sandbox: Add support for the new seccomp() system call in kernel 3.17.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 
 // Some headers on Android are missing cdefs: crbug.com/172337.
 // (We can't use OS_ANDROID here since build_config.h is not included).
 #if defined(ANDROID)
 #include <sys/cdefs.h>
@@ skipping 12 matching lines @@
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "sandbox/linux/seccomp-bpf/codegen.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
+#include "sandbox/linux/services/linux_syscalls.h"
 
 namespace sandbox {
 
 namespace {
 
 const int kExpectedExitCode = 100;
 
 int popcount(uint32_t x) {
   return __builtin_popcount(x);
 }
@@ skipping 328 matching lines @@
 }
 
 bool SandboxBPF::KernelSupportSeccompBPF() {
   return RunFunctionInPolicy(ProbeProcess,
                              scoped_ptr<SandboxBPFPolicy>(new ProbePolicy())) &&
          RunFunctionInPolicy(
              TryVsyscallProcess,
              scoped_ptr<SandboxBPFPolicy>(new AllowAllPolicy()));
 }
 
+// static
 SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
   // It the sandbox is currently active, we clearly must have support for
   // sandboxing.
   if (status_ == STATUS_ENABLED) {
     return status_;
   }
 
   // Even if the sandbox was previously available, something might have
   // changed in our run-time environment. Check one more time.
   if (status_ == STATUS_AVAILABLE) {
@@ skipping 35 matching lines @@
     // environment that is visible to the sandbox is always guaranteed to be
     // single-threaded. Let's check here whether the caller is single-
     // threaded. Otherwise, we mark the sandbox as temporarily unavailable.
     if (status_ == STATUS_AVAILABLE && !IsSingleThreaded(proc_fd)) {
       status_ = STATUS_UNAVAILABLE;
     }
   }
   return status_;
 }
 
+// static
+SandboxBPF::SandboxStatus
+SandboxBPF::SupportsSeccompThreadFilterSynchronization() {
+  int rv = syscall(__NR_seccomp);

[jln (very slow on Chromium), 2014/08/20 21:34:20]

Do you want to add a comment saying that synchronization and the syscall have
been added together?

[Robert Sesek, 2014/08/21 16:50:18]

Done.

+
+  // The system call should have failed with EINVAL.
+  if (rv != -1)
+    return STATUS_UNKNOWN;

[jln (very slow on Chromium), 2014/08/20 21:34:20]

Maybe add a NOTREACHED() here?

[Robert Sesek, 2014/08/21 16:50:17]

Done.

+
+  if (errno == EINVAL)
+    return STATUS_AVAILABLE;
+
+  // errno is probably ENOSYS, indicating the system call is not available.
+  return STATUS_UNSUPPORTED;

[jln (very slow on Chromium), 2014/08/20 21:34:20]

DCHECK(ENOSYS == errno) maybe?

[Robert Sesek, 2014/08/21 16:50:18]

Done.

+}
+
 void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
 
 bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) {
   CHECK(thread_state == PROCESS_SINGLE_THREADED ||
         thread_state == PROCESS_MULTI_THREADED);
 
   if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
     SANDBOX_DIE(
         "Trying to start sandbox, even though it is known to be "
         "unavailable");
     return false;
   } else if (sandbox_has_started_ || !conds_) {
     SANDBOX_DIE(
         "Cannot repeatedly start sandbox. Create a separate Sandbox "
         "object instead.");
     return false;
   }
   if (proc_fd_ < 0) {
     proc_fd_ = open("/proc", O_RDONLY | O_DIRECTORY);
   }
   if (proc_fd_ < 0) {

[jln (very slow on Chromium), 2014/08/20 21:34:20]

Ugh I need to get rid of this(always pass a file descriptor).

[Robert Sesek, 2014/08/21 16:50:18]

Acknowledged.

     // For now, continue in degraded mode, if we can't access /proc.
     // In the future, we might want to tighten this requirement.
   }
 
-  if (thread_state == PROCESS_SINGLE_THREADED && !IsSingleThreaded(proc_fd_)) {
-    SANDBOX_DIE("Cannot start sandbox, if process is already multi-threaded");
-    return false;
+  if (SupportsSeccompThreadFilterSynchronization() == STATUS_AVAILABLE) {
+    // The kernel supports the seccomp system call, so use that code path.
+    thread_state = PROCESS_MULTI_THREADED;

[jln (very slow on Chromium), 2014/08/20 21:34:20]

I would still want us to crash if the caller passes PROCESS_SINGLE_THREADED from
a multi-threaded process.

It may be best to save the result of
SupportsSeccompThreadFilterSynchronization() in a auxiliary const bool instead.

Then decide whether to call the old or new interface based on that bool.

[Robert Sesek, 2014/08/21 16:50:18]

I actually think SandboxThreadState should just go away, since we have an easy
way to test whether or not a system supports tsync. Back when we thought the
interface was going to be prctl(), this wasn't the case.

[jln (very slow on Chromium), 2014/08/21 18:47:09]

At a high level, paranoia dictates to carefully assert that the situation is
exactly as the caller think it is. This is especially true while TSYNC is not a
strict Chrome run-time requirement. I can imagine this changing in a year or so.
In more details:

- I think the caller should always know whether it is monothreaded or
multithreaded. And we should enforce this with a sanity check.
a. Callers that use PROCESS_SINGLE_THREADED are guaranteed to lead to a working
sandbox on every kernel, not just the ones with TSYNC. This is especially
important / useful on Linux (presumably we'll have TSYNC everywhere on Chrome
OS).
b. More problems can exist with multi-threaded initialization. Other threads
could race to open new resources that are not accounted for (moving "open
resources" sanity checks to after the sandbox is engaged is tricky in some
cases, even though we already to it for most file descriptors).

- Thread detection is not very reliable. It would be easy to make an error where
thread detection is not working at all, except on bots / machines with TSYNC
support.

For instance, for security reasons, we only have /proc available after the
setuid sandbox is engaged in DEBUG mode.

In this case, we would be in a situation where this code would detect multiple
threads but not fail because of TSYNC on our bots, but wouldn't detect existing
threads in the field where TSYNC is not available.

- We are dicussing the possibiliy of convoluted CFI + seccomp sandboxes where
one thread would be "trusted" and not under seccomp-bpf. To support this, we may
want to add a new PROCESS_UNTRUSTED_THREAD or something along these lines to
engage seccomp-bpf on one thread in a multi-threaded process.

+  } else {
+    // The kernel doesn't support the seccomp system call, so the process
+    // must not be multi-threaded.
+    if (!IsSingleThreaded(proc_fd_) || thread_state == PROCESS_MULTI_THREADED) {
+      SANDBOX_DIE("Cannot start sandbox, if process is already multi-threaded");
+      return false;
+    }
   }
 
   // We no longer need access to any files in /proc. We want to do this
   // before installing the filters, just in case that our policy denies
   // close().
   if (proc_fd_ >= 0) {
     if (IGNORE_EINTR(close(proc_fd_))) {
       SANDBOX_DIE("Failed to close file descriptor for /proc");
       return false;
     }
@@ skipping 46 matching lines @@
   memcpy(bpf, &(*program)[0], sizeof(bpf));
   delete program;
 
   // Make an attempt to release memory that is no longer needed here, rather
   // than in the destructor. Try to avoid as much as possible to presume of
   // what will be possible to do in the new (sandboxed) execution environment.
   delete conds_;
   conds_ = NULL;
   policy_.reset();
 
-  // Install BPF filter program
-  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-    SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to enable no-new-privs");
+  // Install BPF filter program. If the thread state indicates multi-threading

[jln (very slow on Chromium), 2014/08/20 21:34:20]

Should we still try to enable NO_NEW_PRIV via prctl first? This granularity
could be useful in understanding failures (also it makes the code below a bit
less nested).

[Robert Sesek, 2014/08/21 16:50:18]

Done.

+  // support, then the kernel hass the seccomp system call. Otherwise, fall
+  // back on prctl, which requires the process to be single-threaded.
+  if (thread_state == PROCESS_MULTI_THREADED) {
+    int rv = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
+        SECCOMP_FILTER_FLAG_TSYNC, (const char*)&prog);
+    if (rv) {
+      SANDBOX_DIE(quiet_ ? NULL :
+          "Kernel refuses to turn on and synchronize threads for BPF filters");
+    }
   } else {
-    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
-      SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to turn on BPF filters");
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+      SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to enable no-new-privs");
+    } else {
+      if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+        SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to turn on BPF filters");
+      }
     }
   }
 
-  // TODO(rsesek): Always try to engage the sandbox with the
-  // PROCESS_MULTI_THREADED path first, and if that fails, assert that the
-  // process IsSingleThreaded() or SANDBOX_DIE.
-
-  if (thread_state == PROCESS_MULTI_THREADED) {
-    // TODO(rsesek): Move these to a more reasonable place once the kernel
-    // patch has landed upstream and these values are formalized.
-    #define PR_SECCOMP_EXT 41
-    #define SECCOMP_EXT_ACT 1
-    #define SECCOMP_EXT_ACT_TSYNC 1
-    if (prctl(PR_SECCOMP_EXT, SECCOMP_EXT_ACT, SECCOMP_EXT_ACT_TSYNC, 0, 0)) {
-      SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to synchronize threadgroup "
-                                  "BPF filters.");
-    }
-  }
-
   sandbox_has_started_ = true;
 }
 
 SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) {
 #if !defined(NDEBUG)
   force_verification = true;
 #endif
 
   // Verify that the user pushed a policy.
   DCHECK(policy_);
@@ skipping 460 matching lines @@
                    &*conds_->insert(failed).first);
 }
 
 ErrorCode SandboxBPF::Kill(const char* msg) {
   return Trap(BPFFailure, const_cast<char*>(msg));
 }
 
 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
 
 }  // namespace sandbox