Chromium Code Reviews Chromium Code Reviews
Issue 99133015:
Linux Sandbox: split the GPU policies to their own file. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: content/common/sandbox_linux/sandbox_bpf_gpu_policy_linux.cc |
| diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_linux/sandbox_bpf_gpu_policy_linux.cc |
| similarity index 39% |
| copy from content/common/sandbox_seccomp_bpf_linux.cc |
| copy to content/common/sandbox_linux/sandbox_bpf_gpu_policy_linux.cc |
| index 484fe734a09094133f0f98226ed0e8ff56423fb3..12fdd353c6f024054aed7f48358c82a7f6c5fda3 100644 |
| --- a/content/common/sandbox_seccomp_bpf_linux.cc |
| +++ b/content/common/sandbox_linux/sandbox_bpf_gpu_policy_linux.cc |
| @@ -1,52 +1,32 @@ |
| -// Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| +// Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| -#include <asm/unistd.h> |
| +#include "content/common/sandbox_linux/sandbox_bpf_gpu_policy_linux.h" |
| + |
| #include <dlfcn.h> |
| #include <errno.h> |
| #include <fcntl.h> |
| -#include <linux/net.h> |
| -#include <signal.h> |
| -#include <string.h> |
| -#include <sys/ioctl.h> |
| -#include <sys/mman.h> |
| -#include <sys/prctl.h> |
| #include <sys/socket.h> |
| #include <sys/stat.h> |
| #include <sys/types.h> |
| -#include <ucontext.h> |
| #include <unistd.h> |
| +#include <string> |
| #include <vector> |
| -#include "base/basictypes.h" |
| #include "base/command_line.h" |
| +#include "base/compiler_specific.h" |
| #include "base/logging.h" |
| -#include "build/build_config.h" |
| -#include "content/common/sandbox_linux.h" |
| -#include "content/common/sandbox_seccomp_bpf_linux.h" |
| +#include "base/memory/scoped_ptr.h" |
| +#include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" |
| +#include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" |
| #include "content/public/common/content_switches.h" |
| -#include "sandbox/linux/services/broker_process.h" |
| - |
| -// These are the only architectures supported for now. |
| -#if defined(__i386__) || defined(__x86_64__) || \ |
| - (defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))) |
| -#define SECCOMP_BPF_SANDBOX |
| -#endif |
| - |
| -#if defined(SECCOMP_BPF_SANDBOX) |
| -#include "base/posix/eintr_wrapper.h" |
| -#include "content/common/sandbox_bpf_base_policy_linux.h" |
| -#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
| -#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| -#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
| #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" |
| #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| -#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" |
| +#include "sandbox/linux/services/broker_process.h" |
| #include "sandbox/linux/services/linux_syscalls.h" |
| -using sandbox::BaselinePolicy; |
| using sandbox::BrokerProcess; |
| using sandbox::ErrorCode; |
| using sandbox::SandboxBPF; |
| @@ -57,7 +37,16 @@ namespace content { |
| namespace { |
| -void StartSandboxWithPolicy(sandbox::SandboxBPFPolicy* policy); |
| +void InitGpuBrokerProcess(bool (*broker_sandboxer_callback)(void), |
| + bool for_chromeos_arm, |
| + const std::vector<std::string>& read_whitelist_extra, |
| + const std::vector<std::string>& write_whitelist_extra, |
| + BrokerProcess** broker_process); |
| + |
| +void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist, |
| + std::vector<std::string>* write_whitelist); |
| +bool EnableGpuBrokerPolicyCallback(); |
| +bool EnableArmGpuBrokerPolicyCallback(); |
| inline bool IsChromeOS() { |
| #if defined(OS_CHROMEOS) |
| @@ -91,17 +80,6 @@ inline bool IsArchitectureArm() { |
| #endif |
| } |
| -inline bool IsUsingToolKitGtk() { |
| -#if defined(TOOLKIT_GTK) |
| - return true; |
| -#else |
| - return false; |
| -#endif |
| -} |
| - |
| -// Policies for the GPU process. |
| -// TODO(jln): move to gpu/ |
| - |
| bool IsAcceleratedVideoDecodeEnabled() { |
| // Accelerated video decode is currently enabled on Chrome OS, |
| // but not on Linux: crbug.com/137247. |
| @@ -143,19 +121,32 @@ intptr_t GpuSIGSYS_Handler(const struct arch_seccomp_data& args, |
| class GpuProcessPolicy : public SandboxBPFBasePolicy { |
| public: |
| - explicit GpuProcessPolicy(void* broker_process) |
| - : broker_process_(broker_process) {} |
| + GpuProcessPolicy() : broker_process_(NULL) {} |
| virtual ~GpuProcessPolicy() {} |
| virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| int system_call_number) const OVERRIDE; |
| + virtual bool PreSandboxHook() OVERRIDE; |
| + |
| + protected: |
| + BrokerProcess* broker_process() { return broker_process_; } |
| + void set_broker_process(BrokerProcess* broker_process) { |
|
Jorge Lucangeli Obes
2013/12/12 21:37:21
Is this the correct style for the setter?
Robert Sesek
2013/12/12 21:41:43
Yes, simple accessors use unix_hacker_style and ge
jln (very slow on Chromium)
2013/12/12 22:15:14
Done.
jln (very slow on Chromium)
2013/12/12 22:15:14
Done.
|
| + broker_process_ = broker_process; |
| + } |
| private: |
| - const void* broker_process_; // Non-owning pointer. |
| + // A BrokerProcess is a helper that is started before the sandbox is engaged |
| + // and will serve requests to access files over an IPC. The client of this |
|
Jorge Lucangeli Obes
2013/12/12 21:37:21
I would say "over IPC" or "over an IPC channel".
jln (very slow on Chromium)
2013/12/12 22:15:14
Done.
|
| + // runs from a SIGSYS handler triggered by the seccomp-bpf sandbox. |
| + // This should never be destroyed, as after the sandbox is started it is |
| + // vital to the process. |
| + // This is allocated by PreSandboxHook(), which executes iff the sandbox |
| + // is going to be enabled afterwards. |
| + BrokerProcess* broker_process_; |
| DISALLOW_COPY_AND_ASSIGN(GpuProcessPolicy); |
| }; |
| -// Main policy for x86_64/i386. Extended by ArmGpuProcessPolicy. |
| +// Main policy for x86_64/i386. Extended by CrosArmGpuProcessPolicy. |
| ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| int sysno) const { |
| switch (sysno) { |
| @@ -175,6 +166,7 @@ ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| case __NR_access: |
| case __NR_open: |
| case __NR_openat: |
| + DCHECK(broker_process_); |
| return sandbox->Trap(GpuSIGSYS_Handler, broker_process_); |
| default: |
| if (SyscallSets::IsEventFd(sysno)) |
| @@ -185,9 +177,47 @@ ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| } |
| } |
| +bool GpuProcessPolicy::PreSandboxHook() { |
| + // Warm up resources needed by the policy we're about to enable and |
| + // eventually start a broker process. |
| + const bool chromeos_arm_gpu = IsChromeOS() && IsArchitectureArm(); |
| + DCHECK(!chromeos_arm_gpu); |
|
Jorge Lucangeli Obes
2013/12/12 21:37:21
Maybe add a comment reminding the reader "This pol
jln (very slow on Chromium)
2013/12/12 22:15:14
Done, but not that it's also used on ARM desktop.
|
| + |
| + BrokerProcess* broker_process_temp = NULL; |
| + DCHECK(!broker_process()); |
| + // Create a new broker process. |
| + InitGpuBrokerProcess( |
| + EnableGpuBrokerPolicyCallback, |
| + false /* not for ChromeOS ARM */, |
| + std::vector<std::string>(), // No extra files in whitelist. |
| + std::vector<std::string>(), |
| + &broker_process_temp); |
| + set_broker_process(broker_process_temp); |
| + |
| + if (IsArchitectureX86_64() || IsArchitectureI386()) { |
| + // Accelerated video decode dlopen()'s some shared objects |
| + // inside the sandbox, so preload them now. |
| + if (IsAcceleratedVideoDecodeEnabled()) { |
| + const char* I965DrvVideoPath = NULL; |
| + |
| + if (IsArchitectureX86_64()) { |
| + I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; |
| + } else if (IsArchitectureI386()) { |
| + I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; |
| + } |
| + |
| + dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + } |
| + } |
| + |
| + return true; |
| +} |
| + |
| class GpuBrokerProcessPolicy : public GpuProcessPolicy { |
| public: |
| - GpuBrokerProcessPolicy() : GpuProcessPolicy(NULL) {} |
| + GpuBrokerProcessPolicy() {} |
| virtual ~GpuBrokerProcessPolicy() {} |
| virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| @@ -197,7 +227,7 @@ class GpuBrokerProcessPolicy : public GpuProcessPolicy { |
| DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy); |
| }; |
| -// x86_64/i386. |
| +// x86_64/i386 or desktop ARM. |
| // A GPU broker policy is the same as a GPU policy with open and |
| // openat allowed. |
| ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| @@ -212,23 +242,25 @@ ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| } |
| } |
| -class ArmGpuProcessPolicy : public GpuProcessPolicy { |
| +// This policy is for Chrome OS ARM. |
| +class CrosArmGpuProcessPolicy : public GpuProcessPolicy { |
| public: |
| - explicit ArmGpuProcessPolicy(void* broker_process, bool allow_shmat) |
| - : GpuProcessPolicy(broker_process), allow_shmat_(allow_shmat) {} |
| - virtual ~ArmGpuProcessPolicy() {} |
| + explicit CrosArmGpuProcessPolicy(bool allow_shmat) |
| + : allow_shmat_(allow_shmat) {} |
| + virtual ~CrosArmGpuProcessPolicy() {} |
| virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| int system_call_number) const OVERRIDE; |
| + virtual bool PreSandboxHook() OVERRIDE; |
| private: |
| const bool allow_shmat_; // Allow shmat(2). |
| - DISALLOW_COPY_AND_ASSIGN(ArmGpuProcessPolicy); |
| + DISALLOW_COPY_AND_ASSIGN(CrosArmGpuProcessPolicy); |
| }; |
| // Generic ARM GPU process sandbox, inheriting from GpuProcessPolicy. |
| -ErrorCode ArmGpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| - int sysno) const { |
| +ErrorCode CrosArmGpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| + int sysno) const { |
| #if defined(__arm__) |
| if (allow_shmat_ && sysno == __NR_shmat) |
| return ErrorCode(ErrorCode::ERR_ALLOWED); |
| @@ -261,239 +293,76 @@ ErrorCode ArmGpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| } |
| } |
| -class ArmGpuBrokerProcessPolicy : public ArmGpuProcessPolicy { |
| +bool CrosArmGpuProcessPolicy::PreSandboxHook() { |
| + DCHECK(IsChromeOS() && IsArchitectureArm()); |
| + // Create a new broker process. |
| + BrokerProcess* broker_process_temp = NULL; |
| + DCHECK(!broker_process()); |
| + |
| + std::vector<std::string> read_whitelist_extra; |
| + std::vector<std::string> write_whitelist_extra; |
| + // Add arm specific files to whitelist in the broker. |
|
Jorge Lucangeli Obes
2013/12/12 21:37:21
ARM-specific
jln (very slow on Chromium)
2013/12/12 22:15:14
Done.
|
| + |
| + AddArmGpuWhitelist(&read_whitelist_extra, &write_whitelist_extra); |
| + InitGpuBrokerProcess(EnableArmGpuBrokerPolicyCallback, |
| + true /* for ChromeOS ARM */, |
| + read_whitelist_extra, |
| + write_whitelist_extra, |
| + &broker_process_temp); |
| + set_broker_process(broker_process_temp); |
| + |
| + // Preload the Mali library. |
| + dlopen("/usr/lib/libmali.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + |
| + // Preload the Tegra libraries. |
| + dlopen("/usr/lib/libnvrm.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + dlopen("/usr/lib/libnvrm_graphics.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + dlopen("/usr/lib/libnvos.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + dlopen("/usr/lib/libnvddk_2d.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + dlopen("/usr/lib/libardrv_dynamic.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + dlopen("/usr/lib/libnvwsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + dlopen("/usr/lib/libnvglsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + dlopen("/usr/lib/libcgdrv.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| + |
| + return true; |
| +} |
| + |
| +class CrosArmGpuBrokerProcessPolicy : public CrosArmGpuProcessPolicy { |
| public: |
| - ArmGpuBrokerProcessPolicy() : ArmGpuProcessPolicy(NULL, false) {} |
| - virtual ~ArmGpuBrokerProcessPolicy() {} |
| + CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {} |
| + virtual ~CrosArmGpuBrokerProcessPolicy() {} |
| virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| int system_call_number) const OVERRIDE; |
| private: |
| - DISALLOW_COPY_AND_ASSIGN(ArmGpuBrokerProcessPolicy); |
| + DISALLOW_COPY_AND_ASSIGN(CrosArmGpuBrokerProcessPolicy); |
| }; |
| // A GPU broker policy is the same as a GPU policy with open and |
| // openat allowed. |
| -ErrorCode ArmGpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| - int sysno) const { |
| +ErrorCode CrosArmGpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| + int sysno) const { |
| switch (sysno) { |
| case __NR_access: |
| case __NR_open: |
| case __NR_openat: |
| return ErrorCode(ErrorCode::ERR_ALLOWED); |
| default: |
| - return ArmGpuProcessPolicy::EvaluateSyscall(sandbox, sysno); |
| - } |
| -} |
| - |
| -// Policy for renderer and worker processes. |
| -// TODO(jln): move to renderer/ |
| - |
| -class RendererOrWorkerProcessPolicy : public SandboxBPFBasePolicy { |
| - public: |
| - RendererOrWorkerProcessPolicy() {} |
| - virtual ~RendererOrWorkerProcessPolicy() {} |
| - |
| - virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| - int system_call_number) const OVERRIDE; |
| - |
| - private: |
| - DISALLOW_COPY_AND_ASSIGN(RendererOrWorkerProcessPolicy); |
| -}; |
| - |
| -ErrorCode RendererOrWorkerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| - int sysno) const { |
| - switch (sysno) { |
| - case __NR_clone: |
| - return sandbox::RestrictCloneToThreadsAndEPERMFork(sandbox); |
| - case __NR_ioctl: |
| - return sandbox::RestrictIoctl(sandbox); |
| - case __NR_prctl: |
| - return sandbox::RestrictPrctl(sandbox); |
| - // Allow the system calls below. |
| - case __NR_fdatasync: |
| - case __NR_fsync: |
| - case __NR_getpriority: |
| -#if defined(__i386__) || defined(__x86_64__) |
| - case __NR_getrlimit: |
| -#endif |
| -#if defined(__i386__) || defined(__arm__) |
| - case __NR_ugetrlimit: |
| -#endif |
| - case __NR_mremap: // See crbug.com/149834. |
| - case __NR_pread64: |
| - case __NR_pwrite64: |
| - case __NR_sched_getaffinity: |
| - case __NR_sched_get_priority_max: |
| - case __NR_sched_get_priority_min: |
| - case __NR_sched_getparam: |
| - case __NR_sched_getscheduler: |
| - case __NR_sched_setscheduler: |
| - case __NR_setpriority: |
| - case __NR_sysinfo: |
| - case __NR_times: |
| - case __NR_uname: |
| - return ErrorCode(ErrorCode::ERR_ALLOWED); |
| - case __NR_prlimit64: |
| - return ErrorCode(EPERM); // See crbug.com/160157. |
| - default: |
| - if (IsUsingToolKitGtk()) { |
| -#if defined(__x86_64__) || defined(__arm__) |
| - if (SyscallSets::IsSystemVSharedMemory(sysno)) |
| - return ErrorCode(ErrorCode::ERR_ALLOWED); |
| -#endif |
| -#if defined(__i386__) |
| - if (SyscallSets::IsSystemVIpc(sysno)) |
| - return ErrorCode(ErrorCode::ERR_ALLOWED); |
| -#endif |
| - } |
| - |
| - // Default on the content baseline policy. |
| - return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); |
| - } |
| -} |
| - |
| -// Policy for PPAPI plugins. |
| -// TODO(jln): move to ppapi_plugin/. |
| -class FlashProcessPolicy : public SandboxBPFBasePolicy { |
| - public: |
| - FlashProcessPolicy() {} |
| - virtual ~FlashProcessPolicy() {} |
| - |
| - virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| - int system_call_number) const OVERRIDE; |
| - |
| - private: |
| - DISALLOW_COPY_AND_ASSIGN(FlashProcessPolicy); |
| -}; |
| - |
| -ErrorCode FlashProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| - int sysno) const { |
| - switch (sysno) { |
| - case __NR_clone: |
| - return sandbox::RestrictCloneToThreadsAndEPERMFork(sandbox); |
| - case __NR_pread64: |
| - case __NR_pwrite64: |
| - case __NR_sched_get_priority_max: |
| - case __NR_sched_get_priority_min: |
| - case __NR_sched_getaffinity: |
| - case __NR_sched_getparam: |
| - case __NR_sched_getscheduler: |
| - case __NR_sched_setscheduler: |
| - case __NR_times: |
| - return ErrorCode(ErrorCode::ERR_ALLOWED); |
| - case __NR_ioctl: |
| - return ErrorCode(ENOTTY); // Flash Access. |
| - default: |
| - if (IsUsingToolKitGtk()) { |
| -#if defined(__x86_64__) || defined(__arm__) |
| - if (SyscallSets::IsSystemVSharedMemory(sysno)) |
| - return ErrorCode(ErrorCode::ERR_ALLOWED); |
| -#endif |
| -#if defined(__i386__) |
| - if (SyscallSets::IsSystemVIpc(sysno)) |
| - return ErrorCode(ErrorCode::ERR_ALLOWED); |
| -#endif |
| - } |
| - |
| - // Default on the baseline policy. |
| - return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); |
| - } |
| -} |
| - |
| -class BlacklistDebugAndNumaPolicy : public SandboxBPFBasePolicy { |
| - public: |
| - BlacklistDebugAndNumaPolicy() {} |
| - virtual ~BlacklistDebugAndNumaPolicy() {} |
| - |
| - virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| - int system_call_number) const OVERRIDE; |
| - |
| - private: |
| - DISALLOW_COPY_AND_ASSIGN(BlacklistDebugAndNumaPolicy); |
| -}; |
| - |
| -ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| - int sysno) const { |
| - if (!SandboxBPF::IsValidSyscallNumber(sysno)) { |
| - // TODO(jln) we should not have to do that in a trivial policy. |
| - return ErrorCode(ENOSYS); |
| - } |
| - if (SyscallSets::IsDebug(sysno) || SyscallSets::IsNuma(sysno)) |
| - return sandbox->Trap(sandbox::CrashSIGSYS_Handler, NULL); |
| - |
| - return ErrorCode(ErrorCode::ERR_ALLOWED); |
| -} |
| - |
| -class AllowAllPolicy : public SandboxBPFBasePolicy { |
| - public: |
| - AllowAllPolicy() {} |
| - virtual ~AllowAllPolicy() {} |
| - |
| - virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| - int system_call_number) const OVERRIDE; |
| - |
| - private: |
| - DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy); |
| -}; |
| - |
| -// Allow all syscalls. |
| -// This will still deny x32 or IA32 calls in 64 bits mode or |
| -// 64 bits system calls in compatibility mode. |
| -ErrorCode AllowAllPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const { |
| - if (!SandboxBPF::IsValidSyscallNumber(sysno)) { |
| - // TODO(jln) we should not have to do that in a trivial policy. |
| - return ErrorCode(ENOSYS); |
| - } else { |
| - return ErrorCode(ErrorCode::ERR_ALLOWED); |
| - } |
| -} |
| - |
| -// If a BPF policy is engaged for |process_type|, run a few sanity checks. |
| -void RunSandboxSanityChecks(const std::string& process_type) { |
| - if (process_type == switches::kRendererProcess || |
| - process_type == switches::kWorkerProcess || |
| - process_type == switches::kGpuProcess || |
| - process_type == switches::kPpapiPluginProcess) { |
| - int syscall_ret; |
| - errno = 0; |
| - |
| - // Without the sandbox, this would EBADF. |
| - syscall_ret = fchmod(-1, 07777); |
| - CHECK_EQ(-1, syscall_ret); |
| - CHECK_EQ(EPERM, errno); |
| - |
| - // Run most of the sanity checks only in DEBUG mode to avoid a perf. |
| - // impact. |
| -#if !defined(NDEBUG) |
| - // open() must be restricted. |
| - syscall_ret = open("/etc/passwd", O_RDONLY); |
| - CHECK_EQ(-1, syscall_ret); |
| - CHECK_EQ(SandboxBPFBasePolicy::GetFSDeniedErrno(), errno); |
| - |
| - // We should never allow the creation of netlink sockets. |
| - syscall_ret = socket(AF_NETLINK, SOCK_DGRAM, 0); |
| - CHECK_EQ(-1, syscall_ret); |
| - CHECK_EQ(EPERM, errno); |
| -#endif // !defined(NDEBUG) |
| + return CrosArmGpuProcessPolicy::EvaluateSyscall(sandbox, sysno); |
| } |
| } |
| bool EnableGpuBrokerPolicyCallback() { |
| - StartSandboxWithPolicy(new GpuBrokerProcessPolicy); |
| - return true; |
| + return SandboxSeccompBPF::StartSandboxWithExternalPolicy( |
| + scoped_ptr<sandbox::SandboxBPFPolicy>(new GpuBrokerProcessPolicy)); |
| } |
| bool EnableArmGpuBrokerPolicyCallback() { |
| - StartSandboxWithPolicy(new ArmGpuBrokerProcessPolicy); |
| - return true; |
| + return SandboxSeccompBPF::StartSandboxWithExternalPolicy( |
| + scoped_ptr<sandbox::SandboxBPFPolicy>(new CrosArmGpuBrokerProcessPolicy)); |
| } |
| -// Files needed by the ARM GPU userspace. |
| -static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; |
| -static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; |
| - |
| void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist, |
| std::vector<std::string>* write_whitelist) { |
| // Device file needed by the ARM GPU userspace. |
| @@ -552,6 +421,10 @@ void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist, |
| static const char kXAuthorityPath[] = "/home/chronos/.Xauthority"; |
| static const char kLdSoCache[] = "/etc/ld.so.cache"; |
| + // Files needed by the ARM GPU userspace. |
| + static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; |
| + static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; |
| + |
| read_whitelist->push_back(kXAuthorityPath); |
| read_whitelist->push_back(kLdSoCache); |
| read_whitelist->push_back(kLibGlesPath); |
| @@ -562,7 +435,15 @@ void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist, |
| } |
| // Start a broker process to handle open() inside the sandbox. |
| -void InitGpuBrokerProcess(bool for_chromeos_arm, |
| +// |broker_sandboxer_callback| is a callback that will enable a suitable |
| +// sandbox for the broker process itself. |
| +// |read_whitelist_extra| and |write_whitelist_extra| are lists of file |
| +// names that should be whitelisted by the broker process, in addition to |
| +// the basic ones. |
| +void InitGpuBrokerProcess(bool (*broker_sandboxer_callback)(void), |
| + bool for_chromeos_arm, |
| + const std::vector<std::string>& read_whitelist_extra, |
| + const std::vector<std::string>& write_whitelist_extra, |
| BrokerProcess** broker_process) { |
| static const char kDriRcPath[] = "/etc/drirc"; |
| static const char kDriCard0Path[] = "/dev/dri/card0"; |
| @@ -570,234 +451,45 @@ void InitGpuBrokerProcess(bool for_chromeos_arm, |
| CHECK(broker_process); |
| CHECK(*broker_process == NULL); |
| - bool (*sandbox_callback)(void) = NULL; |
| - |
| // All GPU process policies need these files brokered out. |
| std::vector<std::string> read_whitelist; |
| read_whitelist.push_back(kDriCard0Path); |
| read_whitelist.push_back(kDriRcPath); |
| + // Add eventual extra files from read_whitelist_extra. |
| + read_whitelist.insert(read_whitelist.end(), |
| + read_whitelist_extra.begin(), |
| + read_whitelist_extra.end()); |
| std::vector<std::string> write_whitelist; |
| write_whitelist.push_back(kDriCard0Path); |
| - |
| - if (for_chromeos_arm) { |
| - // We shouldn't be using this policy on non-ARM architectures. |
| - DCHECK(IsArchitectureArm()); |
| - AddArmGpuWhitelist(&read_whitelist, &write_whitelist); |
| - sandbox_callback = EnableArmGpuBrokerPolicyCallback; |
| - } else { |
| - sandbox_callback = EnableGpuBrokerPolicyCallback; |
| - } |
| + // Add eventual extra files from write_whitelist_extra. |
| + write_whitelist.insert(write_whitelist.end(), |
| + write_whitelist_extra.begin(), |
| + write_whitelist_extra.end()); |
| *broker_process = new BrokerProcess(SandboxBPFBasePolicy::GetFSDeniedErrno(), |
| read_whitelist, |
| write_whitelist); |
| // Initialize the broker process and give it a sandbox callback. |
| - CHECK((*broker_process)->Init(sandbox_callback)); |
| -} |
| - |
| -// Warms up/preloads resources needed by the policies. |
| -// Eventually start a broker process and return it in broker_process. |
| -void WarmupPolicy(bool chromeos_arm_gpu, |
| - BrokerProcess** broker_process) { |
| - if (!chromeos_arm_gpu) { |
| - // Create a new broker process. |
| - InitGpuBrokerProcess(false /* not for ChromeOS ARM */, broker_process); |
| - |
| - if (IsArchitectureX86_64() || IsArchitectureI386()) { |
| - // Accelerated video decode dlopen()'s some shared objects |
| - // inside the sandbox, so preload them now. |
| - if (IsAcceleratedVideoDecodeEnabled()) { |
| - const char* I965DrvVideoPath = NULL; |
| - |
| - if (IsArchitectureX86_64()) { |
| - I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; |
| - } else if (IsArchitectureI386()) { |
| - I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; |
| - } |
| - |
| - dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - } |
| - } |
| - } else { |
| - // ChromeOS ARM GPU policy. |
| - // Create a new broker process. |
| - InitGpuBrokerProcess(true /* for ChromeOS ARM */, broker_process); |
| - |
| - // Preload the Mali library. |
| - dlopen("/usr/lib/libmali.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - |
| - // Preload the Tegra libraries. |
| - dlopen("/usr/lib/libnvrm.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - dlopen("/usr/lib/libnvrm_graphics.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - dlopen("/usr/lib/libnvos.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - dlopen("/usr/lib/libnvddk_2d.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - dlopen("/usr/lib/libardrv_dynamic.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - dlopen("/usr/lib/libnvwsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - dlopen("/usr/lib/libnvglsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - dlopen("/usr/lib/libcgdrv.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
| - } |
| -} |
| - |
| -void StartGpuProcessSandbox(const CommandLine& command_line, |
| - const std::string& process_type) { |
| - bool chromeos_arm_gpu = false; |
| - bool allow_sysv_shm = false; |
| - |
| - if (process_type == switches::kGpuProcess) { |
| - // On Chrome OS ARM, we need a specific GPU process policy. |
| - if (IsChromeOS() && IsArchitectureArm()) { |
| - chromeos_arm_gpu = true; |
| - if (command_line.HasSwitch(switches::kGpuSandboxAllowSysVShm)) { |
| - allow_sysv_shm = true; |
| - } |
| - } |
| - } |
| - |
| - // This should never be destroyed, as after the sandbox is started it is |
| - // vital to the process. Ownership is transfered to the policies and then to |
| - // the BPF sandbox which will keep it around to service SIGSYS traps from the |
| - // kernel. |
| - BrokerProcess* broker_process = NULL; |
| - // Warm up resources needed by the policy we're about to enable and |
| - // eventually start a broker process. |
| - WarmupPolicy(chromeos_arm_gpu, &broker_process); |
| - |
| - scoped_ptr<SandboxBPFBasePolicy> gpu_policy; |
| - if (chromeos_arm_gpu) { |
| - gpu_policy.reset(new ArmGpuProcessPolicy(broker_process, allow_sysv_shm)); |
| - } else { |
| - gpu_policy.reset(new GpuProcessPolicy(broker_process)); |
| - } |
| - StartSandboxWithPolicy(gpu_policy.release()); |
| -} |
| - |
| -// This function takes ownership of |policy|. |
| -void StartSandboxWithPolicy(sandbox::SandboxBPFPolicy* policy) { |
| - // Starting the sandbox is a one-way operation. The kernel doesn't allow |
| - // us to unload a sandbox policy after it has been started. Nonetheless, |
| - // in order to make the use of the "Sandbox" object easier, we allow for |
| - // the object to be destroyed after the sandbox has been started. Note that |
| - // doing so does not stop the sandbox. |
| - SandboxBPF sandbox; |
| - sandbox.SetSandboxPolicy(policy); |
| - sandbox.StartSandbox(); |
| -} |
| - |
| -void StartNonGpuSandbox(const std::string& process_type) { |
| - scoped_ptr<SandboxBPFBasePolicy> policy; |
| - |
| - if (process_type == switches::kRendererProcess || |
| - process_type == switches::kWorkerProcess) { |
| - policy.reset(new RendererOrWorkerProcessPolicy); |
| - } else if (process_type == switches::kPpapiPluginProcess) { |
| - policy.reset(new FlashProcessPolicy); |
| - } else if (process_type == switches::kUtilityProcess) { |
| - policy.reset(new BlacklistDebugAndNumaPolicy); |
| - } else { |
| - NOTREACHED(); |
| - policy.reset(new AllowAllPolicy); |
| - } |
| - |
| - StartSandboxWithPolicy(policy.release()); |
| -} |
| - |
| -// Initialize the seccomp-bpf sandbox. |
| -bool StartBPFSandbox(const CommandLine& command_line, |
| - const std::string& process_type) { |
| - |
| - if (process_type == switches::kGpuProcess) { |
| - StartGpuProcessSandbox(command_line, process_type); |
| - } else { |
| - StartNonGpuSandbox(process_type); |
| - } |
| - |
| - RunSandboxSanityChecks(process_type); |
| - return true; |
| + CHECK((*broker_process)->Init(broker_sandboxer_callback)); |
| } |
| } // namespace |
| -#endif // SECCOMP_BPF_SANDBOX |
| - |
| -// Is seccomp BPF globally enabled? |
| -bool SandboxSeccompBPF::IsSeccompBPFDesired() { |
| - const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| - if (!command_line.HasSwitch(switches::kNoSandbox) && |
| - !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { |
| - return true; |
| - } else { |
| - return false; |
| - } |
| -} |
| - |
| -bool SandboxSeccompBPF::ShouldEnableSeccompBPF( |
| - const std::string& process_type) { |
| -#if defined(SECCOMP_BPF_SANDBOX) |
| - const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| - if (process_type == switches::kGpuProcess) |
| - return !command_line.HasSwitch(switches::kDisableGpuSandbox); |
| - |
| - return true; |
| -#endif // SECCOMP_BPF_SANDBOX |
| - return false; |
| -} |
| - |
| -bool SandboxSeccompBPF::SupportsSandbox() { |
| -#if defined(SECCOMP_BPF_SANDBOX) |
| - // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton |
| - // here. |
| - SandboxBPF::SandboxStatus bpf_sandbox_status = |
| - SandboxBPF::SupportsSeccompSandbox(-1); |
| - // Kernel support is what we are interested in here. Other status |
| - // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support. |
| - // We make this a negative check, since if there is a bug, we would rather |
| - // "fail closed" (expect a sandbox to be available and try to start it). |
| - if (bpf_sandbox_status != SandboxBPF::STATUS_UNSUPPORTED) { |
| - return true; |
| - } |
| -#endif |
| - return false; |
| -} |
| - |
| -bool SandboxSeccompBPF::StartSandbox(const std::string& process_type) { |
| -#if defined(SECCOMP_BPF_SANDBOX) |
| +scoped_ptr<SandboxBPFBasePolicy> GetGpuProcessSandbox() { |
| const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| - |
| - if (IsSeccompBPFDesired() && // Global switches policy. |
| - ShouldEnableSeccompBPF(process_type) && // Process-specific policy. |
| - SupportsSandbox()) { |
| - // If the kernel supports the sandbox, and if the command line says we |
| - // should enable it, enable it or die. |
| - bool started_sandbox = StartBPFSandbox(command_line, process_type); |
| - CHECK(started_sandbox); |
| - return true; |
| + bool allow_sysv_shm = false; |
| + if (command_line.HasSwitch(switches::kGpuSandboxAllowSysVShm)) { |
| + DCHECK(IsArchitectureArm()); |
| + allow_sysv_shm = true; |
| } |
| -#endif |
| - return false; |
| -} |
| -bool SandboxSeccompBPF::StartSandboxWithExternalPolicy( |
| - scoped_ptr<sandbox::SandboxBPFPolicy> policy) { |
| -#if defined(SECCOMP_BPF_SANDBOX) |
| - if (IsSeccompBPFDesired() && SupportsSandbox()) { |
| - CHECK(policy); |
| - StartSandboxWithPolicy(policy.release()); |
| - return true; |
| + if (IsChromeOS() && IsArchitectureArm()) { |
| + return scoped_ptr<SandboxBPFBasePolicy>( |
| + new CrosArmGpuProcessPolicy(allow_sysv_shm)); |
| + } else { |
| + return scoped_ptr<SandboxBPFBasePolicy>(new GpuProcessPolicy); |
| } |
| -#endif // defined(SECCOMP_BPF_SANDBOX) |
| - return false; |
| -} |
| - |
| -scoped_ptr<sandbox::SandboxBPFPolicy> |
| -SandboxSeccompBPF::GetBaselinePolicy() { |
| -#if defined(SECCOMP_BPF_SANDBOX) |
| - return scoped_ptr<sandbox::SandboxBPFPolicy>(new BaselinePolicy); |
| -#else |
| - return scoped_ptr<sandbox::SandboxBPFPolicy>(); |
| -#endif // defined(SECCOMP_BPF_SANDBOX) |
| } |
| } // namespace content |
