search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix experimental app list search box disappearing on profile switch.
[chromium-blink-merge.git] / components / nacl / loader / sandbox_linux / nacl_bpf_sandbox_linux.cc
blob50e112ab40b69becfe90eff634d7e0ae08f6ec57
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
6
7 #include "build/build_config.h"
8
9 #if defined(USE_SECCOMP_BPF)
10
11 #include <errno.h>
12 #include <signal.h>
13 #include <sys/ptrace.h>
14 #include <sys/types.h>
15 #include <unistd.h>
16
17 #include "base/basictypes.h"
18 #include "base/callback.h"
19 #include "base/command_line.h"
20 #include "base/compiler_specific.h"
21 #include "base/files/scoped_file.h"
22 #include "base/logging.h"
23
24 #include "components/nacl/common/nacl_switches.h"
25 #include "content/public/common/sandbox_init.h"
26 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
27 #include "sandbox/linux/bpf_dsl/policy.h"
28 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
29 #include "sandbox/linux/system_headers/linux_syscalls.h"
30
31 #endif // defined(USE_SECCOMP_BPF)
32
33 namespace nacl {
34
35 #if defined(USE_SECCOMP_BPF)
36
37 namespace {
38
39 using sandbox::bpf_dsl::Allow;
40 using sandbox::bpf_dsl::Error;
41 using sandbox::bpf_dsl::ResultExpr;
42
43 class NaClBPFSandboxPolicy : public sandbox::bpf_dsl::Policy {
44 public:
45 NaClBPFSandboxPolicy()
46 : baseline_policy_(content::GetBPFSandboxBaselinePolicy()),
47 policy_pid_(syscall(__NR_getpid)) {
48 const base::CommandLine* command_line =
49 base::CommandLine::ForCurrentProcess();
50 // nacl_process_host.cc doesn't always enable the debug stub when
51 // kEnableNaClDebug is passed, but it's OK to enable the extra syscalls
52 // whenever kEnableNaClDebug is passed.
53 enable_nacl_debug_ = command_line->HasSwitch(switches::kEnableNaClDebug);
54 }
55 ~NaClBPFSandboxPolicy() override {}
56
57 ResultExpr EvaluateSyscall(int system_call_number) const override;
58 ResultExpr InvalidSyscall() const override {
59 return baseline_policy_->InvalidSyscall();
60 }
61
62 private:
63 scoped_ptr<sandbox::bpf_dsl::Policy> baseline_policy_;
64 bool enable_nacl_debug_;
65 const pid_t policy_pid_;
66
67 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy);
68 };
69
70 ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const {
71 DCHECK(baseline_policy_);
72
73 // EvaluateSyscall must be called from the same process that instantiated the
74 // NaClBPFSandboxPolicy.
75 DCHECK_EQ(policy_pid_, syscall(__NR_getpid));
76
77 // NaCl's GDB debug stub uses the following socket system calls. We only
78 // allow them when --enable-nacl-debug is specified.
79 if (enable_nacl_debug_) {
80 switch (sysno) {
81 // trusted/service_runtime/linux/thread_suspension.c needs sigwait(). Thread
82 // suspension is currently only used in the debug stub.
83 case __NR_rt_sigtimedwait:
84 return Allow();
85 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
86 // transport_common.cc needs this.
87 case __NR_accept:
88 case __NR_setsockopt:
89 return Allow();
90 #elif defined(__i386__)
91 case __NR_socketcall:
92 return Allow();
93 #endif
94 default:
95 break;
96 }
97 }
98
99 switch (sysno) {
100 #if defined(__i386__) || defined(__mips__)
101 // Needed on i386 to set-up the custom segments.
102 case __NR_modify_ldt:
103 #endif
104 // NaCl uses custom signal stacks.
105 case __NR_sigaltstack:
106 // Below is fairly similar to the policy for a Chromium renderer.
107 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
108 case __NR_getrlimit:
109 #endif
110 #if defined(__i386__) || defined(__arm__)
111 case __NR_ugetrlimit:
112 #endif
113 // NaCl runtime uses flock to simulate POSIX behavior for pwrite.
114 case __NR_flock:
115 case __NR_pread64:
116 case __NR_pwrite64:
117 case __NR_sched_get_priority_max:
118 case __NR_sched_get_priority_min:
119 case __NR_sysinfo:
120 // __NR_times needed as clock() is called by CommandBufferHelper, which is
121 // used by NaCl applications that use Pepper's 3D interfaces.
122 // See crbug.com/264856 for details.
123 case __NR_times:
124 case __NR_uname:
125 return Allow();
126 case __NR_ioctl:
127 case __NR_ptrace:
128 return Error(EPERM);
129 case __NR_sched_getaffinity:
130 case __NR_sched_getparam:
131 case __NR_sched_getscheduler:
132 case __NR_sched_setscheduler:
133 return sandbox::RestrictSchedTarget(policy_pid_, sysno);
134 // NaClAddrSpaceBeforeAlloc needs prlimit64.
135 case __NR_prlimit64:
136 return sandbox::RestrictPrlimit64(policy_pid_);
137 // NaCl runtime exposes clock_getres to untrusted code.
138 case __NR_clock_getres:
139 return sandbox::RestrictClockID();
140 default:
141 return baseline_policy_->EvaluateSyscall(sysno);
142 }
143 NOTREACHED();
144 // GCC wants this.
145 return Error(EPERM);
146 }
147
148 void RunSandboxSanityChecks() {
149 errno = 0;
150 // Make a ptrace request with an invalid PID.
151 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
152 CHECK_EQ(-1, ptrace_ret);
153 // Without the sandbox on, this ptrace call would ESRCH instead.
154 CHECK_EQ(EPERM, errno);
155 }
156
157 } // namespace
158
159 #else
160
161 #error "Seccomp-bpf disabled on supported architecture!"
162
163 #endif // defined(USE_SECCOMP_BPF)
164
165 bool InitializeBPFSandbox(base::ScopedFD proc_task_fd) {
166 #if defined(USE_SECCOMP_BPF)
167 bool sandbox_is_initialized = content::InitializeSandbox(
168 scoped_ptr<sandbox::bpf_dsl::Policy>(new NaClBPFSandboxPolicy),
169 proc_task_fd.Pass());
170 if (sandbox_is_initialized) {
171 RunSandboxSanityChecks();
172 return true;
173 }
174 #endif // defined(USE_SECCOMP_BPF)
175 return false;
176 }
177
178 } // namespace nacl