1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include <asm/unistd.h> 6 #include <dlfcn.h> 7 #include <errno.h> 8 #include <fcntl.h> 9 #include <linux/audit.h> 10 #include <linux/filter.h> 11 #include <linux/net.h> 12 #include <signal.h> 13 #include <string.h> 14 #include <sys/ioctl.h> 15 #include <sys/mman.h> 16 #include <sys/prctl.h> 17 #include <sys/socket.h> 18 #include <sys/stat.h> 19 #include <sys/types.h> 20 #include <ucontext.h> 21 #include <unistd.h> 22 23 #include <vector> 24 25 #if defined(__arm__) && !defined(MAP_STACK) 26 #define MAP_STACK 0x20000 // Daisy build environment has old headers. 27 #endif 28 29 #include "base/basictypes.h" 30 #include "base/bind.h" 31 #include "base/callback.h" 32 #include "base/command_line.h" 33 #include "base/logging.h" 34 #include "build/build_config.h" 35 #include "content/common/sandbox_linux.h" 36 #include "content/common/sandbox_seccomp_bpf_linux.h" 37 #include "content/public/common/content_switches.h" 38 #include "sandbox/linux/services/broker_process.h" 39 40 // These are the only architectures supported for now. 41 #if defined(__i386__) || defined(__x86_64__) || \ 42 (defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))) 43 #define SECCOMP_BPF_SANDBOX 44 #endif 45 46 #if defined(SECCOMP_BPF_SANDBOX) 47 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" 48 #include "sandbox/linux/services/linux_syscalls.h" 49 50 using playground2::arch_seccomp_data; 51 using playground2::ErrorCode; 52 using playground2::Sandbox; 53 using sandbox::BrokerProcess; 54 55 namespace { 56 57 void StartSandboxWithPolicy(Sandbox::EvaluateSyscall syscall_policy, 58 BrokerProcess* broker_process); 59 60 inline bool RunningOnASAN() { 61 #if defined(ADDRESS_SANITIZER) 62 return true; 63 #else 64 return false; 65 #endif 66 } 67 68 inline bool IsChromeOS() { 69 #if defined(OS_CHROMEOS) 70 return true; 71 #else 72 return false; 73 #endif 74 } 75 76 inline bool IsArchitectureX86_64() { 77 #if defined(__x86_64__) 78 return true; 79 #else 80 return false; 81 #endif 82 } 83 84 inline bool IsArchitectureI386() { 85 #if defined(__i386__) 86 return true; 87 #else 88 return false; 89 #endif 90 } 91 92 inline bool IsArchitectureArm() { 93 #if defined(__arm__) 94 return true; 95 #else 96 return false; 97 #endif 98 } 99 100 inline bool IsUsingToolKitGtk() { 101 #if defined(TOOLKIT_GTK) 102 return true; 103 #else 104 return false; 105 #endif 106 } 107 108 // Write |error_message| to stderr. Similar to RawLog(), but a bit more careful 109 // about async-signal safety. |size| is the size to write and should typically 110 // not include a terminating \0. 111 void WriteToStdErr(const char* error_message, size_t size) { 112 while (size > 0) { 113 // TODO(jln): query the current policy to check if send() is available and 114 // use it to perform a non blocking write. 115 const int ret = HANDLE_EINTR(write(STDERR_FILENO, error_message, size)); 116 // We can't handle any type of error here. 117 if (ret <= 0 || static_cast<size_t>(ret) > size) break; 118 size -= ret; 119 error_message += ret; 120 } 121 } 122 123 // Print a seccomp-bpf failure to handle |sysno| to stderr in an 124 // async-signal safe way. 125 void PrintSyscallError(uint32_t sysno) { 126 if (sysno >= 1024) 127 sysno = 0; 128 // TODO(markus): replace with async-signal safe snprintf when available. 129 const size_t kNumDigits = 4; 130 char sysno_base10[kNumDigits]; 131 uint32_t rem = sysno; 132 uint32_t mod = 0; 133 for (int i = kNumDigits - 1; i >= 0; i--) { 134 mod = rem % 10; 135 rem /= 10; 136 sysno_base10[i] = '0' + mod; 137 } 138 static const char kSeccompErrorPrefix[] = 139 __FILE__":**CRASHING**:seccomp-bpf failure in syscall "; 140 static const char kSeccompErrorPostfix[] = "\n"; 141 WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1); 142 WriteToStdErr(sysno_base10, sizeof(sysno_base10)); 143 WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1); 144 } 145 146 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { 147 uint32_t syscall = args.nr; 148 if (syscall >= 1024) 149 syscall = 0; 150 PrintSyscallError(syscall); 151 152 // Encode 8-bits of the 1st two arguments too, so we can discern which socket 153 // type, which fcntl, ... etc., without being likely to hit a mapped 154 // address. 155 // Do not encode more bits here without thinking about increasing the 156 // likelihood of collision with mapped pages. 157 syscall |= ((args.args[0] & 0xffUL) << 12); 158 syscall |= ((args.args[1] & 0xffUL) << 20); 159 // Purposefully dereference the syscall as an address so it'll show up very 160 // clearly and easily in crash dumps. 161 volatile char* addr = reinterpret_cast<volatile char*>(syscall); 162 *addr = '\0'; 163 // In case we hit a mapped address, hit the null page with just the syscall, 164 // for paranoia. 165 syscall &= 0xfffUL; 166 addr = reinterpret_cast<volatile char*>(syscall); 167 *addr = '\0'; 168 for (;;) 169 _exit(1); 170 } 171 172 // TODO(jln): rewrite reporting functions. 173 intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) { 174 // "flags" in the first argument in the kernel's clone(). 175 // Mark as volatile to be able to find the value on the stack in a minidump. 176 #if !defined(NDEBUG) 177 RAW_LOG(ERROR, __FILE__":**CRASHING**:clone() failure\n"); 178 #endif 179 volatile uint64_t clone_flags = args.args[0]; 180 volatile char* addr; 181 if (IsArchitectureX86_64()) { 182 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF); 183 *addr = '\0'; 184 } 185 // Hit the NULL page if this fails to fault. 186 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF); 187 *addr = '\0'; 188 for (;;) 189 _exit(1); 190 } 191 192 // TODO(jln): rewrite reporting functions. 193 intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, 194 void* /* aux */) { 195 // Mark as volatile to be able to find the value on the stack in a minidump. 196 #if !defined(NDEBUG) 197 RAW_LOG(ERROR, __FILE__":**CRASHING**:prctl() failure\n"); 198 #endif 199 volatile uint64_t option = args.args[0]; 200 volatile char* addr = 201 reinterpret_cast<volatile char*>(option & 0xFFF); 202 *addr = '\0'; 203 for (;;) 204 _exit(1); 205 } 206 207 intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, 208 void* /* aux */) { 209 // Make "request" volatile so that we can see it on the stack in a minidump. 210 #if !defined(NDEBUG) 211 RAW_LOG(ERROR, __FILE__":**CRASHING**:ioctl() failure\n"); 212 #endif 213 volatile uint64_t request = args.args[1]; 214 volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF); 215 *addr = '\0'; 216 // Hit the NULL page if this fails. 217 addr = reinterpret_cast<volatile char*>(request & 0xFFF); 218 *addr = '\0'; 219 for (;;) 220 _exit(1); 221 } 222 223 bool IsAcceleratedVideoDecodeEnabled() { 224 // Accelerated video decode is currently enabled on Chrome OS, 225 // but not on Linux: crbug.com/137247. 226 bool is_enabled = IsChromeOS(); 227 228 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 229 is_enabled = is_enabled && 230 !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode); 231 232 return is_enabled; 233 } 234 235 intptr_t GpuSIGSYS_Handler(const struct arch_seccomp_data& args, 236 void* aux_broker_process) { 237 RAW_CHECK(aux_broker_process); 238 BrokerProcess* broker_process = 239 static_cast<BrokerProcess*>(aux_broker_process); 240 switch (args.nr) { 241 case __NR_access: 242 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]), 243 static_cast<int>(args.args[1])); 244 case __NR_open: 245 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]), 246 static_cast<int>(args.args[1])); 247 case __NR_openat: 248 // Allow using openat() as open(). 249 if (static_cast<int>(args.args[0]) == AT_FDCWD) { 250 return 251 broker_process->Open(reinterpret_cast<const char*>(args.args[1]), 252 static_cast<int>(args.args[2])); 253 } else { 254 return -EPERM; 255 } 256 default: 257 RAW_CHECK(false); 258 return -ENOSYS; 259 } 260 } 261 262 // The functions below cover all existing i386, x86_64, and ARM system calls; 263 // excluding syscalls made obsolete in ARM EABI. 264 // The implicitly defined sets form a partition of the sets of 265 // system calls. 266 267 // TODO(jln) we need to restrict the first parameter! 268 bool IsKill(int sysno) { 269 switch (sysno) { 270 case __NR_kill: 271 case __NR_tkill: 272 case __NR_tgkill: 273 return true; 274 default: 275 return false; 276 } 277 } 278 279 bool IsAllowedGettime(int sysno) { 280 switch (sysno) { 281 case __NR_clock_gettime: 282 case __NR_gettimeofday: 283 #if defined(__i386__) || defined(__x86_64__) 284 case __NR_time: 285 #endif 286 return true; 287 case __NR_adjtimex: // Privileged. 288 case __NR_clock_adjtime: // Privileged. 289 case __NR_clock_getres: // Could be allowed. 290 case __NR_clock_nanosleep: // Could be allowed. 291 case __NR_clock_settime: // Privileged. 292 #if defined(__i386__) 293 case __NR_ftime: // Obsolete. 294 #endif 295 case __NR_settimeofday: // Privileged. 296 #if defined(__i386__) 297 case __NR_stime: 298 #endif 299 default: 300 return false; 301 } 302 } 303 304 bool IsCurrentDirectory(int sysno) { 305 switch (sysno) { 306 case __NR_getcwd: 307 case __NR_chdir: 308 case __NR_fchdir: 309 return true; 310 default: 311 return false; 312 } 313 } 314 315 bool IsUmask(int sysno) { 316 switch (sysno) { 317 case __NR_umask: 318 return true; 319 default: 320 return false; 321 } 322 } 323 324 // System calls that directly access the file system. They might acquire 325 // a new file descriptor or otherwise perform an operation directly 326 // via a path. 327 // Both EPERM and ENOENT are valid errno unless otherwise noted in comment. 328 bool IsFileSystem(int sysno) { 329 switch (sysno) { 330 case __NR_access: // EPERM not a valid errno. 331 case __NR_chmod: 332 case __NR_chown: 333 #if defined(__i386__) || defined(__arm__) 334 case __NR_chown32: 335 #endif 336 case __NR_creat: 337 case __NR_execve: 338 case __NR_faccessat: // EPERM not a valid errno. 339 case __NR_fchmodat: 340 case __NR_fchownat: // Should be called chownat ? 341 #if defined(__x86_64__) 342 case __NR_newfstatat: // fstatat(). EPERM not a valid errno. 343 #elif defined(__i386__) || defined(__arm__) 344 case __NR_fstatat64: 345 #endif 346 case __NR_futimesat: // Should be called utimesat ? 347 case __NR_lchown: 348 #if defined(__i386__) || defined(__arm__) 349 case __NR_lchown32: 350 #endif 351 case __NR_link: 352 case __NR_linkat: 353 case __NR_lookup_dcookie: // ENOENT not a valid errno. 354 case __NR_lstat: // EPERM not a valid errno. 355 #if defined(__i386__) 356 case __NR_oldlstat: 357 #endif 358 #if defined(__i386__) || defined(__arm__) 359 case __NR_lstat64: 360 #endif 361 case __NR_mkdir: 362 case __NR_mkdirat: 363 case __NR_mknod: 364 case __NR_mknodat: 365 case __NR_open: 366 case __NR_openat: 367 case __NR_readlink: // EPERM not a valid errno. 368 case __NR_readlinkat: 369 case __NR_rename: 370 case __NR_renameat: 371 case __NR_rmdir: 372 case __NR_stat: // EPERM not a valid errno. 373 #if defined(__i386__) 374 case __NR_oldstat: 375 #endif 376 #if defined(__i386__) || defined(__arm__) 377 case __NR_stat64: 378 #endif 379 case __NR_statfs: // EPERM not a valid errno. 380 #if defined(__i386__) || defined(__arm__) 381 case __NR_statfs64: 382 #endif 383 case __NR_symlink: 384 case __NR_symlinkat: 385 case __NR_truncate: 386 #if defined(__i386__) || defined(__arm__) 387 case __NR_truncate64: 388 #endif 389 case __NR_unlink: 390 case __NR_unlinkat: 391 case __NR_uselib: // Neither EPERM, nor ENOENT are valid errno. 392 case __NR_ustat: // Same as above. Deprecated. 393 #if defined(__i386__) || defined(__x86_64__) 394 case __NR_utime: 395 #endif 396 case __NR_utimensat: // New. 397 case __NR_utimes: 398 return true; 399 default: 400 return false; 401 } 402 } 403 404 bool IsAllowedFileSystemAccessViaFd(int sysno) { 405 switch (sysno) { 406 case __NR_fstat: 407 #if defined(__i386__) || defined(__arm__) 408 case __NR_fstat64: 409 #endif 410 return true; 411 // TODO(jln): these should be denied gracefully as well (moved below). 412 #if defined(__i386__) || defined(__x86_64__) 413 case __NR_fadvise64: // EPERM not a valid errno. 414 #endif 415 #if defined(__i386__) 416 case __NR_fadvise64_64: 417 #endif 418 #if defined(__arm__) 419 case __NR_arm_fadvise64_64: 420 #endif 421 case __NR_fdatasync: // EPERM not a valid errno. 422 case __NR_flock: // EPERM not a valid errno. 423 case __NR_fstatfs: // Give information about the whole filesystem. 424 #if defined(__i386__) || defined(__arm__) 425 case __NR_fstatfs64: 426 #endif 427 case __NR_fsync: // EPERM not a valid errno. 428 #if defined(__i386__) 429 case __NR_oldfstat: 430 #endif 431 #if defined(__i386__) || defined(__x86_64__) 432 case __NR_sync_file_range: // EPERM not a valid errno. 433 #elif defined(__arm__) 434 case __NR_arm_sync_file_range: // EPERM not a valid errno. 435 #endif 436 default: 437 return false; 438 } 439 } 440 441 // EPERM is a good errno for any of these. 442 bool IsDeniedFileSystemAccessViaFd(int sysno) { 443 switch (sysno) { 444 case __NR_fallocate: 445 case __NR_fchmod: 446 case __NR_fchown: 447 case __NR_ftruncate: 448 #if defined(__i386__) || defined(__arm__) 449 case __NR_fchown32: 450 case __NR_ftruncate64: 451 #endif 452 case __NR_getdents: // EPERM not a valid errno. 453 case __NR_getdents64: // EPERM not a valid errno. 454 #if defined(__i386__) 455 case __NR_readdir: 456 #endif 457 return true; 458 default: 459 return false; 460 } 461 } 462 463 bool IsGetSimpleId(int sysno) { 464 switch (sysno) { 465 case __NR_capget: 466 case __NR_getegid: 467 case __NR_geteuid: 468 case __NR_getgid: 469 case __NR_getgroups: 470 case __NR_getpid: 471 case __NR_getppid: 472 case __NR_getresgid: 473 case __NR_getsid: 474 case __NR_gettid: 475 case __NR_getuid: 476 case __NR_getresuid: 477 #if defined(__i386__) || defined(__arm__) 478 case __NR_getegid32: 479 case __NR_geteuid32: 480 case __NR_getgid32: 481 case __NR_getgroups32: 482 case __NR_getresgid32: 483 case __NR_getresuid32: 484 case __NR_getuid32: 485 #endif 486 return true; 487 default: 488 return false; 489 } 490 } 491 492 bool IsProcessPrivilegeChange(int sysno) { 493 switch (sysno) { 494 case __NR_capset: 495 #if defined(__i386__) || defined(__x86_64__) 496 case __NR_ioperm: // Intel privilege. 497 case __NR_iopl: // Intel privilege. 498 #endif 499 case __NR_setfsgid: 500 case __NR_setfsuid: 501 case __NR_setgid: 502 case __NR_setgroups: 503 case __NR_setregid: 504 case __NR_setresgid: 505 case __NR_setresuid: 506 case __NR_setreuid: 507 case __NR_setuid: 508 #if defined(__i386__) || defined(__arm__) 509 case __NR_setfsgid32: 510 case __NR_setfsuid32: 511 case __NR_setgid32: 512 case __NR_setgroups32: 513 case __NR_setregid32: 514 case __NR_setresgid32: 515 case __NR_setresuid32: 516 case __NR_setreuid32: 517 case __NR_setuid32: 518 #endif 519 return true; 520 default: 521 return false; 522 } 523 } 524 525 bool IsProcessGroupOrSession(int sysno) { 526 switch (sysno) { 527 case __NR_setpgid: 528 case __NR_getpgrp: 529 case __NR_setsid: 530 case __NR_getpgid: 531 return true; 532 default: 533 return false; 534 } 535 } 536 537 bool IsAllowedSignalHandling(int sysno) { 538 switch (sysno) { 539 case __NR_rt_sigaction: 540 case __NR_rt_sigprocmask: 541 case __NR_rt_sigreturn: 542 #if defined(__i386__) || defined(__arm__) 543 case __NR_sigaction: 544 case __NR_sigprocmask: 545 case __NR_sigreturn: 546 #endif 547 return true; 548 case __NR_rt_sigpending: 549 case __NR_rt_sigqueueinfo: 550 case __NR_rt_sigsuspend: 551 case __NR_rt_sigtimedwait: 552 case __NR_rt_tgsigqueueinfo: 553 case __NR_sigaltstack: 554 case __NR_signalfd: 555 case __NR_signalfd4: 556 #if defined(__i386__) || defined(__arm__) 557 case __NR_sigpending: 558 case __NR_sigsuspend: 559 #endif 560 #if defined(__i386__) 561 case __NR_signal: 562 case __NR_sgetmask: // Obsolete. 563 case __NR_ssetmask: 564 #endif 565 default: 566 return false; 567 } 568 } 569 570 bool IsAllowedOperationOnFd(int sysno) { 571 switch (sysno) { 572 case __NR_close: 573 case __NR_dup: 574 case __NR_dup2: 575 case __NR_dup3: 576 #if defined(__x86_64__) || defined(__arm__) 577 case __NR_shutdown: 578 #endif 579 return true; 580 case __NR_fcntl: 581 #if defined(__i386__) || defined(__arm__) 582 case __NR_fcntl64: 583 #endif 584 default: 585 return false; 586 } 587 } 588 589 bool IsKernelInternalApi(int sysno) { 590 switch (sysno) { 591 case __NR_restart_syscall: 592 #if defined(__arm__) 593 case __ARM_NR_cmpxchg: 594 #endif 595 return true; 596 default: 597 return false; 598 } 599 } 600 601 // This should be thought through in conjunction with IsFutex(). 602 bool IsAllowedProcessStartOrDeath(int sysno) { 603 switch (sysno) { 604 case __NR_clone: // TODO(jln): restrict flags. 605 case __NR_exit: 606 case __NR_exit_group: 607 case __NR_wait4: 608 case __NR_waitid: 609 #if defined(__i386__) 610 case __NR_waitpid: 611 #endif 612 return true; 613 case __NR_setns: // Privileged. 614 case __NR_fork: 615 #if defined(__i386__) || defined(__x86_64__) 616 case __NR_get_thread_area: 617 case __NR_set_thread_area: 618 #endif 619 case __NR_set_tid_address: 620 case __NR_unshare: 621 case __NR_vfork: 622 default: 623 return false; 624 } 625 } 626 627 // It's difficult to restrict those, but there is attack surface here. 628 bool IsFutex(int sysno) { 629 switch (sysno) { 630 case __NR_futex: 631 case __NR_get_robust_list: 632 case __NR_set_robust_list: 633 return true; 634 default: 635 return false; 636 } 637 } 638 639 bool IsAllowedEpoll(int sysno) { 640 switch (sysno) { 641 case __NR_epoll_create: 642 case __NR_epoll_create1: 643 case __NR_epoll_ctl: 644 case __NR_epoll_wait: 645 return true; 646 default: 647 #if defined(__x86_64__) 648 case __NR_epoll_ctl_old: 649 #endif 650 case __NR_epoll_pwait: 651 #if defined(__x86_64__) 652 case __NR_epoll_wait_old: 653 #endif 654 return false; 655 } 656 } 657 658 bool IsAllowedGetOrModifySocket(int sysno) { 659 switch (sysno) { 660 case __NR_pipe: 661 case __NR_pipe2: 662 return true; 663 default: 664 #if defined(__x86_64__) || defined(__arm__) 665 case __NR_socketpair: // We will want to inspect its argument. 666 #endif 667 return false; 668 } 669 } 670 671 bool IsDeniedGetOrModifySocket(int sysno) { 672 switch (sysno) { 673 #if defined(__x86_64__) || defined(__arm__) 674 case __NR_accept: 675 case __NR_accept4: 676 case __NR_bind: 677 case __NR_connect: 678 case __NR_socket: 679 case __NR_listen: 680 return true; 681 #endif 682 default: 683 return false; 684 } 685 } 686 687 #if defined(__i386__) 688 // Big multiplexing system call for sockets. 689 bool IsSocketCall(int sysno) { 690 switch (sysno) { 691 case __NR_socketcall: 692 return true; 693 default: 694 return false; 695 } 696 } 697 #endif 698 699 #if defined(__x86_64__) || defined(__arm__) 700 bool IsNetworkSocketInformation(int sysno) { 701 switch (sysno) { 702 case __NR_getpeername: 703 case __NR_getsockname: 704 case __NR_getsockopt: 705 case __NR_setsockopt: 706 return true; 707 default: 708 return false; 709 } 710 } 711 #endif 712 713 bool IsAllowedAddressSpaceAccess(int sysno) { 714 switch (sysno) { 715 case __NR_brk: 716 case __NR_mlock: 717 case __NR_munlock: 718 case __NR_munmap: 719 return true; 720 case __NR_madvise: 721 case __NR_mincore: 722 case __NR_mlockall: 723 #if defined(__i386__) || defined(__x86_64__) 724 case __NR_mmap: 725 #endif 726 #if defined(__i386__) || defined(__arm__) 727 case __NR_mmap2: 728 #endif 729 #if defined(__i386__) || defined(__x86_64__) 730 case __NR_modify_ldt: 731 #endif 732 case __NR_mprotect: 733 case __NR_mremap: 734 case __NR_msync: 735 case __NR_munlockall: 736 case __NR_readahead: 737 case __NR_remap_file_pages: 738 #if defined(__i386__) 739 case __NR_vm86: 740 case __NR_vm86old: 741 #endif 742 default: 743 return false; 744 } 745 } 746 747 bool IsAllowedGeneralIo(int sysno) { 748 switch (sysno) { 749 case __NR_lseek: 750 #if defined(__i386__) || defined(__arm__) 751 case __NR__llseek: 752 #endif 753 case __NR_poll: 754 case __NR_ppoll: 755 case __NR_pselect6: 756 case __NR_read: 757 case __NR_readv: 758 #if defined(__arm__) 759 case __NR_recv: 760 #endif 761 #if defined(__x86_64__) || defined(__arm__) 762 case __NR_recvfrom: // Could specify source. 763 case __NR_recvmsg: // Could specify source. 764 #endif 765 #if defined(__i386__) || defined(__x86_64__) 766 case __NR_select: 767 #endif 768 #if defined(__i386__) || defined(__arm__) 769 case __NR__newselect: 770 #endif 771 #if defined(__arm__) 772 case __NR_send: 773 #endif 774 #if defined(__x86_64__) || defined(__arm__) 775 case __NR_sendmsg: // Could specify destination. 776 case __NR_sendto: // Could specify destination. 777 #endif 778 case __NR_write: 779 case __NR_writev: 780 return true; 781 case __NR_ioctl: // Can be very powerful. 782 case __NR_pread64: 783 case __NR_preadv: 784 case __NR_pwrite64: 785 case __NR_pwritev: 786 case __NR_recvmmsg: // Could specify source. 787 case __NR_sendfile: 788 #if defined(__i386__) || defined(__arm__) 789 case __NR_sendfile64: 790 #endif 791 case __NR_sendmmsg: // Could specify destination. 792 case __NR_splice: 793 case __NR_tee: 794 case __NR_vmsplice: 795 default: 796 return false; 797 } 798 } 799 800 bool IsAllowedPrctl(int sysno) { 801 switch (sysno) { 802 case __NR_prctl: 803 return true; 804 default: 805 #if defined(__x86_64__) 806 case __NR_arch_prctl: 807 #endif 808 return false; 809 } 810 } 811 812 bool IsAllowedBasicScheduler(int sysno) { 813 switch (sysno) { 814 case __NR_sched_yield: 815 case __NR_pause: 816 case __NR_nanosleep: 817 return true; 818 case __NR_getpriority: 819 #if defined(__i386__) || defined(__arm__) 820 case __NR_nice: 821 #endif 822 case __NR_setpriority: 823 default: 824 return false; 825 } 826 } 827 828 bool IsAdminOperation(int sysno) { 829 switch (sysno) { 830 #if defined(__i386__) || defined(__arm__) 831 case __NR_bdflush: 832 #endif 833 case __NR_kexec_load: 834 case __NR_reboot: 835 case __NR_setdomainname: 836 case __NR_sethostname: 837 case __NR_syslog: 838 return true; 839 default: 840 return false; 841 } 842 } 843 844 bool IsKernelModule(int sysno) { 845 switch (sysno) { 846 #if defined(__i386__) || defined(__x86_64__) 847 case __NR_create_module: 848 case __NR_get_kernel_syms: // Should ENOSYS. 849 case __NR_query_module: 850 #endif 851 case __NR_delete_module: 852 case __NR_init_module: 853 return true; 854 default: 855 return false; 856 } 857 } 858 859 bool IsGlobalFSViewChange(int sysno) { 860 switch (sysno) { 861 case __NR_pivot_root: 862 case __NR_chroot: 863 case __NR_sync: 864 return true; 865 default: 866 return false; 867 } 868 } 869 870 bool IsFsControl(int sysno) { 871 switch (sysno) { 872 case __NR_mount: 873 case __NR_nfsservctl: 874 case __NR_quotactl: 875 case __NR_swapoff: 876 case __NR_swapon: 877 #if defined(__i386__) 878 case __NR_umount: 879 #endif 880 case __NR_umount2: 881 return true; 882 default: 883 return false; 884 } 885 } 886 887 bool IsNuma(int sysno) { 888 switch (sysno) { 889 case __NR_get_mempolicy: 890 case __NR_getcpu: 891 case __NR_mbind: 892 #if defined(__i386__) || defined(__x86_64__) 893 case __NR_migrate_pages: 894 #endif 895 case __NR_move_pages: 896 case __NR_set_mempolicy: 897 return true; 898 default: 899 return false; 900 } 901 } 902 903 bool IsMessageQueue(int sysno) { 904 switch (sysno) { 905 case __NR_mq_getsetattr: 906 case __NR_mq_notify: 907 case __NR_mq_open: 908 case __NR_mq_timedreceive: 909 case __NR_mq_timedsend: 910 case __NR_mq_unlink: 911 return true; 912 default: 913 return false; 914 } 915 } 916 917 bool IsGlobalProcessEnvironment(int sysno) { 918 switch (sysno) { 919 case __NR_acct: // Privileged. 920 #if defined(__i386__) || defined(__x86_64__) 921 case __NR_getrlimit: 922 #endif 923 #if defined(__i386__) || defined(__arm__) 924 case __NR_ugetrlimit: 925 #endif 926 #if defined(__i386__) 927 case __NR_ulimit: 928 #endif 929 case __NR_getrusage: 930 case __NR_personality: // Can change its personality as well. 931 case __NR_prlimit64: // Like setrlimit / getrlimit. 932 case __NR_setrlimit: 933 case __NR_times: 934 return true; 935 default: 936 return false; 937 } 938 } 939 940 bool IsDebug(int sysno) { 941 switch (sysno) { 942 case __NR_ptrace: 943 case __NR_process_vm_readv: 944 case __NR_process_vm_writev: 945 #if defined(__i386__) || defined(__x86_64__) 946 case __NR_kcmp: 947 #endif 948 return true; 949 default: 950 return false; 951 } 952 } 953 954 bool IsGlobalSystemStatus(int sysno) { 955 switch (sysno) { 956 case __NR__sysctl: 957 case __NR_sysfs: 958 case __NR_sysinfo: 959 case __NR_uname: 960 #if defined(__i386__) 961 case __NR_olduname: 962 case __NR_oldolduname: 963 #endif 964 return true; 965 default: 966 return false; 967 } 968 } 969 970 bool IsEventFd(int sysno) { 971 switch (sysno) { 972 case __NR_eventfd: 973 case __NR_eventfd2: 974 return true; 975 default: 976 return false; 977 } 978 } 979 980 // Asynchronous I/O API. 981 bool IsAsyncIo(int sysno) { 982 switch (sysno) { 983 case __NR_io_cancel: 984 case __NR_io_destroy: 985 case __NR_io_getevents: 986 case __NR_io_setup: 987 case __NR_io_submit: 988 return true; 989 default: 990 return false; 991 } 992 } 993 994 bool IsKeyManagement(int sysno) { 995 switch (sysno) { 996 case __NR_add_key: 997 case __NR_keyctl: 998 case __NR_request_key: 999 return true; 1000 default: 1001 return false; 1002 } 1003 } 1004 1005 #if defined(__x86_64__) || defined(__arm__) 1006 bool IsSystemVSemaphores(int sysno) { 1007 switch (sysno) { 1008 case __NR_semctl: 1009 case __NR_semget: 1010 case __NR_semop: 1011 case __NR_semtimedop: 1012 return true; 1013 default: 1014 return false; 1015 } 1016 } 1017 #endif 1018 1019 #if defined(__x86_64__) || defined(__arm__) 1020 // These give a lot of ambient authority and bypass the setuid sandbox. 1021 bool IsSystemVSharedMemory(int sysno) { 1022 switch (sysno) { 1023 case __NR_shmat: 1024 case __NR_shmctl: 1025 case __NR_shmdt: 1026 case __NR_shmget: 1027 return true; 1028 default: 1029 return false; 1030 } 1031 } 1032 #endif 1033 1034 #if defined(__x86_64__) || defined(__arm__) 1035 bool IsSystemVMessageQueue(int sysno) { 1036 switch (sysno) { 1037 case __NR_msgctl: 1038 case __NR_msgget: 1039 case __NR_msgrcv: 1040 case __NR_msgsnd: 1041 return true; 1042 default: 1043 return false; 1044 } 1045 } 1046 #endif 1047 1048 #if defined(__i386__) 1049 // Big system V multiplexing system call. 1050 bool IsSystemVIpc(int sysno) { 1051 switch (sysno) { 1052 case __NR_ipc: 1053 return true; 1054 default: 1055 return false; 1056 } 1057 } 1058 #endif 1059 1060 bool IsAnySystemV(int sysno) { 1061 #if defined(__x86_64__) || defined(__arm__) 1062 return IsSystemVMessageQueue(sysno) || 1063 IsSystemVSemaphores(sysno) || 1064 IsSystemVSharedMemory(sysno); 1065 #elif defined(__i386__) 1066 return IsSystemVIpc(sysno); 1067 #endif 1068 } 1069 1070 bool IsAdvancedScheduler(int sysno) { 1071 switch (sysno) { 1072 case __NR_ioprio_get: // IO scheduler. 1073 case __NR_ioprio_set: 1074 case __NR_sched_get_priority_max: 1075 case __NR_sched_get_priority_min: 1076 case __NR_sched_getaffinity: 1077 case __NR_sched_getparam: 1078 case __NR_sched_getscheduler: 1079 case __NR_sched_rr_get_interval: 1080 case __NR_sched_setaffinity: 1081 case __NR_sched_setparam: 1082 case __NR_sched_setscheduler: 1083 return true; 1084 default: 1085 return false; 1086 } 1087 } 1088 1089 bool IsInotify(int sysno) { 1090 switch (sysno) { 1091 case __NR_inotify_add_watch: 1092 case __NR_inotify_init: 1093 case __NR_inotify_init1: 1094 case __NR_inotify_rm_watch: 1095 return true; 1096 default: 1097 return false; 1098 } 1099 } 1100 1101 bool IsFaNotify(int sysno) { 1102 switch (sysno) { 1103 case __NR_fanotify_init: 1104 case __NR_fanotify_mark: 1105 return true; 1106 default: 1107 return false; 1108 } 1109 } 1110 1111 bool IsTimer(int sysno) { 1112 switch (sysno) { 1113 case __NR_getitimer: 1114 #if defined(__i386__) || defined(__x86_64__) 1115 case __NR_alarm: 1116 #endif 1117 case __NR_setitimer: 1118 return true; 1119 default: 1120 return false; 1121 } 1122 } 1123 1124 bool IsAdvancedTimer(int sysno) { 1125 switch (sysno) { 1126 case __NR_timer_create: 1127 case __NR_timer_delete: 1128 case __NR_timer_getoverrun: 1129 case __NR_timer_gettime: 1130 case __NR_timer_settime: 1131 case __NR_timerfd_create: 1132 case __NR_timerfd_gettime: 1133 case __NR_timerfd_settime: 1134 return true; 1135 default: 1136 return false; 1137 } 1138 } 1139 1140 bool IsExtendedAttributes(int sysno) { 1141 switch (sysno) { 1142 case __NR_fgetxattr: 1143 case __NR_flistxattr: 1144 case __NR_fremovexattr: 1145 case __NR_fsetxattr: 1146 case __NR_getxattr: 1147 case __NR_lgetxattr: 1148 case __NR_listxattr: 1149 case __NR_llistxattr: 1150 case __NR_lremovexattr: 1151 case __NR_lsetxattr: 1152 case __NR_removexattr: 1153 case __NR_setxattr: 1154 return true; 1155 default: 1156 return false; 1157 } 1158 } 1159 1160 // Various system calls that need to be researched. 1161 // TODO(jln): classify this better. 1162 bool IsMisc(int sysno) { 1163 switch (sysno) { 1164 case __NR_name_to_handle_at: 1165 case __NR_open_by_handle_at: 1166 case __NR_perf_event_open: 1167 case __NR_syncfs: 1168 case __NR_vhangup: 1169 // The system calls below are not implemented. 1170 #if defined(__i386__) || defined(__x86_64__) 1171 case __NR_afs_syscall: 1172 #endif 1173 #if defined(__i386__) 1174 case __NR_break: 1175 #endif 1176 #if defined(__i386__) || defined(__x86_64__) 1177 case __NR_getpmsg: 1178 #endif 1179 #if defined(__i386__) 1180 case __NR_gtty: 1181 case __NR_idle: 1182 case __NR_lock: 1183 case __NR_mpx: 1184 case __NR_prof: 1185 case __NR_profil: 1186 #endif 1187 #if defined(__i386__) || defined(__x86_64__) 1188 case __NR_putpmsg: 1189 #endif 1190 #if defined(__x86_64__) 1191 case __NR_security: 1192 #endif 1193 #if defined(__i386__) 1194 case __NR_stty: 1195 #endif 1196 #if defined(__x86_64__) 1197 case __NR_tuxcall: 1198 #endif 1199 case __NR_vserver: 1200 return true; 1201 default: 1202 return false; 1203 } 1204 } 1205 1206 #if defined(__arm__) 1207 bool IsArmPciConfig(int sysno) { 1208 switch (sysno) { 1209 case __NR_pciconfig_iobase: 1210 case __NR_pciconfig_read: 1211 case __NR_pciconfig_write: 1212 return true; 1213 default: 1214 return false; 1215 } 1216 } 1217 1218 bool IsArmPrivate(int sysno) { 1219 switch (sysno) { 1220 case __ARM_NR_breakpoint: 1221 case __ARM_NR_cacheflush: 1222 case __ARM_NR_set_tls: 1223 case __ARM_NR_usr26: 1224 case __ARM_NR_usr32: 1225 return true; 1226 default: 1227 return false; 1228 } 1229 } 1230 #endif // defined(__arm__) 1231 1232 // End of the system call sets section. 1233 1234 bool IsBaselinePolicyAllowed(int sysno) { 1235 if (IsAllowedAddressSpaceAccess(sysno) || 1236 IsAllowedBasicScheduler(sysno) || 1237 IsAllowedEpoll(sysno) || 1238 IsAllowedFileSystemAccessViaFd(sysno) || 1239 IsAllowedGeneralIo(sysno) || 1240 IsAllowedGetOrModifySocket(sysno) || 1241 IsAllowedGettime(sysno) || 1242 IsAllowedPrctl(sysno) || 1243 IsAllowedProcessStartOrDeath(sysno) || 1244 IsAllowedSignalHandling(sysno) || 1245 IsFutex(sysno) || 1246 IsGetSimpleId(sysno) || 1247 IsKernelInternalApi(sysno) || 1248 #if defined(__arm__) 1249 IsArmPrivate(sysno) || 1250 #endif 1251 IsKill(sysno) || 1252 IsAllowedOperationOnFd(sysno)) { 1253 return true; 1254 } else { 1255 return false; 1256 } 1257 } 1258 1259 // System calls that will trigger the crashing SIGSYS handler. 1260 bool IsBaselinePolicyWatched(int sysno) { 1261 if (IsAdminOperation(sysno) || 1262 IsAdvancedScheduler(sysno) || 1263 IsAdvancedTimer(sysno) || 1264 IsAsyncIo(sysno) || 1265 IsDebug(sysno) || 1266 IsEventFd(sysno) || 1267 IsExtendedAttributes(sysno) || 1268 IsFaNotify(sysno) || 1269 IsFsControl(sysno) || 1270 IsGlobalFSViewChange(sysno) || 1271 IsGlobalProcessEnvironment(sysno) || 1272 IsGlobalSystemStatus(sysno) || 1273 IsInotify(sysno) || 1274 IsKernelModule(sysno) || 1275 IsKeyManagement(sysno) || 1276 IsMessageQueue(sysno) || 1277 IsMisc(sysno) || 1278 #if defined(__x86_64__) 1279 IsNetworkSocketInformation(sysno) || 1280 #endif 1281 IsNuma(sysno) || 1282 IsProcessGroupOrSession(sysno) || 1283 IsProcessPrivilegeChange(sysno) || 1284 #if defined(__i386__) 1285 IsSocketCall(sysno) || // We'll need to handle this properly to build 1286 // a x86_32 policy. 1287 #endif 1288 #if defined(__arm__) 1289 IsArmPciConfig(sysno) || 1290 #endif 1291 IsTimer(sysno)) { 1292 return true; 1293 } else { 1294 return false; 1295 } 1296 } 1297 1298 ErrorCode RestrictMmapFlags(Sandbox* sandbox) { 1299 // The flags you see are actually the allowed ones, and the variable is a 1300 // "denied" mask because of the negation operator. 1301 // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as 1302 // MAP_POPULATE. 1303 // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries. 1304 uint32_t denied_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | 1305 MAP_STACK | MAP_NORESERVE | MAP_FIXED | 1306 MAP_DENYWRITE); 1307 return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1308 denied_mask, 1309 sandbox->Trap(CrashSIGSYS_Handler, NULL), 1310 ErrorCode(ErrorCode::ERR_ALLOWED)); 1311 } 1312 1313 ErrorCode RestrictMprotectFlags(Sandbox* sandbox) { 1314 // The flags you see are actually the allowed ones, and the variable is a 1315 // "denied" mask because of the negation operator. 1316 // Significantly, we don't permit weird undocumented flags such as 1317 // PROT_GROWSDOWN. 1318 uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC); 1319 return sandbox->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1320 denied_mask, 1321 sandbox->Trap(CrashSIGSYS_Handler, NULL), 1322 ErrorCode(ErrorCode::ERR_ALLOWED)); 1323 } 1324 1325 ErrorCode RestrictFcntlCommands(Sandbox* sandbox) { 1326 // We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC, 1327 // F_SETLK, F_SETLKW and F_GETLK. 1328 // We also restrict the flags in F_SETFL. We don't want to permit flags with 1329 // a history of trouble such as O_DIRECT. The flags you see are actually the 1330 // allowed ones, and the variable is a "denied" mask because of the negation 1331 // operator. 1332 // Glibc overrides the kernel's O_LARGEFILE value. Account for this. 1333 int kOLargeFileFlag = O_LARGEFILE; 1334 if (IsArchitectureX86_64() || IsArchitectureI386()) 1335 kOLargeFileFlag = 0100000; 1336 1337 // TODO(jln): add TP_LONG/TP_SIZET types. 1338 ErrorCode::ArgType mask_long_type; 1339 if (sizeof(long) == 8) 1340 mask_long_type = ErrorCode::TP_64BIT; 1341 else if (sizeof(long) == 4) 1342 mask_long_type = ErrorCode::TP_32BIT; 1343 else 1344 NOTREACHED(); 1345 1346 unsigned long denied_mask = ~(O_ACCMODE | O_APPEND | O_NONBLOCK | O_SYNC | 1347 kOLargeFileFlag | O_CLOEXEC | O_NOATIME); 1348 return sandbox->Cond(1, ErrorCode::TP_32BIT, 1349 ErrorCode::OP_EQUAL, F_GETFL, 1350 ErrorCode(ErrorCode::ERR_ALLOWED), 1351 sandbox->Cond(1, ErrorCode::TP_32BIT, 1352 ErrorCode::OP_EQUAL, F_SETFL, 1353 sandbox->Cond(2, mask_long_type, 1354 ErrorCode::OP_HAS_ANY_BITS, denied_mask, 1355 sandbox->Trap(CrashSIGSYS_Handler, NULL), 1356 ErrorCode(ErrorCode::ERR_ALLOWED)), 1357 sandbox->Cond(1, ErrorCode::TP_32BIT, 1358 ErrorCode::OP_EQUAL, F_GETFD, 1359 ErrorCode(ErrorCode::ERR_ALLOWED), 1360 sandbox->Cond(1, ErrorCode::TP_32BIT, 1361 ErrorCode::OP_EQUAL, F_SETFD, 1362 ErrorCode(ErrorCode::ERR_ALLOWED), 1363 sandbox->Cond(1, ErrorCode::TP_32BIT, 1364 ErrorCode::OP_EQUAL, F_DUPFD, 1365 ErrorCode(ErrorCode::ERR_ALLOWED), 1366 sandbox->Cond(1, ErrorCode::TP_32BIT, 1367 ErrorCode::OP_EQUAL, F_SETLK, 1368 ErrorCode(ErrorCode::ERR_ALLOWED), 1369 sandbox->Cond(1, ErrorCode::TP_32BIT, 1370 ErrorCode::OP_EQUAL, F_SETLKW, 1371 ErrorCode(ErrorCode::ERR_ALLOWED), 1372 sandbox->Cond(1, ErrorCode::TP_32BIT, 1373 ErrorCode::OP_EQUAL, F_GETLK, 1374 ErrorCode(ErrorCode::ERR_ALLOWED), 1375 sandbox->Cond(1, ErrorCode::TP_32BIT, 1376 ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC, 1377 ErrorCode(ErrorCode::ERR_ALLOWED), 1378 sandbox->Trap(CrashSIGSYS_Handler, NULL)))))))))); 1379 } 1380 1381 #if defined(__i386__) 1382 ErrorCode RestrictSocketcallCommand(Sandbox* sandbox) { 1383 // Allow the same individual syscalls as we do on ARM or x86_64. 1384 // The main difference is that we're unable to restrict the first parameter 1385 // to socketpair(2). Whilst initially sounding bad, it's noteworthy that very 1386 // few protocols actually support socketpair(2). The scary call that we're 1387 // worried about, socket(2), remains blocked. 1388 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1389 SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED), 1390 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1391 SYS_SEND, ErrorCode(ErrorCode::ERR_ALLOWED), 1392 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1393 SYS_RECV, ErrorCode(ErrorCode::ERR_ALLOWED), 1394 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1395 SYS_SENDTO, ErrorCode(ErrorCode::ERR_ALLOWED), 1396 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1397 SYS_RECVFROM, ErrorCode(ErrorCode::ERR_ALLOWED), 1398 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1399 SYS_SHUTDOWN, ErrorCode(ErrorCode::ERR_ALLOWED), 1400 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1401 SYS_SENDMSG, ErrorCode(ErrorCode::ERR_ALLOWED), 1402 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1403 SYS_RECVMSG, ErrorCode(ErrorCode::ERR_ALLOWED), 1404 ErrorCode(EPERM))))))))); 1405 } 1406 #endif 1407 1408 ErrorCode BaselinePolicy(Sandbox* sandbox, int sysno) { 1409 if (IsBaselinePolicyAllowed(sysno)) { 1410 return ErrorCode(ErrorCode::ERR_ALLOWED); 1411 } 1412 1413 #if defined(__x86_64__) || defined(__arm__) 1414 if (sysno == __NR_socketpair) { 1415 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. 1416 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); 1417 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, 1418 ErrorCode(ErrorCode::ERR_ALLOWED), 1419 sandbox->Trap(CrashSIGSYS_Handler, NULL)); 1420 } 1421 #endif 1422 1423 if (sysno == __NR_madvise) { 1424 // Only allow MADV_DONTNEED (aka MADV_FREE). 1425 return sandbox->Cond(2, ErrorCode::TP_32BIT, 1426 ErrorCode::OP_EQUAL, MADV_DONTNEED, 1427 ErrorCode(ErrorCode::ERR_ALLOWED), 1428 ErrorCode(EPERM)); 1429 } 1430 1431 #if defined(__i386__) || defined(__x86_64__) 1432 if (sysno == __NR_mmap) 1433 return RestrictMmapFlags(sandbox); 1434 #endif 1435 1436 #if defined(__i386__) || defined(__arm__) 1437 if (sysno == __NR_mmap2) 1438 return RestrictMmapFlags(sandbox); 1439 #endif 1440 1441 if (sysno == __NR_mprotect) 1442 return RestrictMprotectFlags(sandbox); 1443 1444 if (sysno == __NR_fcntl) 1445 return RestrictFcntlCommands(sandbox); 1446 1447 #if defined(__i386__) || defined(__arm__) 1448 if (sysno == __NR_fcntl64) 1449 return RestrictFcntlCommands(sandbox); 1450 #endif 1451 1452 if (IsFileSystem(sysno) || IsCurrentDirectory(sysno)) { 1453 return ErrorCode(EPERM); 1454 } 1455 1456 if (IsAnySystemV(sysno)) { 1457 return ErrorCode(EPERM); 1458 } 1459 1460 if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) || 1461 IsDeniedGetOrModifySocket(sysno)) { 1462 return ErrorCode(EPERM); 1463 } 1464 1465 #if defined(__i386__) 1466 if (IsSocketCall(sysno)) 1467 return RestrictSocketcallCommand(sandbox); 1468 #endif 1469 1470 if (IsBaselinePolicyWatched(sysno)) { 1471 // Previously unseen syscalls. TODO(jln): some of these should 1472 // be denied gracefully right away. 1473 return sandbox->Trap(CrashSIGSYS_Handler, NULL); 1474 } 1475 // In any other case crash the program with our SIGSYS handler. 1476 return sandbox->Trap(CrashSIGSYS_Handler, NULL); 1477 } 1478 1479 // The BaselinePolicy only takes two arguments. BaselinePolicyWithAux 1480 // allows us to conform to the BPF compiler's policy type. 1481 ErrorCode BaselinePolicyWithAux(Sandbox* sandbox, int sysno, void* aux) { 1482 CHECK(!aux); 1483 return BaselinePolicy(sandbox, sysno); 1484 } 1485 1486 // Main policy for x86_64/i386. Extended by ArmGpuProcessPolicy. 1487 ErrorCode GpuProcessPolicy(Sandbox* sandbox, int sysno, 1488 void* broker_process) { 1489 switch (sysno) { 1490 case __NR_ioctl: 1491 #if defined(__i386__) || defined(__x86_64__) 1492 // The Nvidia driver uses flags not in the baseline policy 1493 // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT) 1494 case __NR_mmap: 1495 #endif 1496 // We also hit this on the linux_chromeos bot but don't yet know what 1497 // weird flags were involved. 1498 case __NR_mprotect: 1499 case __NR_sched_getaffinity: 1500 case __NR_sched_setaffinity: 1501 case __NR_setpriority: 1502 return ErrorCode(ErrorCode::ERR_ALLOWED); 1503 case __NR_access: 1504 case __NR_open: 1505 case __NR_openat: 1506 return sandbox->Trap(GpuSIGSYS_Handler, broker_process); 1507 default: 1508 if (IsEventFd(sysno)) 1509 return ErrorCode(ErrorCode::ERR_ALLOWED); 1510 1511 // Default on the baseline policy. 1512 return BaselinePolicy(sandbox, sysno); 1513 } 1514 } 1515 1516 // x86_64/i386. 1517 // A GPU broker policy is the same as a GPU policy with open and 1518 // openat allowed. 1519 ErrorCode GpuBrokerProcessPolicy(Sandbox* sandbox, int sysno, void* aux) { 1520 // "aux" would typically be NULL, when called from 1521 // "EnableGpuBrokerPolicyCallBack" 1522 switch (sysno) { 1523 case __NR_access: 1524 case __NR_open: 1525 case __NR_openat: 1526 return ErrorCode(ErrorCode::ERR_ALLOWED); 1527 default: 1528 return GpuProcessPolicy(sandbox, sysno, aux); 1529 } 1530 } 1531 1532 // Generic ARM GPU process sandbox, inheriting from GpuProcessPolicy. 1533 ErrorCode ArmGpuProcessPolicy(Sandbox* sandbox, int sysno, 1534 void* broker_process) { 1535 switch (sysno) { 1536 #if defined(__arm__) 1537 // ARM GPU sandbox is started earlier so we need to allow networking 1538 // in the sandbox. 1539 case __NR_connect: 1540 case __NR_getpeername: 1541 case __NR_getsockname: 1542 case __NR_sysinfo: 1543 case __NR_uname: 1544 return ErrorCode(ErrorCode::ERR_ALLOWED); 1545 // Allow only AF_UNIX for |domain|. 1546 case __NR_socket: 1547 case __NR_socketpair: 1548 return sandbox->Cond(0, ErrorCode::TP_32BIT, 1549 ErrorCode::OP_EQUAL, AF_UNIX, 1550 ErrorCode(ErrorCode::ERR_ALLOWED), 1551 ErrorCode(EPERM)); 1552 #endif // defined(__arm__) 1553 default: 1554 if (IsAdvancedScheduler(sysno)) 1555 return ErrorCode(ErrorCode::ERR_ALLOWED); 1556 1557 // Default to the generic GPU policy. 1558 return GpuProcessPolicy(sandbox, sysno, broker_process); 1559 } 1560 } 1561 1562 // Same as above but with shmat allowed, inheriting from GpuProcessPolicy. 1563 ErrorCode ArmGpuProcessPolicyWithShmat(Sandbox* sandbox, int sysno, 1564 void* broker_process) { 1565 #if defined(__arm__) 1566 if (sysno == __NR_shmat) 1567 return ErrorCode(ErrorCode::ERR_ALLOWED); 1568 #endif // defined(__arm__) 1569 1570 return ArmGpuProcessPolicy(sandbox, sysno, broker_process); 1571 } 1572 1573 // A GPU broker policy is the same as a GPU policy with open and 1574 // openat allowed. 1575 ErrorCode ArmGpuBrokerProcessPolicy(Sandbox* sandbox, 1576 int sysno, void* aux) { 1577 // "aux" would typically be NULL, when called from 1578 // "EnableGpuBrokerPolicyCallBack" 1579 switch (sysno) { 1580 case __NR_access: 1581 case __NR_open: 1582 case __NR_openat: 1583 return ErrorCode(ErrorCode::ERR_ALLOWED); 1584 default: 1585 return ArmGpuProcessPolicy(sandbox, sysno, aux); 1586 } 1587 } 1588 1589 // Allow clone(2) for threads. 1590 // Reject fork(2) attempts with EPERM. 1591 // Crash if anything else is attempted. 1592 // Don't restrict on ASAN. 1593 ErrorCode RestrictCloneToThreadsAndEPERMFork(Sandbox* sandbox) { 1594 // Glibc's pthread. 1595 if (!RunningOnASAN()) { 1596 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1597 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | 1598 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | 1599 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, 1600 ErrorCode(ErrorCode::ERR_ALLOWED), 1601 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1602 CLONE_PARENT_SETTID | SIGCHLD, 1603 ErrorCode(EPERM), 1604 // ARM 1605 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1606 CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, 1607 ErrorCode(EPERM), 1608 sandbox->Trap(SIGSYSCloneFailure, NULL)))); 1609 } else { 1610 return ErrorCode(ErrorCode::ERR_ALLOWED); 1611 } 1612 } 1613 1614 ErrorCode RestrictPrctl(Sandbox* sandbox) { 1615 // Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE. Will need to add 1616 // seccomp compositing in the future. 1617 // PR_SET_PTRACER is used by breakpad but not needed anymore. 1618 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1619 PR_SET_NAME, ErrorCode(ErrorCode::ERR_ALLOWED), 1620 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1621 PR_SET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED), 1622 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1623 PR_GET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED), 1624 sandbox->Trap(SIGSYSPrctlFailure, NULL)))); 1625 } 1626 1627 ErrorCode RestrictIoctl(Sandbox* sandbox) { 1628 // Allow TCGETS and FIONREAD, trap to SIGSYSIoctlFailure otherwise. 1629 return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, TCGETS, 1630 ErrorCode(ErrorCode::ERR_ALLOWED), 1631 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, FIONREAD, 1632 ErrorCode(ErrorCode::ERR_ALLOWED), 1633 sandbox->Trap(SIGSYSIoctlFailure, NULL))); 1634 } 1635 1636 ErrorCode RendererOrWorkerProcessPolicy(Sandbox* sandbox, int sysno, void*) { 1637 switch (sysno) { 1638 case __NR_clone: 1639 return RestrictCloneToThreadsAndEPERMFork(sandbox); 1640 case __NR_ioctl: 1641 return RestrictIoctl(sandbox); 1642 case __NR_prctl: 1643 return RestrictPrctl(sandbox); 1644 // Allow the system calls below. 1645 case __NR_fdatasync: 1646 case __NR_fsync: 1647 case __NR_getpriority: 1648 #if defined(__i386__) || defined(__x86_64__) 1649 case __NR_getrlimit: 1650 #endif 1651 #if defined(__i386__) || defined(__arm__) 1652 case __NR_ugetrlimit: 1653 #endif 1654 case __NR_mremap: // See crbug.com/149834. 1655 case __NR_pread64: 1656 case __NR_pwrite64: 1657 case __NR_sched_getaffinity: 1658 case __NR_sched_get_priority_max: 1659 case __NR_sched_get_priority_min: 1660 case __NR_sched_getparam: 1661 case __NR_sched_getscheduler: 1662 case __NR_sched_setscheduler: 1663 case __NR_setpriority: 1664 case __NR_sysinfo: 1665 case __NR_times: 1666 case __NR_uname: 1667 return ErrorCode(ErrorCode::ERR_ALLOWED); 1668 case __NR_prlimit64: 1669 return ErrorCode(EPERM); // See crbug.com/160157. 1670 default: 1671 if (IsUsingToolKitGtk()) { 1672 #if defined(__x86_64__) || defined(__arm__) 1673 if (IsSystemVSharedMemory(sysno)) 1674 return ErrorCode(ErrorCode::ERR_ALLOWED); 1675 #endif 1676 #if defined(__i386__) 1677 if (IsSystemVIpc(sysno)) 1678 return ErrorCode(ErrorCode::ERR_ALLOWED); 1679 #endif 1680 } 1681 1682 // Default on the baseline policy. 1683 return BaselinePolicy(sandbox, sysno); 1684 } 1685 } 1686 1687 ErrorCode FlashProcessPolicy(Sandbox* sandbox, int sysno, void*) { 1688 switch (sysno) { 1689 case __NR_clone: 1690 return RestrictCloneToThreadsAndEPERMFork(sandbox); 1691 case __NR_pread64: 1692 case __NR_pwrite64: 1693 case __NR_sched_get_priority_max: 1694 case __NR_sched_get_priority_min: 1695 case __NR_sched_getaffinity: 1696 case __NR_sched_getparam: 1697 case __NR_sched_getscheduler: 1698 case __NR_sched_setscheduler: 1699 case __NR_times: 1700 return ErrorCode(ErrorCode::ERR_ALLOWED); 1701 case __NR_ioctl: 1702 return ErrorCode(ENOTTY); // Flash Access. 1703 default: 1704 if (IsUsingToolKitGtk()) { 1705 #if defined(__x86_64__) || defined(__arm__) 1706 if (IsSystemVSharedMemory(sysno)) 1707 return ErrorCode(ErrorCode::ERR_ALLOWED); 1708 #endif 1709 #if defined(__i386__) 1710 if (IsSystemVIpc(sysno)) 1711 return ErrorCode(ErrorCode::ERR_ALLOWED); 1712 #endif 1713 } 1714 1715 // Default on the baseline policy. 1716 return BaselinePolicy(sandbox, sysno); 1717 } 1718 } 1719 1720 ErrorCode BlacklistDebugAndNumaPolicy(Sandbox* sandbox, int sysno, void*) { 1721 if (!Sandbox::IsValidSyscallNumber(sysno)) { 1722 // TODO(jln) we should not have to do that in a trivial policy. 1723 return ErrorCode(ENOSYS); 1724 } 1725 1726 if (IsDebug(sysno) || IsNuma(sysno)) 1727 return sandbox->Trap(CrashSIGSYS_Handler, NULL); 1728 1729 return ErrorCode(ErrorCode::ERR_ALLOWED); 1730 } 1731 1732 // Allow all syscalls. 1733 // This will still deny x32 or IA32 calls in 64 bits mode or 1734 // 64 bits system calls in compatibility mode. 1735 ErrorCode AllowAllPolicy(Sandbox*, int sysno, void*) { 1736 if (!Sandbox::IsValidSyscallNumber(sysno)) { 1737 // TODO(jln) we should not have to do that in a trivial policy. 1738 return ErrorCode(ENOSYS); 1739 } else { 1740 return ErrorCode(ErrorCode::ERR_ALLOWED); 1741 } 1742 } 1743 1744 // If a BPF policy is engaged for |process_type|, run a few sanity checks. 1745 void RunSandboxSanityChecks(const std::string& process_type) { 1746 if (process_type == switches::kRendererProcess || 1747 process_type == switches::kWorkerProcess || 1748 process_type == switches::kGpuProcess || 1749 process_type == switches::kPpapiPluginProcess) { 1750 int syscall_ret; 1751 errno = 0; 1752 1753 // Without the sandbox, this would EBADF. 1754 syscall_ret = fchmod(-1, 07777); 1755 CHECK_EQ(-1, syscall_ret); 1756 CHECK_EQ(EPERM, errno); 1757 1758 // Run most of the sanity checks only in DEBUG mode to avoid a perf. 1759 // impact. 1760 #if !defined(NDEBUG) 1761 // open() must be restricted. 1762 syscall_ret = open("/etc/passwd", O_RDONLY); 1763 CHECK_EQ(-1, syscall_ret); 1764 CHECK_EQ(EPERM, errno); 1765 1766 // We should never allow the creation of netlink sockets. 1767 syscall_ret = socket(AF_NETLINK, SOCK_DGRAM, 0); 1768 CHECK_EQ(-1, syscall_ret); 1769 CHECK_EQ(EPERM, errno); 1770 #endif // !defined(NDEBUG) 1771 } 1772 } 1773 1774 bool EnableGpuBrokerPolicyCallback() { 1775 StartSandboxWithPolicy(GpuBrokerProcessPolicy, NULL); 1776 return true; 1777 } 1778 1779 bool EnableArmGpuBrokerPolicyCallback() { 1780 StartSandboxWithPolicy(ArmGpuBrokerProcessPolicy, NULL); 1781 return true; 1782 } 1783 1784 // Files needed by the ARM GPU userspace. 1785 static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; 1786 static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; 1787 1788 void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist, 1789 std::vector<std::string>* write_whitelist) { 1790 // Device file needed by the ARM GPU userspace. 1791 static const char kMali0Path[] = "/dev/mali0"; 1792 1793 // Devices needed for video decode acceleration on ARM. 1794 static const char kDevMfcDecPath[] = "/dev/mfc-dec"; 1795 static const char kDevGsc1Path[] = "/dev/gsc1"; 1796 1797 read_whitelist->push_back(kMali0Path); 1798 read_whitelist->push_back(kDevMfcDecPath); 1799 read_whitelist->push_back(kDevGsc1Path); 1800 1801 write_whitelist->push_back(kMali0Path); 1802 write_whitelist->push_back(kDevMfcDecPath); 1803 write_whitelist->push_back(kDevGsc1Path); 1804 } 1805 1806 void AddArmTegraGpuWhitelist(std::vector<std::string>* read_whitelist, 1807 std::vector<std::string>* write_whitelist) { 1808 // Device files needed by the Tegra GPU userspace. 1809 static const char kDevNvhostCtrlPath[] = "/dev/nvhost-ctrl"; 1810 static const char kDevNvhostGr2dPath[] = "/dev/nvhost-gr2d"; 1811 static const char kDevNvhostGr3dPath[] = "/dev/nvhost-gr3d"; 1812 static const char kDevNvhostIspPath[] = "/dev/nvhost-isp"; 1813 static const char kDevNvhostViPath[] = "/dev/nvhost-vi"; 1814 static const char kDevNvmapPath[] = "/dev/nvmap"; 1815 static const char kDevTegraSemaPath[] = "/dev/tegra_sema"; 1816 1817 read_whitelist->push_back(kDevNvhostCtrlPath); 1818 read_whitelist->push_back(kDevNvhostGr2dPath); 1819 read_whitelist->push_back(kDevNvhostGr3dPath); 1820 read_whitelist->push_back(kDevNvhostIspPath); 1821 read_whitelist->push_back(kDevNvhostViPath); 1822 read_whitelist->push_back(kDevNvmapPath); 1823 read_whitelist->push_back(kDevTegraSemaPath); 1824 1825 write_whitelist->push_back(kDevNvhostCtrlPath); 1826 write_whitelist->push_back(kDevNvhostGr2dPath); 1827 write_whitelist->push_back(kDevNvhostGr3dPath); 1828 write_whitelist->push_back(kDevNvhostIspPath); 1829 write_whitelist->push_back(kDevNvhostViPath); 1830 write_whitelist->push_back(kDevNvmapPath); 1831 write_whitelist->push_back(kDevTegraSemaPath); 1832 } 1833 1834 void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist, 1835 std::vector<std::string>* write_whitelist) { 1836 // On ARM we're enabling the sandbox before the X connection is made, 1837 // so we need to allow access to |.Xauthority|. 1838 static const char kXAuthorityPath[] = "/home/chronos/.Xauthority"; 1839 static const char kLdSoCache[] = "/etc/ld.so.cache"; 1840 1841 read_whitelist->push_back(kXAuthorityPath); 1842 read_whitelist->push_back(kLdSoCache); 1843 read_whitelist->push_back(kLibGlesPath); 1844 read_whitelist->push_back(kLibEglPath); 1845 1846 AddArmMaliGpuWhitelist(read_whitelist, write_whitelist); 1847 AddArmTegraGpuWhitelist(read_whitelist, write_whitelist); 1848 } 1849 1850 // Start a broker process to handle open() inside the sandbox. 1851 void InitGpuBrokerProcess(Sandbox::EvaluateSyscall gpu_policy, 1852 BrokerProcess** broker_process) { 1853 static const char kDriRcPath[] = "/etc/drirc"; 1854 static const char kDriCard0Path[] = "/dev/dri/card0"; 1855 1856 CHECK(broker_process); 1857 CHECK(*broker_process == NULL); 1858 1859 bool (*sandbox_callback)(void) = NULL; 1860 1861 // All GPU process policies need these files brokered out. 1862 std::vector<std::string> read_whitelist; 1863 read_whitelist.push_back(kDriCard0Path); 1864 read_whitelist.push_back(kDriRcPath); 1865 1866 std::vector<std::string> write_whitelist; 1867 write_whitelist.push_back(kDriCard0Path); 1868 1869 if (gpu_policy == ArmGpuProcessPolicy || 1870 gpu_policy == ArmGpuProcessPolicyWithShmat) { 1871 // We shouldn't be using this policy on non-ARM architectures. 1872 CHECK(IsArchitectureArm()); 1873 AddArmGpuWhitelist(&read_whitelist, &write_whitelist); 1874 sandbox_callback = EnableArmGpuBrokerPolicyCallback; 1875 } else if (gpu_policy == GpuProcessPolicy) { 1876 sandbox_callback = EnableGpuBrokerPolicyCallback; 1877 } else { 1878 // We shouldn't be initializing a GPU broker process without a GPU process 1879 // policy. 1880 NOTREACHED(); 1881 } 1882 1883 *broker_process = new BrokerProcess(read_whitelist, write_whitelist); 1884 // Initialize the broker process and give it a sandbox callback. 1885 CHECK((*broker_process)->Init(sandbox_callback)); 1886 } 1887 1888 // Warms up/preloads resources needed by the policies. 1889 // Eventually start a broker process and return it in broker_process. 1890 void WarmupPolicy(Sandbox::EvaluateSyscall policy, 1891 BrokerProcess** broker_process) { 1892 if (policy == GpuProcessPolicy) { 1893 // Create a new broker process. 1894 InitGpuBrokerProcess(policy, broker_process); 1895 1896 if (IsArchitectureX86_64() || IsArchitectureI386()) { 1897 // Accelerated video decode dlopen()'s a shared object 1898 // inside the sandbox, so preload it now. 1899 if (IsAcceleratedVideoDecodeEnabled()) { 1900 const char* I965DrvVideoPath = NULL; 1901 1902 if (IsArchitectureX86_64()) { 1903 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; 1904 } else if (IsArchitectureI386()) { 1905 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; 1906 } 1907 1908 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1909 } 1910 } 1911 } else if (policy == ArmGpuProcessPolicy || 1912 policy == ArmGpuProcessPolicyWithShmat) { 1913 // Create a new broker process. 1914 InitGpuBrokerProcess(policy, broker_process); 1915 1916 // Preload the GL libraries. These are in the read whitelist but we have to 1917 // preload them anyways to work around ld.so bugs. See crbug.com/268439. 1918 dlopen(kLibGlesPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1919 dlopen(kLibEglPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1920 1921 // Preload the Tegra libraries. 1922 dlopen("/usr/lib/libnvrm.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1923 dlopen("/usr/lib/libnvrm_graphics.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1924 dlopen("/usr/lib/libnvos.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1925 dlopen("/usr/lib/libnvddk_2d.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1926 dlopen("/usr/lib/libardrv_dynamic.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1927 dlopen("/usr/lib/libnvwsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1928 dlopen("/usr/lib/libnvglsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1929 dlopen("/usr/lib/libcgdrv.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1930 } 1931 } 1932 1933 Sandbox::EvaluateSyscall GetProcessSyscallPolicy( 1934 const CommandLine& command_line, 1935 const std::string& process_type) { 1936 if (process_type == switches::kGpuProcess) { 1937 // On Chrome OS ARM, we need a specific GPU process policy. 1938 if (IsChromeOS() && IsArchitectureArm()) { 1939 if (command_line.HasSwitch(switches::kGpuSandboxAllowSysVShm)) 1940 return ArmGpuProcessPolicyWithShmat; 1941 else 1942 return ArmGpuProcessPolicy; 1943 } 1944 else 1945 return GpuProcessPolicy; 1946 } 1947 1948 if (process_type == switches::kPpapiPluginProcess) { 1949 // TODO(jln): figure out what to do with non-Flash PPAPI 1950 // out-of-process plug-ins. 1951 return FlashProcessPolicy; 1952 } 1953 1954 if (process_type == switches::kRendererProcess || 1955 process_type == switches::kWorkerProcess) { 1956 return RendererOrWorkerProcessPolicy; 1957 } 1958 1959 if (process_type == switches::kUtilityProcess) { 1960 return BlacklistDebugAndNumaPolicy; 1961 } 1962 1963 NOTREACHED(); 1964 // This will be our default if we need one. 1965 return AllowAllPolicy; 1966 } 1967 1968 // broker_process can be NULL if there is no need for one. 1969 void StartSandboxWithPolicy(Sandbox::EvaluateSyscall syscall_policy, 1970 BrokerProcess* broker_process) { 1971 // Starting the sandbox is a one-way operation. The kernel doesn't allow 1972 // us to unload a sandbox policy after it has been started. Nonetheless, 1973 // in order to make the use of the "Sandbox" object easier, we allow for 1974 // the object to be destroyed after the sandbox has been started. Note that 1975 // doing so does not stop the sandbox. 1976 Sandbox sandbox; 1977 sandbox.SetSandboxPolicy(syscall_policy, broker_process); 1978 sandbox.StartSandbox(); 1979 } 1980 1981 // Initialize the seccomp-bpf sandbox. 1982 bool StartBpfSandbox(const CommandLine& command_line, 1983 const std::string& process_type) { 1984 Sandbox::EvaluateSyscall syscall_policy = 1985 GetProcessSyscallPolicy(command_line, process_type); 1986 1987 BrokerProcess* broker_process = NULL; 1988 // Warm up resources needed by the policy we're about to enable and 1989 // eventually start a broker process. 1990 WarmupPolicy(syscall_policy, &broker_process); 1991 1992 StartSandboxWithPolicy(syscall_policy, broker_process); 1993 1994 RunSandboxSanityChecks(process_type); 1995 1996 return true; 1997 } 1998 1999 } // namespace 2000 2001 #endif // SECCOMP_BPF_SANDBOX 2002 2003 namespace content { 2004 2005 // Is seccomp BPF globally enabled? 2006 bool SandboxSeccompBpf::IsSeccompBpfDesired() { 2007 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 2008 if (!command_line.HasSwitch(switches::kNoSandbox) && 2009 !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { 2010 return true; 2011 } else { 2012 return false; 2013 } 2014 } 2015 2016 bool SandboxSeccompBpf::ShouldEnableSeccompBpf( 2017 const std::string& process_type) { 2018 #if defined(SECCOMP_BPF_SANDBOX) 2019 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 2020 if (process_type == switches::kGpuProcess) 2021 return !command_line.HasSwitch(switches::kDisableGpuSandbox); 2022 2023 return true; 2024 #endif // SECCOMP_BPF_SANDBOX 2025 return false; 2026 } 2027 2028 bool SandboxSeccompBpf::SupportsSandbox() { 2029 #if defined(SECCOMP_BPF_SANDBOX) 2030 // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton 2031 // here. 2032 Sandbox::SandboxStatus bpf_sandbox_status = 2033 Sandbox::SupportsSeccompSandbox(-1); 2034 // Kernel support is what we are interested in here. Other status 2035 // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support. 2036 // We make this a negative check, since if there is a bug, we would rather 2037 // "fail closed" (expect a sandbox to be available and try to start it). 2038 if (bpf_sandbox_status != Sandbox::STATUS_UNSUPPORTED) { 2039 return true; 2040 } 2041 #endif 2042 return false; 2043 } 2044 2045 bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { 2046 #if defined(SECCOMP_BPF_SANDBOX) 2047 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 2048 2049 if (IsSeccompBpfDesired() && // Global switches policy. 2050 ShouldEnableSeccompBpf(process_type) && // Process-specific policy. 2051 SupportsSandbox()) { 2052 // If the kernel supports the sandbox, and if the command line says we 2053 // should enable it, enable it or die. 2054 bool started_sandbox = StartBpfSandbox(command_line, process_type); 2055 CHECK(started_sandbox); 2056 return true; 2057 } 2058 #endif 2059 return false; 2060 } 2061 2062 bool SandboxSeccompBpf::StartSandboxWithExternalPolicy( 2063 playground2::BpfSandboxPolicy policy) { 2064 #if defined(SECCOMP_BPF_SANDBOX) 2065 if (IsSeccompBpfDesired() && SupportsSandbox()) { 2066 CHECK(policy); 2067 StartSandboxWithPolicy(policy, NULL); 2068 return true; 2069 } 2070 #endif // defined(SECCOMP_BPF_SANDBOX) 2071 return false; 2072 } 2073 2074 #if defined(SECCOMP_BPF_SANDBOX) 2075 playground2::BpfSandboxPolicyCallback SandboxSeccompBpf::GetBaselinePolicy() { 2076 return base::Bind(&BaselinePolicyWithAux); 2077 } 2078 #endif // defined(SECCOMP_BPF_SANDBOX) 2079 2080 } // namespace content 2081
