Don't preload rarely seen large images
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf-helpers / baseline_policy.cc
blob8c679a3d41ad5ff10e02fdc6fdc58b508efb7615
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
7 #include <errno.h>
8 #include <sys/mman.h>
9 #include <sys/socket.h>
10 #include <sys/syscall.h>
11 #include <sys/types.h>
12 #include <unistd.h>
14 #include "base/logging.h"
15 #include "build/build_config.h"
16 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
17 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
18 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
19 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
20 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
21 #include "sandbox/linux/services/syscall_wrappers.h"
22 #include "sandbox/linux/system_headers/linux_syscalls.h"
24 // Changing this implementation will have an effect on *all* policies.
25 // Currently this means: Renderer/Worker, GPU, Flash and NaCl.
27 using sandbox::bpf_dsl::Allow;
28 using sandbox::bpf_dsl::Arg;
29 using sandbox::bpf_dsl::Error;
30 using sandbox::bpf_dsl::If;
31 using sandbox::bpf_dsl::ResultExpr;
33 namespace sandbox {
35 namespace {
37 bool IsBaselinePolicyAllowed(int sysno) {
38 return SyscallSets::IsAllowedAddressSpaceAccess(sysno) ||
39 SyscallSets::IsAllowedBasicScheduler(sysno) ||
40 SyscallSets::IsAllowedEpoll(sysno) ||
41 SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) ||
42 SyscallSets::IsAllowedFutex(sysno) ||
43 SyscallSets::IsAllowedGeneralIo(sysno) ||
44 SyscallSets::IsAllowedGetOrModifySocket(sysno) ||
45 SyscallSets::IsAllowedGettime(sysno) ||
46 SyscallSets::IsAllowedProcessStartOrDeath(sysno) ||
47 SyscallSets::IsAllowedSignalHandling(sysno) ||
48 SyscallSets::IsGetSimpleId(sysno) ||
49 SyscallSets::IsKernelInternalApi(sysno) ||
50 #if defined(__arm__)
51 SyscallSets::IsArmPrivate(sysno) ||
52 #endif
53 #if defined(__mips__)
54 SyscallSets::IsMipsPrivate(sysno) ||
55 #endif
56 SyscallSets::IsAllowedOperationOnFd(sysno);
59 // System calls that will trigger the crashing SIGSYS handler.
60 bool IsBaselinePolicyWatched(int sysno) {
61 return SyscallSets::IsAdminOperation(sysno) ||
62 SyscallSets::IsAdvancedScheduler(sysno) ||
63 SyscallSets::IsAdvancedTimer(sysno) ||
64 SyscallSets::IsAsyncIo(sysno) ||
65 SyscallSets::IsDebug(sysno) ||
66 SyscallSets::IsEventFd(sysno) ||
67 SyscallSets::IsExtendedAttributes(sysno) ||
68 SyscallSets::IsFaNotify(sysno) ||
69 SyscallSets::IsFsControl(sysno) ||
70 SyscallSets::IsGlobalFSViewChange(sysno) ||
71 SyscallSets::IsGlobalProcessEnvironment(sysno) ||
72 SyscallSets::IsGlobalSystemStatus(sysno) ||
73 SyscallSets::IsInotify(sysno) ||
74 SyscallSets::IsKernelModule(sysno) ||
75 SyscallSets::IsKeyManagement(sysno) ||
76 SyscallSets::IsKill(sysno) ||
77 SyscallSets::IsMessageQueue(sysno) ||
78 SyscallSets::IsMisc(sysno) ||
79 #if defined(__x86_64__)
80 SyscallSets::IsNetworkSocketInformation(sysno) ||
81 #endif
82 SyscallSets::IsNuma(sysno) ||
83 SyscallSets::IsPrctl(sysno) ||
84 SyscallSets::IsProcessGroupOrSession(sysno) ||
85 #if defined(__i386__) || defined(__mips__)
86 SyscallSets::IsSocketCall(sysno) ||
87 #endif
88 #if defined(__arm__)
89 SyscallSets::IsArmPciConfig(sysno) ||
90 #endif
91 #if defined(__mips__)
92 SyscallSets::IsMipsMisc(sysno) ||
93 #endif
94 SyscallSets::IsTimer(sysno);
97 // |fs_denied_errno| is the errno return for denied filesystem access.
98 ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
99 pid_t current_pid,
100 int sysno) {
101 #if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
102 defined(MEMORY_SANITIZER)
103 // TCGETS is required by the sanitizers on failure.
104 if (sysno == __NR_ioctl) {
105 return RestrictIoctl();
108 if (sysno == __NR_sched_getaffinity) {
109 return Allow();
112 // Used when RSS limiting is enabled in sanitizers.
113 if (sysno == __NR_getrusage) {
114 return RestrictGetrusage();
117 if (sysno == __NR_sigaltstack) {
118 // Required for better stack overflow detection in ASan. Disallowed in
119 // non-ASan builds.
120 return Allow();
122 #endif // defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) ||
123 // defined(MEMORY_SANITIZER)
125 if (IsBaselinePolicyAllowed(sysno)) {
126 return Allow();
129 #if defined(OS_ANDROID)
130 // Needed for thread creation.
131 if (sysno == __NR_sigaltstack)
132 return Allow();
133 #endif
135 if (sysno == __NR_clock_gettime) {
136 return RestrictClockID();
139 if (sysno == __NR_clone) {
140 return RestrictCloneToThreadsAndEPERMFork();
143 if (sysno == __NR_fcntl)
144 return RestrictFcntlCommands();
146 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
147 if (sysno == __NR_fcntl64)
148 return RestrictFcntlCommands();
149 #endif
151 #if !defined(__aarch64__)
152 // fork() is never used as a system call (clone() is used instead), but we
153 // have seen it in fallback code on Android.
154 if (sysno == __NR_fork) {
155 return Error(EPERM);
157 #endif
159 if (sysno == __NR_futex)
160 return RestrictFutex();
162 if (sysno == __NR_set_robust_list)
163 return Error(EPERM);
165 if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
166 return RestrictGetSetpriority(current_pid);
168 if (sysno == __NR_madvise) {
169 // Only allow MADV_DONTNEED (aka MADV_FREE).
170 const Arg<int> advice(2);
171 return If(advice == MADV_DONTNEED, Allow()).Else(Error(EPERM));
174 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
175 defined(__aarch64__)
176 if (sysno == __NR_mmap)
177 return RestrictMmapFlags();
178 #endif
180 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
181 if (sysno == __NR_mmap2)
182 return RestrictMmapFlags();
183 #endif
185 if (sysno == __NR_mprotect)
186 return RestrictMprotectFlags();
188 if (sysno == __NR_prctl)
189 return RestrictPrctl();
191 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
192 defined(__aarch64__)
193 if (sysno == __NR_socketpair) {
194 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
195 static_assert(AF_UNIX == PF_UNIX,
196 "af_unix and pf_unix should not be different");
197 const Arg<int> domain(0);
198 return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS());
200 #endif
202 if (SyscallSets::IsKill(sysno)) {
203 return RestrictKillTarget(current_pid, sysno);
206 if (SyscallSets::IsFileSystem(sysno) ||
207 SyscallSets::IsCurrentDirectory(sysno)) {
208 return Error(fs_denied_errno);
211 if (SyscallSets::IsSeccomp(sysno))
212 return Error(EPERM);
214 if (SyscallSets::IsAnySystemV(sysno)) {
215 return Error(EPERM);
218 if (SyscallSets::IsUmask(sysno) ||
219 SyscallSets::IsDeniedFileSystemAccessViaFd(sysno) ||
220 SyscallSets::IsDeniedGetOrModifySocket(sysno) ||
221 SyscallSets::IsProcessPrivilegeChange(sysno)) {
222 return Error(EPERM);
225 #if defined(__i386__) || defined(__mips__)
226 if (SyscallSets::IsSocketCall(sysno))
227 return RestrictSocketcallCommand();
228 #endif
230 if (IsBaselinePolicyWatched(sysno)) {
231 // Previously unseen syscalls. TODO(jln): some of these should
232 // be denied gracefully right away.
233 return CrashSIGSYS();
236 // In any other case crash the program with our SIGSYS handler.
237 return CrashSIGSYS();
240 } // namespace.
242 // Unfortunately C++03 doesn't allow delegated constructors.
243 // Call other constructor when C++11 lands.
244 BaselinePolicy::BaselinePolicy() : BaselinePolicy(EPERM) {}
246 BaselinePolicy::BaselinePolicy(int fs_denied_errno)
247 : fs_denied_errno_(fs_denied_errno), policy_pid_(sys_getpid()) {
250 BaselinePolicy::~BaselinePolicy() {
251 // Make sure that this policy is created, used and destroyed by a single
252 // process.
253 DCHECK_EQ(sys_getpid(), policy_pid_);
256 ResultExpr BaselinePolicy::EvaluateSyscall(int sysno) const {
257 // Sanity check that we're only called with valid syscall numbers.
258 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
259 // Make sure that this policy is used in the creating process.
260 if (1 == sysno) {
261 DCHECK_EQ(sys_getpid(), policy_pid_);
263 return EvaluateSyscallImpl(fs_denied_errno_, policy_pid_, sysno);
266 ResultExpr BaselinePolicy::InvalidSyscall() const {
267 return CrashSIGSYS();
270 } // namespace sandbox.