
Allow Android to use RendererProcessPolicy.

This change sets up the sandbox to build RendererProcessPolicy and
BPFBasePolicy on Android. BPFBasePolicy now also creates a
BaselinePolicyAndroid on Android builds.

The renderer main platform delegate now checks whether it is running in a renderer
process and, if so, sets the RendererProcessPolicy. There are no changes to the seccomp policy in other processes.

The seccomp policy itself is becoming slightly more permissive on Android as there are some syscalls allowed in RendererProcessPolicy that are currently not allowed on BaselinePolicyAndroid (setrlimit, sched_get_priority_max, sched_get_priority_min, times, uname). This change is guarded behind a feature flag so future CLs can properly clean up all the allowed syscalls, as well as determine which syscalls in AndroidBaselinePolicy can now be blocked as they're only needed by the renderer.

Bug: 739879
Change-Id: I01f51d9dc947467d0a1f5b00a4b91625f246a61e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4902220
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Liza Burakova <liza@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1205405}
Liza Burakova
2023-10-04 19:51:56 +00:00
committed by Chromium LUCI CQ
parent 6d86ce67d9
commit 198b80a354
10 changed files with 94 additions and 18 deletions

@ -309,10 +309,7 @@ source_set("common") {
]
if (use_seccomp_bpf) {
sources += [
"//sandbox/policy/linux/bpf_base_policy_linux.cc",
"//sandbox/policy/linux/bpf_base_policy_linux.h",
]
deps += [ "//sandbox/policy" ]
}
}

@ -9,6 +9,7 @@ import("//build/config/ui.gni")
import("//content/common/features.gni")
import("//media/media_options.gni")
import("//ppapi/buildflags/buildflags.gni")
import("//sandbox/features.gni")
import("//testing/libfuzzer/fuzzer_test.gni")
import("//third_party/webrtc/webrtc.gni")
import("//tools/ipc_fuzzer/ipc_fuzzer.gni")
@ -338,6 +339,10 @@ target(link_target_type, "renderer") {
"//third_party/cpu_features:ndk_compat",
"//third_party/libphonenumber",
]
if (use_seccomp_bpf) {
deps += [ "//sandbox/policy" ]
}
}
if (is_linux || is_chromeos) {

@ -13,6 +13,10 @@
#if BUILDFLAG(USE_SECCOMP_BPF)
#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h"
#include "sandbox/policy/features.h"
#include "sandbox/policy/linux/bpf_renderer_policy_linux.h"
#include "sandbox/policy/mojom/sandbox.mojom.h"
#include "sandbox/policy/sandbox_type.h"
#endif
namespace content {
@ -37,7 +41,17 @@ bool RendererMainPlatformDelegate::EnableSandbox() {
#if BUILDFLAG(USE_SECCOMP_BPF)
sandbox::BaselinePolicyAndroid::RuntimeOptions options(
starter.GetDefaultBaselineOptions());
starter.set_policy(std::make_unique<sandbox::BaselinePolicyAndroid>(options));
if (sandbox::policy::SandboxTypeFromCommandLine(
*base::CommandLine::ForCurrentProcess()) ==
sandbox::mojom::Sandbox::kRenderer &&
base::FeatureList::IsEnabled(
sandbox::policy::features::kUseRendererProcessPolicy)) {
starter.set_policy(
std::make_unique<sandbox::policy::RendererProcessPolicy>(options));
} else {
starter.set_policy(
std::make_unique<sandbox::BaselinePolicyAndroid>(options));
}
#endif
starter.StartSandbox();
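Review bot: The new `if` that combines the SandboxTypeFromCommandLine check with kUseRendererProcessPolicy installs a policy that, per the commit description, currently allows several syscalls (setrlimit, sched_get_priority_max, sched_get_priority_min, times, uname) the Android baseline does not, but nothing in the code records this. A reader enabling the flag later will assume it only narrows the renderer's kernel surface. Suggest a comment directly above the `if`: `// RendererProcessPolicy currently permits a few syscalls that BaselinePolicyAndroid denies; the flag gates that widening until the Android baseline has been audited.` EnableSandbox begins before this hunk and continues after it.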

@ -35,6 +35,19 @@ component("policy") {
"//sandbox/policy/mojom",
]
public_deps = [ "//sandbox:common" ]
if (is_android) {
sources += [
"linux/bpf_base_policy_linux.cc",
"linux/bpf_base_policy_linux.h",
"linux/bpf_renderer_policy_linux.cc",
"linux/bpf_renderer_policy_linux.h",
]
deps += [
"//sandbox:sandbox_buildflags",
"//sandbox/linux:sandbox_services",
"//sandbox/linux:seccomp_bpf",
]
}
if (is_linux || is_chromeos) {
sources += [
"linux/bpf_audio_policy_linux.cc",

@ -134,6 +134,13 @@ BASE_FEATURE(kCacheMacSandboxProfiles,
base::FEATURE_ENABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_MAC)
#if BUILDFLAG(IS_ANDROID)
// Enables the renderer on Android to use a separate seccomp policy.
BASE_FEATURE(kUseRendererProcessPolicy,
"UseRendererProcessPolicy",
base::FEATURE_DISABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_ANDROID)
#if BUILDFLAG(IS_WIN)
bool IsNetworkSandboxSupported() {
// Network service sandbox uses GetNetworkConnectivityHint which is only

@ -48,6 +48,10 @@ SANDBOX_POLICY_EXPORT BASE_DECLARE_FEATURE(kForceSpectreVariant2Mitigation);
SANDBOX_POLICY_EXPORT BASE_DECLARE_FEATURE(kCacheMacSandboxProfiles);
#endif // BUILDFLAG(IS_MAC)
#if BUILDFLAG(IS_ANDROID)
SANDBOX_POLICY_EXPORT BASE_DECLARE_FEATURE(kUseRendererProcessPolicy);
#endif // BUILDFLAG(IS_ANDROID)
#if BUILDFLAG(IS_WIN)
// Returns whether the network sandbox is supported. This is different from
// IsAppContainerSandboxSupported as the Network Service uses some newer APIs to

@ -11,6 +11,10 @@
#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
#include "sandbox/linux/system_headers/linux_syscalls.h"
#if BUILDFLAG(IS_ANDROID)
#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h"
#endif
using sandbox::bpf_dsl::Allow;
using sandbox::bpf_dsl::ResultExpr;
@ -23,10 +27,15 @@ namespace {
static const int kFSDeniedErrno = EPERM;
} // namespace.
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
BPFBasePolicy::BPFBasePolicy()
: baseline_policy_(new BaselinePolicy(kFSDeniedErrno)) {}
BPFBasePolicy::~BPFBasePolicy() {}
: baseline_policy_(std::make_unique<BaselinePolicy>(kFSDeniedErrno)) {}
#elif BUILDFLAG(IS_ANDROID)
BPFBasePolicy::BPFBasePolicy(
const BaselinePolicyAndroid::RuntimeOptions& options)
: baseline_policy_(std::make_unique<BaselinePolicyAndroid>(options)) {}
#endif
BPFBasePolicy::~BPFBasePolicy() = default;
ResultExpr BPFBasePolicy::EvaluateSyscall(int system_call_number) const {
DCHECK(baseline_policy_);
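Review bot: The Android constructor stores a BaselinePolicyAndroid in `baseline_policy_`, which the header declares as `std::unique_ptr<BaselinePolicy>`, so the object is destroyed through the base type; that is only well-defined if BaselinePolicy has a virtual destructor — presumably it does as a bpf_dsl::Policy subclass, but it is worth confirming because the Linux path never exercised deletion of a derived baseline. A one-line comment on the new constructor would also help readers of this file: `// Android: the baseline layer is a BaselinePolicyAndroid configured by |options|.` The `#elif` leaves no constructor at all on any other platform, which is fine only as long as the build files keep this source restricted to Linux, ChromeOS and Android.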

@ -7,13 +7,17 @@
#include <memory>
#include "build/build_config.h"
#include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h"
#include "sandbox/linux/bpf_dsl/policy.h"
#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
#include "sandbox/policy/export.h"
namespace sandbox {
namespace policy {
#if BUILDFLAG(IS_ANDROID)
#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h"
#endif
namespace sandbox::policy {
// The "baseline" BPF policy. Any other seccomp-bpf policy should inherit
// from it.
@ -21,7 +25,11 @@ namespace policy {
// as a "kernel attack surface reduction" layer, it's implementation-defined.
class SANDBOX_POLICY_EXPORT BPFBasePolicy : public bpf_dsl::Policy {
public:
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
BPFBasePolicy();
#elif BUILDFLAG(IS_ANDROID)
explicit BPFBasePolicy(const BaselinePolicyAndroid::RuntimeOptions& options);
#endif
BPFBasePolicy(const BPFBasePolicy&) = delete;
BPFBasePolicy& operator=(const BPFBasePolicy&) = delete;
@ -42,7 +50,6 @@ class SANDBOX_POLICY_EXPORT BPFBasePolicy : public bpf_dsl::Policy {
std::unique_ptr<BaselinePolicy> baseline_policy_;
};
} // namespace policy
} // namespace sandbox
} // namespace sandbox::policy
#endif // SANDBOX_POLICY_LINUX_BPF_BASE_POLICY_LINUX_H_

@ -36,6 +36,7 @@ namespace policy {
namespace {
#if !BUILDFLAG(IS_ANDROID)
ResultExpr RestrictIoctl() {
const Arg<unsigned long> request(1);
return Switch(request)
@ -44,10 +45,16 @@ ResultExpr RestrictIoctl() {
Allow())
.Default(CrashSIGSYSIoctl());
}
#endif // !BUILDFLAG(IS_ANDROID)
} // namespace
#if !BUILDFLAG(IS_ANDROID)
RendererProcessPolicy::RendererProcessPolicy() = default;
#else
RendererProcessPolicy::RendererProcessPolicy(
const BaselinePolicyAndroid::RuntimeOptions& options)
: BPFBasePolicy(options) {}
#endif // !BUILDFLAG(IS_ANDROID)
RendererProcessPolicy::~RendererProcessPolicy() = default;
ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
@ -60,8 +67,12 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
case __NR_clock_getres_time64:
#endif
return RestrictClockID();
// Android requires a larger set of allowed ioctls, so this case is handled
// through BPFBasePolicy calling through to BaselinePolicyAndroid on Android.
#if !BUILDFLAG(IS_ANDROID)
case __NR_ioctl:
return RestrictIoctl();
#endif // !BUILDFLAG(IS_ANDROID)
// Allow the system calls below.
case __NR_fdatasync:
case __NR_fsync:
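Review bot: The constructor selection in the first hunk uses `#if !BUILDFLAG(IS_ANDROID)` / `#else`, while the matching declarations in bpf_renderer_policy_linux.h (and both sides of BPFBasePolicy) use `#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)` / `#elif BUILDFLAG(IS_ANDROID)`. On any platform outside those three the header declares no constructor but this file still defines the defaulted one, so the mismatch would surface as a confusing definition-without-declaration error instead of a clear one. Aligning this file with the header, `#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)` for the defaulted constructor and `#elif BUILDFLAG(IS_ANDROID)` for the options-taking one, keeps the two files in lockstep. EvaluateSyscall starts before the second hunk and continues past it.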

@ -5,15 +5,25 @@
#ifndef SANDBOX_POLICY_LINUX_BPF_RENDERER_POLICY_LINUX_H_
#define SANDBOX_POLICY_LINUX_BPF_RENDERER_POLICY_LINUX_H_
#include "build/build_config.h"
#include "sandbox/policy/export.h"
#include "sandbox/policy/linux/bpf_base_policy_linux.h"
namespace sandbox {
namespace policy {
#if BUILDFLAG(IS_ANDROID)
#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h"
#endif
namespace sandbox::policy {
// This policy can be used by both renderer and worker processes.
class RendererProcessPolicy : public BPFBasePolicy {
class SANDBOX_POLICY_EXPORT RendererProcessPolicy : public BPFBasePolicy {
public:
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
RendererProcessPolicy();
#elif BUILDFLAG(IS_ANDROID)
explicit RendererProcessPolicy(
const BaselinePolicyAndroid::RuntimeOptions& options);
#endif
RendererProcessPolicy(const RendererProcessPolicy&) = delete;
RendererProcessPolicy& operator=(const RendererProcessPolicy&) = delete;
@ -23,7 +33,6 @@ class RendererProcessPolicy : public BPFBasePolicy {
bpf_dsl::ResultExpr EvaluateSyscall(int system_call_number) const override;
};
} // namespace policy
} // namespace sandbox
} // namespace sandbox::policy
#endif // SANDBOX_POLICY_LINUX_BPF_RENDERER_POLICY_LINUX_H_