| blob | 2bc22e92aa939ba001347f207517417db36c4f90 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <errno.h>
8 #include <linux/filter.h>
9 #include <sys/syscall.h>
11 #include <limits>
30 #if defined(__i386__) || defined(__x86_64__)
32 #else
34 #endif
35 #if defined(__x86_64__) && defined(__ILP32__)
37 #else
39 #endif
42 __NR_rt_sigprocmask,
43 __NR_rt_sigreturn,
44 #if defined(__NR_sigprocmask)
45 __NR_sigprocmask,
46 #endif
47 #if defined(__NR_sigreturn)
48 __NR_sigreturn,
49 #endif
50 };
53 // Common trick; e.g., see http://stackoverflow.com/a/108329.
55 }
61 }
63 // A Trap() handler that returns an "errno" value. The value is encoded
64 // in the "aux" parameter.
66 // TrapFnc functions report error by following the native kernel convention
67 // of returning an exit code in the range of -1..-4096. They do not try to
68 // set errno themselves. The glibc wrapper that triggered the SIGSYS will
69 // ultimately do so for us.
72 }
76 }
82 }
83 }
85 }
92 ErrorCode err;
93 };
101 }
104 }
109 }
111 // If our BPF program has unsafe traps, enable support for them.
113 // As support for unsafe jumps essentially defeats all the security
114 // measures that the sandbox provides, we print a big warning message --
115 // and of course, we make sure to only ever enable this feature if it
116 // is actually requested by the sandbox policy.
119 "Support for UnsafeTrap() has not yet been ported to this "
121 }
127 "Policies that use UnsafeTrap() must unconditionally allow all "
129 }
130 }
133 // We should never be able to get here, as UnsafeTrap() should never
134 // actually return a valid ErrorCode object unless the user set the
135 // CHROME_SANDBOX_DEBUGGING environment variable; and therefore,
136 // "has_unsafe_traps" would always be false. But better double-check
137 // than enabling dangerous code.
139 }
140 }
142 // Assemble the BPF filter program.
146 }
149 // A compiled policy consists of three logical parts:
150 // 1. Check that the "arch" field matches the expected architecture.
151 // 2. If the policy involves unsafe traps, check if the syscall was
152 // invoked by Syscall::Call, and then allow it unconditionally.
153 // 3. Check the system call number and jump to the appropriate compiled
154 // system call policy number.
156 }
159 // If the architecture doesn't match SECCOMP_ARCH, disallow the
160 // system call.
163 SECCOMP_ARCH_IDX,
166 SECCOMP_ARCH,
167 passed,
169 }
172 // If no unsafe traps, then simply return |rest|.
175 }
177 // Allow system calls, if they originate from our magic return address
178 // (which we can query by calling Syscall::Call(-1)).
184 // BPF cannot do native 64-bit comparisons, so we have to compare
185 // both 32-bit halves of the instruction pointer. If they match what
186 // we expect, we return ERR_ALLOWED. If either or both don't match,
187 // we continue evalutating the rest of the sandbox policy.
188 //
189 // For simplicity, we check the full 64-bit instruction pointer even
190 // on 32-bit architectures.
193 SECCOMP_IP_LSB_IDX,
196 low,
199 SECCOMP_IP_MSB_IDX,
202 hi,
204 rest)),
205 rest));
206 }
209 // Evaluate all possible system calls and group their ErrorCodes into
210 // ranges of identical codes.
211 Ranges ranges;
214 // Compile the system call ranges to an optimized BPF jumptable
217 // Grab the system call number, so that we can check it and then
218 // execute the jump table.
221 }
225 // On Intel architectures, verify that system call numbers are in the
226 // expected number range.
230 // The newer x32 API always sets bit 30.
234 // The older i386 and x86-64 APIs clear bit 30 on all system calls.
237 }
238 }
240 // TODO(mdempsky): Similar validation for other architectures?
242 }
245 // Please note that "struct seccomp_data" defines system calls as a signed
246 // int32_t, but BPF instructions always operate on unsigned quantities. We
247 // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
248 // and then verifying that the rest of the number range (both positive and
249 // negative) all return the same ErrorCode.
257 ErrorCode err =
265 }
266 }
268 }
272 // We convert the list of system call ranges into jump table that performs
273 // a binary search over the ranges.
274 // As a sanity check, we need to have at least one distinct ranges for us
275 // to be able to build a jump table.
279 // If we have narrowed things down to a single range object, we can
280 // return from the BPF filter program.
282 }
284 // Pick the range object that is located at the mid point of our list.
285 // We compare our system call number against the lowest valid system call
286 // number in this range object. If our number is lower, it is outside of
287 // this range object. If it is greater or equal, it might be inside.
290 // Sub-divide the list of ranges and continue recursively.
294 }
305 }
306 }
309 // Sanity check that |cond| makes sense.
312 }
316 }
319 }
322 }
326 }
327 // TODO(mdempsky): Reject TP_64BIT on 32-bit platforms. For now we allow it
328 // because some SandboxBPF unit tests exercise it.
333 // We want to emit code to check "(arg & mask) == value" where arg, mask, and
334 // value are 64-bit values, but the BPF machine is only 32-bit. We implement
335 // this by independently testing the upper and lower 32-bits and continuing to
336 // |passed| if both evaluate true, or to |failed| if either evaluate false.
338 UpperHalf,
340 failed);
341 }
344 ArgHalf half,
348 // Special logic for sanity checking the upper 32-bits of 32-bit system
349 // call arguments.
351 // TODO(mdempsky): Compile Unexpected64bitArgument() just per program.
358 // On 32-bit platforms, the upper 32-bits should always be 0:
359 // LDW [upper]
360 // JEQ 0, passed, invalid
363 upper,
366 }
368 // On 64-bit platforms, the upper 32-bits may be 0 or ~0; but we only allow
369 // ~0 if the sign bit of the lower 32-bits is set too:
370 // LDW [upper]
371 // JEQ 0, passed, (next)
372 // JEQ ~0, (next), invalid
373 // LDW [lower]
374 // JSET (1<<31), passed, invalid
375 //
376 // TODO(mdempsky): The JSET instruction could perhaps jump to passed->next
377 // instead, as the first instruction of passed should be "LDW [lower]".
380 upper,
384 passed,
390 lower,
393 passed,
394 invalid_64bit)),
395 invalid_64bit)));
396 }
403 // Emit a suitable instruction sequence for (arg & mask) == value.
405 // For (arg & 0) == 0, just return passed.
409 }
411 // For (arg & ~0) == value, emit:
412 // LDW [idx]
413 // JEQ value, passed, failed
417 idx,
419 }
421 // For (arg & mask) == 0, emit:
422 // LDW [idx]
423 // JSET mask, failed, passed
424 // (Note: failed and passed are intentionally swapped.)
428 idx,
430 }
432 // For (arg & x) == x where x is a single-bit value, emit:
433 // LDW [idx]
434 // JSET mask, passed, failed
438 idx,
440 }
442 // Generic fallback:
443 // LDW [idx]
444 // AND mask
445 // JEQ value, passed, failed
448 idx,
451 mask,
454 }
458 }
462 // When inside an UnsafeTrap() callback, we want to allow all system calls.
463 // This means, we must conditionally disable the sandbox -- and that's not
464 // something that kernel-side BPF filters can do, as they cannot inspect
465 // any state other than the syscall arguments.
466 // But if we redirect all error handlers to user-space, then we can easily
467 // make this decision.
468 // The performance penalty for this extra round-trip to user-space is not
469 // actually that bad, as we only ever pay it for denied system calls; and a
470 // typical program has very few of these.
472 }
475 }
482 }
486 }
491 }
497 }
498 }
500 }
509 width,
510 mask,
511 value,
514 }
518 }