sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 // Note: any code in this file MUST be async-signal safe.
   6
   7 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
   8
   9 #include <sys/syscall.h>
  10 #include <unistd.h>
  11
  12 #include "base/basictypes.h"
  13 #include "base/logging.h"
  14 #include "base/posix/eintr_wrapper.h"
  15 #include "build/build_config.h"
  16 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
  17 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
  18 #include "sandbox/linux/seccomp-bpf/syscall.h"
  19 #include "sandbox/linux/services/linux_syscalls.h"
  20 #include "sandbox/linux/services/syscall_wrappers.h"
  21
  22 #if defined(__mips__)
  23 // __NR_Linux, is defined in <asm/unistd.h>.
  24 #include <asm/unistd.h>
  25 #endif
  26
  27 #define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure"
  28 #define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure"
  29 #define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure"
  30 #define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure"
  31 #define SECCOMP_MESSAGE_KILL_CONTENT "(tg)kill() failure"
  32 #define SECCOMP_MESSAGE_FUTEX_CONTENT "futex() failure"
  33
  34 namespace {
  35
  36 inline bool IsArchitectureX86_64() {
  37 #if defined(__x86_64__)
  38   return true;
  39 #else
  40   return false;
  41 #endif
  42 }
  43
  44 // Write |error_message| to stderr. Similar to RawLog(), but a bit more careful
  45 // about async-signal safety. |size| is the size to write and should typically
  46 // not include a terminating \0.
  47 void WriteToStdErr(const char* error_message, size_t size) {
  48   while (size > 0) {
  49     // TODO(jln): query the current policy to check if send() is available and
  50     // use it to perform a non-blocking write.
  51     const int ret = HANDLE_EINTR(write(STDERR_FILENO, error_message, size));
  52     // We can't handle any type of error here.
  53     if (ret <= 0 || static_cast<size_t>(ret) > size) break;
  54     size -= ret;
  55     error_message += ret;
  56   }
  57 }
  58
  59 // Invalid syscall values are truncated to zero.
  60 // On architectures where base value is zero (Intel and Arm),
  61 // syscall number is the same as offset from base.
  62 // This function returns values between 0 and 1023 on all architectures.
  63 // On architectures where base value is different than zero (currently only
  64 // Mips), we are truncating valid syscall values to offset from base.
  65 uint32_t SyscallNumberToOffsetFromBase(uint32_t sysno) {
  66 #if defined(__mips__)
  67   // On MIPS syscall numbers are in different range than on x86 and ARM.
  68   // Valid MIPS O32 ABI syscall __NR_syscall will be truncated to zero for
  69   // simplicity.
  70   sysno = sysno - __NR_Linux;
  71 #endif
  72
  73   if (sysno >= 1024)
  74     sysno = 0;
  75
  76   return sysno;
  77 }
  78
  79 // Print a seccomp-bpf failure to handle |sysno| to stderr in an
  80 // async-signal safe way.
  81 void PrintSyscallError(uint32_t sysno) {
  82   if (sysno >= 1024)
  83     sysno = 0;
  84   // TODO(markus): replace with async-signal safe snprintf when available.
  85   const size_t kNumDigits = 4;
  86   char sysno_base10[kNumDigits];
  87   uint32_t rem = sysno;
  88   uint32_t mod = 0;
  89   for (int i = kNumDigits - 1; i >= 0; i--) {
  90     mod = rem % 10;
  91     rem /= 10;
  92     sysno_base10[i] = '0' + mod;
  93   }
  94 #if defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
  95   static const char kSeccompErrorPrefix[] = __FILE__
  96       ":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall 4000 + ";
  97 #else
  98   static const char kSeccompErrorPrefix[] =
  99       __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall ";
 100 #endif
 101   static const char kSeccompErrorPostfix[] = "\n";
 102   WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1);
 103   WriteToStdErr(sysno_base10, sizeof(sysno_base10));
 104   WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1);
 105 }
 106
 107 }  // namespace.
 108
 109 namespace sandbox {
 110
 111 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
 112   uint32_t syscall = SyscallNumberToOffsetFromBase(args.nr);
 113
 114   PrintSyscallError(syscall);
 115
 116   // Encode 8-bits of the 1st two arguments too, so we can discern which socket
 117   // type, which fcntl, ... etc., without being likely to hit a mapped
 118   // address.
 119   // Do not encode more bits here without thinking about increasing the
 120   // likelihood of collision with mapped pages.
 121   syscall |= ((args.args[0] & 0xffUL) << 12);
 122   syscall |= ((args.args[1] & 0xffUL) << 20);
 123   // Purposefully dereference the syscall as an address so it'll show up very
 124   // clearly and easily in crash dumps.
 125   volatile char* addr = reinterpret_cast<volatile char*>(syscall);
 126   *addr = '\0';
 127   // In case we hit a mapped address, hit the null page with just the syscall,
 128   // for paranoia.
 129   syscall &= 0xfffUL;
 130   addr = reinterpret_cast<volatile char*>(syscall);
 131   *addr = '\0';
 132   for (;;)
 133     _exit(1);
 134 }
 135
 136 // TODO(jln): refactor the reporting functions.
 137
 138 intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) {
 139   static const char kSeccompCloneError[] =
 140       __FILE__":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT "\n";
 141   WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1);
 142   // "flags" is the first argument in the kernel's clone().
 143   // Mark as volatile to be able to find the value on the stack in a minidump.
 144   volatile uint64_t clone_flags = args.args[0];
 145   volatile char* addr;
 146   if (IsArchitectureX86_64()) {
 147     addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);
 148     *addr = '\0';
 149   }
 150   // Hit the NULL page if this fails to fault.
 151   addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);
 152   *addr = '\0';
 153   for (;;)
 154     _exit(1);
 155 }
 156
 157 intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args,
 158                             void* /* aux */) {
 159   static const char kSeccompPrctlError[] =
 160       __FILE__":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT "\n";
 161   WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1);
 162   // Mark as volatile to be able to find the value on the stack in a minidump.
 163   volatile uint64_t option = args.args[0];
 164   volatile char* addr =
 165       reinterpret_cast<volatile char*>(option & 0xFFF);
 166   *addr = '\0';
 167   for (;;)
 168     _exit(1);
 169 }
 170
 171 intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args,
 172                             void* /* aux */) {
 173   static const char kSeccompIoctlError[] =
 174       __FILE__":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT "\n";
 175   WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1);
 176   // Make "request" volatile so that we can see it on the stack in a minidump.
 177   volatile uint64_t request = args.args[1];
 178   volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF);
 179   *addr = '\0';
 180   // Hit the NULL page if this fails.
 181   addr = reinterpret_cast<volatile char*>(request & 0xFFF);
 182   *addr = '\0';
 183   for (;;)
 184     _exit(1);
 185 }
 186
 187 intptr_t SIGSYSKillFailure(const struct arch_seccomp_data& args,
 188                            void* /* aux */) {
 189    static const char kSeccompKillError[] =
 190       __FILE__":**CRASHING**:" SECCOMP_MESSAGE_KILL_CONTENT "\n";
 191   WriteToStdErr(kSeccompKillError, sizeof(kSeccompKillError) - 1);
 192   // Make "request" volatile so that we can see it on the stack in a minidump.
 193   volatile uint64_t pid = args.args[0];
 194   volatile char* addr = reinterpret_cast<volatile char*>(pid & 0xFFF);
 195   *addr = '\0';
 196   // Hit the NULL page if this fails.
 197   addr = reinterpret_cast<volatile char*>(pid & 0xFFF);
 198   *addr = '\0';
 199   for (;;)
 200     _exit(1);
 201 }
 202
 203 intptr_t SIGSYSFutexFailure(const struct arch_seccomp_data& args,
 204                             void* /* aux */) {
 205   static const char kSeccompFutexError[] =
 206       __FILE__ ":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT "\n";
 207   WriteToStdErr(kSeccompFutexError, sizeof(kSeccompFutexError) - 1);
 208   volatile int futex_op = args.args[1];
 209   volatile char* addr = reinterpret_cast<volatile char*>(futex_op & 0xFFF);
 210   *addr = '\0';
 211   for (;;)
 212     _exit(1);
 213 }
 214
 215 intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args,
 216                             void* aux) {
 217   switch (args.nr) {
 218     case __NR_sched_getaffinity:
 219     case __NR_sched_getattr:
 220     case __NR_sched_getparam:
 221     case __NR_sched_getscheduler:
 222     case __NR_sched_rr_get_interval:
 223     case __NR_sched_setaffinity:
 224     case __NR_sched_setattr:
 225     case __NR_sched_setparam:
 226     case __NR_sched_setscheduler:
 227       const pid_t tid = sys_gettid();
 228       // The first argument is the pid.  If is our thread id, then replace it
 229       // with 0, which is equivalent and allowed by the policy.
 230       if (args.args[0] == static_cast<uint64_t>(tid)) {
 231         return Syscall::Call(args.nr,
 232                              0,
 233                              static_cast<intptr_t>(args.args[1]),
 234                              static_cast<intptr_t>(args.args[2]),
 235                              static_cast<intptr_t>(args.args[3]),
 236                              static_cast<intptr_t>(args.args[4]),
 237                              static_cast<intptr_t>(args.args[5]));
 238       }
 239       break;
 240   }
 241
 242   CrashSIGSYS_Handler(args, aux);
 243
 244   // Should never be reached.
 245   RAW_CHECK(false);
 246   return -ENOSYS;
 247 }
 248
 249 bpf_dsl::ResultExpr CrashSIGSYS() {
 250   return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
 251 }
 252
 253 bpf_dsl::ResultExpr CrashSIGSYSClone() {
 254   return bpf_dsl::Trap(SIGSYSCloneFailure, NULL);
 255 }
 256
 257 bpf_dsl::ResultExpr CrashSIGSYSPrctl() {
 258   return bpf_dsl::Trap(SIGSYSPrctlFailure, NULL);
 259 }
 260
 261 bpf_dsl::ResultExpr CrashSIGSYSIoctl() {
 262   return bpf_dsl::Trap(SIGSYSIoctlFailure, NULL);
 263 }
 264
 265 bpf_dsl::ResultExpr CrashSIGSYSKill() {
 266   return bpf_dsl::Trap(SIGSYSKillFailure, NULL);
 267 }
 268
 269 bpf_dsl::ResultExpr CrashSIGSYSFutex() {
 270   return bpf_dsl::Trap(SIGSYSFutexFailure, NULL);
 271 }
 272
 273 bpf_dsl::ResultExpr RewriteSchedSIGSYS() {
 274   return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
 275 }
 276
 277 const char* GetErrorMessageContentForTests() {
 278   return SECCOMP_MESSAGE_COMMON_CONTENT;
 279 }
 280
 281 const char* GetCloneErrorMessageContentForTests() {
 282   return SECCOMP_MESSAGE_CLONE_CONTENT;
 283 }
 284
 285 const char* GetPrctlErrorMessageContentForTests() {
 286   return SECCOMP_MESSAGE_PRCTL_CONTENT;
 287 }
 288
 289 const char* GetIoctlErrorMessageContentForTests() {
 290   return SECCOMP_MESSAGE_IOCTL_CONTENT;
 291 }
 292
 293 const char* GetKillErrorMessageContentForTests() {
 294   return SECCOMP_MESSAGE_KILL_CONTENT;
 295 }
 296
 297 const char* GetFutexErrorMessageContentForTests() {
 298   return SECCOMP_MESSAGE_FUTEX_CONTENT;
 299 }
 300
 301 }  // namespace sandbox.