Home | History | Annotate | Download | only in seccomp-bpf-helpers 
      1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
      6 #define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
      7 
      8 #include "build/build_config.h"
      9 
     10 // These are helpers to build seccomp-bpf policies, i.e. policies for a
     11 // sandbox that reduces the Linux kernel's attack surface. They return an
     12 // ErrorCode suitable to restrict certain system call parameters.
     13 
     14 namespace sandbox {
     15 
     16 class ErrorCode;
     17 class SandboxBPF;
     18 
     19 // Allow clone(2) for threads.
     20 // Reject fork(2) attempts with EPERM.
     21 // Don't restrict on ASAN.
     22 // Crash if anything else is attempted.
     23 ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);
     24 
     25 // Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.
     26 // Crash if anything else is attempted.
     27 ErrorCode RestrictPrctl(SandboxBPF* sandbox);
     28 
     29 // Allow TCGETS and FIONREAD.
     30 // Crash if anything else is attempted.
     31 ErrorCode RestrictIoctl(SandboxBPF* sandbox);
     32 
     33 // Restrict the flags argument in mmap(2).
     34 // Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
     35 // MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
     36 // Crash if any other flag is used.
     37 ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);
     38 
     39 // Restrict the prot argument in mprotect(2).
     40 // Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
     41 ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);
     42 
     43 // Restrict fcntl(2) cmd argument to:
     44 // We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
     45 // F_SETLK, F_SETLKW and F_GETLK.
     46 // Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |
     47 // O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
     48 ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);
     49 
     50 #if defined(__i386__)
     51 // Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
     52 // sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
     53 ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);
     54 #endif
     55 
     56 }  // namespace sandbox.
     57 
     58 #endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
     59