// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifdef UNSAFE_BUFFERS_BUILD // TODO(crbug.com/351564777): Remove this and convert code to safer constructs. #pragma allow_unsafe_buffers #endif #include "sandbox/linux/seccomp-bpf/trap.h" #include <errno.h> #include <signal.h> #include <stddef.h> #include <stdint.h> #include <string.h> #include <sys/syscall.h> #include <algorithm> #include <atomic> #include <limits> #include <tuple> #include "base/compiler_specific.h" #include "base/logging.h" #include "base/memory/raw_ptr_exclusion.h" #include "build/build_config.h" #include "sandbox/linux/bpf_dsl/seccomp_macros.h" #include "sandbox/linux/seccomp-bpf/die.h" #include "sandbox/linux/seccomp-bpf/syscall.h" #include "sandbox/linux/services/syscall_wrappers.h" #include "sandbox/linux/system_headers/linux_seccomp.h" #include "sandbox/linux/system_headers/linux_signal.h" namespace { struct arch_sigsys { … }; const int kCapacityIncrement = …; // Unsafe traps can only be turned on, if the user explicitly allowed them // by setting the CHROME_SANDBOX_DEBUGGING environment variable. const char kSandboxDebuggingEnv[] = …; // We need to tell whether we are performing a "normal" callback, or // whether we were called recursively from within a UnsafeTrap() callback. // This is a little tricky to do, because we need to somehow get access to // per-thread data from within a signal context. Normal TLS storage is not // safely accessible at this time. We could roll our own, but that involves // a lot of complexity. Instead, we co-opt one bit in the signal mask. // If BUS is blocked, we assume that we have been called recursively. // There is a possibility for collision with other code that needs to do // this, but in practice the risks are low. // If SIGBUS turns out to be a problem, we could instead co-opt one of the // realtime signals. There are plenty of them. Unfortunately, there is no // way to mark a signal as allocated. So, the potential for collision is // possibly even worse. bool GetIsInSigHandler(const ucontext_t* ctx) { … } void SetIsInSigHandler() { … } bool IsDefaultSignalAction(const struct sigaction& sa) { … } } // namespace namespace sandbox { Trap::Trap() { … } bpf_dsl::TrapRegistry* Trap::Registry() { … } void Trap::SigSysAction(int nr, LinuxSigInfo* info, void* void_context) { … } void Trap::SigSys(int nr, LinuxSigInfo* info, ucontext_t* ctx) { … } uint16_t Trap::Add(const Handler& handler) { … } bool Trap::SandboxDebuggingAllowedByUser() { … } bool Trap::EnableUnsafeTraps() { … } Trap* Trap::global_trap_; } // namespace sandbox
Codebase Browser
chromium