Chromium Code Reviews| Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc |
| diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc |
| index 2f4640130b9335f444360df0e167bf7a2b28043d..29c591035972264ed4765f6dde198591c4efb881 100644 |
| --- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc |
| +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc |
| @@ -19,6 +19,7 @@ |
| #include "base/basictypes.h" |
| #include "base/logging.h" |
| +#include "build/build_config.h" |
| #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" |
| #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| @@ -51,25 +52,53 @@ inline bool IsArchitectureI386() { |
| #endif |
| } |
| +inline bool IsAndroid() { |
| +#if defined(OS_ANDROID) |
| + return true; |
| +#else |
| + return false; |
| +#endif |
| +} |
| + |
| } // namespace. |
| namespace sandbox { |
| +// Allow Glibc's and Android pthread creation flags, crash on any other |
| +// thread creation attempts and EPERM attempts to use neither |
| +// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations. |
| ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) { |
| - // Glibc's pthread. |
| - return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| - CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | |
| - CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | |
| - CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, |
| - ErrorCode(ErrorCode::ERR_ALLOWED), |
| - sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| - CLONE_PARENT_SETTID | SIGCHLD, |
| - ErrorCode(EPERM), |
| - // ARM |
| - sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| - CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, |
| - ErrorCode(EPERM), |
| - sandbox->Trap(SIGSYSCloneFailure, NULL)))); |
| + if (!IsAndroid()) { |
| + const uint64_t kGlibcPthreadFlags = |
| + CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD | |
| + CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | |
| + CLONE_CHILD_CLEARTID; |
| + |
| + return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| + kGlibcPthreadFlags, |
| + ErrorCode(ErrorCode::ERR_ALLOWED), |
| + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, |
|
mdempsky
2014/05/08 21:42:42
This fallback case is shared between !Android and
jln (very slow on Chromium)
2014/05/08 21:52:03
I'll punt for now as we've not done that before an
|
| + CLONE_VM | CLONE_THREAD, |
| + sandbox->Trap(SIGSYSCloneFailure, NULL), |
| + ErrorCode(EPERM))); |
| + } else { |
| + const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES | |
| + CLONE_SIGHAND | CLONE_THREAD | |
| + CLONE_SYSVSEM; |
| + const uint64_t kObsoleteAndroidCloneMask = |
| + kAndroidCloneMask | CLONE_DETACHED; |
| + |
| + return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| + kAndroidCloneMask, |
| + ErrorCode(ErrorCode::ERR_ALLOWED), |
| + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, |
| + kObsoleteAndroidCloneMask, |
| + ErrorCode(ErrorCode::ERR_ALLOWED), |
| + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, |
| + CLONE_VM | CLONE_THREAD, |
| + sandbox->Trap(SIGSYSCloneFailure, NULL), |
| + ErrorCode(EPERM)))); |
| + } |
| } |
| ErrorCode RestrictPrctl(SandboxBPF* sandbox) { |
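Review bot: The new header comment on RestrictCloneToThreadsAndEPERMFork says that callers using neither CLONE_VM nor CLONE_THREAD get EPERM, "which includes all fork() implementations", but a reader will likely extend that to vfork(), which the new OP_HAS_ANY_BITS fallback does not: vfork() is clone with CLONE_VM|CLONE_VFORK|SIGCHLD, so it has CLONE_VM set and takes the SIGSYSCloneFailure crash branch in both the !Android and Android subtrees. A one-line addition to the comment such as `// vfork() sets CLONE_VM, so it crashes via SIGSYSCloneFailure instead of getting EPERM.` makes the fail-closed behaviour explicit. The two Android masks (kAndroidCloneMask and kObsoleteAndroidCloneMask) are also undocumented as to their origin; something like `// Bionic's pthread_create() flags; older Bionic also passed the obsolete CLONE_DETACHED, which the kernel ignores.` would let a maintainer re-verify them when the targeted Bionic changes — presumably that is the source, please confirm. Note too that every Cond here inspects arg 0 as TP_32BIT, so on 64-bit targets the treatment of a non-zero upper half of the flags word depends on SandboxBPF's width handling rather than on these masks; worth a short comment if that is intentional.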