOWED),

	94 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

	95 kObsoleteAndroidCloneMask,

	96 ErrorCode(ErrorCode::ERR_ALLOWED),

	97 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,

	98 CLONE_VM \| CLONE_THREAD,

	99 sandbox->Trap(SIGSYSCloneFailure, NULL),

	100 ErrorCode(EPERM))));

	101 }

73 }	102 }

74	103

75 ErrorCode RestrictPrctl(SandboxBPF* sandbox) {	104 ErrorCode RestrictPrctl(SandboxBPF* sandbox) {

76 // Will need to add seccomp compositing in the future. PR_SET_PTRACER is	105 // Will need to add seccomp compositing in the future. PR_SET_PTRACER is

77 // used by breakpad but not needed anymore.	106 // used by breakpad but not needed anymore.

78 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,	107 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

79 PR_SET_NAME, ErrorCode(ErrorCode::ERR_ALLOWED),	108 PR_SET_NAME, ErrorCode(ErrorCode::ERR_ALLOWED),

80 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,	109 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

81 PR_SET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED),	110 PR_SET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED),

82 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,	111 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

(...skipping 128 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
211 sandbox->Trap(SIGSYSKillFailure, NULL));	240 sandbox->Trap(SIGSYSKillFailure, NULL));

212 case __NR_tkill:	241 case __NR_tkill:

213 return sandbox->Trap(SIGSYSKillFailure, NULL);	242 return sandbox->Trap(SIGSYSKillFailure, NULL);

214 default:	243 default:

215 NOTREACHED();	244 NOTREACHED();

216 return sandbox->Trap(CrashSIGSYS_Handler, NULL);	245 return sandbox->Trap(CrashSIGSYS_Handler, NULL);

217 }	246 }

218 }	247 }

219	248

220 } // namespace sandbox.	249 } // namespace sandbox.

OLD	NEW