1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "mojo/runner/linux_sandbox.h"
8 #include <sys/syscall.h>
10 #include "base/bind.h"
11 #include "base/debug/leak_annotations.h"
12 #include "base/posix/eintr_wrapper.h"
13 #include "base/rand_util.h"
14 #include "base/sys_info.h"
15 #include "sandbox/linux/bpf_dsl/policy.h"
16 #include "sandbox/linux/bpf_dsl/trap_registry.h"
17 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
18 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
19 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
20 #include "sandbox/linux/services/credentials.h"
21 #include "sandbox/linux/services/namespace_sandbox.h"
22 #include "sandbox/linux/services/proc_util.h"
23 #include "sandbox/linux/services/thread_helpers.h"
25 using sandbox::syscall_broker::BrokerFilePermission
;
31 intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data
& args
,
34 const sandbox::syscall_broker::BrokerProcess
* broker_process
=
35 static_cast<const sandbox::syscall_broker::BrokerProcess
*>(aux
);
38 return broker_process
->Access(reinterpret_cast<const char*>(args
.args
[0]),
39 static_cast<int>(args
.args
[1]));
41 return broker_process
->Open(reinterpret_cast<const char*>(args
.args
[0]),
42 static_cast<int>(args
.args
[1]));
44 if (static_cast<int>(args
.args
[0]) == AT_FDCWD
) {
45 return broker_process
->Access(
46 reinterpret_cast<const char*>(args
.args
[1]),
47 static_cast<int>(args
.args
[2]));
52 // Allow using openat() as open().
53 if (static_cast<int>(args
.args
[0]) == AT_FDCWD
) {
54 return broker_process
->Open(reinterpret_cast<const char*>(args
.args
[1]),
55 static_cast<int>(args
.args
[2]));
65 class SandboxPolicy
: public sandbox::bpf_dsl::Policy
{
67 explicit SandboxPolicy(sandbox::syscall_broker::BrokerProcess
* broker_process
)
68 : broker_process_(broker_process
) {}
69 ~SandboxPolicy() override
{}
71 // Overridden from sandbox::bpf_dsl::Policy:
72 sandbox::bpf_dsl::ResultExpr
EvaluateSyscall(int sysno
) const override
{
73 // This policy is only advisory/for noticing FS access for the moment.
79 return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler
, broker_process_
);
82 return sandbox::bpf_dsl::Allow();
87 const sandbox::syscall_broker::BrokerProcess
* broker_process_
;
88 DISALLOW_COPY_AND_ASSIGN(SandboxPolicy
);
93 LinuxSandbox::LinuxSandbox(const std::vector
<BrokerFilePermission
>& permissions
)
94 : broker_(new sandbox::syscall_broker::BrokerProcess(EPERM
, permissions
)) {
96 base::Bind
<bool (*)()>(&sandbox::Credentials::DropAllCapabilities
));
97 policy_
.reset(new SandboxPolicy(broker_
.get()));
100 LinuxSandbox::~LinuxSandbox() {}
102 void LinuxSandbox::Warmup() {
103 proc_fd_
= sandbox::ProcUtil::OpenProc();
106 // Verify that we haven't started threads or grabbed directory file
108 sandbox::ThreadHelpers::AssertSingleThreaded(proc_fd_
.get());
109 CHECK(!sandbox::ProcUtil::HasOpenDirectory(proc_fd_
.get()));
112 void LinuxSandbox::EngageNamespaceSandbox() {
114 CHECK_EQ(1, getpid());
115 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace());
116 CHECK(sandbox::Credentials::MoveToNewUserNS());
117 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_
.get()));
118 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_
.get()));
121 void LinuxSandbox::EngageSeccompSandbox() {
123 sandbox::SandboxBPF
sandbox(policy_
.release());
124 base::ScopedFD
proc_fd(HANDLE_EINTR(
125 openat(proc_fd_
.get(), ".", O_RDONLY
| O_DIRECTORY
| O_CLOEXEC
)));
126 CHECK(proc_fd
.is_valid());
127 sandbox
.SetProcFd(proc_fd
.Pass());
129 sandbox
.StartSandbox(sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED
))
130 << "Starting the process with a sandbox failed. Missing kernel support.";
132 // The Broker is now bound to this process and should only be destroyed when
133 // the process exits or is killed.
134 ANNOTATE_LEAKING_OBJECT_PTR(broker_
.release());
137 void LinuxSandbox::Seal() {
141 } // namespace mandoline