chrome/nacl/nacl_sandbox_linux.cc

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/nacl/nacl_sandbox_linux.h"
   6
   7 #include <signal.h>
   8 #include <sys/ptrace.h>
   9
  10 #include "base/callback.h"
  11 #include "base/compiler_specific.h"
  12 #include "base/logging.h"
  13 #include "content/public/common/sandbox_init.h"
  14 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
  15 #include "sandbox/linux/services/linux_syscalls.h"
  16
  17 using playground2::ErrorCode;
  18 using playground2::Sandbox;
  19
  20 namespace {
  21
  22 // This policy does very little:
  23 // - Any invalid system call for the current architecture is handled by
  24 //   the baseline policy.
  25 // - ptrace() is denied.
  26 // - Anything else is allowed.
  27 // Note that the seccomp-bpf sandbox always prevents cross-architecture
  28 // system calls (on x86, long/compatibility/x32).
  29 // So even this trivial policy has a security benefit.
  30 ErrorCode NaClBpfSandboxPolicy(
  31     playground2::Sandbox* sb, int sysnum, void* aux) {
  32   const playground2::BpfSandboxPolicyCallback baseline_policy =
  33       content::GetBpfSandboxBaselinePolicy();
  34   if (!playground2::Sandbox::IsValidSyscallNumber(sysnum)) {
  35     return baseline_policy.Run(sb, sysnum, aux);
  36   }
  37   switch (sysnum) {
  38     case __NR_ptrace:
  39       return ErrorCode(EPERM);
  40     default:
  41       return ErrorCode(ErrorCode::ERR_ALLOWED);
  42   }
  43   NOTREACHED();
  44   // GCC wants this.
  45   return ErrorCode(EPERM);
  46 }
  47
  48 void RunSandboxSanityChecks() {
  49   errno = 0;
  50   // Make a ptrace request with an invalid PID.
  51   long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
  52   CHECK_EQ(-1, ptrace_ret);
  53   // Without the sandbox on, this ptrace call would ESRCH instead.
  54   CHECK_EQ(EPERM, errno);
  55 }
  56
  57 }  // namespace
  58
  59 bool InitializeBpfSandbox() {
  60   bool sandbox_is_initialized =
  61       content::InitializeSandbox(NaClBpfSandboxPolicy);
  62   if (sandbox_is_initialized) {
  63     RunSandboxSanityChecks();
  64     // TODO(jln): Find a way to fix this.
  65     // The sandbox' SIGSYS handler trips NaCl, so we disable it.
  66     // If SIGSYS is triggered it'll now execute the default action
  67     // (CORE). This will make it hard to track down bugs and sandbox violations.
  68     CHECK(signal(SIGSYS, SIG_DFL) != SIG_ERR);
  69     return true;
  70   }
  71   return false;
  72 }