search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Supervised users: Re-check ManagementPolicy when ProfileIsSupervised changes.
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf-helpers / syscall_parameters_restrictions.cc
blob282e72775d3441ba3a101483bd51a2b0b0f6a2f7
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
6
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <fcntl.h>
10 #include <linux/net.h>
11 #include <sched.h>
12 #include <signal.h>
13 #include <stdint.h>
14 #include <sys/ioctl.h>
15 #include <sys/mman.h>
16 #include <sys/prctl.h>
17 #include <sys/resource.h>
18 #include <sys/stat.h>
19 #include <sys/time.h>
20 #include <sys/types.h>
21 #include <time.h>
22 #include <unistd.h>
23
24 #include "base/logging.h"
25 #include "base/macros.h"
26 #include "base/time/time.h"
27 #include "build/build_config.h"
28 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
29 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
30 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
31 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
32 #include "sandbox/linux/system_headers/linux_futex.h"
33 #include "sandbox/linux/system_headers/linux_syscalls.h"
34
35 #if defined(OS_ANDROID)
36
37 #if !defined(F_DUPFD_CLOEXEC)
38 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
39 #endif
40
41 // https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/private/bionic_prctl.h
42 #if !defined(PR_SET_VMA)
43 #define PR_SET_VMA 0x53564d41
44 #endif
45
46 // https://android.googlesource.com/platform/system/core/+/lollipop-release/libcutils/sched_policy.c
47 #if !defined(PR_SET_TIMERSLACK_PID)
48 #define PR_SET_TIMERSLACK_PID 41
49 #endif
50
51 #endif // defined(OS_ANDROID)
52
53 #if defined(__arm__) && !defined(MAP_STACK)
54 #define MAP_STACK 0x20000 // Daisy build environment has old headers.
55 #endif
56
57 #if defined(__mips__) && !defined(MAP_STACK)
58 #define MAP_STACK 0x40000
59 #endif
60 namespace {
61
62 inline bool IsArchitectureX86_64() {
63 #if defined(__x86_64__)
64 return true;
65 #else
66 return false;
67 #endif
68 }
69
70 inline bool IsArchitectureI386() {
71 #if defined(__i386__)
72 return true;
73 #else
74 return false;
75 #endif
76 }
77
78 inline bool IsAndroid() {
79 #if defined(OS_ANDROID)
80 return true;
81 #else
82 return false;
83 #endif
84 }
85
86 inline bool IsArchitectureMips() {
87 #if defined(__mips__)
88 return true;
89 #else
90 return false;
91 #endif
92 }
93
94 } // namespace.
95
96 #define CASES SANDBOX_BPF_DSL_CASES
97
98 using sandbox::bpf_dsl::Allow;
99 using sandbox::bpf_dsl::Arg;
100 using sandbox::bpf_dsl::BoolExpr;
101 using sandbox::bpf_dsl::Error;
102 using sandbox::bpf_dsl::If;
103 using sandbox::bpf_dsl::ResultExpr;
104
105 namespace sandbox {
106
107 // Allow Glibc's and Android pthread creation flags, crash on any other
108 // thread creation attempts and EPERM attempts to use neither
109 // CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
110 ResultExpr RestrictCloneToThreadsAndEPERMFork() {
111 const Arg<unsigned long> flags(0);
112
113 // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
114 const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
115 CLONE_SIGHAND | CLONE_THREAD |
116 CLONE_SYSVSEM;
117 const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
118
119 const uint64_t kGlibcPthreadFlags =
120 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
121 CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
122 const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
123
124 const BoolExpr android_test = flags == kAndroidCloneMask ||
125 flags == kObsoleteAndroidCloneMask ||
126 flags == kGlibcPthreadFlags;
127
128 return If(IsAndroid() ? android_test : glibc_test, Allow())
129 .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
130 .Else(CrashSIGSYSClone());
131 }
132
133 ResultExpr RestrictPrctl() {
134 // Will need to add seccomp compositing in the future. PR_SET_PTRACER is
135 // used by breakpad but not needed anymore.
136 const Arg<int> option(0);
137 return Switch(option)
138 .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE),
139 Allow())
140 #if defined(OS_ANDROID)
141 .CASES((PR_SET_VMA, PR_SET_TIMERSLACK_PID), Allow())
142 #endif
143 .Default(CrashSIGSYSPrctl());
144 }
145
146 ResultExpr RestrictIoctl() {
147 const Arg<int> request(1);
148 return Switch(request).CASES((TCGETS, FIONREAD), Allow()).Default(
149 CrashSIGSYSIoctl());
150 }
151
152 ResultExpr RestrictMmapFlags() {
153 // The flags you see are actually the allowed ones, and the variable is a
154 // "denied" mask because of the negation operator.
155 // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
156 // MAP_POPULATE.
157 // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries.
158 const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
159 MAP_STACK | MAP_NORESERVE | MAP_FIXED |
160 MAP_DENYWRITE;
161 const Arg<int> flags(3);
162 return If((flags & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
163 }
164
165 ResultExpr RestrictMprotectFlags() {
166 // The flags you see are actually the allowed ones, and the variable is a
167 // "denied" mask because of the negation operator.
168 // Significantly, we don't permit weird undocumented flags such as
169 // PROT_GROWSDOWN.
170 const uint64_t kAllowedMask = PROT_READ | PROT_WRITE | PROT_EXEC;
171 const Arg<int> prot(2);
172 return If((prot & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
173 }
174
175 ResultExpr RestrictFcntlCommands() {
176 // We also restrict the flags in F_SETFL. We don't want to permit flags with
177 // a history of trouble such as O_DIRECT. The flags you see are actually the
178 // allowed ones, and the variable is a "denied" mask because of the negation
179 // operator.
180 // Glibc overrides the kernel's O_LARGEFILE value. Account for this.
181 uint64_t kOLargeFileFlag = O_LARGEFILE;
182 if (IsArchitectureX86_64() || IsArchitectureI386() || IsArchitectureMips())
183 kOLargeFileFlag = 0100000;
184
185 const Arg<int> cmd(1);
186 const Arg<long> long_arg(2);
187
188 const uint64_t kAllowedMask = O_ACCMODE | O_APPEND | O_NONBLOCK | O_SYNC |
189 kOLargeFileFlag | O_CLOEXEC | O_NOATIME;
190 return Switch(cmd)
191 .CASES((F_GETFL,
192 F_GETFD,
193 F_SETFD,
194 F_SETLK,
195 F_SETLKW,
196 F_GETLK,
197 F_DUPFD,
198 F_DUPFD_CLOEXEC),
199 Allow())
200 .Case(F_SETFL,
201 If((long_arg & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS()))
202 .Default(CrashSIGSYS());
203 }
204
205 #if defined(__i386__) || defined(__mips__)
206 ResultExpr RestrictSocketcallCommand() {
207 // Unfortunately, we are unable to restrict the first parameter to
208 // socketpair(2). Whilst initially sounding bad, it's noteworthy that very
209 // few protocols actually support socketpair(2). The scary call that we're
210 // worried about, socket(2), remains blocked.
211 const Arg<int> call(0);
212 return Switch(call)
213 .CASES((SYS_SOCKETPAIR,
214 SYS_SHUTDOWN,
215 SYS_RECV,
216 SYS_SEND,
217 SYS_RECVFROM,
218 SYS_SENDTO,
219 SYS_RECVMSG,
220 SYS_SENDMSG),
221 Allow())
222 .Default(Error(EPERM));
223 }
224 #endif
225
226 ResultExpr RestrictKillTarget(pid_t target_pid, int sysno) {
227 switch (sysno) {
228 case __NR_kill:
229 case __NR_tgkill: {
230 const Arg<pid_t> pid(0);
231 return If(pid == target_pid, Allow()).Else(CrashSIGSYSKill());
232 }
233 case __NR_tkill:
234 return CrashSIGSYSKill();
235 default:
236 NOTREACHED();
237 return CrashSIGSYS();
238 }
239 }
240
241 ResultExpr RestrictFutex() {
242 const uint64_t kAllowedFutexFlags = FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME;
243 const Arg<int> op(1);
244 return Switch(op & ~kAllowedFutexFlags)
245 .CASES((FUTEX_WAIT,
246 FUTEX_WAKE,
247 FUTEX_REQUEUE,
248 FUTEX_CMP_REQUEUE,
249 FUTEX_WAKE_OP,
250 FUTEX_WAIT_BITSET,
251 FUTEX_WAKE_BITSET),
252 Allow())
253 .Default(CrashSIGSYSFutex());
254 }
255
256 ResultExpr RestrictGetSetpriority(pid_t target_pid) {
257 const Arg<int> which(0);
258 const Arg<int> who(1);
259 return If(which == PRIO_PROCESS,
260 If(who == 0 || who == target_pid, Allow()).Else(Error(EPERM)))
261 .Else(CrashSIGSYS());
262 }
263
264 ResultExpr RestrictClockID() {
265 static_assert(4 == sizeof(clockid_t), "clockid_t is not 32bit");
266 const Arg<clockid_t> clockid(0);
267 return If(
268 #if defined(OS_CHROMEOS)
269 // Allow the special clock for Chrome OS used by Chrome tracing.
270 clockid == base::TimeTicks::kClockSystemTrace ||
271 #endif
272 clockid == CLOCK_MONOTONIC ||
273 clockid == CLOCK_PROCESS_CPUTIME_ID ||
274 clockid == CLOCK_REALTIME ||
275 clockid == CLOCK_THREAD_CPUTIME_ID,
276 Allow()).Else(CrashSIGSYS());
277 }
278
279 ResultExpr RestrictSchedTarget(pid_t target_pid, int sysno) {
280 switch (sysno) {
281 case __NR_sched_getaffinity:
282 case __NR_sched_getattr:
283 case __NR_sched_getparam:
284 case __NR_sched_getscheduler:
285 case __NR_sched_rr_get_interval:
286 case __NR_sched_setaffinity:
287 case __NR_sched_setattr:
288 case __NR_sched_setparam:
289 case __NR_sched_setscheduler: {
290 const Arg<pid_t> pid(0);
291 return If(pid == 0 || pid == target_pid, Allow())
292 .Else(RewriteSchedSIGSYS());
293 }
294 default:
295 NOTREACHED();
296 return CrashSIGSYS();
297 }
298 }
299
300 ResultExpr RestrictPrlimit64(pid_t target_pid) {
301 const Arg<pid_t> pid(0);
302 return If(pid == 0 || pid == target_pid, Allow()).Else(CrashSIGSYS());
303 }
304
305 ResultExpr RestrictGetrusage() {
306 const Arg<int> who(0);
307 return If(who == RUSAGE_SELF, Allow()).Else(CrashSIGSYS());
308 }
309
310 } // namespace sandbox.