search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll libvpx 861f35:1fff3e
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf / trap.cc
blob145e62469cacca37c07aa40916c1d27795082c11
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/seccomp-bpf/trap.h"
6
7 #include <errno.h>
8 #include <signal.h>
9 #include <string.h>
10 #include <sys/syscall.h>
11
12 #include <algorithm>
13 #include <limits>
14
15 #include "base/logging.h"
16 #include "build/build_config.h"
17 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
18 #include "sandbox/linux/seccomp-bpf/die.h"
19 #include "sandbox/linux/seccomp-bpf/syscall.h"
20 #include "sandbox/linux/system_headers/linux_seccomp.h"
21
22 // Android's signal.h doesn't define ucontext etc.
23 #if defined(OS_ANDROID)
24 #include "sandbox/linux/system_headers/android_ucontext.h"
25 #endif
26
27 namespace {
28
29 struct arch_sigsys {
30 void* ip;
31 int nr;
32 unsigned int arch;
33 };
34
35 const int kCapacityIncrement = 20;
36
37 // Unsafe traps can only be turned on, if the user explicitly allowed them
38 // by setting the CHROME_SANDBOX_DEBUGGING environment variable.
39 const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING";
40
41 // We need to tell whether we are performing a "normal" callback, or
42 // whether we were called recursively from within a UnsafeTrap() callback.
43 // This is a little tricky to do, because we need to somehow get access to
44 // per-thread data from within a signal context. Normal TLS storage is not
45 // safely accessible at this time. We could roll our own, but that involves
46 // a lot of complexity. Instead, we co-opt one bit in the signal mask.
47 // If BUS is blocked, we assume that we have been called recursively.
48 // There is a possibility for collision with other code that needs to do
49 // this, but in practice the risks are low.
50 // If SIGBUS turns out to be a problem, we could instead co-opt one of the
51 // realtime signals. There are plenty of them. Unfortunately, there is no
52 // way to mark a signal as allocated. So, the potential for collision is
53 // possibly even worse.
54 bool GetIsInSigHandler(const ucontext_t* ctx) {
55 // Note: on Android, sigismember does not take a pointer to const.
56 return sigismember(const_cast<sigset_t*>(&ctx->uc_sigmask), SIGBUS);
57 }
58
59 void SetIsInSigHandler() {
60 sigset_t mask;
61 if (sigemptyset(&mask) || sigaddset(&mask, SIGBUS) ||
62 sigprocmask(SIG_BLOCK, &mask, NULL)) {
63 SANDBOX_DIE("Failed to block SIGBUS");
64 }
65 }
66
67 bool IsDefaultSignalAction(const struct sigaction& sa) {
68 if (sa.sa_flags & SA_SIGINFO || sa.sa_handler != SIG_DFL) {
69 return false;
70 }
71 return true;
72 }
73
74 } // namespace
75
76 namespace sandbox {
77
78 Trap::Trap()
79 : trap_array_(NULL),
80 trap_array_size_(0),
81 trap_array_capacity_(0),
82 has_unsafe_traps_(false) {
83 // Set new SIGSYS handler
84 struct sigaction sa = {};
85 sa.sa_sigaction = SigSysAction;
86 sa.sa_flags = SA_SIGINFO | SA_NODEFER;
87 struct sigaction old_sa;
88 if (sigaction(SIGSYS, &sa, &old_sa) < 0) {
89 SANDBOX_DIE("Failed to configure SIGSYS handler");
90 }
91
92 if (!IsDefaultSignalAction(old_sa)) {
93 static const char kExistingSIGSYSMsg[] =
94 "Existing signal handler when trying to install SIGSYS. SIGSYS needs "
95 "to be reserved for seccomp-bpf.";
96 DLOG(FATAL) << kExistingSIGSYSMsg;
97 LOG(ERROR) << kExistingSIGSYSMsg;
98 }
99
100 // Unmask SIGSYS
101 sigset_t mask;
102 if (sigemptyset(&mask) || sigaddset(&mask, SIGSYS) ||
103 sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
104 SANDBOX_DIE("Failed to configure SIGSYS handler");
105 }
106 }
107
108 bpf_dsl::TrapRegistry* Trap::Registry() {
109 // Note: This class is not thread safe. It is the caller's responsibility
110 // to avoid race conditions. Normally, this is a non-issue as the sandbox
111 // can only be initialized if there are no other threads present.
112 // Also, this is not a normal singleton. Once created, the global trap
113 // object must never be destroyed again.
114 if (!global_trap_) {
115 global_trap_ = new Trap();
116 if (!global_trap_) {
117 SANDBOX_DIE("Failed to allocate global trap handler");
118 }
119 }
120 return global_trap_;
121 }
122
123 void Trap::SigSysAction(int nr, siginfo_t* info, void* void_context) {
124 if (!global_trap_) {
125 RAW_SANDBOX_DIE(
126 "This can't happen. Found no global singleton instance "
127 "for Trap() handling.");
128 }
129 global_trap_->SigSys(nr, info, void_context);
130 }
131
132 void Trap::SigSys(int nr, siginfo_t* info, void* void_context) {
133 // Signal handlers should always preserve "errno". Otherwise, we could
134 // trigger really subtle bugs.
135 const int old_errno = errno;
136
137 // Various sanity checks to make sure we actually received a signal
138 // triggered by a BPF filter. If something else triggered SIGSYS
139 // (e.g. kill()), there is really nothing we can do with this signal.
140 if (nr != SIGSYS || info->si_code != SYS_SECCOMP || !void_context ||
141 info->si_errno <= 0 ||
142 static_cast<size_t>(info->si_errno) > trap_array_size_) {
143 // ATI drivers seem to send SIGSYS, so this cannot be FATAL.
144 // See crbug.com/178166.
145 // TODO(jln): add a DCHECK or move back to FATAL.
146 RAW_LOG(ERROR, "Unexpected SIGSYS received.");
147 errno = old_errno;
148 return;
149 }
150
151 // Obtain the signal context. This, most notably, gives us access to
152 // all CPU registers at the time of the signal.
153 ucontext_t* ctx = reinterpret_cast<ucontext_t*>(void_context);
154
155 // Obtain the siginfo information that is specific to SIGSYS. Unfortunately,
156 // most versions of glibc don't include this information in siginfo_t. So,
157 // we need to explicitly copy it into a arch_sigsys structure.
158 struct arch_sigsys sigsys;
159 memcpy(&sigsys, &info->_sifields, sizeof(sigsys));
160
161 #if defined(__mips__)
162 // When indirect syscall (syscall(__NR_foo, ...)) is made on Mips, the
163 // number in register SECCOMP_SYSCALL(ctx) is always __NR_syscall and the
164 // real number of a syscall (__NR_foo) is in SECCOMP_PARM1(ctx)
165 bool sigsys_nr_is_bad = sigsys.nr != static_cast<int>(SECCOMP_SYSCALL(ctx)) &&
166 sigsys.nr != static_cast<int>(SECCOMP_PARM1(ctx));
167 #else
168 bool sigsys_nr_is_bad = sigsys.nr != static_cast<int>(SECCOMP_SYSCALL(ctx));
169 #endif
170
171 // Some more sanity checks.
172 if (sigsys.ip != reinterpret_cast<void*>(SECCOMP_IP(ctx)) ||
173 sigsys_nr_is_bad || sigsys.arch != SECCOMP_ARCH) {
174 // TODO(markus):
175 // SANDBOX_DIE() can call LOG(FATAL). This is not normally async-signal
176 // safe and can lead to bugs. We should eventually implement a different
177 // logging and reporting mechanism that is safe to be called from
178 // the sigSys() handler.
179 RAW_SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS.");
180 }
181
182 intptr_t rc;
183 if (has_unsafe_traps_ && GetIsInSigHandler(ctx)) {
184 errno = old_errno;
185 if (sigsys.nr == __NR_clone) {
186 RAW_SANDBOX_DIE("Cannot call clone() from an UnsafeTrap() handler.");
187 }
188 #if defined(__mips__)
189 // Mips supports up to eight arguments for syscall.
190 // However, seccomp bpf can filter only up to six arguments, so using eight
191 // arguments has sense only when using UnsafeTrap() handler.
192 rc = Syscall::Call(SECCOMP_SYSCALL(ctx),
193 SECCOMP_PARM1(ctx),
194 SECCOMP_PARM2(ctx),
195 SECCOMP_PARM3(ctx),
196 SECCOMP_PARM4(ctx),
197 SECCOMP_PARM5(ctx),
198 SECCOMP_PARM6(ctx),
199 SECCOMP_PARM7(ctx),
200 SECCOMP_PARM8(ctx));
201 #else
202 rc = Syscall::Call(SECCOMP_SYSCALL(ctx),
203 SECCOMP_PARM1(ctx),
204 SECCOMP_PARM2(ctx),
205 SECCOMP_PARM3(ctx),
206 SECCOMP_PARM4(ctx),
207 SECCOMP_PARM5(ctx),
208 SECCOMP_PARM6(ctx));
209 #endif // defined(__mips__)
210 } else {
211 const TrapKey& trap = trap_array_[info->si_errno - 1];
212 if (!trap.safe) {
213 SetIsInSigHandler();
214 }
215
216 // Copy the seccomp-specific data into a arch_seccomp_data structure. This
217 // is what we are showing to TrapFnc callbacks that the system call
218 // evaluator registered with the sandbox.
219 struct arch_seccomp_data data = {
220 static_cast<int>(SECCOMP_SYSCALL(ctx)),
221 SECCOMP_ARCH,
222 reinterpret_cast<uint64_t>(sigsys.ip),
223 {static_cast<uint64_t>(SECCOMP_PARM1(ctx)),
224 static_cast<uint64_t>(SECCOMP_PARM2(ctx)),
225 static_cast<uint64_t>(SECCOMP_PARM3(ctx)),
226 static_cast<uint64_t>(SECCOMP_PARM4(ctx)),
227 static_cast<uint64_t>(SECCOMP_PARM5(ctx)),
228 static_cast<uint64_t>(SECCOMP_PARM6(ctx))}};
229
230 // Now call the TrapFnc callback associated with this particular instance
231 // of SECCOMP_RET_TRAP.
232 rc = trap.fnc(data, const_cast<void*>(trap.aux));
233 }
234
235 // Update the CPU register that stores the return code of the system call
236 // that we just handled, and restore "errno" to the value that it had
237 // before entering the signal handler.
238 Syscall::PutValueInUcontext(rc, ctx);
239 errno = old_errno;
240
241 return;
242 }
243
244 bool Trap::TrapKey::operator<(const TrapKey& o) const {
245 if (fnc != o.fnc) {
246 return fnc < o.fnc;
247 } else if (aux != o.aux) {
248 return aux < o.aux;
249 } else {
250 return safe < o.safe;
251 }
252 }
253
254 uint16_t Trap::Add(TrapFnc fnc, const void* aux, bool safe) {
255 if (!safe && !SandboxDebuggingAllowedByUser()) {
256 // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable,
257 // we never return an ErrorCode that is marked as "unsafe". This also
258 // means, the BPF compiler will never emit code that allow unsafe system
259 // calls to by-pass the filter (because they use the magic return address
260 // from Syscall::Call(-1)).
261
262 // This SANDBOX_DIE() can optionally be removed. It won't break security,
263 // but it might make error messages from the BPF compiler a little harder
264 // to understand. Removing the SANDBOX_DIE() allows callers to easily check
265 // whether unsafe traps are supported (by checking whether the returned
266 // ErrorCode is ET_INVALID).
267 SANDBOX_DIE(
268 "Cannot use unsafe traps unless CHROME_SANDBOX_DEBUGGING "
269 "is enabled");
270
271 return 0;
272 }
273
274 // Each unique pair of TrapFnc and auxiliary data make up a distinct instance
275 // of a SECCOMP_RET_TRAP.
276 TrapKey key(fnc, aux, safe);
277
278 // We return unique identifiers together with SECCOMP_RET_TRAP. This allows
279 // us to associate trap with the appropriate handler. The kernel allows us
280 // identifiers in the range from 0 to SECCOMP_RET_DATA (0xFFFF). We want to
281 // avoid 0, as it could be confused for a trap without any specific id.
282 // The nice thing about sequentially numbered identifiers is that we can also
283 // trivially look them up from our signal handler without making any system
284 // calls that might be async-signal-unsafe.
285 // In order to do so, we store all of our traps in a C-style trap_array_.
286
287 TrapIds::const_iterator iter = trap_ids_.find(key);
288 if (iter != trap_ids_.end()) {
289 // We have seen this pair before. Return the same id that we assigned
290 // earlier.
291 return iter->second;
292 }
293
294 // This is a new pair. Remember it and assign a new id.
295 if (trap_array_size_ >= SECCOMP_RET_DATA /* 0xFFFF */ ||
296 trap_array_size_ >= std::numeric_limits<uint16_t>::max()) {
297 // In practice, this is pretty much impossible to trigger, as there
298 // are other kernel limitations that restrict overall BPF program sizes.
299 SANDBOX_DIE("Too many SECCOMP_RET_TRAP callback instances");
300 }
301
302 // Our callers ensure that there are no other threads accessing trap_array_
303 // concurrently (typically this is done by ensuring that we are single-
304 // threaded while the sandbox is being set up). But we nonetheless are
305 // modifying a live data structure that could be accessed any time a
306 // system call is made; as system calls could be triggering SIGSYS.
307 // So, we have to be extra careful that we update trap_array_ atomically.
308 // In particular, this means we shouldn't be using realloc() to resize it.
309 // Instead, we allocate a new array, copy the values, and then switch the
310 // pointer. We only really care about the pointer being updated atomically
311 // and the data that is pointed to being valid, as these are the only
312 // values accessed from the signal handler. It is OK if trap_array_size_
313 // is inconsistent with the pointer, as it is monotonously increasing.
314 // Also, we only care about compiler barriers, as the signal handler is
315 // triggered synchronously from a system call. We don't have to protect
316 // against issues with the memory model or with completely asynchronous
317 // events.
318 if (trap_array_size_ >= trap_array_capacity_) {
319 trap_array_capacity_ += kCapacityIncrement;
320 TrapKey* old_trap_array = trap_array_;
321 TrapKey* new_trap_array = new TrapKey[trap_array_capacity_];
322 std::copy_n(old_trap_array, trap_array_size_, new_trap_array);
323
324 // Language specs are unclear on whether the compiler is allowed to move
325 // the "delete[]" above our preceding assignments and/or memory moves,
326 // iff the compiler believes that "delete[]" doesn't have any other
327 // global side-effects.
328 // We insert optimization barriers to prevent this from happening.
329 // The first barrier is probably not needed, but better be explicit in
330 // what we want to tell the compiler.
331 // The clang developer mailing list couldn't answer whether this is a
332 // legitimate worry; but they at least thought that the barrier is
333 // sufficient to prevent the (so far hypothetical) problem of re-ordering
334 // of instructions by the compiler.
335 //
336 // TODO(mdempsky): Try to clean this up using base/atomicops or C++11
337 // atomics; see crbug.com/414363.
338 asm volatile("" : "=r"(new_trap_array) : "0"(new_trap_array) : "memory");
339 trap_array_ = new_trap_array;
340 asm volatile("" : "=r"(trap_array_) : "0"(trap_array_) : "memory");
341
342 delete[] old_trap_array;
343 }
344
345 uint16_t id = trap_array_size_ + 1;
346 trap_ids_[key] = id;
347 trap_array_[trap_array_size_] = key;
348 trap_array_size_++;
349 return id;
350 }
351
352 bool Trap::SandboxDebuggingAllowedByUser() {
353 const char* debug_flag = getenv(kSandboxDebuggingEnv);
354 return debug_flag && *debug_flag;
355 }
356
357 bool Trap::EnableUnsafeTraps() {
358 if (!has_unsafe_traps_) {
359 // Unsafe traps are a one-way fuse. Once enabled, they can never be turned
360 // off again.
361 // We only allow enabling unsafe traps, if the user explicitly set an
362 // appropriate environment variable. This prevents bugs that accidentally
363 // disable all sandboxing for all users.
364 if (SandboxDebuggingAllowedByUser()) {
365 // We only ever print this message once, when we enable unsafe traps the
366 // first time.
367 SANDBOX_INFO("WARNING! Disabling sandbox for debugging purposes");
368 has_unsafe_traps_ = true;
369 } else {
370 SANDBOX_INFO(
371 "Cannot disable sandbox and use unsafe traps unless "
372 "CHROME_SANDBOX_DEBUGGING is turned on first");
373 }
374 }
375 // Returns the, possibly updated, value of has_unsafe_traps_.
376 return has_unsafe_traps_;
377 }
378
379 Trap* Trap::global_trap_;
380
381 } // namespace sandbox