Chromium Code Reviews Chromium Code Reviews
Issue 494743003:
sandbox: Add support for the new seccomp() system call in kernel 3.17. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <errno.h> | 5 #include <errno.h> |
| 6 #include <pthread.h> | 6 #include <pthread.h> |
| 7 #include <sched.h> | 7 #include <sched.h> |
| 8 #include <signal.h> | 8 #include <signal.h> |
| 9 #include <sys/prctl.h> | 9 #include <sys/prctl.h> |
| 10 #include <sys/ptrace.h> | 10 #include <sys/ptrace.h> |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 21 #endif | 21 #endif |
| 22 #include <linux/futex.h> | 22 #include <linux/futex.h> |
| 23 | 23 |
| 24 #include <ostream> | 24 #include <ostream> |
| 25 | 25 |
| 26 #include "base/bind.h" | 26 #include "base/bind.h" |
| 27 #include "base/logging.h" | 27 #include "base/logging.h" |
| 28 #include "base/macros.h" | 28 #include "base/macros.h" |
| 29 #include "base/memory/scoped_ptr.h" | 29 #include "base/memory/scoped_ptr.h" |
| 30 #include "base/posix/eintr_wrapper.h" | 30 #include "base/posix/eintr_wrapper.h" |
| 31 #include "base/synchronization/waitable_event.h" | |
| 31 #include "build/build_config.h" | 32 #include "build/build_config.h" |
| 32 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" | 33 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
| 33 #include "sandbox/linux/seccomp-bpf/syscall.h" | 34 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 34 #include "sandbox/linux/seccomp-bpf/trap.h" | 35 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 35 #include "sandbox/linux/seccomp-bpf/verifier.h" | 36 #include "sandbox/linux/seccomp-bpf/verifier.h" |
| 36 #include "sandbox/linux/services/broker_process.h" | 37 #include "sandbox/linux/services/broker_process.h" |
| 37 #include "sandbox/linux/services/linux_syscalls.h" | 38 #include "sandbox/linux/services/linux_syscalls.h" |
| 38 #include "sandbox/linux/tests/scoped_temporary_file.h" | 39 #include "sandbox/linux/tests/scoped_temporary_file.h" |
| 39 #include "sandbox/linux/tests/unit_tests.h" | 40 #include "sandbox/linux/tests/unit_tests.h" |
| 40 #include "testing/gtest/include/gtest/gtest.h" | 41 #include "testing/gtest/include/gtest/gtest.h" |
| (...skipping 103 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 144 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE { | 145 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE { |
| 145 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); | 146 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); |
| 146 switch (sysno) { | 147 switch (sysno) { |
| 147 case __NR_nanosleep: | 148 case __NR_nanosleep: |
| 148 return ErrorCode(EACCES); | 149 return ErrorCode(EACCES); |
| 149 default: | 150 default: |
| 150 return ErrorCode(ErrorCode::ERR_ALLOWED); | 151 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 151 } | 152 } |
| 152 } | 153 } |
| 153 | 154 |
| 155 static void AssertNanosleepFails() { | |
| 156 const struct timespec ts = {0, 0}; | |
| 157 errno = 0; | |
| 158 BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1); | |
|
jln (very slow on Chromium)
2014/08/21 18:47:09
In theory despite the 0 time you should still hand
Robert Sesek
2014/08/21 20:26:41
Done.
| |
| 159 BPF_ASSERT(errno == EACCES); | |
| 160 } | |
| 161 | |
| 154 private: | 162 private: |
| 155 DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepPolicy); | 163 DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepPolicy); |
| 156 }; | 164 }; |
| 157 | 165 |
| 158 BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { | 166 BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { |
| 159 // nanosleep() should be denied | 167 BlacklistNanosleepPolicy::AssertNanosleepFails(); |
| 160 const struct timespec ts = {0, 0}; | |
| 161 errno = 0; | |
| 162 BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1); | |
| 163 BPF_ASSERT(errno == EACCES); | |
| 164 } | 168 } |
| 165 | 169 |
| 166 // Now do a simple whitelist test | 170 // Now do a simple whitelist test |
| 167 | 171 |
| 168 class WhitelistGetpidPolicy : public SandboxBPFPolicy { | 172 class WhitelistGetpidPolicy : public SandboxBPFPolicy { |
| 169 public: | 173 public: |
| 170 WhitelistGetpidPolicy() {} | 174 WhitelistGetpidPolicy() {} |
| 171 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE { | 175 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE { |
| 172 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); | 176 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); |
| 173 switch (sysno) { | 177 switch (sysno) { |
| (...skipping 1964 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2138 BPF_ASSERT(FullPread64(temp_file.fd(), | 2142 BPF_ASSERT(FullPread64(temp_file.fd(), |
| 2139 read_test_string, | 2143 read_test_string, |
| 2140 sizeof(read_test_string), | 2144 sizeof(read_test_string), |
| 2141 kLargeOffset)); | 2145 kLargeOffset)); |
| 2142 BPF_ASSERT_EQ(0, memcmp(kTestString, read_test_string, sizeof(kTestString))); | 2146 BPF_ASSERT_EQ(0, memcmp(kTestString, read_test_string, sizeof(kTestString))); |
| 2143 BPF_ASSERT(pread_64_was_forwarded); | 2147 BPF_ASSERT(pread_64_was_forwarded); |
| 2144 } | 2148 } |
| 2145 | 2149 |
| 2146 #endif // !defined(OS_ANDROID) | 2150 #endif // !defined(OS_ANDROID) |
| 2147 | 2151 |
| 2152 void* TsyncApplyToTwoThreadsFunc(void* cond_ptr) { | |
| 2153 base::WaitableEvent* event = static_cast<base::WaitableEvent*>(cond_ptr); | |
| 2154 | |
| 2155 // Wait for the main thread to signal that the filter has been applied. | |
| 2156 if (!event->IsSignaled()) { | |
| 2157 event->Wait(); | |
| 2158 } | |
| 2159 | |
| 2160 BPF_ASSERT(event->IsSignaled()); | |
| 2161 | |
| 2162 BlacklistNanosleepPolicy::AssertNanosleepFails(); | |
| 2163 | |
| 2164 return NULL; | |
| 2165 } | |
| 2166 | |
| 2167 SANDBOX_TEST(SandboxBPF, Tsync) { | |
| 2168 if (SandboxBPF::SupportsSeccompThreadFilterSynchronization() != | |
| 2169 SandboxBPF::STATUS_AVAILABLE) { | |
| 2170 return; | |
| 2171 } | |
| 2172 | |
| 2173 base::WaitableEvent event(true, false); | |
| 2174 | |
| 2175 // Create a thread on which to invoke the blocked syscall. | |
| 2176 pthread_t thread; | |
| 2177 BPF_ASSERT_EQ(0, | |
| 2178 pthread_create(&thread, NULL, &TsyncApplyToTwoThreadsFunc, &event)); | |
| 2179 | |
| 2180 // Engage the sandbox. | |
| 2181 SandboxBPF sandbox; | |
| 2182 sandbox.SetSandboxPolicy(new BlacklistNanosleepPolicy()); | |
| 2183 BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED)); | |
| 2184 | |
| 2185 // This thread should have the filter applied as well. | |
| 2186 BlacklistNanosleepPolicy::AssertNanosleepFails(); | |
|
jln (very slow on Chromium)
2014/08/21 18:47:09
What I was suggesting was to return a bool and run
Robert Sesek
2014/08/21 20:26:41
I didn't turn it into a function, since I like bei
| |
| 2187 | |
| 2188 // Signal the condition to invoke the system call. | |
| 2189 event.Signal(); | |
| 2190 | |
| 2191 // Wait for the thread to finish. | |
| 2192 BPF_ASSERT_EQ(0, pthread_join(thread, NULL)); | |
| 2193 } | |
| 2194 | |
| 2148 } // namespace | 2195 } // namespace |
| 2149 | 2196 |
| 2150 } // namespace sandbox | 2197 } // namespace sandbox |
| OLD | NEW |
