Linux sandbox: Restrict sched_* syscalls on the GPU and ppapi processes.
BUG=399473,413855 Review URL: https://codereview.chromium.org/598203004 Cr-Commit-Position: refs/heads/master@{#297248}
content/common/sandbox_linux
sandbox/linux/seccomp-bpf-helpers
@ -25,6 +25,7 @@
|
||||
#include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
|
||||
#include "content/common/set_process_title.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
|
||||
#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
|
||||
#include "sandbox/linux/seccomp-bpf/trap.h"
|
||||
#include "sandbox/linux/services/broker_process.h"
|
||||
@ -186,15 +187,17 @@ ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const {
|
||||
case __NR_mprotect:
|
||||
// TODO(jln): restrict prctl.
|
||||
case __NR_prctl:
|
||||
case __NR_sched_getaffinity:
|
||||
case __NR_sched_setaffinity:
|
||||
case __NR_setpriority:
|
||||
return Allow();
|
||||
case __NR_access:
|
||||
case __NR_open:
|
||||
case __NR_openat:
|
||||
DCHECK(broker_process_);
|
||||
return Trap(GpuSIGSYS_Handler, broker_process_);
|
||||
case __NR_setpriority:
|
||||
return sandbox::RestrictGetSetpriority(GetPolicyPid());
|
||||
case __NR_sched_getaffinity:
|
||||
case __NR_sched_setaffinity:
|
||||
return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
|
||||
default:
|
||||
if (SyscallSets::IsEventFd(sysno))
|
||||
return Allow();
|
||||
|
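Review bot: The new `__NR_setpriority` and `__NR_sched_*affinity` cases in GpuProcessPolicy::EvaluateSyscall carry no comment saying what the restriction guarantees, although the neighbouring `// TODO(jln): restrict prctl.` shows the file annotates these decisions. From the header further down, RestrictGetSetpriority returns EPERM unless |who| is 0 or |target_pid|; RestrictSchedTarget is not declared on this page, but its (target_pid, sysno) signature suggests it filters the target pid the same way, so the policy/priority arguments are presumably not inspected. A short comment such as `// Only the calling process (pid 0 or the policy pid) may be targeted; see RestrictGetSetpriority/RestrictSchedTarget.` above the `case __NR_setpriority:` line would make the intent clear. The switch and the enclosing function start and end outside the hunk.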
@ -31,12 +31,13 @@ ResultExpr PpapiProcessPolicy::EvaluateSyscall(int sysno) const {
|
||||
case __NR_pwrite64:
|
||||
case __NR_sched_get_priority_max:
|
||||
case __NR_sched_get_priority_min:
|
||||
case __NR_times:
|
||||
return Allow();
|
||||
case __NR_sched_getaffinity:
|
||||
case __NR_sched_getparam:
|
||||
case __NR_sched_getscheduler:
|
||||
case __NR_sched_setscheduler:
|
||||
case __NR_times:
|
||||
return Allow();
|
||||
return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
|
||||
case __NR_ioctl:
|
||||
return Error(ENOTTY); // Flash Access.
|
||||
default:
|
||||
|
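Review bot: In PpapiProcessPolicy::EvaluateSyscall, `__NR_sched_setscheduler` now goes through RestrictSchedTarget, which judging by its arguments only constrains the target pid; the requested scheduling policy and priority are not filtered by the sandbox and are left to the kernel's own privilege checks. That is probably intended, but it is worth stating next to the `return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);` line, e.g. `// Target pid is restricted to this process; policy/priority arguments are not inspected here.` The surrounding function starts and ends outside the hunk.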
@ -36,6 +36,8 @@ class SandboxBPFBasePolicy : public sandbox::bpf_dsl::SandboxBPFDSLPolicy {
|
||||
// Get the errno(3) to return for filesystem errors.
|
||||
static int GetFSDeniedErrno();
|
||||
|
||||
pid_t GetPolicyPid() const { return baseline_policy_->policy_pid(); }
|
||||
|
||||
private:
|
||||
// Compose the BaselinePolicy from sandbox/.
|
||||
scoped_ptr<sandbox::BaselinePolicy> baseline_policy_;
|
||||
|
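Review bot: The new `GetPolicyPid()` accessor in SandboxBPFBasePolicy is the only member in this hunk without a comment, while `GetFSDeniedErrno()` right above it has one. Suggest `// Get the PID the underlying BaselinePolicy applies to (the process that created it).` on the line before it, matching the existing comment style. The class declaration begins and ends outside the hunk.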
@ -234,16 +234,15 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
|
||||
|
||||
// Unfortunately C++03 doesn't allow delegated constructors.
|
||||
// Call other constructor when C++11 lands.
|
||||
BaselinePolicy::BaselinePolicy()
|
||||
: fs_denied_errno_(EPERM), current_pid_(syscall(__NR_getpid)) {}
|
||||
BaselinePolicy::BaselinePolicy() : BaselinePolicy(EPERM) {}
|
||||
|
||||
BaselinePolicy::BaselinePolicy(int fs_denied_errno)
|
||||
: fs_denied_errno_(fs_denied_errno), current_pid_(syscall(__NR_getpid)) {}
|
||||
: fs_denied_errno_(fs_denied_errno), policy_pid_(syscall(__NR_getpid)) {}
|
||||
|
||||
BaselinePolicy::~BaselinePolicy() {
|
||||
// Make sure that this policy is created, used and destroyed by a single
|
||||
// process.
|
||||
DCHECK_EQ(syscall(__NR_getpid), current_pid_);
|
||||
DCHECK_EQ(syscall(__NR_getpid), policy_pid_);
|
||||
}
|
||||
|
||||
ResultExpr BaselinePolicy::EvaluateSyscall(int sysno) const {
|
||||
@ -251,9 +250,9 @@ ResultExpr BaselinePolicy::EvaluateSyscall(int sysno) const {
|
||||
DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
|
||||
// Make sure that this policy is used in the creating process.
|
||||
if (1 == sysno) {
|
||||
DCHECK_EQ(syscall(__NR_getpid), current_pid_);
|
||||
DCHECK_EQ(syscall(__NR_getpid), policy_pid_);
|
||||
}
|
||||
return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno);
|
||||
return EvaluateSyscallImpl(fs_denied_errno_, policy_pid_, sysno);
|
||||
}
|
||||
|
||||
ResultExpr BaselinePolicy::InvalidSyscall() const {
|
||||
|
@ -32,10 +32,14 @@ class SANDBOX_EXPORT BaselinePolicy : public bpf_dsl::SandboxBPFDSLPolicy {
|
||||
virtual bpf_dsl::ResultExpr EvaluateSyscall(
|
||||
int system_call_number) const OVERRIDE;
|
||||
virtual bpf_dsl::ResultExpr InvalidSyscall() const OVERRIDE;
|
||||
pid_t policy_pid() const { return policy_pid_; }
|
||||
|
||||
private:
|
||||
int fs_denied_errno_;
|
||||
pid_t current_pid_;
|
||||
|
||||
// The PID that the policy applies to (should be equal to the current pid).
|
||||
pid_t policy_pid_;
|
||||
|
||||
DISALLOW_COPY_AND_ASSIGN(BaselinePolicy);
|
||||
};
|
||||
|
||||
|
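Review bot: The comment on the renamed `policy_pid_` member says it "should be equal to the current pid" but does not say how that is enforced; in the .cc hunks above it is checked with DCHECK_EQ in the destructor and in EvaluateSyscall, i.e. only in debug builds. Suggest making that explicit: `// The PID that the policy applies to. Must equal the current pid; DCHECKed in the destructor and in EvaluateSyscall.` The public `policy_pid()` accessor added above could carry a one-line comment as well. The class declaration begins outside the hunk.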
@ -57,14 +57,15 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSocketcallCommand();
|
||||
// Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or
|
||||
// kill iff the first parameter is |target_pid|, crashing otherwise or if
|
||||
// |sysno| is tkill.
|
||||
bpf_dsl::ResultExpr RestrictKillTarget(pid_t target_pid, int sysno);
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictKillTarget(pid_t target_pid,
|
||||
int sysno);
|
||||
|
||||
// Crash if FUTEX_CMP_REQUEUE_PI is used in the second argument of futex(2).
|
||||
bpf_dsl::ResultExpr RestrictFutex();
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFutex();
|
||||
|
||||
// Crash if |which| is not PRIO_PROCESS. EPERM if |who| is not 0, neither
|
||||
// |target_pid| while calling setpriority(2) / getpriority(2).
|
||||
bpf_dsl::ResultExpr RestrictGetSetpriority(pid_t target_pid);
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetSetpriority(pid_t target_pid);
|
||||
|
||||
// Restrict |clk_id| for clock_getres(), clock_gettime() and clock_settime().
|
||||
// We allow accessing only CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID,
|
||||
|