1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
6 #define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
10 #include "build/build_config.h"
11 #include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h"
12 #include "sandbox/sandbox_export.h"
14 // These are helpers to build seccomp-bpf policies, i.e. policies for a
15 // sandbox that reduces the Linux kernel's attack surface. They return a
16 // bpf_dsl::ResultExpr suitable to restrict certain system call parameters.
20 // Allow clone(2) for threads.
21 // Reject fork(2) attempts with EPERM.
22 // Don't restrict on ASAN.
23 // Crash if anything else is attempted.
24 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictCloneToThreadsAndEPERMFork();
26 // Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.
27 // Crash if anything else is attempted.
28 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictPrctl();
30 // Allow TCGETS and FIONREAD.
31 // Crash if anything else is attempted.
32 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictIoctl();
34 // Restrict the flags argument in mmap(2).
35 // Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
36 // MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
37 // Crash if any other flag is used.
38 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictMmapFlags();
40 // Restrict the prot argument in mprotect(2).
41 // Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
42 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictMprotectFlags();
44 // Restrict fcntl(2) cmd argument to:
45 // We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
46 // F_SETLK, F_SETLKW and F_GETLK.
47 // Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |
48 // O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
49 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictFcntlCommands();
51 #if defined(__i386__) || defined(__mips__)
52 // Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
53 // sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
54 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictSocketcallCommand();
57 // Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or
58 // kill iff the first parameter is |target_pid|, crashing otherwise or if
60 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictKillTarget(pid_t target_pid
,
63 // Crash if FUTEX_CMP_REQUEUE_PI is used in the second argument of futex(2).
64 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictFutex();
66 // Crash if |which| is not PRIO_PROCESS. EPERM if |who| is not 0, neither
67 // |target_pid| while calling setpriority(2) / getpriority(2).
68 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictGetSetpriority(pid_t target_pid
);
70 // Restricts |pid| for sched_* syscalls which take a pid as the first argument.
71 // We only allow calling these syscalls if the pid argument is equal to the pid
72 // of the sandboxed process or 0 (indicating the current thread). The following
73 // syscalls are supported:
75 // sched_getaffinity(), sched_getattr(), sched_getparam(), sched_getscheduler(),
76 // sched_rr_get_interval(), sched_setaffinity(), sched_setattr(),
77 // sched_setparam(), sched_setscheduler()
78 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictSchedTarget(pid_t target_pid
,
81 // Restricts the |pid| argument of prlimit64 to 0 (meaning the calling process)
83 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictPrlimit64(pid_t target_pid
);
85 // Restricts the |who| argument of getrusage to RUSAGE_SELF (meaning the calling
87 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictGetrusage();
89 // Restrict |clk_id| for clock_getres(), clock_gettime() and clock_settime().
90 // We allow accessing only CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID,
91 // CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID. In particular, this disallows
92 // access to arbitrary per-{process,thread} CPU-time clock IDs (such as those
93 // returned by {clock,pthread}_getcpuclockid), which can leak information
94 // about the state of the host OS.
95 // On Chrome OS, base::TraceTicks::kClockSystemTrace is also allowed.
96 SANDBOX_EXPORT
bpf_dsl::ResultExpr
RestrictClockID();
98 } // namespace sandbox.
100 #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_