Chromium Code Reviews Chromium Code Reviews
Issue 919203002:
Linux Sandbox: add resource limits to NaCl (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <sys/prctl.h> | 9 #include <sys/prctl.h> |
| 10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
| 11 #include <sys/types.h> | 11 #include <sys/types.h> |
| 12 #include <unistd.h> | 12 #include <unistd.h> |
| 13 | 13 |
| 14 #include <limits> | |
| 15 | |
| 14 #include "base/basictypes.h" | 16 #include "base/basictypes.h" |
| 15 #include "base/callback.h" | 17 #include "base/callback.h" |
| 16 #include "base/command_line.h" | 18 #include "base/command_line.h" |
| 17 #include "base/compiler_specific.h" | 19 #include "base/compiler_specific.h" |
| 18 #include "base/files/scoped_file.h" | 20 #include "base/files/scoped_file.h" |
| 19 #include "base/logging.h" | 21 #include "base/logging.h" |
| 20 #include "base/memory/scoped_ptr.h" | 22 #include "base/memory/scoped_ptr.h" |
| 21 #include "base/posix/eintr_wrapper.h" | 23 #include "base/posix/eintr_wrapper.h" |
| 22 #include "build/build_config.h" | 24 #include "build/build_config.h" |
| 23 #include "components/nacl/common/nacl_switches.h" | 25 #include "components/nacl/common/nacl_switches.h" |
| 24 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" | 26 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" |
| 25 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" | 27 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" |
| 26 #include "content/public/common/content_switches.h" | 28 #include "content/public/common/content_switches.h" |
| 27 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 29 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 28 #include "sandbox/linux/services/credentials.h" | 30 #include "sandbox/linux/services/credentials.h" |
| 29 #include "sandbox/linux/services/namespace_sandbox.h" | 31 #include "sandbox/linux/services/namespace_sandbox.h" |
| 30 #include "sandbox/linux/services/proc_util.h" | 32 #include "sandbox/linux/services/proc_util.h" |
| 33 #include "sandbox/linux/services/resource_limits.h" | |
| 31 #include "sandbox/linux/services/thread_helpers.h" | 34 #include "sandbox/linux/services/thread_helpers.h" |
| 32 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 35 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
| 33 | 36 |
| 34 namespace nacl { | 37 namespace nacl { |
| 35 | 38 |
| 36 namespace { | 39 namespace { |
| 37 | 40 |
| 38 // This is a poor man's check on whether we are sandboxed. | 41 // This is a poor man's check on whether we are sandboxed. |
| 39 bool IsSandboxed() { | 42 bool IsSandboxed() { |
| 40 int proc_fd = open("/proc/self/exe", O_RDONLY); | 43 int proc_fd = open("/proc/self/exe", O_RDONLY); |
| (...skipping 21 matching lines...) Expand all Loading... | |
| 62 } | 65 } |
| 63 | 66 |
| 64 if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { | 67 if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { |
| 65 PLOG(ERROR) << "Failed to set non-dumpable flag"; | 68 PLOG(ERROR) << "Failed to set non-dumpable flag"; |
| 66 return false; | 69 return false; |
| 67 } | 70 } |
| 68 | 71 |
| 69 return prctl(PR_GET_DUMPABLE) == 0; | 72 return prctl(PR_GET_DUMPABLE) == 0; |
| 70 } | 73 } |
| 71 | 74 |
| 75 void RestrictAddressSpaceUsage() { | |
| 76 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \ | |
| 77 defined(THREAD_SANITIZER) | |
| 78 // Sanitizers need to reserve huge chunks of the address space. | |
| 79 return; | |
| 80 #endif | |
| 81 | |
| 82 // Add a limit to the brk() heap that would prevent allocations that can't be | |
| 83 // indexed by an int. This helps working around typical security bugs. | |
| 84 // This could almost certainly be set to zero. GLibc's allocator and others | |
| 85 // would fall-back to mmap if brk() fails. | |
| 86 const rlim_t kNewDataSegmentMaxSize = std::numeric_limits<int>::max(); | |
| 87 CHECK(sandbox::ResourceLimits::Lower(RLIMIT_DATA, kNewDataSegmentMaxSize)); | |
| 88 | |
| 89 #if defined(ARCH_CPU_64_BITS) | |
| 90 // NaCl's x86-64 sandbox allocated 88GB address of space during startup: | |
| 91 // - The main sandbox is 4GB | |
| 92 // - There are two guard regions of 40GB each. | |
| 93 // - 4GB are allocated extra to have a 4GB-aligned address. | |
| 94 // See https://crbug.com/455839 | |
| 95 // | |
| 96 // Set the limit to 128 GB and have some margin. | |
| 97 const rlim_t kNewAddressSpaceLimit = 1UL << 37; | |
| 98 #else | |
| 99 // Some architectures such as X86 allow 32 bits processes to switch to 64 | |
| 100 // bits when running under 64 bits kerneks. Set a limit in case this happens. | |
|
Mark Seaborn
2015/02/13 18:33:41
Typo: "kernels"
jln (very slow on Chromium)
2015/02/13 18:58:29
Done.
| |
| 101 const rlim_t kNewAddressSpaceLimit = std::numeric_limits<uint32_t>::max(); | |
| 102 #endif | |
| 103 CHECK(sandbox::ResourceLimits::Lower(RLIMIT_AS, kNewAddressSpaceLimit)); | |
| 104 } | |
| 105 | |
| 72 } // namespace | 106 } // namespace |
| 73 | 107 |
| 74 NaClSandbox::NaClSandbox() | 108 NaClSandbox::NaClSandbox() |
| 75 : layer_one_enabled_(false), | 109 : layer_one_enabled_(false), |
| 76 layer_one_sealed_(false), | 110 layer_one_sealed_(false), |
| 77 layer_two_enabled_(false), | 111 layer_two_enabled_(false), |
| 78 layer_two_is_nonsfi_(false), | 112 layer_two_is_nonsfi_(false), |
| 79 proc_fd_(-1), | 113 proc_fd_(-1), |
| 80 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { | 114 setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { |
| 81 proc_fd_.reset( | 115 proc_fd_.reset( |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 146 CHECK_EQ(expected_num_fds, sandbox::ProcUtil::CountOpenFds(proc_fd_.get())); | 180 CHECK_EQ(expected_num_fds, sandbox::ProcUtil::CountOpenFds(proc_fd_.get())); |
| 147 } | 181 } |
| 148 | 182 |
| 149 void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) { | 183 void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) { |
| 150 // seccomp-bpf only applies to the current thread, so it's critical to only | 184 // seccomp-bpf only applies to the current thread, so it's critical to only |
| 151 // have a single thread running here. | 185 // have a single thread running here. |
| 152 DCHECK(!layer_one_sealed_); | 186 DCHECK(!layer_one_sealed_); |
| 153 CHECK(IsSingleThreaded()); | 187 CHECK(IsSingleThreaded()); |
| 154 CheckForExpectedNumberOfOpenFds(); | 188 CheckForExpectedNumberOfOpenFds(); |
| 155 | 189 |
| 190 RestrictAddressSpaceUsage(); | |
| 191 | |
| 156 base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get())); | 192 base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get())); |
| 157 | 193 |
| 158 if (uses_nonsfi_mode) { | 194 if (uses_nonsfi_mode) { |
| 159 layer_two_enabled_ = | 195 layer_two_enabled_ = |
| 160 nacl::nonsfi::InitializeBPFSandbox(proc_self_task.Pass()); | 196 nacl::nonsfi::InitializeBPFSandbox(proc_self_task.Pass()); |
| 161 layer_two_is_nonsfi_ = true; | 197 layer_two_is_nonsfi_ = true; |
| 162 } else { | 198 } else { |
| 163 layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_self_task.Pass()); | 199 layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_self_task.Pass()); |
| 164 } | 200 } |
| 165 } | 201 } |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 198 static const char kNoBpfMsg[] = | 234 static const char kNoBpfMsg[] = |
| 199 "The seccomp-bpf sandbox is not engaged for NaCl:"; | 235 "The seccomp-bpf sandbox is not engaged for NaCl:"; |
| 200 if (can_be_no_sandbox) | 236 if (can_be_no_sandbox) |
| 201 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; | 237 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; |
| 202 else | 238 else |
| 203 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; | 239 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; |
| 204 } | 240 } |
| 205 } | 241 } |
| 206 | 242 |
| 207 } // namespace nacl | 243 } // namespace nacl |
| OLD | NEW |
