components/nacl/loader/nacl_sandbox_linux.cc - platform/external/chromium_org - Git at Google

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "components/nacl/loader/nacl_sandbox_linux.h"

 #include <signal.h>
 #include <sys/ptrace.h>

 #include "base/callback.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "build/build_config.h"
 #include "content/public/common/sandbox_init.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/services/linux_syscalls.h"

 using playground2::ErrorCode;
 using playground2::Sandbox;

 namespace {

 // On ARM and x86_64, System V shared memory calls have each their own system
 // call, while on i386 they are multiplexed.
 #if defined(__x86_64__) || defined(__arm__)
 bool IsSystemVSharedMemory(int sysno) {
   switch (sysno) {
     case __NR_shmat:
     case __NR_shmctl:
     case __NR_shmdt:
     case __NR_shmget:
       return true;
     default:
       return false;
   }
 }
 #endif

 #if defined(__i386__)
 // Big system V multiplexing system call.
 bool IsSystemVIpc(int sysno) {
   switch (sysno) {
     case __NR_ipc:
       return true;
     default:
       return false;
   }
 }
 #endif

 ErrorCode NaClBpfSandboxPolicy(
     playground2::Sandbox* sb, int sysno, void* aux) {
   const playground2::BpfSandboxPolicyCallback baseline_policy =
       content::GetBpfSandboxBaselinePolicy();
   switch (sysno) {
     // TODO(jln): NaCl's GDB debug stub uses the following socket system calls,
     // see if it can be restricted a bit.
 #if defined(__x86_64__) || defined(__arm__)
     // transport_common.cc needs this.
     case __NR_accept:
     case __NR_setsockopt:
 #elif defined(__i386__)
     case __NR_socketcall:
 #endif
     // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is
     // used by NaCl's GDB debug stub.
     case __NR_rt_sigtimedwait:
 #if defined(__i386__)
     // Needed on i386 to set-up the custom segments.
     case __NR_modify_ldt:
 #endif
     // NaClAddrSpaceBeforeAlloc needs prlimit64.
     case __NR_prlimit64:
     // NaCl uses custom signal stacks.
     case __NR_sigaltstack:
     // Below is fairly similar to the policy for a Chromium renderer.
     // TODO(jln): restrict clone(), ioctl() and prctl().
     case __NR_ioctl:
 #if defined(__i386__) || defined(__x86_64__)
     case __NR_getrlimit:
 #endif
 #if defined(__i386__) || defined(__arm__)
     case __NR_ugetrlimit:
 #endif
     // NaCl runtime exposes clock_getres to untrusted code.
     case __NR_clock_getres:
     case __NR_pread64:
     case __NR_pwrite64:
     case __NR_sched_get_priority_max:
     case __NR_sched_get_priority_min:
     case __NR_sched_getaffinity:
     case __NR_sched_getparam:
     case __NR_sched_getscheduler:
     case __NR_sched_setscheduler:
     case __NR_setpriority:
     case __NR_sysinfo:
     // __NR_times needed as clock() is called by CommandBufferHelper, which is
     // used by NaCl applications that use Pepper's 3D interfaces.
     // See crbug.com/264856 for details.
     case __NR_times:
     case __NR_uname:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     case __NR_ptrace:
       return ErrorCode(EPERM);
     default:
       // TODO(jln): look into getting rid of System V shared memory:
       // platform_qualify/linux/sysv_shm_and_mmap.c makes it a requirement, but
       // it may not be needed in all cases. Chromium renderers don't need
       // System V shared memory on Aura.
 #if defined(__x86_64__) || defined(__arm__)
       if (IsSystemVSharedMemory(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 #elif defined(__i386__)
       if (IsSystemVIpc(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
       return baseline_policy.Run(sb, sysno, aux);
   }
   NOTREACHED();
   // GCC wants this.
   return ErrorCode(EPERM);
 }

 void RunSandboxSanityChecks() {
   errno = 0;
   // Make a ptrace request with an invalid PID.
   long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
   CHECK_EQ(-1, ptrace_ret);
   // Without the sandbox on, this ptrace call would ESRCH instead.
   CHECK_EQ(EPERM, errno);
 }

 }  // namespace

 bool InitializeBpfSandbox() {
   bool sandbox_is_initialized =
       content::InitializeSandbox(NaClBpfSandboxPolicy);
   if (sandbox_is_initialized) {
     RunSandboxSanityChecks();
     return true;
   }
   return false;
 }
	// Copyright 2013 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "components/nacl/loader/nacl_sandbox_linux.h"

	#include <signal.h>
	#include <sys/ptrace.h>

	#include "base/callback.h"
	#include "base/compiler_specific.h"
	#include "base/logging.h"
	#include "build/build_config.h"
	#include "content/public/common/sandbox_init.h"
	#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
	#include "sandbox/linux/services/linux_syscalls.h"

	using playground2::ErrorCode;
	using playground2::Sandbox;

	namespace {

	// On ARM and x86_64, System V shared memory calls have each their own system
	// call, while on i386 they are multiplexed.
	#if defined(__x86_64__) \|\| defined(__arm__)
	bool IsSystemVSharedMemory(int sysno) {
	switch (sysno) {
	case __NR_shmat:
	case __NR_shmctl:
	case __NR_shmdt:
	case __NR_shmget:
	return true;
	default:
	return false;
	}
	}
	#endif

	#if defined(__i386__)
	// Big system V multiplexing system call.
	bool IsSystemVIpc(int sysno) {
	switch (sysno) {
	case __NR_ipc:
	return true;
	default:
	return false;
	}
	}
	#endif

	ErrorCode NaClBpfSandboxPolicy(
	playground2::Sandbox* sb, int sysno, void* aux) {
	const playground2::BpfSandboxPolicyCallback baseline_policy =
	content::GetBpfSandboxBaselinePolicy();
	switch (sysno) {
	// TODO(jln): NaCl's GDB debug stub uses the following socket system calls,
	// see if it can be restricted a bit.
	#if defined(__x86_64__) \|\| defined(__arm__)
	// transport_common.cc needs this.
	case __NR_accept:
	case __NR_setsockopt:
	#elif defined(__i386__)
	case __NR_socketcall:
	#endif
	// trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is
	// used by NaCl's GDB debug stub.
	case __NR_rt_sigtimedwait:
	#if defined(__i386__)
	// Needed on i386 to set-up the custom segments.
	case __NR_modify_ldt:
	#endif
	// NaClAddrSpaceBeforeAlloc needs prlimit64.
	case __NR_prlimit64:
	// NaCl uses custom signal stacks.
	case __NR_sigaltstack:
	// Below is fairly similar to the policy for a Chromium renderer.
	// TODO(jln): restrict clone(), ioctl() and prctl().
	case __NR_ioctl:
	#if defined(__i386__) \|\| defined(__x86_64__)
	case __NR_getrlimit:
	#endif
	#if defined(__i386__) \|\| defined(__arm__)
	case __NR_ugetrlimit:
	#endif
	// NaCl runtime exposes clock_getres to untrusted code.
	case __NR_clock_getres:
	case __NR_pread64:
	case __NR_pwrite64:
	case __NR_sched_get_priority_max:
	case __NR_sched_get_priority_min:
	case __NR_sched_getaffinity:
	case __NR_sched_getparam:
	case __NR_sched_getscheduler:
	case __NR_sched_setscheduler:
	case __NR_setpriority:
	case __NR_sysinfo:
	// __NR_times needed as clock() is called by CommandBufferHelper, which is
	// used by NaCl applications that use Pepper's 3D interfaces.
	// See crbug.com/264856 for details.
	case __NR_times:
	case __NR_uname:
	return ErrorCode(ErrorCode::ERR_ALLOWED);
	case __NR_ptrace:
	return ErrorCode(EPERM);
	default:
	// TODO(jln): look into getting rid of System V shared memory:
	// platform_qualify/linux/sysv_shm_and_mmap.c makes it a requirement, but
	// it may not be needed in all cases. Chromium renderers don't need
	// System V shared memory on Aura.
	#if defined(__x86_64__) \|\| defined(__arm__)
	if (IsSystemVSharedMemory(sysno))
	return ErrorCode(ErrorCode::ERR_ALLOWED);
	#elif defined(__i386__)
	if (IsSystemVIpc(sysno))
	return ErrorCode(ErrorCode::ERR_ALLOWED);
	#endif
	return baseline_policy.Run(sb, sysno, aux);
	}
	NOTREACHED();
	// GCC wants this.
	return ErrorCode(EPERM);
	}

	void RunSandboxSanityChecks() {
	errno = 0;
	// Make a ptrace request with an invalid PID.
	long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
	CHECK_EQ(-1, ptrace_ret);
	// Without the sandbox on, this ptrace call would ESRCH instead.
	CHECK_EQ(EPERM, errno);
	}

	} // namespace

	bool InitializeBpfSandbox() {
	bool sandbox_is_initialized =
	content::InitializeSandbox(NaClBpfSandboxPolicy);
	if (sandbox_is_initialized) {
	RunSandboxSanityChecks();
	return true;
	}
	return false;
	}