1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // Note: any code in this file MUST be async-signal safe.
7 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
9 #include <sys/syscall.h>
12 #include "base/basictypes.h"
13 #include "base/logging.h"
14 #include "base/posix/eintr_wrapper.h"
15 #include "build/build_config.h"
16 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
17 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
18 #include "sandbox/linux/seccomp-bpf/syscall.h"
19 #include "sandbox/linux/services/syscall_wrappers.h"
20 #include "sandbox/linux/system_headers/linux_syscalls.h"
23 // __NR_Linux, is defined in <asm/unistd.h>.
24 #include <asm/unistd.h>
27 #define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure"
28 #define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure"
29 #define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure"
30 #define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure"
31 #define SECCOMP_MESSAGE_KILL_CONTENT "(tg)kill() failure"
32 #define SECCOMP_MESSAGE_FUTEX_CONTENT "futex() failure"
36 inline bool IsArchitectureX86_64() {
37 #if defined(__x86_64__)
44 // Write |error_message| to stderr. Similar to RawLog(), but a bit more careful
45 // about async-signal safety. |size| is the size to write and should typically
46 // not include a terminating \0.
47 void WriteToStdErr(const char* error_message
, size_t size
) {
49 // TODO(jln): query the current policy to check if send() is available and
50 // use it to perform a non-blocking write.
51 const int ret
= HANDLE_EINTR(write(STDERR_FILENO
, error_message
, size
));
52 // We can't handle any type of error here.
53 if (ret
<= 0 || static_cast<size_t>(ret
) > size
) break;
59 // Invalid syscall values are truncated to zero.
60 // On architectures where base value is zero (Intel and Arm),
61 // syscall number is the same as offset from base.
62 // This function returns values between 0 and 1023 on all architectures.
63 // On architectures where base value is different than zero (currently only
64 // Mips), we are truncating valid syscall values to offset from base.
65 uint32_t SyscallNumberToOffsetFromBase(uint32_t sysno
) {
67 // On MIPS syscall numbers are in different range than on x86 and ARM.
68 // Valid MIPS O32 ABI syscall __NR_syscall will be truncated to zero for
70 sysno
= sysno
- __NR_Linux
;
79 // Print a seccomp-bpf failure to handle |sysno| to stderr in an
80 // async-signal safe way.
81 void PrintSyscallError(uint32_t sysno
) {
84 // TODO(markus): replace with async-signal safe snprintf when available.
85 const size_t kNumDigits
= 4;
86 char sysno_base10
[kNumDigits
];
89 for (int i
= kNumDigits
- 1; i
>= 0; i
--) {
92 sysno_base10
[i
] = '0' + mod
;
94 #if defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
95 static const char kSeccompErrorPrefix
[] = __FILE__
96 ":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT
" in syscall 4000 + ";
98 static const char kSeccompErrorPrefix
[] =
99 __FILE__
":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT
" in syscall ";
101 static const char kSeccompErrorPostfix
[] = "\n";
102 WriteToStdErr(kSeccompErrorPrefix
, sizeof(kSeccompErrorPrefix
) - 1);
103 WriteToStdErr(sysno_base10
, sizeof(sysno_base10
));
104 WriteToStdErr(kSeccompErrorPostfix
, sizeof(kSeccompErrorPostfix
) - 1);
111 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data
& args
, void* aux
) {
112 uint32_t syscall
= SyscallNumberToOffsetFromBase(args
.nr
);
114 PrintSyscallError(syscall
);
116 // Encode 8-bits of the 1st two arguments too, so we can discern which socket
117 // type, which fcntl, ... etc., without being likely to hit a mapped
119 // Do not encode more bits here without thinking about increasing the
120 // likelihood of collision with mapped pages.
121 syscall
|= ((args
.args
[0] & 0xffUL
) << 12);
122 syscall
|= ((args
.args
[1] & 0xffUL
) << 20);
123 // Purposefully dereference the syscall as an address so it'll show up very
124 // clearly and easily in crash dumps.
125 volatile char* addr
= reinterpret_cast<volatile char*>(syscall
);
127 // In case we hit a mapped address, hit the null page with just the syscall,
130 addr
= reinterpret_cast<volatile char*>(syscall
);
136 // TODO(jln): refactor the reporting functions.
138 intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data
& args
, void* aux
) {
139 static const char kSeccompCloneError
[] =
140 __FILE__
":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT
"\n";
141 WriteToStdErr(kSeccompCloneError
, sizeof(kSeccompCloneError
) - 1);
142 // "flags" is the first argument in the kernel's clone().
143 // Mark as volatile to be able to find the value on the stack in a minidump.
144 volatile uint64_t clone_flags
= args
.args
[0];
146 if (IsArchitectureX86_64()) {
147 addr
= reinterpret_cast<volatile char*>(clone_flags
& 0xFFFFFF);
150 // Hit the NULL page if this fails to fault.
151 addr
= reinterpret_cast<volatile char*>(clone_flags
& 0xFFF);
157 intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data
& args
,
159 static const char kSeccompPrctlError
[] =
160 __FILE__
":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT
"\n";
161 WriteToStdErr(kSeccompPrctlError
, sizeof(kSeccompPrctlError
) - 1);
162 // Mark as volatile to be able to find the value on the stack in a minidump.
163 volatile uint64_t option
= args
.args
[0];
164 volatile char* addr
=
165 reinterpret_cast<volatile char*>(option
& 0xFFF);
171 intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data
& args
,
173 static const char kSeccompIoctlError
[] =
174 __FILE__
":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT
"\n";
175 WriteToStdErr(kSeccompIoctlError
, sizeof(kSeccompIoctlError
) - 1);
176 // Make "request" volatile so that we can see it on the stack in a minidump.
177 volatile uint64_t request
= args
.args
[1];
178 volatile char* addr
= reinterpret_cast<volatile char*>(request
& 0xFFFF);
180 // Hit the NULL page if this fails.
181 addr
= reinterpret_cast<volatile char*>(request
& 0xFFF);
187 intptr_t SIGSYSKillFailure(const struct arch_seccomp_data
& args
,
189 static const char kSeccompKillError
[] =
190 __FILE__
":**CRASHING**:" SECCOMP_MESSAGE_KILL_CONTENT
"\n";
191 WriteToStdErr(kSeccompKillError
, sizeof(kSeccompKillError
) - 1);
192 // Make "request" volatile so that we can see it on the stack in a minidump.
193 volatile uint64_t pid
= args
.args
[0];
194 volatile char* addr
= reinterpret_cast<volatile char*>(pid
& 0xFFF);
196 // Hit the NULL page if this fails.
197 addr
= reinterpret_cast<volatile char*>(pid
& 0xFFF);
203 intptr_t SIGSYSFutexFailure(const struct arch_seccomp_data
& args
,
205 static const char kSeccompFutexError
[] =
206 __FILE__
":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT
"\n";
207 WriteToStdErr(kSeccompFutexError
, sizeof(kSeccompFutexError
) - 1);
208 volatile int futex_op
= args
.args
[1];
209 volatile char* addr
= reinterpret_cast<volatile char*>(futex_op
& 0xFFF);
215 intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data
& args
,
218 case __NR_sched_getaffinity
:
219 case __NR_sched_getattr
:
220 case __NR_sched_getparam
:
221 case __NR_sched_getscheduler
:
222 case __NR_sched_rr_get_interval
:
223 case __NR_sched_setaffinity
:
224 case __NR_sched_setattr
:
225 case __NR_sched_setparam
:
226 case __NR_sched_setscheduler
:
227 const pid_t tid
= sys_gettid();
228 // The first argument is the pid. If is our thread id, then replace it
229 // with 0, which is equivalent and allowed by the policy.
230 if (args
.args
[0] == static_cast<uint64_t>(tid
)) {
231 return Syscall::Call(args
.nr
,
233 static_cast<intptr_t>(args
.args
[1]),
234 static_cast<intptr_t>(args
.args
[2]),
235 static_cast<intptr_t>(args
.args
[3]),
236 static_cast<intptr_t>(args
.args
[4]),
237 static_cast<intptr_t>(args
.args
[5]));
242 CrashSIGSYS_Handler(args
, aux
);
244 // Should never be reached.
249 bpf_dsl::ResultExpr
CrashSIGSYS() {
250 return bpf_dsl::Trap(CrashSIGSYS_Handler
, NULL
);
253 bpf_dsl::ResultExpr
CrashSIGSYSClone() {
254 return bpf_dsl::Trap(SIGSYSCloneFailure
, NULL
);
257 bpf_dsl::ResultExpr
CrashSIGSYSPrctl() {
258 return bpf_dsl::Trap(SIGSYSPrctlFailure
, NULL
);
261 bpf_dsl::ResultExpr
CrashSIGSYSIoctl() {
262 return bpf_dsl::Trap(SIGSYSIoctlFailure
, NULL
);
265 bpf_dsl::ResultExpr
CrashSIGSYSKill() {
266 return bpf_dsl::Trap(SIGSYSKillFailure
, NULL
);
269 bpf_dsl::ResultExpr
CrashSIGSYSFutex() {
270 return bpf_dsl::Trap(SIGSYSFutexFailure
, NULL
);
273 bpf_dsl::ResultExpr
RewriteSchedSIGSYS() {
274 return bpf_dsl::Trap(SIGSYSSchedHandler
, NULL
);
277 const char* GetErrorMessageContentForTests() {
278 return SECCOMP_MESSAGE_COMMON_CONTENT
;
281 const char* GetCloneErrorMessageContentForTests() {
282 return SECCOMP_MESSAGE_CLONE_CONTENT
;
285 const char* GetPrctlErrorMessageContentForTests() {
286 return SECCOMP_MESSAGE_PRCTL_CONTENT
;
289 const char* GetIoctlErrorMessageContentForTests() {
290 return SECCOMP_MESSAGE_IOCTL_CONTENT
;
293 const char* GetKillErrorMessageContentForTests() {
294 return SECCOMP_MESSAGE_KILL_CONTENT
;
297 const char* GetFutexErrorMessageContentForTests() {
298 return SECCOMP_MESSAGE_FUTEX_CONTENT
;
301 } // namespace sandbox.