sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
   6
   7 #include <errno.h>
   8 #include <sys/mman.h>
   9 #include <sys/socket.h>
  10 #include <sys/syscall.h>
  11 #include <sys/types.h>
  12 #include <unistd.h>
  13
  14 #include "base/logging.h"
  15 #include "build/build_config.h"
  16 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
  17 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
  18 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
  19 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
  20 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
  21 #include "sandbox/linux/services/syscall_wrappers.h"
  22 #include "sandbox/linux/system_headers/linux_syscalls.h"
  23
  24 // Changing this implementation will have an effect on *all* policies.
  25 // Currently this means: Renderer/Worker, GPU, Flash and NaCl.
  26
  27 using sandbox::bpf_dsl::Allow;
  28 using sandbox::bpf_dsl::Arg;
  29 using sandbox::bpf_dsl::Error;
  30 using sandbox::bpf_dsl::If;
  31 using sandbox::bpf_dsl::ResultExpr;
  32
  33 namespace sandbox {
  34
  35 namespace {
  36
  37 bool IsBaselinePolicyAllowed(int sysno) {
  38   return SyscallSets::IsAllowedAddressSpaceAccess(sysno) ||
  39          SyscallSets::IsAllowedBasicScheduler(sysno) ||
  40          SyscallSets::IsAllowedEpoll(sysno) ||
  41          SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) ||
  42          SyscallSets::IsAllowedFutex(sysno) ||
  43          SyscallSets::IsAllowedGeneralIo(sysno) ||
  44          SyscallSets::IsAllowedGetOrModifySocket(sysno) ||
  45          SyscallSets::IsAllowedGettime(sysno) ||
  46          SyscallSets::IsAllowedProcessStartOrDeath(sysno) ||
  47          SyscallSets::IsAllowedSignalHandling(sysno) ||
  48          SyscallSets::IsGetSimpleId(sysno) ||
  49          SyscallSets::IsKernelInternalApi(sysno) ||
  50 #if defined(__arm__)
  51          SyscallSets::IsArmPrivate(sysno) ||
  52 #endif
  53 #if defined(__mips__)
  54          SyscallSets::IsMipsPrivate(sysno) ||
  55 #endif
  56          SyscallSets::IsAllowedOperationOnFd(sysno);
  57 }
  58
  59 // System calls that will trigger the crashing SIGSYS handler.
  60 bool IsBaselinePolicyWatched(int sysno) {
  61   return SyscallSets::IsAdminOperation(sysno) ||
  62          SyscallSets::IsAdvancedScheduler(sysno) ||
  63          SyscallSets::IsAdvancedTimer(sysno) ||
  64          SyscallSets::IsAsyncIo(sysno) ||
  65          SyscallSets::IsDebug(sysno) ||
  66          SyscallSets::IsEventFd(sysno) ||
  67          SyscallSets::IsExtendedAttributes(sysno) ||
  68          SyscallSets::IsFaNotify(sysno) ||
  69          SyscallSets::IsFsControl(sysno) ||
  70          SyscallSets::IsGlobalFSViewChange(sysno) ||
  71          SyscallSets::IsGlobalProcessEnvironment(sysno) ||
  72          SyscallSets::IsGlobalSystemStatus(sysno) ||
  73          SyscallSets::IsInotify(sysno) ||
  74          SyscallSets::IsKernelModule(sysno) ||
  75          SyscallSets::IsKeyManagement(sysno) ||
  76          SyscallSets::IsKill(sysno) ||
  77          SyscallSets::IsMessageQueue(sysno) ||
  78          SyscallSets::IsMisc(sysno) ||
  79 #if defined(__x86_64__)
  80          SyscallSets::IsNetworkSocketInformation(sysno) ||
  81 #endif
  82          SyscallSets::IsNuma(sysno) ||
  83          SyscallSets::IsPrctl(sysno) ||
  84          SyscallSets::IsProcessGroupOrSession(sysno) ||
  85 #if defined(__i386__) || defined(__mips__)
  86          SyscallSets::IsSocketCall(sysno) ||
  87 #endif
  88 #if defined(__arm__)
  89          SyscallSets::IsArmPciConfig(sysno) ||
  90 #endif
  91 #if defined(__mips__)
  92          SyscallSets::IsMipsMisc(sysno) ||
  93 #endif
  94          SyscallSets::IsTimer(sysno);
  95 }
  96
  97 // |fs_denied_errno| is the errno return for denied filesystem access.
  98 ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
  99                                pid_t current_pid,
 100                                int sysno) {
 101 #if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
 102     defined(MEMORY_SANITIZER)
 103   // TCGETS is required by the sanitizers on failure.
 104   if (sysno == __NR_ioctl) {
 105     return RestrictIoctl();
 106   }
 107
 108   if (sysno == __NR_sched_getaffinity) {
 109     return Allow();
 110   }
 111
 112   // Used when RSS limiting is enabled in sanitizers.
 113   if (sysno == __NR_getrusage) {
 114     return RestrictGetrusage();
 115   }
 116
 117   if (sysno == __NR_sigaltstack) {
 118     // Required for better stack overflow detection in ASan. Disallowed in
 119     // non-ASan builds.
 120     return Allow();
 121   }
 122 #endif  // defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) ||
 123         // defined(MEMORY_SANITIZER)
 124
 125   if (IsBaselinePolicyAllowed(sysno)) {
 126     return Allow();
 127   }
 128
 129 #if defined(OS_ANDROID)
 130   // Needed for thread creation.
 131   if (sysno == __NR_sigaltstack)
 132     return Allow();
 133 #endif
 134
 135   if (sysno == __NR_clock_gettime) {
 136     return RestrictClockID();
 137   }
 138
 139   if (sysno == __NR_clone) {
 140     return RestrictCloneToThreadsAndEPERMFork();
 141   }
 142
 143   if (sysno == __NR_fcntl)
 144     return RestrictFcntlCommands();
 145
 146 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
 147   if (sysno == __NR_fcntl64)
 148     return RestrictFcntlCommands();
 149 #endif
 150
 151 #if !defined(__aarch64__)
 152   // fork() is never used as a system call (clone() is used instead), but we
 153   // have seen it in fallback code on Android.
 154   if (sysno == __NR_fork) {
 155     return Error(EPERM);
 156   }
 157 #endif
 158
 159   if (sysno == __NR_futex)
 160     return RestrictFutex();
 161
 162   if (sysno == __NR_set_robust_list)
 163     return Error(EPERM);
 164
 165   if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
 166     return RestrictGetSetpriority(current_pid);
 167
 168   if (sysno == __NR_madvise) {
 169     // Only allow MADV_DONTNEED (aka MADV_FREE).
 170     const Arg<int> advice(2);
 171     return If(advice == MADV_DONTNEED, Allow()).Else(Error(EPERM));
 172   }
 173
 174 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
 175     defined(__aarch64__)
 176   if (sysno == __NR_mmap)
 177     return RestrictMmapFlags();
 178 #endif
 179
 180 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
 181   if (sysno == __NR_mmap2)
 182     return RestrictMmapFlags();
 183 #endif
 184
 185   if (sysno == __NR_mprotect)
 186     return RestrictMprotectFlags();
 187
 188   if (sysno == __NR_prctl)
 189     return RestrictPrctl();
 190
 191 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
 192     defined(__aarch64__)
 193   if (sysno == __NR_socketpair) {
 194     // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
 195     static_assert(AF_UNIX == PF_UNIX,
 196                   "af_unix and pf_unix should not be different");
 197     const Arg<int> domain(0);
 198     return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS());
 199   }
 200 #endif
 201
 202   if (SyscallSets::IsKill(sysno)) {
 203     return RestrictKillTarget(current_pid, sysno);
 204   }
 205
 206   if (SyscallSets::IsFileSystem(sysno) ||
 207       SyscallSets::IsCurrentDirectory(sysno)) {
 208     return Error(fs_denied_errno);
 209   }
 210
 211   if (SyscallSets::IsSeccomp(sysno))
 212     return Error(EPERM);
 213
 214   if (SyscallSets::IsAnySystemV(sysno)) {
 215     return Error(EPERM);
 216   }
 217
 218   if (SyscallSets::IsUmask(sysno) ||
 219       SyscallSets::IsDeniedFileSystemAccessViaFd(sysno) ||
 220       SyscallSets::IsDeniedGetOrModifySocket(sysno) ||
 221       SyscallSets::IsProcessPrivilegeChange(sysno)) {
 222     return Error(EPERM);
 223   }
 224
 225 #if defined(__i386__) || defined(__mips__)
 226   if (SyscallSets::IsSocketCall(sysno))
 227     return RestrictSocketcallCommand();
 228 #endif
 229
 230   if (IsBaselinePolicyWatched(sysno)) {
 231     // Previously unseen syscalls. TODO(jln): some of these should
 232     // be denied gracefully right away.
 233     return CrashSIGSYS();
 234   }
 235
 236   // In any other case crash the program with our SIGSYS handler.
 237   return CrashSIGSYS();
 238 }
 239
 240 }  // namespace.
 241
 242 // Unfortunately C++03 doesn't allow delegated constructors.
 243 // Call other constructor when C++11 lands.
 244 BaselinePolicy::BaselinePolicy() : BaselinePolicy(EPERM) {}
 245
 246 BaselinePolicy::BaselinePolicy(int fs_denied_errno)
 247     : fs_denied_errno_(fs_denied_errno), policy_pid_(sys_getpid()) {
 248 }
 249
 250 BaselinePolicy::~BaselinePolicy() {
 251   // Make sure that this policy is created, used and destroyed by a single
 252   // process.
 253   DCHECK_EQ(sys_getpid(), policy_pid_);
 254 }
 255
 256 ResultExpr BaselinePolicy::EvaluateSyscall(int sysno) const {
 257   // Sanity check that we're only called with valid syscall numbers.
 258   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
 259   // Make sure that this policy is used in the creating process.
 260   if (1 == sysno) {
 261     DCHECK_EQ(sys_getpid(), policy_pid_);
 262   }
 263   return EvaluateSyscallImpl(fs_denied_errno_, policy_pid_, sysno);
 264 }
 265
 266 ResultExpr BaselinePolicy::InvalidSyscall() const {
 267   return CrashSIGSYS();
 268 }
 269
 270 }  // namespace sandbox.