OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // Note: any code in this file MUST be async-signal safe. | 5 // Note: any code in this file MUST be async-signal safe. |
6 | 6 |
7 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | 7 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
8 | 8 |
| 9 #include <sys/syscall.h> |
9 #include <unistd.h> | 10 #include <unistd.h> |
10 | 11 |
11 #include "base/basictypes.h" | 12 #include "base/basictypes.h" |
| 13 #include "base/logging.h" |
12 #include "base/posix/eintr_wrapper.h" | 14 #include "base/posix/eintr_wrapper.h" |
13 #include "build/build_config.h" | 15 #include "build/build_config.h" |
14 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 16 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 17 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 18 #include "sandbox/linux/services/linux_syscalls.h" |
15 | 19 |
16 #if defined(__mips__) | 20 #if defined(__mips__) |
17 // __NR_Linux, is defined in <asm/unistd.h>. | 21 // __NR_Linux, is defined in <asm/unistd.h>. |
18 #include <asm/unistd.h> | 22 #include <asm/unistd.h> |
19 #endif | 23 #endif |
20 | 24 |
21 #define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure" | 25 #define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure" |
22 #define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure" | 26 #define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure" |
23 #define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure" | 27 #define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure" |
24 #define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure" | 28 #define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure" |
(...skipping 174 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
199 static const char kSeccompFutexError[] = | 203 static const char kSeccompFutexError[] = |
200 __FILE__ ":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT "\n"; | 204 __FILE__ ":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT "\n"; |
201 WriteToStdErr(kSeccompFutexError, sizeof(kSeccompFutexError) - 1); | 205 WriteToStdErr(kSeccompFutexError, sizeof(kSeccompFutexError) - 1); |
202 volatile int futex_op = args.args[1]; | 206 volatile int futex_op = args.args[1]; |
203 volatile char* addr = reinterpret_cast<volatile char*>(futex_op & 0xFFF); | 207 volatile char* addr = reinterpret_cast<volatile char*>(futex_op & 0xFFF); |
204 *addr = '\0'; | 208 *addr = '\0'; |
205 for (;;) | 209 for (;;) |
206 _exit(1); | 210 _exit(1); |
207 } | 211 } |
208 | 212 |
| 213 intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args, |
| 214 void* aux) { |
| 215 switch (args.nr) { |
| 216 case __NR_sched_getaffinity: |
| 217 case __NR_sched_getattr: |
| 218 case __NR_sched_getparam: |
| 219 case __NR_sched_getscheduler: |
| 220 case __NR_sched_rr_get_interval: |
| 221 case __NR_sched_setaffinity: |
| 222 case __NR_sched_setattr: |
| 223 case __NR_sched_setparam: |
| 224 case __NR_sched_setscheduler: |
| 225 const pid_t tid = syscall(__NR_gettid); |
| 226 // The first argument is the pid. If is our thread id, then replace it |
| 227 // with 0, which is equivalent and allowed by the policy. |
| 228 if (args.args[0] == static_cast<uint64_t>(tid)) { |
| 229 return Syscall::Call(args.nr, |
| 230 0, |
| 231 static_cast<intptr_t>(args.args[1]), |
| 232 static_cast<intptr_t>(args.args[2]), |
| 233 static_cast<intptr_t>(args.args[3]), |
| 234 static_cast<intptr_t>(args.args[4]), |
| 235 static_cast<intptr_t>(args.args[5])); |
| 236 } |
| 237 break; |
| 238 } |
| 239 |
| 240 CrashSIGSYS_Handler(args, aux); |
| 241 |
| 242 // Should never be reached. |
| 243 RAW_CHECK(false); |
| 244 return -ENOSYS; |
| 245 } |
| 246 |
209 bpf_dsl::ResultExpr CrashSIGSYS() { | 247 bpf_dsl::ResultExpr CrashSIGSYS() { |
210 return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); | 248 return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); |
211 } | 249 } |
212 | 250 |
213 bpf_dsl::ResultExpr CrashSIGSYSClone() { | 251 bpf_dsl::ResultExpr CrashSIGSYSClone() { |
214 return bpf_dsl::Trap(SIGSYSCloneFailure, NULL); | 252 return bpf_dsl::Trap(SIGSYSCloneFailure, NULL); |
215 } | 253 } |
216 | 254 |
217 bpf_dsl::ResultExpr CrashSIGSYSPrctl() { | 255 bpf_dsl::ResultExpr CrashSIGSYSPrctl() { |
218 return bpf_dsl::Trap(SIGSYSPrctlFailure, NULL); | 256 return bpf_dsl::Trap(SIGSYSPrctlFailure, NULL); |
219 } | 257 } |
220 | 258 |
221 bpf_dsl::ResultExpr CrashSIGSYSIoctl() { | 259 bpf_dsl::ResultExpr CrashSIGSYSIoctl() { |
222 return bpf_dsl::Trap(SIGSYSIoctlFailure, NULL); | 260 return bpf_dsl::Trap(SIGSYSIoctlFailure, NULL); |
223 } | 261 } |
224 | 262 |
225 bpf_dsl::ResultExpr CrashSIGSYSKill() { | 263 bpf_dsl::ResultExpr CrashSIGSYSKill() { |
226 return bpf_dsl::Trap(SIGSYSKillFailure, NULL); | 264 return bpf_dsl::Trap(SIGSYSKillFailure, NULL); |
227 } | 265 } |
228 | 266 |
229 bpf_dsl::ResultExpr CrashSIGSYSFutex() { | 267 bpf_dsl::ResultExpr CrashSIGSYSFutex() { |
230 return bpf_dsl::Trap(SIGSYSFutexFailure, NULL); | 268 return bpf_dsl::Trap(SIGSYSFutexFailure, NULL); |
231 } | 269 } |
232 | 270 |
| 271 bpf_dsl::ResultExpr RewriteSchedSIGSYS() { |
| 272 return bpf_dsl::Trap(SIGSYSSchedHandler, NULL); |
| 273 } |
| 274 |
233 const char* GetErrorMessageContentForTests() { | 275 const char* GetErrorMessageContentForTests() { |
234 return SECCOMP_MESSAGE_COMMON_CONTENT; | 276 return SECCOMP_MESSAGE_COMMON_CONTENT; |
235 } | 277 } |
236 | 278 |
237 const char* GetCloneErrorMessageContentForTests() { | 279 const char* GetCloneErrorMessageContentForTests() { |
238 return SECCOMP_MESSAGE_CLONE_CONTENT; | 280 return SECCOMP_MESSAGE_CLONE_CONTENT; |
239 } | 281 } |
240 | 282 |
241 const char* GetPrctlErrorMessageContentForTests() { | 283 const char* GetPrctlErrorMessageContentForTests() { |
242 return SECCOMP_MESSAGE_PRCTL_CONTENT; | 284 return SECCOMP_MESSAGE_PRCTL_CONTENT; |
243 } | 285 } |
244 | 286 |
245 const char* GetIoctlErrorMessageContentForTests() { | 287 const char* GetIoctlErrorMessageContentForTests() { |
246 return SECCOMP_MESSAGE_IOCTL_CONTENT; | 288 return SECCOMP_MESSAGE_IOCTL_CONTENT; |
247 } | 289 } |
248 | 290 |
249 const char* GetKillErrorMessageContentForTests() { | 291 const char* GetKillErrorMessageContentForTests() { |
250 return SECCOMP_MESSAGE_KILL_CONTENT; | 292 return SECCOMP_MESSAGE_KILL_CONTENT; |
251 } | 293 } |
252 | 294 |
253 const char* GetFutexErrorMessageContentForTests() { | 295 const char* GetFutexErrorMessageContentForTests() { |
254 return SECCOMP_MESSAGE_FUTEX_CONTENT; | 296 return SECCOMP_MESSAGE_FUTEX_CONTENT; |
255 } | 297 } |
256 | 298 |
257 } // namespace sandbox. | 299 } // namespace sandbox. |
OLD | NEW |