sandbox: Add support for the new seccomp() system call in kernel 3.17.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 
 // Some headers on Android are missing cdefs: crbug.com/172337.
 // (We can't use OS_ANDROID here since build_config.h is not included).
 #if defined(ANDROID)
 #include <sys/cdefs.h>
@@ skipping 12 matching lines @@
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "sandbox/linux/seccomp-bpf/codegen.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
+#include "sandbox/linux/services/linux_syscalls.h"
 
 namespace sandbox {
 
 namespace {
 
 const int kExpectedExitCode = 100;
 
 int popcount(uint32_t x) {
   return __builtin_popcount(x);
 }
@@ skipping 328 matching lines @@
 }
 
 bool SandboxBPF::KernelSupportSeccompBPF() {
   return RunFunctionInPolicy(ProbeProcess,
                              scoped_ptr<SandboxBPFPolicy>(new ProbePolicy())) &&
          RunFunctionInPolicy(
              TryVsyscallProcess,
              scoped_ptr<SandboxBPFPolicy>(new AllowAllPolicy()));
 }
 
+// static
 SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
   // It the sandbox is currently active, we clearly must have support for
   // sandboxing.
   if (status_ == STATUS_ENABLED) {
     return status_;
   }
 
   // Even if the sandbox was previously available, something might have
   // changed in our run-time environment. Check one more time.
   if (status_ == STATUS_AVAILABLE) {
@@ skipping 35 matching lines @@
     // environment that is visible to the sandbox is always guaranteed to be
     // single-threaded. Let's check here whether the caller is single-
     // threaded. Otherwise, we mark the sandbox as temporarily unavailable.
     if (status_ == STATUS_AVAILABLE && !IsSingleThreaded(proc_fd)) {
       status_ = STATUS_UNAVAILABLE;
     }
   }
   return status_;
 }
 
+// static
+SandboxBPF::SandboxStatus
+SandboxBPF::SupportsSeccompThreadFilterSynchronization() {
+  // Applying NO_NEW_PRIVS, a BPF filter, and synchronizing the filter across
+  // the thread group are all handled atomically by this syscall.
+  int rv = syscall(__NR_seccomp);

[jln (very slow on Chromium), 2014/08/21 21:04:42]

Let's pass the NULL parameters explicitly. I'm not sure every libc guarantees 0
for missing parameters.

[Robert Sesek, 2014/08/25 17:17:26]

Done.

[Robert Sesek, 2014/08/25 17:49:01]

Actually not done, I couldn't get this to work on Android.

+
+  // The system call should have failed with EINVAL.
+  if (rv != -1) {
+    NOTREACHED();
+    return STATUS_UNKNOWN;
+  }
+
+  if (errno == EINVAL)
+    return STATUS_AVAILABLE;
+
+  // errno is probably ENOSYS, indicating the system call is not available.
+  DPCHECK(errno == ENOSYS);
+  return STATUS_UNSUPPORTED;
+}
+
 void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
 
 bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) {
   CHECK(thread_state == PROCESS_SINGLE_THREADED ||
         thread_state == PROCESS_MULTI_THREADED);
 
   if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
     SANDBOX_DIE(
         "Trying to start sandbox, even though it is known to be "
         "unavailable");
     return false;
   } else if (sandbox_has_started_ || !conds_) {
     SANDBOX_DIE(
         "Cannot repeatedly start sandbox. Create a separate Sandbox "
         "object instead.");
     return false;
   }
   if (proc_fd_ < 0) {
     proc_fd_ = open("/proc", O_RDONLY | O_DIRECTORY);
   }
   if (proc_fd_ < 0) {
     // For now, continue in degraded mode, if we can't access /proc.
     // In the future, we might want to tighten this requirement.
   }
 
-  if (thread_state == PROCESS_SINGLE_THREADED && !IsSingleThreaded(proc_fd_)) {
-    SANDBOX_DIE("Cannot start sandbox, if process is already multi-threaded");
+  if (thread_state == PROCESS_SINGLE_THREADED) {
+    if (!IsSingleThreaded(proc_fd_)) {
+      SANDBOX_DIE("Cannot start sandbox; process is already multi-threaded");
+      return false;
+    }
+  } else if (thread_state == PROCESS_MULTI_THREADED) {
+    if (IsSingleThreaded(proc_fd_)) {
+      SANDBOX_DIE("Cannot start sandbox; "

[jln (very slow on Chromium), 2014/08/21 21:04:41]

This is fine, but I feel much less strongly about this. Being able to say "This
process *could* be multithreaded" could be useful.

[Robert Sesek, 2014/08/25 17:17:26]

Done.

+                  "process is not multi-threaded when reported as such");
+      return false;
+    }
+    if (SupportsSeccompThreadFilterSynchronization() != STATUS_AVAILABLE) {
+      SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing "
+                  "filters for a threadgroup");
+      return false;
+    }
+  } else {
+    SANDBOX_DIE("NOTREACHED()");
     return false;
   }
 
   // We no longer need access to any files in /proc. We want to do this
   // before installing the filters, just in case that our policy denies
   // close().
   if (proc_fd_ >= 0) {
     if (IGNORE_EINTR(close(proc_fd_))) {
       SANDBOX_DIE("Failed to close file descriptor for /proc");
       return false;
@@ skipping 47 matching lines @@
   memcpy(bpf, &(*program)[0], sizeof(bpf));
   delete program;
 
   // Make an attempt to release memory that is no longer needed here, rather
   // than in the destructor. Try to avoid as much as possible to presume of
   // what will be possible to do in the new (sandboxed) execution environment.
   delete conds_;
   conds_ = NULL;
   policy_.reset();
 
-  // Install BPF filter program
   if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
     SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to enable no-new-privs");
+  }
+
+  // Install BPF filter program. If the thread state indicates multi-threading
+  // support, then the kernel hass the seccomp system call. Otherwise, fall
+  // back on prctl, which requires the process to be single-threaded.
+  if (thread_state == PROCESS_MULTI_THREADED) {

[jln (very slow on Chromium), 2014/08/21 21:04:42]

It's a very nice safeguard to always use TSYNC and the new interface when it's
available. 

This condition should depend on the result of
SupportsSeccompThreadFilterSynchronization(), not on PROCESS_MULTI_THREADED.

[Robert Sesek, 2014/08/25 17:17:26]

Done.

+    int rv = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
+        SECCOMP_FILTER_FLAG_TSYNC, reinterpret_cast<const char*>(&prog));
+    if (rv) {
+      SANDBOX_DIE(quiet_ ? NULL :
+          "Kernel refuses to turn on and synchronize threads for BPF filters");
+    }
   } else {
     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
       SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to turn on BPF filters");
     }
   }
 
-  // TODO(rsesek): Always try to engage the sandbox with the
-  // PROCESS_MULTI_THREADED path first, and if that fails, assert that the
-  // process IsSingleThreaded() or SANDBOX_DIE.
-
-  if (thread_state == PROCESS_MULTI_THREADED) {
-    // TODO(rsesek): Move these to a more reasonable place once the kernel
-    // patch has landed upstream and these values are formalized.
-    #define PR_SECCOMP_EXT 41
-    #define SECCOMP_EXT_ACT 1
-    #define SECCOMP_EXT_ACT_TSYNC 1
-    if (prctl(PR_SECCOMP_EXT, SECCOMP_EXT_ACT, SECCOMP_EXT_ACT_TSYNC, 0, 0)) {
-      SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to synchronize threadgroup "
-                                  "BPF filters.");
-    }
-  }
-
   sandbox_has_started_ = true;
 }
 
 SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) {
 #if !defined(NDEBUG)
   force_verification = true;
 #endif
 
   // Verify that the user pushed a policy.
   DCHECK(policy_);
@@ skipping 460 matching lines @@
                    &*conds_->insert(failed).first);
 }
 
 ErrorCode SandboxBPF::Kill(const char* msg) {
   return Trap(BPFFailure, const_cast<char*>(msg));
 }
 
 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
 
 }  // namespace sandbox