search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix link in German terms of service.
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf / sandbox_bpf.cc
blob239043eb270d57b8b60df714323f5a166a380ede
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
6
7 // Some headers on Android are missing cdefs: crbug.com/172337.
8 // (We can't use OS_ANDROID here since build_config.h is not included).
9 #if defined(ANDROID)
10 #include <sys/cdefs.h>
11 #endif
12
13 #include <errno.h>
14 #include <sys/prctl.h>
15 #include <sys/types.h>
16 #include <unistd.h>
17
18 #include "base/compiler_specific.h"
19 #include "base/files/scoped_file.h"
20 #include "base/logging.h"
21 #include "base/macros.h"
22 #include "base/memory/scoped_ptr.h"
23 #include "base/posix/eintr_wrapper.h"
24 #include "base/third_party/valgrind/valgrind.h"
25 #include "sandbox/linux/bpf_dsl/codegen.h"
26 #include "sandbox/linux/bpf_dsl/policy.h"
27 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
28 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
29 #include "sandbox/linux/bpf_dsl/syscall_set.h"
30 #include "sandbox/linux/seccomp-bpf/die.h"
31 #include "sandbox/linux/seccomp-bpf/syscall.h"
32 #include "sandbox/linux/seccomp-bpf/trap.h"
33 #include "sandbox/linux/services/proc_util.h"
34 #include "sandbox/linux/services/syscall_wrappers.h"
35 #include "sandbox/linux/services/thread_helpers.h"
36 #include "sandbox/linux/system_headers/linux_filter.h"
37 #include "sandbox/linux/system_headers/linux_seccomp.h"
38 #include "sandbox/linux/system_headers/linux_syscalls.h"
39
40 namespace sandbox {
41
42 namespace {
43
44 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; }
45
46 bool IsSingleThreaded(int proc_fd) {
47 return ThreadHelpers::IsSingleThreaded(proc_fd);
48 }
49
50 // Check if the kernel supports seccomp-filter (a.k.a. seccomp mode 2) via
51 // prctl().
52 bool KernelSupportsSeccompBPF() {
53 errno = 0;
54 const int rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr);
55
56 if (rv == -1 && EFAULT == errno) {
57 return true;
58 }
59 return false;
60 }
61
62 // LG introduced a buggy syscall, sys_set_media_ext, with the same number as
63 // seccomp. Return true if the current kernel has this buggy syscall.
64 //
65 // We want this to work with upcoming versions of seccomp, so we pass bogus
66 // flags that are unlikely to ever be used by the kernel. A normal kernel would
67 // return -EINVAL, but a buggy LG kernel would return 1.
68 bool KernelHasLGBug() {
69 #if defined(OS_ANDROID)
70 // sys_set_media will see this as NULL, which should be a safe (non-crashing)
71 // way to invoke it. A genuine seccomp syscall will see it as
72 // SECCOMP_SET_MODE_STRICT.
73 const unsigned int operation = 0;
74 // Chosen by fair dice roll. Guaranteed to be random.
75 const unsigned int flags = 0xf7a46a5c;
76 const int rv = sys_seccomp(operation, flags, nullptr);
77 // A genuine kernel would return -EINVAL (which would set rv to -1 and errno
78 // to EINVAL), or at the very least return some kind of error (which would
79 // set rv to -1). Any other behavior indicates that whatever code received
80 // our syscall was not the real seccomp.
81 if (rv != -1) {
82 return true;
83 }
84 #endif // defined(OS_ANDROID)
85
86 return false;
87 }
88
89 // Check if the kernel supports seccomp-filter via the seccomp system call
90 // and the TSYNC feature to enable seccomp on all threads.
91 bool KernelSupportsSeccompTsync() {
92 if (KernelHasLGBug()) {
93 return false;
94 }
95
96 errno = 0;
97 const int rv =
98 sys_seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, nullptr);
99
100 if (rv == -1 && errno == EFAULT) {
101 return true;
102 } else {
103 // TODO(jln): turn these into DCHECK after 417888 is considered fixed.
104 CHECK_EQ(-1, rv);
105 CHECK(ENOSYS == errno || EINVAL == errno);
106 return false;
107 }
108 }
109
110 uint64_t EscapePC() {
111 intptr_t rv = Syscall::Call(-1);
112 if (rv == -1 && errno == ENOSYS) {
113 return 0;
114 }
115 return static_cast<uint64_t>(static_cast<uintptr_t>(rv));
116 }
117
118 } // namespace
119
120 SandboxBPF::SandboxBPF(bpf_dsl::Policy* policy)
121 : proc_fd_(), sandbox_has_started_(false), policy_(policy) {
122 }
123
124 SandboxBPF::~SandboxBPF() {
125 }
126
127 // static
128 bool SandboxBPF::SupportsSeccompSandbox(SeccompLevel level) {
129 // Never pretend to support seccomp with Valgrind, as it
130 // throws the tool off.
131 if (IsRunningOnValgrind()) {
132 return false;
133 }
134
135 switch (level) {
136 case SeccompLevel::SINGLE_THREADED:
137 return KernelSupportsSeccompBPF();
138 case SeccompLevel::MULTI_THREADED:
139 return KernelSupportsSeccompTsync();
140 }
141 NOTREACHED();
142 return false;
143 }
144
145 bool SandboxBPF::StartSandbox(SeccompLevel seccomp_level) {
146 DCHECK(policy_);
147 CHECK(seccomp_level == SeccompLevel::SINGLE_THREADED ||
148 seccomp_level == SeccompLevel::MULTI_THREADED);
149
150 if (sandbox_has_started_) {
151 SANDBOX_DIE(
152 "Cannot repeatedly start sandbox. Create a separate Sandbox "
153 "object instead.");
154 return false;
155 }
156
157 if (!proc_fd_.is_valid()) {
158 SetProcFd(ProcUtil::OpenProc());
159 }
160
161 const bool supports_tsync = KernelSupportsSeccompTsync();
162
163 if (seccomp_level == SeccompLevel::SINGLE_THREADED) {
164 // Wait for /proc/self/task/ to update if needed and assert the
165 // process is single threaded.
166 ThreadHelpers::AssertSingleThreaded(proc_fd_.get());
167 } else if (seccomp_level == SeccompLevel::MULTI_THREADED) {
168 if (IsSingleThreaded(proc_fd_.get())) {
169 SANDBOX_DIE("Cannot start sandbox; "
170 "process may be single-threaded when reported as not");
171 return false;
172 }
173 if (!supports_tsync) {
174 SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing "
175 "filters for a threadgroup");
176 return false;
177 }
178 }
179
180 // We no longer need access to any files in /proc. We want to do this
181 // before installing the filters, just in case that our policy denies
182 // close().
183 if (proc_fd_.is_valid()) {
184 proc_fd_.reset();
185 }
186
187 // Install the filters.
188 InstallFilter(supports_tsync ||
189 seccomp_level == SeccompLevel::MULTI_THREADED);
190
191 return true;
192 }
193
194 void SandboxBPF::SetProcFd(base::ScopedFD proc_fd) {
195 proc_fd_.swap(proc_fd);
196 }
197
198 // static
199 bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
200 return SyscallSet::IsValid(sysnum);
201 }
202
203 // static
204 bool SandboxBPF::IsRequiredForUnsafeTrap(int sysno) {
205 return bpf_dsl::PolicyCompiler::IsRequiredForUnsafeTrap(sysno);
206 }
207
208 // static
209 intptr_t SandboxBPF::ForwardSyscall(const struct arch_seccomp_data& args) {
210 return Syscall::Call(
211 args.nr, static_cast<intptr_t>(args.args[0]),
212 static_cast<intptr_t>(args.args[1]), static_cast<intptr_t>(args.args[2]),
213 static_cast<intptr_t>(args.args[3]), static_cast<intptr_t>(args.args[4]),
214 static_cast<intptr_t>(args.args[5]));
215 }
216
217 scoped_ptr<CodeGen::Program> SandboxBPF::AssembleFilter(
218 bool force_verification) {
219 #if !defined(NDEBUG)
220 force_verification = true;
221 #endif
222 DCHECK(policy_);
223
224 bpf_dsl::PolicyCompiler compiler(policy_.get(), Trap::Registry());
225 if (Trap::SandboxDebuggingAllowedByUser()) {
226 compiler.DangerousSetEscapePC(EscapePC());
227 }
228 return compiler.Compile(force_verification);
229 }
230
231 void SandboxBPF::InstallFilter(bool must_sync_threads) {
232 // We want to be very careful in not imposing any requirements on the
233 // policies that are set with SetSandboxPolicy(). This means, as soon as
234 // the sandbox is active, we shouldn't be relying on libraries that could
235 // be making system calls. This, for example, means we should avoid
236 // using the heap and we should avoid using STL functions.
237 // Temporarily copy the contents of the "program" vector into a
238 // stack-allocated array; and then explicitly destroy that object.
239 // This makes sure we don't ex- or implicitly call new/delete after we
240 // installed the BPF filter program in the kernel. Depending on the
241 // system memory allocator that is in effect, these operators can result
242 // in system calls to things like munmap() or brk().
243 CodeGen::Program* program = AssembleFilter(false).release();
244
245 struct sock_filter bpf[program->size()];
246 const struct sock_fprog prog = {static_cast<unsigned short>(program->size()),
247 bpf};
248 memcpy(bpf, &(*program)[0], sizeof(bpf));
249 delete program;
250
251 // Make an attempt to release memory that is no longer needed here, rather
252 // than in the destructor. Try to avoid as much as possible to presume of
253 // what will be possible to do in the new (sandboxed) execution environment.
254 policy_.reset();
255
256 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
257 SANDBOX_DIE("Kernel refuses to enable no-new-privs");
258 }
259
260 // Install BPF filter program. If the thread state indicates multi-threading
261 // support, then the kernel hass the seccomp system call. Otherwise, fall
262 // back on prctl, which requires the process to be single-threaded.
263 if (must_sync_threads) {
264 int rv =
265 sys_seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog);
266 if (rv) {
267 SANDBOX_DIE(
268 "Kernel refuses to turn on and synchronize threads for BPF filters");
269 }
270 } else {
271 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
272 SANDBOX_DIE("Kernel refuses to turn on BPF filters");
273 }
274 }
275
276 sandbox_has_started_ = true;
277 }
278
279 } // namespace sandbox