// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" #include <errno.h> #include <fcntl.h> #include <linux/net.h> #include <sched.h> #include <signal.h> #include <stdint.h> #include <sys/ioctl.h> #include <sys/mman.h> #include <sys/prctl.h> #include <sys/ptrace.h> #include <sys/resource.h> #include <sys/stat.h> #include <sys/time.h> #include <sys/types.h> #include <time.h> #include <unistd.h> #include "base/notreached.h" #include "base/synchronization/synchronization_buildflags.h" #include "build/build_config.h" #include "build/chromeos_buildflags.h" #include "sandbox/linux/bpf_dsl/bpf_dsl.h" #include "sandbox/linux/bpf_dsl/seccomp_macros.h" #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/system_headers/linux_futex.h" #include "sandbox/linux/system_headers/linux_prctl.h" #include "sandbox/linux/system_headers/linux_ptrace.h" #include "sandbox/linux/system_headers/linux_syscalls.h" #include "sandbox/linux/system_headers/linux_time.h" #if (BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_LACROS)) && \ !defined(__arm__) && !defined(__aarch64__) && \ !defined(PTRACE_GET_THREAD_AREA) // Also include asm/ptrace-abi.h since ptrace.h in older libc (for instance // the one in Ubuntu 16.04 LTS) is missing PTRACE_GET_THREAD_AREA. // asm/ptrace-abi.h doesn't exist on arm32 and PTRACE_GET_THREAD_AREA isn't // defined on aarch64, so don't try to include this on those platforms. #include <asm/ptrace-abi.h> #endif #if BUILDFLAG(IS_ANDROID) #if !defined(F_DUPFD_CLOEXEC) #define F_DUPFD_CLOEXEC … #endif #endif // BUILDFLAG(IS_ANDROID) #if defined(__arm__) && !defined(MAP_STACK) #define MAP_STACK … #endif #if defined(__mips__) && !defined(MAP_STACK) #define MAP_STACK … #endif // Temporary definitions for Arm's Memory Tagging Extension (MTE) and Branch // Target Identification (BTI). #if defined(ARCH_CPU_ARM64) #define PROT_MTE … #define PROT_BTI … #endif namespace { inline bool IsArchitectureX86_64() { … } inline bool IsArchitectureI386() { … } inline bool IsAndroid() { … } inline bool IsArchitectureMips() { … } // Ubuntu's version of glibc has a race condition in sem_post that can cause // it to call futex(2) with bogus op arguments. To workaround this, we need // to allow those futex(2) calls to fail with EINVAL, instead of crashing the // process. See crbug.com/598471. inline bool IsBuggyGlibcSemPost() { … } } // namespace. Allow; Arg; BoolExpr; Error; If; ResultExpr; namespace sandbox { // Allow Glibc's and Android pthread creation flags, crash on any other // thread creation attempts and EPERM attempts to use neither // CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is // present (as in newer versions of posix_spawn). ResultExpr RestrictCloneToThreadsAndEPERMFork() { … } #ifndef PR_PAC_RESET_KEYS #define PR_PAC_RESET_KEYS … #endif ResultExpr RestrictPrctl() { … } ResultExpr RestrictIoctl() { … } ResultExpr RestrictMmapFlags() { … } ResultExpr RestrictMprotectFlags() { … } ResultExpr RestrictFcntlCommands() { … } #if defined(__i386__) || defined(__mips__) ResultExpr RestrictSocketcallCommand() { // Unfortunately, we are unable to restrict the first parameter to // socketpair(2). Whilst initially sounding bad, it's noteworthy that very // few protocols actually support socketpair(2). The scary call that we're // worried about, socket(2), remains blocked. const Arg<int> call(0); return Switch(call) .Cases({SYS_SOCKETPAIR, SYS_SHUTDOWN, SYS_RECV, SYS_SEND, SYS_RECVFROM, SYS_SENDTO, SYS_RECVMSG, SYS_SENDMSG}, Allow()) .Default(Error(EPERM)); } #endif ResultExpr RestrictKillTarget(pid_t target_pid, int sysno) { … } ResultExpr RestrictFutex() { … } ResultExpr RestrictGetSetpriority(pid_t target_pid) { … } ResultExpr RestrictSchedTarget(pid_t target_pid, int sysno) { … } ResultExpr RestrictPrlimit64(pid_t target_pid) { … } ResultExpr RestrictGetrusage() { … } ResultExpr RestrictClockID() { … } #if !defined(GRND_NONBLOCK) #define GRND_NONBLOCK … #endif #if !defined(GRND_INSECURE) #define GRND_INSECURE … #endif ResultExpr RestrictGetRandom() { … } ResultExpr RestrictPrlimit(pid_t target_pid) { … } ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid) { … } ResultExpr RestrictPtrace() { … } ResultExpr RestrictPkeyAllocFlags() { … } ResultExpr RestrictGoogle3Threading(int sysno) { … } ResultExpr RestrictPipe2() { … } } // namespace sandbox.
Codebase Browser
chromium