| blob | eb99d9920009f5c447ed7a321d34b70d343a4b02 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_BPF_H__
6 #define SANDBOX_BPF_H__
8 #include <endian.h>
9 #include <errno.h>
10 #include <fcntl.h>
11 #include <linux/audit.h>
12 #include <linux/filter.h>
13 // #include <linux/seccomp.h>
14 #include <linux/unistd.h>
15 #include <netinet/in.h>
16 #include <netinet/tcp.h>
17 #include <netinet/udp.h>
18 #include <sched.h>
19 #include <signal.h>
20 #include <stddef.h>
21 #include <stdint.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <sys/ioctl.h>
26 #include <sys/ipc.h>
27 #include <sys/mman.h>
28 #include <sys/prctl.h>
29 #include <sys/shm.h>
30 #include <sys/stat.h>
31 #include <sys/types.h>
32 #include <sys/uio.h>
33 #include <sys/wait.h>
34 #include <unistd.h>
36 #include <algorithm>
37 #include <limits>
38 #include <map>
39 #include <utility>
40 #include <vector>
42 #ifndef SECCOMP_BPF_STANDALONE
46 #endif
48 // The Seccomp2 kernel ABI is not part of older versions of glibc.
49 // As we can't break compilation with these versions of the library,
50 // we explicitly define all missing symbols.
52 #ifndef PR_SET_NO_NEW_PRIVS
53 #define PR_SET_NO_NEW_PRIVS 38
54 #define PR_GET_NO_NEW_PRIVS 39
55 #endif
56 #ifndef IPC_64
57 #define IPC_64 0x0100
58 #endif
59 #ifndef SECCOMP_MODE_FILTER
60 #define SECCOMP_MODE_DISABLED 0
61 #define SECCOMP_MODE_STRICT 1
71 #endif
72 #define SECCOMP_DENY_ERRNO EPERM
73 #ifndef SYS_SECCOMP
74 #define SYS_SECCOMP 1
75 #endif
77 // Impose some reasonable maximum BPF program size. Realistically, the
78 // kernel probably has much lower limits. But by limiting to less than
79 // 30 bits, we can ease requirements on some of our data types.
80 #define SECCOMP_MAX_PROGRAM_SIZE (1<<30)
82 #if defined(__i386__)
83 #define MIN_SYSCALL 0u
84 #define MAX_SYSCALL 1024u
85 #define SECCOMP_ARCH AUDIT_ARCH_I386
87 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
88 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_EAX)
89 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_EAX)
90 #define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_EIP)
91 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_EBX)
92 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_ECX)
93 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_EDX)
94 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_ESI)
95 #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_EDI)
96 #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_EBP)
98 #elif defined(__x86_64__)
99 #define MIN_SYSCALL 0u
100 #define MAX_SYSCALL 1024u
101 #define SECCOMP_ARCH AUDIT_ARCH_X86_64
103 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
104 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_RAX)
105 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_RAX)
106 #define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_RIP)
107 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_RDI)
108 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_RSI)
109 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_RDX)
110 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_R10)
111 #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_R8)
112 #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_R9)
114 #elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
115 // ARM EABI includes "ARM private" system calls starting at |__ARM_NR_BASE|,
116 // and a "ghost syscall private to the kernel", cmpxchg,
117 // at |__ARM_NR_BASE+0x00fff0|.
118 // See </arch/arm/include/asm/unistd.h> in the Linux kernel.
119 #define MIN_SYSCALL ((unsigned int)__NR_SYSCALL_BASE)
120 #define MAX_SYSCALL ((unsigned int)__ARM_NR_BASE + 0x00ffffu)
121 // <linux/audit.h> includes <linux/elf-em.h>, which does not define EM_ARM.
122 // <linux/elf.h> only includes <asm/elf.h> if we're in the kernel.
123 # if !defined(EM_ARM)
124 # define EM_ARM 40
125 # endif
126 #define SECCOMP_ARCH AUDIT_ARCH_ARM
128 // ARM sigcontext_t is different from i386/x86_64.
129 // See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
130 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
131 // ARM EABI syscall convention.
132 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, r0)
133 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, r7)
134 #define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, pc)
135 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, r0)
136 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, r1)
137 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, r2)
138 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, r3)
139 #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, r4)
140 #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, r5)
142 #else
143 #error Unsupported target platform
145 #endif
152 };
158 };
160 #ifdef SECCOMP_BPF_STANDALONE
161 #define arraysize(x) sizeof(x)/sizeof(*(x)))
162 #define HANDLE_EINTR TEMP_FAILURE_RETRY
163 #define DISALLOW_IMPLICIT_CONSTRUCTORS(TypeName) \
164 TypeName(); \
165 TypeName(const TypeName&); \
166 void operator=(const TypeName&)
167 #endif
179 STATUS_ENABLED // The sandbox is now active
180 };
191 };
193 // TrapFnc is a pointer to a function that handles Seccomp traps in
194 // user-space. The seccomp policy can request that a trap handler gets
195 // installed; it does so by returning a suitable ErrorCode() from the
196 // syscallEvaluator. See the ErrorCode() constructor for how to pass in
197 // the function pointer.
198 // Please note that TrapFnc is executed from signal context and must be
199 // async-signal safe:
200 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
206 // We can either wrap a symbolic ErrorCode (i.e. enum values), an errno
207 // value (in the range 1..4095), or a pointer to a TrapFnc callback
208 // handling a SECCOMP_RET_TRAP trap.
209 // All of these different values are stored in the "err_" field. So, code
210 // that is using the ErrorCode class typically operates on a single 32bit
211 // field.
212 // This is not only quiet efficient, it also makes the API really easy to
213 // use.
233 }
234 }
236 // If we are wrapping a callback, we must assign a unique id. This id is
237 // how the kernel tells us which one of our different SECCOMP_RET_TRAP
238 // cases has been triggered.
239 // The getTrapId() function assigns one unique id (starting at 1) for
240 // each distinct pair of TrapFnc and auxiliary data.
246 }
248 // Destructor doesn't need to do anything.
251 // Always return the value that goes into the BPF filter program.
255 // Fields needed for SECCOMP_RET_TRAP callbacks
257 TrapFnc fnc_;
260 // 32bit field used for all possible types of ErrorCode values
262 };
267 OP_HAS_BITS, OP_DOES_NOT_HAVE_BITS
268 };
272 Operation op;
274 ErrorCode passed;
275 ErrorCode failed;
276 };
283 // There are a lot of reasons why the Seccomp sandbox might not be available.
284 // This could be because the kernel does not support Seccomp mode, or it
285 // could be because another sandbox is already active.
286 // "proc_fd" should be a file descriptor for "/proc", or -1 if not
287 // provided by the caller.
290 // The sandbox needs to be able to access files in "/proc/self". If this
291 // directory is not accessible when "startSandbox()" gets called, the caller
292 // can provide an already opened file descriptor by calling "setProcFd()".
293 // The sandbox becomes the new owner of this file descriptor and will
294 // eventually close it when "startSandbox()" executes.
297 // The system call evaluator function is called with the system
298 // call number. It can decide to allow the system call unconditionally
299 // by returning "0"; it can deny the system call unconditionally by
300 // returning an appropriate "errno" value; or it can request inspection
301 // of system call argument(s) by returning a suitable combination of
302 // SB_INSPECT_ARG_x bits.
303 // The system argument evaluator is called (if needed) to query additional
304 // constraints for the system call arguments. In the vast majority of
305 // cases, it will set a "Constraint" that forces a new "errno" value.
306 // But for more complex filters, it is possible to return another mask
307 // of SB_INSPECT_ARG_x bits.
309 EvaluateArguments argumentEvaluator);
311 // This is the main public entry point. It finds all system calls that
312 // need rewriting, sets up the resources needed by the sandbox, and
313 // enters Seccomp mode.
317 // Print an error message and terminate the program. Used for fatal errors.
320 #ifndef SECCOMP_BPF_STANDALONE
322 // LOG(FATAL) is not neccessarily async-signal safe. It would be
323 // better to always use the code for the SECCOMP_BPF_STANDALONE case.
324 // But that prevents the logging and reporting infrastructure from
325 // picking up sandbox related crashes.
326 // For now, in picking between two evils, we decided in favor of
327 // LOG(FATAL). In the long run, we probably want to rewrite this code
328 // to be async-signal safe.
331 #endif
332 {
333 // If there is no logging infrastructure in place, we just write error
334 // messages to stderr.
335 // We also write to stderr, if we are called in a child process from
336 // supportsSeccompSandbox(). This makes sure we can actually do the
337 // correct logging from the parent process, which is more likely to
338 // have access to logging infrastructure.
341 }
342 }
344 // exit_group() should exit our program. After all, it is defined as a
345 // function that doesn't return. But things can theoretically go wrong.
346 // Especially, since we are dealing with system call filters. Continuing
347 // execution would be very bad in most cases where die() gets called.
348 // So, if there is no way for us to ask for the program to exit, the next
349 // best thing we can do is to loop indefinitely. Maybe, somebody will
350 // notice and file a bug...
353 }
354 }
356 // Get a file descriptor pointing to "/proc", if currently available.
367 }
369 ErrorCode err;
370 };
376 };
389 EvaluateSyscall syscallEvaluator,
394 EvaluateArguments argumentEvaluator);
414 };