• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "components/nacl/loader/nacl_sandbox_linux.h"
6 
7 #include <errno.h>
8 #include <signal.h>
9 #include <sys/ptrace.h>
10 
11 #include "base/basictypes.h"
12 #include "base/callback.h"
13 #include "base/compiler_specific.h"
14 #include "base/logging.h"
15 #include "build/build_config.h"
16 #include "content/public/common/sandbox_init.h"
17 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
18 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
19 #include "sandbox/linux/services/linux_syscalls.h"
20 
21 using sandbox::ErrorCode;
22 using sandbox::SandboxBPF;
23 using sandbox::SandboxBPFPolicy;
24 
25 namespace {
26 
27 // On ARM and x86_64, System V shared memory calls have each their own system
28 // call, while on i386 they are multiplexed.
29 #if defined(__x86_64__) || defined(__arm__)
IsSystemVSharedMemory(int sysno)30 bool IsSystemVSharedMemory(int sysno) {
31   switch (sysno) {
32     case __NR_shmat:
33     case __NR_shmctl:
34     case __NR_shmdt:
35     case __NR_shmget:
36       return true;
37     default:
38       return false;
39   }
40 }
41 #endif
42 
43 #if defined(__i386__)
44 // Big system V multiplexing system call.
IsSystemVIpc(int sysno)45 bool IsSystemVIpc(int sysno) {
46   switch (sysno) {
47     case __NR_ipc:
48       return true;
49     default:
50       return false;
51   }
52 }
53 #endif
54 
55 class NaClBPFSandboxPolicy : public SandboxBPFPolicy {
56  public:
NaClBPFSandboxPolicy()57   NaClBPFSandboxPolicy()
58       : baseline_policy_(content::GetBPFSandboxBaselinePolicy()) {}
~NaClBPFSandboxPolicy()59   virtual ~NaClBPFSandboxPolicy() {}
60 
61   virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
62                                     int system_call_number) const OVERRIDE;
63 
64  private:
65   scoped_ptr<SandboxBPFPolicy> baseline_policy_;
66   DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy);
67 };
68 
EvaluateSyscall(sandbox::SandboxBPF * sb,int sysno) const69 ErrorCode NaClBPFSandboxPolicy::EvaluateSyscall(
70     sandbox::SandboxBPF* sb, int sysno) const {
71   DCHECK(baseline_policy_);
72   switch (sysno) {
73     // TODO(jln): NaCl's GDB debug stub uses the following socket system calls,
74     // see if it can be restricted a bit.
75 #if defined(__x86_64__) || defined(__arm__)
76     // transport_common.cc needs this.
77     case __NR_accept:
78     case __NR_setsockopt:
79 #elif defined(__i386__)
80     case __NR_socketcall:
81 #endif
82     // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is
83     // used by NaCl's GDB debug stub.
84     case __NR_rt_sigtimedwait:
85 #if defined(__i386__)
86     // Needed on i386 to set-up the custom segments.
87     case __NR_modify_ldt:
88 #endif
89     // NaClAddrSpaceBeforeAlloc needs prlimit64.
90     case __NR_prlimit64:
91     // NaCl uses custom signal stacks.
92     case __NR_sigaltstack:
93     // Below is fairly similar to the policy for a Chromium renderer.
94     // TODO(jln): restrict clone(), ioctl() and prctl().
95     case __NR_ioctl:
96 #if defined(__i386__) || defined(__x86_64__)
97     case __NR_getrlimit:
98 #endif
99 #if defined(__i386__) || defined(__arm__)
100     case __NR_ugetrlimit:
101 #endif
102     // NaCl runtime exposes clock_getres to untrusted code.
103     case __NR_clock_getres:
104     // NaCl runtime uses flock to simulate POSIX behavior for pwrite.
105     case __NR_flock:
106     case __NR_pread64:
107     case __NR_pwrite64:
108     case __NR_sched_get_priority_max:
109     case __NR_sched_get_priority_min:
110     case __NR_sched_getaffinity:
111     case __NR_sched_getparam:
112     case __NR_sched_getscheduler:
113     case __NR_sched_setscheduler:
114     case __NR_setpriority:
115     case __NR_sysinfo:
116     // __NR_times needed as clock() is called by CommandBufferHelper, which is
117     // used by NaCl applications that use Pepper's 3D interfaces.
118     // See crbug.com/264856 for details.
119     case __NR_times:
120     case __NR_uname:
121       return ErrorCode(ErrorCode::ERR_ALLOWED);
122     case __NR_ptrace:
123       return ErrorCode(EPERM);
124     default:
125       // TODO(jln): look into getting rid of System V shared memory:
126       // platform_qualify/linux/sysv_shm_and_mmap.c makes it a requirement, but
127       // it may not be needed in all cases. Chromium renderers don't need
128       // System V shared memory on Aura.
129 #if defined(__x86_64__) || defined(__arm__)
130       if (IsSystemVSharedMemory(sysno))
131         return ErrorCode(ErrorCode::ERR_ALLOWED);
132 #elif defined(__i386__)
133       if (IsSystemVIpc(sysno))
134         return ErrorCode(ErrorCode::ERR_ALLOWED);
135 #endif
136       return baseline_policy_->EvaluateSyscall(sb, sysno);
137   }
138   NOTREACHED();
139   // GCC wants this.
140   return ErrorCode(EPERM);
141 }
142 
RunSandboxSanityChecks()143 void RunSandboxSanityChecks() {
144   errno = 0;
145   // Make a ptrace request with an invalid PID.
146   long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
147   CHECK_EQ(-1, ptrace_ret);
148   // Without the sandbox on, this ptrace call would ESRCH instead.
149   CHECK_EQ(EPERM, errno);
150 }
151 
152 }  // namespace
153 
InitializeBPFSandbox()154 bool InitializeBPFSandbox() {
155   bool sandbox_is_initialized = content::InitializeSandbox(
156       scoped_ptr<SandboxBPFPolicy>(new NaClBPFSandboxPolicy()));
157   if (sandbox_is_initialized) {
158     RunSandboxSanityChecks();
159     return true;
160   }
161   return false;
162 }
163