1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
#include "sandbox/linux/services/syscall_wrappers.h"

#include <pthread.h>
#include <sched.h>
#include <setjmp.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#include <algorithm>
#include <cstring>

#include "base/compiler_specific.h"
#include "base/logging.h"
#include "base/third_party/valgrind/valgrind.h"
#include "build/build_config.h"
#include "sandbox/linux/system_headers/capability.h"
#include "sandbox/linux/system_headers/linux_signal.h"
#include "sandbox/linux/system_headers/linux_syscalls.h"
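namespace sandbox {

// Every wrapper below issues the raw system call through syscall(2) instead of
// the libc function of the same name. Wrappers whose kernel call writes through
// an out-parameter unpoison that memory for MemorySanitizer once the call has
// succeeded, so the sanitizer treats the kernel-written bytes as initialized.

// Returns the caller's process id (raw getpid(2)).
pid_t sys_getpid(void) {
  return syscall(__NR_getpid);
}

// Returns the caller's thread id (raw gettid(2)).
pid_t sys_gettid(void) {
  return syscall(__NR_gettid);
}

// Restricted clone(2).
//
// |child_stack| and |tls| are typed decltype(nullptr), so the only value a
// caller can pass is nullptr. CLONE_SETTLS and CLONE_VM are rejected, as is
// CLONE_CHILD_SETTID / CLONE_CHILD_CLEARTID without |ctid| and
// CLONE_PARENT_SETTID without |ptid|. Any rejected combination aborts the
// process via RAW_LOG(FATAL).
//
// Returns the raw syscall result (the kernel's clone() return value, in both
// the parent and the child).
long sys_clone(unsigned long flags,
               decltype(nullptr) child_stack,
               pid_t* ptid,
               pid_t* ctid,
               decltype(nullptr) tls) {
  const bool clone_tls_used = flags & CLONE_SETTLS;
  const bool invalid_ctid =
      (flags & (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID)) && !ctid;
  const bool invalid_ptid = (flags & CLONE_PARENT_SETTID) && !ptid;

  // We do not support CLONE_VM.
  const bool clone_vm_used = flags & CLONE_VM;
  if (clone_tls_used || invalid_ctid || invalid_ptid || clone_vm_used) {
    RAW_LOG(FATAL, "Invalid usage of sys_clone");
  }

  // The kernel fills these ids in. Unpoisoning happens before the call
  // (presumably so that both the parent and the child see initialized ids).
  if (ptid) MSAN_UNPOISON(ptid, sizeof(*ptid));
  if (ctid) MSAN_UNPOISON(ctid, sizeof(*ctid));

  // See kernel/fork.c in Linux. There is different ordering of sys_clone
  // parameters depending on CONFIG_CLONE_BACKWARDS* configuration options.
  // NOTE(review): there is no #else branch, so on an architecture matching
  // neither condition control falls off the end of the function.
#if defined(ARCH_CPU_X86_64)
  return syscall(__NR_clone, flags, child_stack, ptid, ctid, tls);
#elif defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARM_FAMILY) || \
    defined(ARCH_CPU_MIPS_FAMILY) || defined(ARCH_CPU_MIPS64_FAMILY)
  // CONFIG_CLONE_BACKWARDS defined.
  return syscall(__NR_clone, flags, child_stack, ptid, tls, ctid);
#endif
}

// Convenience overload: clone(2) with |flags| only, no stack, id pointers or
// tls. The same flag restrictions as the five-argument form apply.
long sys_clone(unsigned long flags) {
  return sys_clone(flags, nullptr, nullptr, nullptr, nullptr);
}

// Terminates every thread in the calling process with exit status |status|
// (raw exit_group(2)). The syscall's return value is deliberately discarded.
void sys_exit_group(int status) {
  syscall(__NR_exit_group, status);
}

// Raw seccomp(2). |operation| and |flags| are passed through untouched;
// |args| is the operation-specific argument, typed here as a BPF filter
// program. Returns the raw syscall result.
int sys_seccomp(unsigned int operation,
                unsigned int flags,
                const struct sock_fprog* args) {
  return syscall(__NR_seccomp, operation, flags, args);
}

// Raw prlimit64(2): sets |resource| of process |pid| to |new_limit| (if
// non-null) and stores the previous limit in |old_limit| (if non-null).
// Returns the raw syscall result; |old_limit| is unpoisoned only on success.
int sys_prlimit64(pid_t pid,
                  int resource,
                  const struct rlimit64* new_limit,
                  struct rlimit64* old_limit) {
  int res = syscall(__NR_prlimit64, pid, resource, new_limit, old_limit);
  if (res == 0 && old_limit) MSAN_UNPOISON(old_limit, sizeof(*old_limit));
  return res;
}

// Raw capget(2). Both the header and the data block are written by the kernel
// and are unpoisoned on success. Returns the raw syscall result.
int sys_capget(cap_hdr* hdrp, cap_data* datap) {
  int res = syscall(__NR_capget, hdrp, datap);
  if (res == 0) {
    if (hdrp) MSAN_UNPOISON(hdrp, sizeof(*hdrp));
    if (datap) MSAN_UNPOISON(datap, sizeof(*datap));
  }
  return res;
}

// Raw capset(2). Returns the raw syscall result.
int sys_capset(cap_hdr* hdrp, const cap_data* datap) {
  return syscall(__NR_capset, hdrp, datap);
}

// Raw getresuid(2): stores the real, effective and saved uids. Each non-null
// out-parameter is unpoisoned on success. Returns the raw syscall result.
int sys_getresuid(uid_t* ruid, uid_t* euid, uid_t* suid) {
  int res;
#if defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARMEL)
  // On 32-bit x86 or 32-bit arm, getresuid supports 16bit values only.
  // Use getresuid32 instead.
  res = syscall(__NR_getresuid32, ruid, euid, suid);
#else
  res = syscall(__NR_getresuid, ruid, euid, suid);
#endif
  if (res == 0) {
    if (ruid) MSAN_UNPOISON(ruid, sizeof(*ruid));
    if (euid) MSAN_UNPOISON(euid, sizeof(*euid));
    if (suid) MSAN_UNPOISON(suid, sizeof(*suid));
  }
  return res;
}

// Raw getresgid(2): stores the real, effective and saved gids. Each non-null
// out-parameter is unpoisoned on success. Returns the raw syscall result.
int sys_getresgid(gid_t* rgid, gid_t* egid, gid_t* sgid) {
  int res;
#if defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARMEL)
  // On 32-bit x86 or 32-bit arm, getresgid supports 16bit values only.
  // Use getresgid32 instead.
  res = syscall(__NR_getresgid32, rgid, egid, sgid);
#else
  res = syscall(__NR_getresgid, rgid, egid, sgid);
#endif
  if (res == 0) {
    if (rgid) MSAN_UNPOISON(rgid, sizeof(*rgid));
    if (egid) MSAN_UNPOISON(egid, sizeof(*egid));
    if (sgid) MSAN_UNPOISON(sgid, sizeof(*sgid));
  }
  return res;
}

// Raw chroot(2). Returns the raw syscall result.
int sys_chroot(const char* path) {
  return syscall(__NR_chroot, path);
}

// Raw unshare(2). Returns the raw syscall result.
int sys_unshare(int flags) {
  return syscall(__NR_unshare, flags);
}

// Raw rt_sigprocmask(2) in set-only form: |oldset| is typed decltype(nullptr),
// so the previous mask cannot be retrieved through this wrapper.
//
// |set| is converted to the kernel's sigset layout before the call; only the
// bytes common to both representations are copied. A null |set| is forwarded
// to the kernel as a null pointer rather than dereferenced. Returns the raw
// syscall result.
int sys_sigprocmask(int how, const sigset_t* set, decltype(nullptr) oldset) {
  // In some toolchain (in particular Android and PNaCl toolchain),
  // sigset_t is 32 bits, but the Linux ABI uses more.
  LinuxSigSet linux_value;
  std::memset(&linux_value, 0, sizeof(LinuxSigSet));
  if (set) {
    std::memcpy(&linux_value, set, std::min(sizeof(sigset_t),
                                            sizeof(LinuxSigSet)));
  }

  return syscall(__NR_rt_sigprocmask, how, set ? &linux_value : nullptr,
                 nullptr, sizeof(linux_value));
}

#if (defined(MEMORY_SANITIZER) || defined(THREAD_SANITIZER) || \
     (defined(ARCH_CPU_X86_64) && !defined(__clang__))) && \
    !defined(OS_NACL_NONSFI)
// If MEMORY_SANITIZER or THREAD_SANITIZER is enabled, it is necessary to call
// sigaction() here, rather than the direct syscall (sys_sigaction() defined
// by ourselves).
// It is because, if MEMORY_SANITIZER or THREAD_SANITIZER is enabled, sigaction
// is wrapped, and |act->sa_handler| is injected in order to unpoison the
// memory passed via callback's arguments for MEMORY_SANITIZER, or handle
// signals to check thread consistency for THREAD_SANITIZER. Please see
// msan_interceptors.cc and tsan_interceptors.cc for more details.
// So, specifically, if MEMORY_SANITIZER is enabled while the direct syscall is
// used, as MEMORY_SANITIZER does not know about it, sigaction() invocation in
// other places would be broken (more precisely, the returned |oldact| would
// have a broken |sa_handler| callback).
// Practically, it would break NaCl's signal handler installation.
// cf) native_client/src/trusted/service_runtime/linux/nacl_signal.c.
// As for THREAD_SANITIZER, the intercepted signal handlers are processed more
// in other libc functions' interceptors (such as for raise()), so that it
// would not work properly.
//
// Also on x86_64 architecture, we need naked function for rt_sigreturn.
// However, there is no simple way to define it with GCC. Note that the body
// of function is actually very small (only two instructions), but we need to
// define much debug information in addition, otherwise backtrace() used by
// base::StackTrace would not work so that some tests would fail.
//
// When this is built with PNaCl toolchain, we should always use sys_sigaction
// below, because sigaction() provided by the toolchain is incompatible with
// Linux's ABI. So, otherwise, it would just fail. Note that it is not
// necessary to think about sigaction() invocation in other places even with
// MEMORY_SANITIZER or THREAD_SANITIZER, because it would just fail there.

// Sanitizer / GCC-x86_64 variant: delegates to the libc sigaction() so the
// sanitizer interceptors described above see the installation.
int sys_sigaction(int signum,
                  const struct sigaction* act,
                  struct sigaction* oldact) {
  return sigaction(signum, act, oldact);
}

#else
// On X86_64 arch, it is necessary to set sa_restorer always.
#if defined(ARCH_CPU_X86_64)
#if !defined(SA_RESTORER)
#define SA_RESTORER 0x04000000
#endif

// rt_sigreturn is a special system call that interacts with the user land
// stack. Thus, here prologue must not be created, which implies syscall()
// does not work properly, too. Note that rt_sigreturn will never return.
static __attribute__((naked)) void sys_rt_sigreturn() {
  // Just invoke rt_sigreturn system call.
  asm volatile ("syscall\n"
                :: "a"(__NR_rt_sigreturn));
}
#endif

// Raw rt_sigaction(2). |act| (if non-null) is translated into the kernel ABI
// layout, with the signal mask copied only over the bytes common to both
// representations; on x86_64 an sa_restorer is supplied when the caller did
// not set one. On success, |oldact| (if non-null) receives the previous
// action translated back the same way. Returns the raw syscall result.
int sys_sigaction(int signum,
                  const struct sigaction* act,
                  struct sigaction* oldact) {
  LinuxSigAction linux_act = {};
  if (act) {
    linux_act.kernel_handler = act->sa_handler;
    std::memcpy(&linux_act.sa_mask, &act->sa_mask,
                std::min(sizeof(linux_act.sa_mask), sizeof(act->sa_mask)));
    linux_act.sa_flags = act->sa_flags;

#if defined(ARCH_CPU_X86_64)
    if (!(linux_act.sa_flags & SA_RESTORER)) {
      linux_act.sa_flags |= SA_RESTORER;
      linux_act.sa_restorer = sys_rt_sigreturn;
    }
#endif
  }

  LinuxSigAction linux_oldact = {};
  int result = syscall(__NR_rt_sigaction, signum, act ? &linux_act : nullptr,
                       oldact ? &linux_oldact : nullptr,
                       sizeof(LinuxSigSet));

  if (result == 0 && oldact) {
    oldact->sa_handler = linux_oldact.kernel_handler;
    sigemptyset(&oldact->sa_mask);
    // Size the copy from the two objects actually involved: |act| may be
    // nullptr on this path (sizeof would not dereference it, but it is the
    // wrong object to name here).
    std::memcpy(&oldact->sa_mask, &linux_oldact.sa_mask,
                std::min(sizeof(linux_oldact.sa_mask),
                         sizeof(oldact->sa_mask)));
    oldact->sa_flags = linux_oldact.sa_flags;
  }
  return result;
}
#endif  // defined(MEMORY_SANITIZER)

}  // namespace sandbox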