components/nacl/loader/nonsfi/nonsfi_sandbox.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
   6
   7 #include <errno.h>
   8 #include <fcntl.h>
   9 #include <linux/net.h>
  10 #include <sys/mman.h>
  11 #include <sys/prctl.h>
  12 #include <sys/socket.h>
  13 #include <sys/syscall.h>
  14 #include <sys/time.h>
  15
  16 #include "base/basictypes.h"
  17 #include "base/logging.h"
  18 #include "base/time/time.h"
  19 #include "build/build_config.h"
  20 #include "content/public/common/sandbox_init.h"
  21 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
  22 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
  23 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
  24 #include "sandbox/linux/system_headers/linux_futex.h"
  25 #include "sandbox/linux/system_headers/linux_syscalls.h"
  26
  27 // Chrome OS Daisy (ARM) build environment and PNaCl toolchain do not define
  28 // MAP_STACK.
  29 #if !defined(MAP_STACK)
  30 # if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY)
  31 #  define MAP_STACK 0x20000
  32 # else
  33 // Note that, on other architecture, MAP_STACK has different value (e.g. mips'
  34 // MAP_STACK is 0x40000), though Non-SFI is not supported on such
  35 // architectures.
  36 #  error "Unknown platform."
  37 # endif
  38 #endif  // !defined(MAP_STACK)
  39
  40 #define CASES SANDBOX_BPF_DSL_CASES
  41
  42 using sandbox::CrashSIGSYS;
  43 using sandbox::CrashSIGSYSClone;
  44 using sandbox::CrashSIGSYSFutex;
  45 using sandbox::CrashSIGSYSPrctl;
  46 using sandbox::bpf_dsl::Allow;
  47 using sandbox::bpf_dsl::Arg;
  48 using sandbox::bpf_dsl::BoolExpr;
  49 using sandbox::bpf_dsl::Error;
  50 using sandbox::bpf_dsl::If;
  51 using sandbox::bpf_dsl::ResultExpr;
  52
  53 namespace nacl {
  54 namespace nonsfi {
  55 namespace {
  56
  57 ResultExpr RestrictFcntlCommands() {
  58   const Arg<int> cmd(1);
  59   const Arg<long> long_arg(2);
  60
  61   // We allow following cases:
  62   // 1. F_SETFD + FD_CLOEXEC: libevent's epoll_init uses this.
  63   // 2. F_GETFL: Used by SetNonBlocking in
  64   // message_pump_libevent.cc and Channel::ChannelImpl::CreatePipe
  65   // in ipc_channel_posix.cc. Note that the latter does not work
  66   // with EPERM.
  67   // 3. F_SETFL: Used by evutil_make_socket_nonblocking in
  68   // libevent and SetNonBlocking. As the latter mix O_NONBLOCK to
  69   // the return value of F_GETFL, so we need to allow O_ACCMODE in
  70   // addition to O_NONBLOCK.
  71   const uint64_t kAllowedMask = O_ACCMODE | O_NONBLOCK;
  72   return If((cmd == F_SETFD && long_arg == FD_CLOEXEC) || cmd == F_GETFL ||
  73                 (cmd == F_SETFL && (long_arg & ~kAllowedMask) == 0),
  74             Allow()).Else(CrashSIGSYS());
  75 }
  76
  77 ResultExpr RestrictClone() {
  78   // We allow clone only for new thread creation.
  79   int clone_flags =
  80       CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
  81       CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS;
  82 #if !defined(OS_NACL_NONSFI)
  83   clone_flags |= CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
  84 #endif
  85   const Arg<int> flags(0);
  86   return If(flags == clone_flags, Allow()).Else(CrashSIGSYSClone());
  87 }
  88
  89 ResultExpr RestrictFutexOperation() {
  90   // TODO(hamaji): Allow only FUTEX_PRIVATE_FLAG futexes.
  91   const uint64_t kAllowedFutexFlags = FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME;
  92   const Arg<int> op(1);
  93   return Switch(op & ~kAllowedFutexFlags)
  94       .CASES((FUTEX_WAIT,
  95               FUTEX_WAKE,
  96               FUTEX_REQUEUE,
  97               FUTEX_CMP_REQUEUE,
  98               FUTEX_WAKE_OP,
  99               FUTEX_WAIT_BITSET,
 100               FUTEX_WAKE_BITSET),
 101              Allow())
 102       .Default(CrashSIGSYSFutex());
 103 }
 104
 105 ResultExpr RestrictPrctl() {
 106   // base::PlatformThread::SetName() uses PR_SET_NAME so we return
 107   // EPERM for it. Otherwise, we will raise SIGSYS.
 108   const Arg<int> option(0);
 109   return If(option == PR_SET_NAME, Error(EPERM)).Else(CrashSIGSYSPrctl());
 110 }
 111
 112 #if defined(__i386__)
 113 ResultExpr RestrictSocketcall() {
 114   // We only allow socketpair, sendmsg, and recvmsg.
 115   const Arg<int> call(0);
 116   return If(call == SYS_SOCKETPAIR || call == SYS_SHUTDOWN ||
 117                 call == SYS_SENDMSG || call == SYS_RECVMSG,
 118             Allow()).Else(CrashSIGSYS());
 119 }
 120 #endif
 121
 122 ResultExpr RestrictMprotect() {
 123   // TODO(jln, keescook, drewry): Limit the use of mprotect by adding
 124   // some features to linux kernel.
 125   const uint64_t kAllowedMask = PROT_READ | PROT_WRITE | PROT_EXEC;
 126   const Arg<int> prot(2);
 127   return If((prot & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
 128 }
 129
 130 ResultExpr RestrictMmap() {
 131   const uint64_t kAllowedFlagMask =
 132       MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK | MAP_FIXED;
 133   // When PROT_EXEC is specified, IRT mmap of Non-SFI NaCl helper
 134   // calls mmap without PROT_EXEC and then adds PROT_EXEC by mprotect,
 135   // so we do not need to allow PROT_EXEC in mmap.
 136   const uint64_t kAllowedProtMask = PROT_READ | PROT_WRITE;
 137   const Arg<int> prot(2), flags(3);
 138   return If((prot & ~kAllowedProtMask) == 0 && (flags & ~kAllowedFlagMask) == 0,
 139             Allow()).Else(CrashSIGSYS());
 140 }
 141
 142 #if defined(__x86_64__) || defined(__arm__)
 143 ResultExpr RestrictSocketpair() {
 144   // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
 145   // Note: PNaCl toolchain does not define PF_UNIX.
 146 #if !defined(OS_NACL_NONSFI)
 147   static_assert(AF_UNIX == PF_UNIX, "AF_UNIX must equal PF_UNIX.");
 148 #endif
 149   const Arg<int> domain(0);
 150   return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS());
 151 }
 152 #endif
 153
 154 bool IsGracefullyDenied(int sysno) {
 155   switch (sysno) {
 156     // libevent tries this first and then falls back to poll if
 157     // epoll_create fails.
 158     case __NR_epoll_create:
 159     // third_party/libevent uses them, but we can just return -1 from
 160     // them as it is just checking getuid() != geteuid() and
 161     // getgid() != getegid()
 162 #if defined(__i386__) || defined(__arm__)
 163     case __NR_getegid32:
 164     case __NR_geteuid32:
 165     case __NR_getgid32:
 166     case __NR_getuid32:
 167 #endif
 168     case __NR_getegid:
 169     case __NR_geteuid:
 170     case __NR_getgid:
 171     case __NR_getuid:
 172     // tcmalloc calls madvise in TCMalloc_SystemRelease.
 173     case __NR_madvise:
 174     // EPERM instead of SIGSYS as glibc tries to open files in /proc.
 175     // openat via opendir via get_nprocs_conf and open via get_nprocs.
 176     // TODO(hamaji): Remove this when we switch to newlib.
 177     case __NR_open:
 178     case __NR_openat:
 179     // For RunSandboxSanityChecks().
 180     case __NR_ptrace:
 181     // glibc uses this for its pthread implementation. If we return
 182     // EPERM for this, glibc will stop using this.
 183     // TODO(hamaji): newlib does not use this. Make this SIGTRAP once
 184     // we have switched to newlib.
 185     case __NR_set_robust_list:
 186     // This is obsolete in ARM EABI, but x86 glibc indirectly calls
 187     // this in sysconf.
 188 #if defined(__i386__) || defined(__x86_64__)
 189     case __NR_time:
 190 #endif
 191       return true;
 192
 193     default:
 194       return false;
 195   }
 196 }
 197
 198 void RunSandboxSanityChecks() {
 199   errno = 0;
 200   // Make a ptrace request with an invalid PID.
 201   long ptrace_ret = syscall(
 202       __NR_ptrace, 3 /* = PTRACE_PEEKUSER */, -1 /* pid */, NULL, NULL);
 203   CHECK_EQ(-1, ptrace_ret);
 204   // Without the sandbox on, this ptrace call would ESRCH instead.
 205   CHECK_EQ(EPERM, errno);
 206 }
 207
 208 }  // namespace
 209
 210 ResultExpr NaClNonSfiBPFSandboxPolicy::EvaluateSyscall(int sysno) const {
 211   switch (sysno) {
 212     // Allowed syscalls.
 213 #if defined(__i386__) || defined(__arm__)
 214     case __NR__llseek:
 215 #elif defined(__x86_64__)
 216     case __NR_lseek:
 217 #endif
 218     case __NR_close:
 219     case __NR_dup:
 220     case __NR_dup2:
 221     case __NR_exit:
 222     case __NR_exit_group:
 223 #if defined(__i386__) || defined(__arm__)
 224     case __NR_fstat64:
 225 #elif defined(__x86_64__)
 226     case __NR_fstat:
 227 #endif
 228     // TODO(hamaji): Remove the need of gettid. Currently, this is
 229     // called from PlatformThread::CurrentId().
 230     case __NR_gettid:
 231     case __NR_gettimeofday:
 232     case __NR_munmap:
 233     case __NR_nanosleep:
 234     // TODO(hamaji): Remove the need of pipe. Currently, this is
 235     // called from base::MessagePumpLibevent::Init().
 236     case __NR_pipe:
 237     case __NR_poll:
 238     case __NR_pread64:
 239     case __NR_pwrite64:
 240     case __NR_read:
 241     case __NR_restart_syscall:
 242     case __NR_sched_yield:
 243     // __NR_times needed as clock() is called by CommandBufferHelper, which is
 244     // used by NaCl applications that use Pepper's 3D interfaces.
 245     // See crbug.com/264856 for details.
 246     case __NR_times:
 247     case __NR_write:
 248 #if defined(__arm__)
 249     case __ARM_NR_cacheflush:
 250 #endif
 251       return Allow();
 252
 253     case __NR_clock_getres:
 254     case __NR_clock_gettime:
 255       return sandbox::RestrictClockID();
 256
 257     case __NR_clone:
 258       return RestrictClone();
 259
 260 #if defined(__x86_64__)
 261     case __NR_fcntl:
 262 #endif
 263 #if defined(__i386__) || defined(__arm__)
 264     case __NR_fcntl64:
 265 #endif
 266       return RestrictFcntlCommands();
 267
 268     case __NR_futex:
 269       return RestrictFutexOperation();
 270
 271 #if defined(__x86_64__)
 272     case __NR_mmap:
 273 #endif
 274 #if defined(__i386__) || defined(__arm__)
 275     case __NR_mmap2:
 276 #endif
 277       return RestrictMmap();
 278     case __NR_mprotect:
 279       return RestrictMprotect();
 280
 281     case __NR_prctl:
 282       return RestrictPrctl();
 283
 284 #if defined(__i386__)
 285     case __NR_socketcall:
 286       return RestrictSocketcall();
 287 #endif
 288 #if defined(__x86_64__) || defined(__arm__)
 289     case __NR_recvmsg:
 290     case __NR_sendmsg:
 291     case __NR_shutdown:
 292       return Allow();
 293     case __NR_socketpair:
 294       return RestrictSocketpair();
 295 #endif
 296
 297     case __NR_brk:
 298       // The behavior of brk on Linux is different from other system
 299       // calls. It does not return errno but the current break on
 300       // failure. glibc thinks brk failed if the return value of brk
 301       // is less than the requested address (i.e., brk(addr) < addr).
 302       // So, glibc thinks brk succeeded if we return -EPERM and we
 303       // need to return zero instead.
 304       return Error(0);
 305
 306     default:
 307       if (IsGracefullyDenied(sysno))
 308         return Error(EPERM);
 309       return CrashSIGSYS();
 310   }
 311 }
 312
 313 ResultExpr NaClNonSfiBPFSandboxPolicy::InvalidSyscall() const {
 314   return CrashSIGSYS();
 315 }
 316
 317 bool InitializeBPFSandbox(base::ScopedFD proc_fd) {
 318   bool sandbox_is_initialized = content::InitializeSandbox(
 319       scoped_ptr<sandbox::bpf_dsl::Policy>(
 320           new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy()),
 321       proc_fd.Pass());
 322   if (!sandbox_is_initialized)
 323     return false;
 324   RunSandboxSanityChecks();
 325   return true;
 326 }
 327
 328 }  // namespace nonsfi
 329 }  // namespace nacl