15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Copyright (c) 2012 The Chromium Authors. All rights reserved. 25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be 35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// found in the LICENSE file. 45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 55821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <asm/unistd.h> 65821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <dlfcn.h> 75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <errno.h> 85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <fcntl.h> 95821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <linux/audit.h> 105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <linux/filter.h> 11868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles)#include <linux/net.h> 125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <signal.h> 135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <string.h> 142a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#include <sys/ioctl.h> 15a93a17c8d99d686bd4a1511e5504e5e6cc9fcadfTorne (Richard Coles)#include <sys/mman.h> 165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <sys/prctl.h> 172a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#include <sys/socket.h> 185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <sys/stat.h> 195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <sys/types.h> 205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <ucontext.h> 215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <unistd.h> 225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include 
<vector> 245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 2590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)#if defined(__arm__) && !defined(MAP_STACK) 2690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)#define MAP_STACK 0x20000 // Daisy build environment has old headers. 2790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)#endif 2890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 292a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#include "base/basictypes.h" 307d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)#include "base/bind.h" 317d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)#include "base/callback.h" 325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "base/command_line.h" 335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "base/logging.h" 34868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles)#include "build/build_config.h" 355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "content/common/sandbox_linux.h" 365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "content/common/sandbox_seccomp_bpf_linux.h" 375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "content/public/common/content_switches.h" 382a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)#include "sandbox/linux/services/broker_process.h" 395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// These are the only architectures supported for now. 
#if defined(__i386__) || defined(__x86_64__) || \
    (defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__)))
#define SECCOMP_BPF_SANDBOX
#endif

#if defined(SECCOMP_BPF_SANDBOX)
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/services/linux_syscalls.h"

using playground2::arch_seccomp_data;
using playground2::ErrorCode;
using playground2::Sandbox;
using sandbox::BrokerProcess;

namespace {

// Forward declaration; the definition lives later in this file, outside this
// excerpt. |broker_process| is the object handed to the policy's trap handlers
// as their "aux" pointer.
void StartSandboxWithPolicy(Sandbox::EvaluateSyscall syscall_policy,
                            BrokerProcess* broker_process);

// Build-configuration predicates. Each one folds a preprocessor symbol into a
// plain bool so that policy code can branch with ordinary if() statements
// instead of scattering #ifdefs; within any given build each is a constant.

// True in AddressSanitizer builds (ADDRESS_SANITIZER defined).
inline bool RunningOnASAN() {
#if defined(ADDRESS_SANITIZER)
  const bool asan_build = true;
#else
  const bool asan_build = false;
#endif
  return asan_build;
}

// True for Chrome OS builds (OS_CHROMEOS defined).
inline bool IsChromeOS() {
#if defined(OS_CHROMEOS)
  const bool chromeos_build = true;
#else
  const bool chromeos_build = false;
#endif
  return chromeos_build;
}

// True when compiling for x86-64.
inline bool IsArchitectureX86_64() {
#if defined(__x86_64__)
  const bool x86_64_target = true;
#else
  const bool x86_64_target = false;
#endif
  return x86_64_target;
}

// True when compiling for 32-bit x86.
inline bool IsArchitectureI386() {
#if defined(__i386__)
  const bool i386_target = true;
#else
  const bool i386_target = false;
#endif
  return i386_target;
}

// True when compiling for 32-bit ARM.
inline bool IsArchitectureArm() {
#if defined(__arm__)
  const bool arm_target = true;
#else
  const bool arm_target = false;
#endif
  return arm_target;
}

// True when the GTK toolkit is in use (TOOLKIT_GTK defined).
inline bool IsUsingToolKitGtk() {
#if defined(TOOLKIT_GTK)
  const bool gtk_toolkit = true;
#else
  const bool gtk_toolkit = false;
#endif
  return gtk_toolkit;
}

// Write |error_message| to stderr. Similar to RawLog(), but a bit more careful
// about async-signal safety: only write(2) is used, with no allocation or
// locking. |size| is the number of bytes to write and should typically not
// include a terminating \0.
void WriteToStdErr(const char* error_message, size_t size) {
  // Loop until everything is written or write() reports an error/short
  // count we cannot interpret. Nothing here allocates or takes locks, so the
  // function can be called from a SIGSYS handler. Note that write(2) itself
  // must be permitted by the active seccomp policy for this to work; if it
  // were trapped, the reporting path would trap again (hence the TODO).
  while (size > 0) {
    // TODO(jln): query the current policy to check if send() is available and
    // use it to perform a non blocking write.
    const int ret = HANDLE_EINTR(write(STDERR_FILENO, error_message, size));
    // We can't handle any type of error here. A return larger than |size| is
    // treated as an error too rather than being allowed to underflow |size|.
    if (ret <= 0 || static_cast<size_t>(ret) > size) break;
    size -= ret;
    error_message += ret;
  }
}

// Print a seccomp-bpf failure to handle |sysno| to stderr in an
// async-signal safe way. |sysno| is rendered as exactly four zero-padded
// decimal digits; values >= 1024 are reported as 0 so the rendering never
// overflows the fixed buffer.
void PrintSyscallError(uint32_t sysno) {
  if (sysno >= 1024)
    sysno = 0;
  // TODO(markus): replace with async-signal safe snprintf when available.
  const size_t kNumDigits = 4;
  // Not NUL-terminated: the exact length is passed to WriteToStdErr() below.
  char sysno_base10[kNumDigits];
  uint32_t rem = sysno;
  uint32_t mod = 0;
  // Fill from the least significant digit backwards; leading positions end up
  // as '0' because |rem| reaches zero.
  for (int i = kNumDigits - 1; i >= 0; i--) {
    mod = rem % 10;
    rem /= 10;
    sysno_base10[i] = '0' + mod;
  }
  static const char kSeccompErrorPrefix[] =
      __FILE__":**CRASHING**:seccomp-bpf failure in syscall ";
  static const char kSeccompErrorPostfix[] = "\n";
  // sizeof - 1 drops the terminating NUL of the string literals.
  WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1);
  WriteToStdErr(sysno_base10, sizeof(sysno_base10));
  WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1);
}

// Generic SIGSYS trap handler for syscalls the policy wants to treat as fatal.
// It reports the syscall number to stderr and then deliberately crashes the
// process by writing through an address that encodes the syscall number and
// the low byte of its first two arguments, so the information survives in a
// crash dump's faulting address. |aux| is unused. This function never
// returns; the intptr_t return type only satisfies the trap-handler signature.
intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
  uint32_t syscall = args.nr;
  // Clamp to < 1024 so the number fits in the low 12-bit field below (and in
  // PrintSyscallError()'s four digits).
  if (syscall >= 1024)
    syscall = 0;
  PrintSyscallError(syscall);

  // Encode 8-bits of the 1st two arguments too, so we can discern which socket
  // type, which fcntl, ... etc., without being likely to hit a mapped
  // address.
  // Layout of the resulting fault address: bits 0-11 = syscall number,
  // bits 12-19 = low byte of args[0], bits 20-27 = low byte of args[1];
  // the address therefore never exceeds 0x0FFFFFFF.
  // Do not encode more bits here without thinking about increasing the
  // likelihood of collision with mapped pages.
  syscall |= ((args.args[0] & 0xffUL) << 12);
  syscall |= ((args.args[1] & 0xffUL) << 20);
  // Purposefully dereference the syscall as an address so it'll show up very
  // clearly and easily in crash dumps.
  volatile char* addr = reinterpret_cast<volatile char*>(syscall);
  *addr = '\0';
  // In case we hit a mapped address, hit the null page with just the syscall,
  // for paranoia. The null page (< 4096) is normally unmapped, so this write
  // is expected to fault even if the first one did not.
  syscall &= 0xfffUL;
  addr = reinterpret_cast<volatile char*>(syscall);
  *addr = '\0';
  // Last resort if neither write faulted: terminate without returning to the
  // trapped syscall.
  for (;;)
    _exit(1);
}

// TODO(jln): rewrite reporting functions.
// SIGSYS handler for a disallowed clone(). Crashes with the clone flags
// encoded in the faulting address (24 bits on x86-64, where the address
// space allows it; 12 bits otherwise). |aux| is unused; never returns.
intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) {
  // "flags" in the first argument in the kernel's clone().
  // Mark as volatile to be able to find the value on the stack in a minidump.
#if !defined(NDEBUG)
  RAW_LOG(ERROR, __FILE__":**CRASHING**:clone() failure\n");
#endif
  volatile uint64_t clone_flags = args.args[0];
  volatile char* addr;
  if (IsArchitectureX86_64()) {
    addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);
    *addr = '\0';
  }
  // Hit the NULL page if this fails to fault.
  addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);
  *addr = '\0';
  for (;;)
    _exit(1);
}

// TODO(jln): rewrite reporting functions.
// SIGSYS handler for a disallowed prctl(). Crashes with the low 12 bits of
// the prctl option encoded in the faulting address. Never returns.
intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args,
                            void* /* aux */) {
  // Mark as volatile to be able to find the value on the stack in a minidump.
#if !defined(NDEBUG)
  RAW_LOG(ERROR, __FILE__":**CRASHING**:prctl() failure\n");
#endif
  volatile uint64_t option = args.args[0];
  volatile char* addr =
      reinterpret_cast<volatile char*>(option & 0xFFF);
  *addr = '\0';
  for (;;)
    _exit(1);
}

// SIGSYS handler for a disallowed ioctl(). Crashes with the low 16 bits of
// the ioctl request (second argument) encoded in the faulting address, then
// falls back to the null page. Never returns.
intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args,
                            void* /* aux */) {
  // Make "request" volatile so that we can see it on the stack in a minidump.
#if !defined(NDEBUG)
  RAW_LOG(ERROR, __FILE__":**CRASHING**:ioctl() failure\n");
#endif
  volatile uint64_t request = args.args[1];
  volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF);
  *addr = '\0';
  // Hit the NULL page if this fails.
  addr = reinterpret_cast<volatile char*>(request & 0xFFF);
  *addr = '\0';
  for (;;)
    _exit(1);
}

// Returns true if accelerated video decode is in effect for this process:
// only on Chrome OS, and only when --disable-accelerated-video-decode is not
// on the command line. Presumably consulted by the GPU policy to decide
// whether the corresponding device syscalls need to be allowed — confirm
// against the policy code below.
bool IsAcceleratedVideoDecodeEnabled() {
  // Accelerated video decode is currently enabled on Chrome OS,
  // but not on Linux: crbug.com/137247.
  bool is_enabled = IsChromeOS();

  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
  is_enabled = is_enabled &&
      !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode);

  return is_enabled;
}

// SIGSYS trap handler for the GPU process: forwards access()/open()/openat()
// to the broker process instead of performing them locally. |aux_broker_process|
// is the BrokerProcess* registered with the policy and must be non-NULL.
// Returns the broker's result, which is handed back to the caller as the
// syscall's return value (a negative errno on failure).
//
// Security notes:
//  - This runs inside the sandboxed process. The path argument is a raw
//    pointer into this process' memory; any allow-listing has to happen on
//    the copy the broker receives, not here (presumably in BrokerProcess —
//    confirm), since another thread could change the string under us.
//  - Only the trap handler decides which syscalls get here; anything else
//    is a policy bug, hence the RAW_CHECK in the default branch.
intptr_t GpuSIGSYS_Handler(const struct arch_seccomp_data& args,
                           void* aux_broker_process) {
  RAW_CHECK(aux_broker_process);
  BrokerProcess* broker_process =
      static_cast<BrokerProcess*>(aux_broker_process);
  switch (args.nr) {
    case __NR_access:
      return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
                                    static_cast<int>(args.args[1]));
    case __NR_open:
      return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
                                  static_cast<int>(args.args[1]));
    case __NR_openat:
      // Allow using openat() as open(). Only the AT_FDCWD form is accepted;
      // a real directory fd would make the path relative to something the
      // broker cannot see, so that form is rejected with EPERM.
      if (static_cast<int>(args.args[0]) == AT_FDCWD) {
        return
            broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
                                 static_cast<int>(args.args[2]));
      } else {
        return -EPERM;
      }
    default:
      // Unreachable unless the policy traps a syscall this handler does not
      // know about; the return only keeps the compiler happy.
      RAW_CHECK(false);
      return -ENOSYS;
  }
}

// The functions below cover all existing i386, x86_64, and ARM system calls;
// excluding syscalls made obsolete in ARM EABI.
// The implicitly defined sets form a partition of the sets of
// system calls: every syscall number belongs to exactly one predicate, so a
// policy can reason about the whole table by combining them.

// TODO(jln) we need to restrict the first parameter!
// Signal-sending syscalls. Note that the target pid is not inspected anywhere
// in this predicate: a policy that allows IsKill() lets the sandboxed process
// signal any pid it can name, not just itself, unless that policy adds an
// argument check on the first parameter.
bool IsKill(int sysno) {
  return sysno == __NR_kill || sysno == __NR_tkill || sysno == __NR_tgkill;
}

// Time-related syscalls that are safe to allow: the read-only clock queries.
// The privileged clock setters and the obsolete entry points are enumerated
// explicitly (and rejected) so that this file's partition of the syscall
// table stays complete; they return false like any other syscall.
bool IsAllowedGettime(int sysno) {
  switch (sysno) {
    case __NR_adjtimex:          // Privileged.
    case __NR_clock_adjtime:     // Privileged.
    case __NR_clock_getres:      // Could be allowed.
    case __NR_clock_nanosleep:   // Could be allowed.
    case __NR_clock_settime:     // Privileged.
#if defined(__i386__)
    case __NR_ftime:             // Obsolete.
#endif
    case __NR_settimeofday:      // Privileged.
#if defined(__i386__)
    case __NR_stime:
#endif
      return false;
    case __NR_clock_gettime:
    case __NR_gettimeofday:
#if defined(__i386__) || defined(__x86_64__)
    case __NR_time:
#endif
      return true;
    default:
      return false;
  }
}

// Working-directory syscalls: the query and both ways of changing it.
bool IsCurrentDirectory(int sysno) {
  const bool is_cwd_query = sysno == __NR_getcwd;
  const bool is_cwd_change = sysno == __NR_chdir || sysno == __NR_fchdir;
  return is_cwd_query || is_cwd_change;
}

// The file-creation mask syscall, umask(2).
bool IsUmask(int sysno)
{ 3165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) switch (sysno) { 3175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_umask: 3185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 3195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) default: 3205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 3215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 3225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 3235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// System calls that directly access the file system. They might acquire 3255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// a new file descriptor or otherwise perform an operation directly 3265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// via a path. 3275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Both EPERM and ENOENT are valid errno unless otherwise noted in comment. 3285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool IsFileSystem(int sysno) { 3295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) switch (sysno) { 3305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_access: // EPERM not a valid errno. 
3315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_chmod: 3325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_chown: 3335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) || defined(__arm__) 3345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_chown32: 3355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_creat: 3375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_execve: 3385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_faccessat: // EPERM not a valid errno. 3395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_fchmodat: 3405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_fchownat: // Should be called chownat ? 3415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__x86_64__) 3425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_newfstatat: // fstatat(). EPERM not a valid errno. 3435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#elif defined(__i386__) || defined(__arm__) 3445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_fstatat64: 3455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_futimesat: // Should be called utimesat ? 
3475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_lchown: 3485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) || defined(__arm__) 3495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_lchown32: 3505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_link: 3525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_linkat: 3535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_lookup_dcookie: // ENOENT not a valid errno. 3545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_lstat: // EPERM not a valid errno. 3555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) 3565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_oldlstat: 3575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) || defined(__arm__) 3595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_lstat64: 3605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_mkdir: 3625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_mkdirat: 3635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_mknod: 3645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_mknodat: 3655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_open: 3665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_openat: 3675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_readlink: // EPERM not a valid errno. 
3685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_readlinkat: 3695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_rename: 3705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_renameat: 3715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_rmdir: 3725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_stat: // EPERM not a valid errno. 3735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) 3745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_oldstat: 3755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) || defined(__arm__) 3775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_stat64: 3785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_statfs: // EPERM not a valid errno. 
3805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) || defined(__arm__) 3815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_statfs64: 3825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_symlink: 3845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_symlinkat: 3855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_truncate: 3865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) || defined(__arm__) 3875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_truncate64: 3885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_unlink: 3905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_unlinkat: 3915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_uselib: // Neither EPERM, nor ENOENT are valid errno. 3925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_ustat: // Same as above. Deprecated. 3935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) || defined(__x86_64__) 3945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_utime: 3955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 3965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_utimensat: // New. 
    case __NR_utimes:
      return true;
    default:
      return false;
  }
}

// Returns true when |sysno| (the raw system call number for the current
// architecture) is an fd-based file system call this policy lets through
// unchanged. Only fstat, plus fstat64 on the 32-bit ABIs, is allowed. Every
// other case listed below falls through to |default| and therefore returns
// false; keeping them as explicit labels means a later edit that moves one of
// them into the allowed group trips a duplicate-case compile error rather
// than silently widening the policy.
bool IsAllowedFileSystemAccessViaFd(int sysno) {
  switch (sysno) {
    case __NR_fstat:
#if defined(__i386__) || defined(__arm__)
    case __NR_fstat64:
#endif
      return true;
    // TODO(jln): these should be denied gracefully as well (moved below).
    // Not allowed: everything from here on reaches the |default| label.
#if defined(__i386__) || defined(__x86_64__)
    case __NR_fadvise64:  // EPERM not a valid errno.
#endif
#if defined(__i386__)
    case __NR_fadvise64_64:
#endif
#if defined(__arm__)
    case __NR_arm_fadvise64_64:
#endif
    case __NR_fdatasync:  // EPERM not a valid errno.
    case __NR_flock:  // EPERM not a valid errno.
    case __NR_fstatfs:  // Give information about the whole filesystem.
#if defined(__i386__) || defined(__arm__)
    case __NR_fstatfs64:
#endif
    case __NR_fsync:  // EPERM not a valid errno.
#if defined(__i386__)
    case __NR_oldfstat:
#endif
#if defined(__i386__) || defined(__x86_64__)
    case __NR_sync_file_range:  // EPERM not a valid errno.
#elif defined(__arm__)
    case __NR_arm_sync_file_range:  // EPERM not a valid errno.
#endif
    default:
      return false;
  }
}

// EPERM is a good errno for any of these.
// Returns true when |sysno| is an fd-based file system call the policy
// classifies as denied (the caller decides what to do with that
// classification; this predicate only names the group).
// NOTE(review): the getdents entries below say EPERM is *not* a valid errno,
// which contradicts the line above — confirm which errno the denial uses.
bool IsDeniedFileSystemAccessViaFd(int sysno) {
  switch (sysno) {
    case __NR_fallocate:
    case __NR_fchmod:
    case __NR_fchown:
    case __NR_ftruncate:
#if defined(__i386__) || defined(__arm__)
    case __NR_fchown32:
    case __NR_ftruncate64:
#endif
    case __NR_getdents:  // EPERM not a valid errno.
    case __NR_getdents64:  // EPERM not a valid errno.
#if defined(__i386__)
    case __NR_readdir:
#endif
      return true;
    default:
      return false;
  }
}

// Returns true when |sysno| only reads a process/thread identity value
// (pids, uids, gids, session id, capabilities via capget). The *32 variants
// exist only on the 32-bit ABIs (i386, arm).
bool IsGetSimpleId(int sysno) {
  switch (sysno) {
    case __NR_capget:
    case __NR_getegid:
    case __NR_geteuid:
    case __NR_getgid:
    case __NR_getgroups:
    case __NR_getpid:
    case __NR_getppid:
    case __NR_getresgid:
    case __NR_getsid:
    case __NR_gettid:
    case __NR_getuid:
    case __NR_getresuid:
#if defined(__i386__) || defined(__arm__)
    case __NR_getegid32:
    case __NR_geteuid32:
    case __NR_getgid32:
    case __NR_getgroups32:
    case __NR_getresgid32:
    case __NR_getresuid32:
    case __NR_getuid32:
#endif
      return true;
    default:
      return false;
  }
}

// Returns true when |sysno| changes the calling process's privilege state:
// capability set, uid/gid family (including the fs* and res* forms and the
// 32-bit *32 variants), and the x86-only I/O privilege calls ioperm/iopl.
// This is a classification of the group, not a verdict.
bool IsProcessPrivilegeChange(int sysno) {
  switch (sysno) {
    case __NR_capset:
#if defined(__i386__) || defined(__x86_64__)
    case __NR_ioperm:  // Intel privilege.
    case __NR_iopl:  // Intel privilege.
#endif
    case __NR_setfsgid:
    case __NR_setfsuid:
    case __NR_setgid:
    case __NR_setgroups:
    case __NR_setregid:
    case __NR_setresgid:
    case __NR_setresuid:
    case __NR_setreuid:
    case __NR_setuid:
#if defined(__i386__) || defined(__arm__)
    case __NR_setfsgid32:
    case __NR_setfsuid32:
    case __NR_setgid32:
    case __NR_setgroups32:
    case __NR_setregid32:
    case __NR_setresgid32:
    case __NR_setresuid32:
    case __NR_setreuid32:
    case __NR_setuid32:
#endif
      return true;
    default:
      return false;
  }
}

// Returns true when |sysno| reads or changes the process group or session
// (setpgid, getpgrp, setsid, getpgid). Same on every supported architecture.
bool IsProcessGroupOrSession(int sysno) {
  switch (sysno) {
    case __NR_setpgid:
    case __NR_getpgrp:
    case __NR_setsid:
    case __NR_getpgid:
      return true;
    default:
      return false;
  }
}

// Returns true when |sysno| is one of the signal calls the policy allows:
// installing handlers, changing the mask and returning from a handler
// (rt_sigaction, rt_sigprocmask, rt_sigreturn, plus the legacy non-rt forms
// on i386/arm). The remaining signal calls are listed so the refusal is
// explicit; they all fall through to |default| and return false.
bool IsAllowedSignalHandling(int sysno) {
  switch (sysno) {
    case __NR_rt_sigaction:
    case __NR_rt_sigprocmask:
    case __NR_rt_sigreturn:
#if defined(__i386__) || defined(__arm__)
    case __NR_sigaction:
    case __NR_sigprocmask:
    case __NR_sigreturn:
#endif
      return true;
    // Not allowed: everything from here on reaches the |default| label.
    case __NR_rt_sigpending:
    case __NR_rt_sigqueueinfo:
    case __NR_rt_sigsuspend:
    case __NR_rt_sigtimedwait:
    case __NR_rt_tgsigqueueinfo:
    case __NR_sigaltstack:
    case __NR_signalfd:
    case __NR_signalfd4:
#if defined(__i386__) || defined(__arm__)
    case __NR_sigpending:
    case __NR_sigsuspend:
#endif
#if defined(__i386__)
    case __NR_signal:
    case __NR_sgetmask:  // Obsolete.
    case __NR_ssetmask:
#endif
    default:
      return false;
  }
}

// Returns true when |sysno| is a plain descriptor-table operation the policy
// allows (close, dup, dup2, dup3; shutdown on x86_64/arm, where it is a
// separate system call). fcntl and the 32-bit fcntl64 are listed but fall
// through to |default|, so they are not allowed by this predicate.
bool IsAllowedOperationOnFd(int sysno) {
  switch (sysno) {
    case __NR_close:
    case __NR_dup:
    case __NR_dup2:
    case __NR_dup3:
#if defined(__x86_64__) || defined(__arm__)
    case __NR_shutdown:
#endif
      return true;
    // Not allowed: fcntl reaches the |default| label.
    case __NR_fcntl:
#if defined(__i386__) || defined(__arm__)
    case __NR_fcntl64:
#endif
    default:
      return false;
  }
}

// Returns true when |sysno| is a call the kernel itself issues on the
// process's behalf rather than something application code calls directly:
// restart_syscall, and on arm the __ARM_NR_cmpxchg helper.
bool IsKernelInternalApi(int sysno) {
  switch (sysno) {
    case __NR_restart_syscall:
#if defined(__arm__)
    case __ARM_NR_cmpxchg:
#endif
      return true;
    default:
      return false;
  }
}

// This should be thought through in conjunction with IsFutex().
// Returns true when |sysno| is one of the process/thread lifecycle calls the
// policy allows: clone, exit, exit_group, wait4, waitid (and waitpid on
// i386). The calls listed after the allowed group fall through to |default|
// and return false. Note that this predicate only sees the system call
// number, so until the TODO on clone is addressed it cannot distinguish a
// thread creation from a fork-like or namespace-creating clone.
bool IsAllowedProcessStartOrDeath(int sysno) {
  switch (sysno) {
    case __NR_clone:  // TODO(jln): restrict flags.
    case __NR_exit:
    case __NR_exit_group:
    case __NR_wait4:
    case __NR_waitid:
#if defined(__i386__)
    case __NR_waitpid:
#endif
      return true;
    // Not allowed: everything from here on reaches the |default| label.
    case __NR_setns:  // Privileged.
    case __NR_fork:
#if defined(__i386__) || defined(__x86_64__)
    case __NR_get_thread_area:
    case __NR_set_thread_area:
#endif
    case __NR_set_tid_address:
    case __NR_unshare:
    case __NR_vfork:
    default:
      return false;
  }
}

// It's difficult to restrict those, but there is attack surface here.
6285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool IsFutex(int sysno) { 6295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) switch (sysno) { 6305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_futex: 6315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_get_robust_list: 6325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_set_robust_list: 6335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 6345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) default: 6355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 6365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 6375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 6385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool IsAllowedEpoll(int sysno) { 6405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) switch (sysno) { 6415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_epoll_create: 6425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_epoll_create1: 6435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_epoll_ctl: 6445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_epoll_wait: 6455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 6465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) default: 6475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__x86_64__) 6485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_epoll_ctl_old: 6495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 6505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_epoll_pwait: 6515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__x86_64__) 
6525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_epoll_wait_old: 6535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 6545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 6555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 6565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 6575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool IsAllowedGetOrModifySocket(int sysno) { 6595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) switch (sysno) { 6605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_pipe: 6615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_pipe2: 6622a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) return true; 6632a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) default: 6645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__x86_64__) || defined(__arm__) 6655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_socketpair: // We will want to inspect its argument. 
6665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 6675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 6685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 6695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 6705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool IsDeniedGetOrModifySocket(int sysno) { 6725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) switch (sysno) { 6735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__x86_64__) || defined(__arm__) 6745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_accept: 6755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_accept4: 6765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_bind: 6775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_connect: 6785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_socket: 6795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_listen: 6805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 6815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 6825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) default: 6835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 6845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 6855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 6865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) 6885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Big multiplexing system call for sockets. 
6895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool IsSocketCall(int sysno) { 6905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) switch (sysno) { 6915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_socketcall: 6925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 6935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) default: 6945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 6955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 6965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 6975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 6985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__x86_64__) || defined(__arm__) 7005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool IsNetworkSocketInformation(int sysno) { 7015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) switch (sysno) { 7025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_getpeername: 7035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_getsockname: 7045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_getsockopt: 7055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_setsockopt: 7065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 7075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) default: 7085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 7095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 7105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 7115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 7125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 7135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool 
IsAllowedAddressSpaceAccess(int sysno) { 7145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) switch (sysno) { 7155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_brk: 7165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_mlock: 7175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_munlock: 7185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_munmap: 7195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 720a93a17c8d99d686bd4a1511e5504e5e6cc9fcadfTorne (Richard Coles) case __NR_madvise: 7215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_mincore: 7225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_mlockall: 7235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(__i386__) || defined(__x86_64__) 72490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) case __NR_mmap: 72590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)#endif 72690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)#if defined(__i386__) || defined(__arm__) 72790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) case __NR_mmap2: 72890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)#endif 72990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)#if defined(__i386__) || defined(__x86_64__) 7305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_modify_ldt: 7315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 73290dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) case __NR_mprotect: 7335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_mremap: 7345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_msync: 7355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_munlockall: 7365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) case __NR_readahead: 
    case __NR_remap_file_pages:
#if defined(__i386__)
    case __NR_vm86:
    case __NR_vm86old:
#endif
    default:
      return false;
  }
}

// Plain read/write/poll style I/O on descriptors the process already holds.
// Returns true only for the calls listed in kAllowedIoCalls; the calls named
// in the comment below are explicitly enumerated as not allowed.
bool IsAllowedGeneralIo(int sysno) {
  static const int kAllowedIoCalls[] = {
    __NR_lseek,
#if defined(__i386__) || defined(__arm__)
    __NR__llseek,
#endif
    __NR_poll,
    __NR_ppoll,
    __NR_pselect6,
    __NR_read,
    __NR_readv,
#if defined(__arm__)
    __NR_recv,
#endif
#if defined(__x86_64__) || defined(__arm__)
    __NR_recvfrom,  // Could specify source.
    __NR_recvmsg,   // Could specify source.
#endif
#if defined(__i386__) || defined(__x86_64__)
    __NR_select,
#endif
#if defined(__i386__) || defined(__arm__)
    __NR__newselect,
#endif
#if defined(__arm__)
    __NR_send,
#endif
#if defined(__x86_64__) || defined(__arm__)
    __NR_sendmsg,  // Could specify destination.
    __NR_sendto,   // Could specify destination.
#endif
    __NR_write,
    __NR_writev,
  };
  // Explicitly listed as not allowed: ioctl (can be very powerful), pread64,
  // preadv, pwrite64, pwritev, recvmmsg (could specify source), sendfile,
  // sendfile64 (i386/ARM), sendmmsg (could specify destination), splice,
  // tee, vmsplice.
  for (int call : kAllowedIoCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// Only prctl() itself is allowed. arch_prctl (x86-64) is explicitly not.
bool IsAllowedPrctl(int sysno) {
  // __NR_arch_prctl is enumerated in the policy as not allowed on x86-64.
  return sysno == __NR_prctl;
}

// Yielding and sleeping only. Priority changes (getpriority, setpriority,
// and nice on i386/ARM) are explicitly enumerated as not allowed.
bool IsAllowedBasicScheduler(int sysno) {
  return sysno == __NR_sched_yield ||
         sysno == __NR_pause ||
         sysno == __NR_nanosleep;
}

// Machine-wide administrative operations (reboot, kexec, host naming, syslog).
bool IsAdminOperation(int sysno) {
  static const int kAdminCalls[] = {
#if defined(__i386__) || defined(__arm__)
    __NR_bdflush,
#endif
    __NR_kexec_load,
    __NR_reboot,
    __NR_setdomainname,
    __NR_sethostname,
    __NR_syslog,
  };
  for (int call : kAdminCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// Kernel module loading / unloading and the legacy module query calls.
bool IsKernelModule(int sysno) {
  static const int kModuleCalls[] = {
#if defined(__i386__) || defined(__x86_64__)
    __NR_create_module,
    __NR_get_kernel_syms,  // Should ENOSYS.
    __NR_query_module,
#endif
    __NR_delete_module,
    __NR_init_module,
  };
  for (int call : kModuleCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// Calls that change or flush the process-global filesystem view.
bool IsGlobalFSViewChange(int sysno) {
  return sysno == __NR_pivot_root ||
         sysno == __NR_chroot ||
         sysno == __NR_sync;
}

// Mounting, quota, swap and NFS control.
bool IsFsControl(int sysno) {
  static const int kFsControlCalls[] = {
    __NR_mount,
    __NR_nfsservctl,
    __NR_quotactl,
    __NR_swapoff,
    __NR_swapon,
#if defined(__i386__)
    __NR_umount,
#endif
    __NR_umount2,
  };
  for (int call : kFsControlCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// NUMA memory-policy and page-migration calls.
bool IsNuma(int sysno) {
  static const int kNumaCalls[] = {
    __NR_get_mempolicy,
    __NR_getcpu,
    __NR_mbind,
#if defined(__i386__) || defined(__x86_64__)
    __NR_migrate_pages,
#endif
    __NR_move_pages,
    __NR_set_mempolicy,
  };
  for (int call : kNumaCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// POSIX message queues (mq_*).
bool IsMessageQueue(int sysno) {
  static const int kMqCalls[] = {
    __NR_mq_getsetattr,
    __NR_mq_notify,
    __NR_mq_open,
    __NR_mq_timedreceive,
    __NR_mq_timedsend,
    __NR_mq_unlink,
  };
  for (int call : kMqCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// Resource limits, accounting, personality and process times.
bool IsGlobalProcessEnvironment(int sysno) {
  static const int kProcessEnvCalls[] = {
    __NR_acct,  // Privileged.
#if defined(__i386__) || defined(__x86_64__)
    __NR_getrlimit,
#endif
#if defined(__i386__) || defined(__arm__)
    __NR_ugetrlimit,
#endif
#if defined(__i386__)
    __NR_ulimit,
#endif
    __NR_getrusage,
    __NR_personality,  // Can change its personality as well.
    __NR_prlimit64,    // Like setrlimit / getrlimit.
    __NR_setrlimit,
    __NR_times,
  };
  for (int call : kProcessEnvCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// Debugging and cross-process memory access.
bool IsDebug(int sysno) {
  static const int kDebugCalls[] = {
    __NR_ptrace,
    __NR_process_vm_readv,
    __NR_process_vm_writev,
#if defined(__i386__) || defined(__x86_64__)
    __NR_kcmp,
#endif
  };
  for (int call : kDebugCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// Calls that expose global system information.
bool IsGlobalSystemStatus(int sysno) {
  static const int kSystemStatusCalls[] = {
    __NR__sysctl,
    __NR_sysfs,
    __NR_sysinfo,
    __NR_uname,
#if defined(__i386__)
    __NR_olduname,
    __NR_oldolduname,
#endif
  };
  for (int call : kSystemStatusCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// eventfd creation.
bool IsEventFd(int sysno) {
  return sysno == __NR_eventfd || sysno == __NR_eventfd2;
}

// Asynchronous I/O API.
bool IsAsyncIo(int sysno) {
  static const int kAioCalls[] = {
    __NR_io_cancel,
    __NR_io_destroy,
    __NR_io_getevents,
    __NR_io_setup,
    __NR_io_submit,
  };
  for (int call : kAioCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// Kernel keyring management.
bool IsKeyManagement(int sysno) {
  return sysno == __NR_add_key ||
         sysno == __NR_keyctl ||
         sysno == __NR_request_key;
}

#if defined(__x86_64__) || defined(__arm__)
// System V semaphores.
bool IsSystemVSemaphores(int sysno) {
  return sysno == __NR_semctl ||
         sysno == __NR_semget ||
         sysno == __NR_semop ||
         sysno == __NR_semtimedop;
}
#endif

#if defined(__x86_64__) || defined(__arm__)
// These give a lot of ambient authority and bypass the setuid sandbox.
bool IsSystemVSharedMemory(int sysno) {
  return sysno == __NR_shmat ||
         sysno == __NR_shmctl ||
         sysno == __NR_shmdt ||
         sysno == __NR_shmget;
}
#endif

#if defined(__x86_64__) || defined(__arm__)
// System V message queues.
bool IsSystemVMessageQueue(int sysno) {
  return sysno == __NR_msgctl ||
         sysno == __NR_msgget ||
         sysno == __NR_msgrcv ||
         sysno == __NR_msgsnd;
}
#endif

#if defined(__i386__)
// Big system V multiplexing system call.
bool IsSystemVIpc(int sysno) {
  return sysno == __NR_ipc;
}
#endif

// Any System V IPC call, regardless of how the architecture exposes it
// (separate syscalls on x86-64/ARM, the single ipc() multiplexer on i386).
bool IsAnySystemV(int sysno) {
#if defined(__x86_64__) || defined(__arm__)
  if (IsSystemVMessageQueue(sysno))
    return true;
  if (IsSystemVSemaphores(sysno))
    return true;
  return IsSystemVSharedMemory(sysno);
#elif defined(__i386__)
  return IsSystemVIpc(sysno);
#endif
}

// Scheduling policy, affinity and I/O priority control.
bool IsAdvancedScheduler(int sysno) {
  static const int kSchedulerCalls[] = {
    __NR_ioprio_get,  // IO scheduler.
    __NR_ioprio_set,
    __NR_sched_get_priority_max,
    __NR_sched_get_priority_min,
    __NR_sched_getaffinity,
    __NR_sched_getparam,
    __NR_sched_getscheduler,
    __NR_sched_rr_get_interval,
    __NR_sched_setaffinity,
    __NR_sched_setparam,
    __NR_sched_setscheduler,
  };
  for (int call : kSchedulerCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// inotify filesystem event monitoring.
bool IsInotify(int sysno) {
  return sysno == __NR_inotify_add_watch ||
         sysno == __NR_inotify_init ||
         sysno == __NR_inotify_init1 ||
         sysno == __NR_inotify_rm_watch;
}

// fanotify filesystem event monitoring.
bool IsFaNotify(int sysno) {
  return sysno == __NR_fanotify_init || sysno == __NR_fanotify_mark;
}

// Interval timers (and alarm() on x86).
bool IsTimer(int sysno) {
  static const int kTimerCalls[] = {
    __NR_getitimer,
#if defined(__i386__) || defined(__x86_64__)
    __NR_alarm,
#endif
    __NR_setitimer,
  };
  for (int call : kTimerCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// POSIX per-process timers and timerfd.
bool IsAdvancedTimer(int sysno) {
  static const int kAdvancedTimerCalls[] = {
    __NR_timer_create,
    __NR_timer_delete,
    __NR_timer_getoverrun,
    __NR_timer_gettime,
    __NR_timer_settime,
    __NR_timerfd_create,
    __NR_timerfd_gettime,
    __NR_timerfd_settime,
  };
  for (int call : kAdvancedTimerCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// Extended attribute (xattr) get/set/list/remove, by fd, path and link.
bool IsExtendedAttributes(int sysno) {
  static const int kXattrCalls[] = {
    __NR_fgetxattr,
    __NR_flistxattr,
    __NR_fremovexattr,
    __NR_fsetxattr,
    __NR_getxattr,
    __NR_lgetxattr,
    __NR_listxattr,
    __NR_llistxattr,
    __NR_lremovexattr,
    __NR_lsetxattr,
    __NR_removexattr,
    __NR_setxattr,
  };
  for (int call : kXattrCalls) {
    if (call == sysno)
      return true;
  }
  return false;
}

// Various system calls that need to be researched.
// TODO(jln): classify this better.
bool IsMisc(int sysno) {
  // Implemented system calls that have not been classified yet.
  if (sysno == __NR_name_to_handle_at || sysno == __NR_open_by_handle_at ||
      sysno == __NR_perf_event_open || sysno == __NR_syncfs ||
      sysno == __NR_vhangup) {
    return true;
  }

  // The system calls below are not implemented.
  if (sysno == __NR_vserver)
    return true;
#if defined(__i386__) || defined(__x86_64__)
  if (sysno == __NR_afs_syscall || sysno == __NR_getpmsg ||
      sysno == __NR_putpmsg) {
    return true;
  }
#endif
#if defined(__i386__)
  if (sysno == __NR_break || sysno == __NR_gtty || sysno == __NR_idle ||
      sysno == __NR_lock || sysno == __NR_mpx || sysno == __NR_prof ||
      sysno == __NR_profil || sysno == __NR_stty) {
    return true;
  }
#endif
#if defined(__x86_64__)
  if (sysno == __NR_security || sysno == __NR_tuxcall)
    return true;
#endif
  return false;
}

#if defined(__arm__)
// PCI configuration-space access (pciconfig_*), ARM only. Part of the
// watched set: IsBaselinePolicyWatched routes it to the crashing SIGSYS
// handler.
bool IsArmPciConfig(int sysno) {
  return sysno == __NR_pciconfig_iobase || sysno == __NR_pciconfig_read ||
         sysno == __NR_pciconfig_write;
}

// ARM-private system calls (__ARM_NR_*). Allowed by IsBaselinePolicyAllowed.
bool IsArmPrivate(int sysno) {
  return sysno == __ARM_NR_breakpoint || sysno == __ARM_NR_cacheflush ||
         sysno == __ARM_NR_set_tls || sysno == __ARM_NR_usr26 ||
         sysno == __ARM_NR_usr32;
}
#endif  // defined(__arm__)

// End of the system call sets section.
// System calls the baseline policy allows without inspecting arguments.
// Every policy in this file that falls back to BaselinePolicy inherits this
// allow-list, so a new entry here widens the attack surface of all of them.
bool IsBaselinePolicyAllowed(int sysno) {
  if (IsAllowedAddressSpaceAccess(sysno) ||
      IsAllowedBasicScheduler(sysno) ||
      IsAllowedEpoll(sysno) ||
      IsAllowedFileSystemAccessViaFd(sysno) ||
      IsAllowedGeneralIo(sysno) ||
      IsAllowedGetOrModifySocket(sysno) ||
      IsAllowedGettime(sysno) ||
      IsAllowedPrctl(sysno) ||
      IsAllowedProcessStartOrDeath(sysno) ||
      IsAllowedSignalHandling(sysno) ||
      IsFutex(sysno) ||
      IsGetSimpleId(sysno) ||
      IsKernelInternalApi(sysno) ||
#if defined(__arm__)
      IsArmPrivate(sysno) ||
#endif
      IsKill(sysno) ||
      IsAllowedOperationOnFd(sysno)) {
    return true;
  } else {
    return false;
  }
}

// System calls that will trigger the crashing SIGSYS handler.
// BaselinePolicy traps anything it does not otherwise match, so this set is
// documentary: it names the families that have been looked at and
// deliberately left crashing, as opposed to never-seen system calls.
bool IsBaselinePolicyWatched(int sysno) {
  if (IsAdminOperation(sysno) ||
      IsAdvancedScheduler(sysno) ||
      IsAdvancedTimer(sysno) ||
      IsAsyncIo(sysno) ||
      IsDebug(sysno) ||
      IsEventFd(sysno) ||
      IsExtendedAttributes(sysno) ||
      IsFaNotify(sysno) ||
      IsFsControl(sysno) ||
      IsGlobalFSViewChange(sysno) ||
      IsGlobalProcessEnvironment(sysno) ||
      IsGlobalSystemStatus(sysno) ||
      IsInotify(sysno) ||
      IsKernelModule(sysno) ||
      IsKeyManagement(sysno) ||
      IsMessageQueue(sysno) ||
      IsMisc(sysno) ||
#if defined(__x86_64__)
      IsNetworkSocketInformation(sysno) ||
#endif
      IsNuma(sysno) ||
      IsProcessGroupOrSession(sysno) ||
      IsProcessPrivilegeChange(sysno) ||
#if defined(__i386__)
      IsSocketCall(sysno) ||  // We'll need to handle this properly to build
                              // a x86_32 policy.
#endif
#if defined(__arm__)
      IsArmPciConfig(sysno) ||
#endif
      IsTimer(sysno)) {
    return true;
  } else {
    return false;
  }
}

// Argument filter for mmap(2)/mmap2(2): inspects argument 3 (|flags|) and
// crashes the process via the SIGSYS handler if any bit outside the allowed
// set is present; otherwise the call is allowed. BaselinePolicy applies it
// to both __NR_mmap and __NR_mmap2.
ErrorCode RestrictMmapFlags(Sandbox* sandbox) {
  // The flags you see are actually the allowed ones, and the variable is a
  // "denied" mask because of the negation operator.
  // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
  // MAP_POPULATE.
  // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries.
  uint32_t denied_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
                           MAP_STACK | MAP_NORESERVE | MAP_FIXED |
                           MAP_DENYWRITE);
  // |flags| is an int on every supported ABI, so a 32-bit mask covers it.
  return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                       denied_mask,
                       sandbox->Trap(CrashSIGSYS_Handler, NULL),
                       ErrorCode(ErrorCode::ERR_ALLOWED));
}

// Argument filter for mprotect(2): inspects argument 2 (|prot|) and crashes
// the process via the SIGSYS handler if any bit other than
// PROT_READ/PROT_WRITE/PROT_EXEC is set; otherwise the call is allowed.
ErrorCode RestrictMprotectFlags(Sandbox* sandbox) {
  // The flags you see are actually the allowed ones, and the variable is a
  // "denied" mask because of the negation operator.
  // Significantly, we don't permit weird undocumented flags such as
  // PROT_GROWSDOWN.
  uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC);
  return sandbox->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                       denied_mask,
                       sandbox->Trap(CrashSIGSYS_Handler, NULL),
                       ErrorCode(ErrorCode::ERR_ALLOWED));
}

// Argument filter for fcntl(2)/fcntl64(2): inspects argument 1 (|cmd|).
// A fixed set of commands is allowed; F_SETFL additionally has its argument 2
// (the new file status flags) checked against a denied mask. Any other
// command, or a denied F_SETFL flag, crashes the process via the SIGSYS
// handler. BaselinePolicy applies it to both __NR_fcntl and __NR_fcntl64.
ErrorCode RestrictFcntlCommands(Sandbox* sandbox) {
  // We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
  // F_SETLK, F_SETLKW and F_GETLK.
  // We also restrict the flags in F_SETFL. We don't want to permit flags with
  // a history of trouble such as O_DIRECT. The flags you see are actually the
  // allowed ones, and the variable is a "denied" mask because of the negation
  // operator.
  // Glibc overrides the kernel's O_LARGEFILE value. Account for this.
  // (Despite the k prefix this is not a constant: it is patched below to the
  // kernel's x86 value because the seccomp filter sees the raw argument, not
  // glibc's view of it.)
  int kOLargeFileFlag = O_LARGEFILE;
  if (IsArchitectureX86_64() || IsArchitectureI386())
    kOLargeFileFlag = 0100000;

  // The F_SETFL argument is a long, so the mask is checked at the native
  // long width rather than as TP_32BIT like the command itself.
  // TODO(jln): add TP_LONG/TP_SIZET types.
  ErrorCode::ArgType mask_long_type;
  if (sizeof(long) == 8)
    mask_long_type = ErrorCode::TP_64BIT;
  else if (sizeof(long) == 4)
    mask_long_type = ErrorCode::TP_32BIT;
  else
    NOTREACHED();

  // The negation happens on int, so on LP64 the sign extension into
  // unsigned long also denies every bit of the upper 32 bits.
  unsigned long denied_mask = ~(O_ACCMODE | O_APPEND | O_NONBLOCK | O_SYNC |
                                kOLargeFileFlag | O_CLOEXEC | O_NOATIME);
  // Each Cond tests |cmd| for one allowed value; its "failed" branch is the
  // next Cond, and the innermost failed branch is the crashing trap.
  return sandbox->Cond(1, ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL, F_GETFL,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(1, ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL, F_SETFL,
                       sandbox->Cond(2, mask_long_type,
                                     ErrorCode::OP_HAS_ANY_BITS, denied_mask,
                                     sandbox->Trap(CrashSIGSYS_Handler, NULL),
                                     ErrorCode(ErrorCode::ERR_ALLOWED)),
         sandbox->Cond(1, ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL, F_GETFD,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(1, ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL, F_SETFD,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(1, ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL, F_DUPFD,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(1, ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL, F_SETLK,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(1, ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL, F_SETLKW,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(1, ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL, F_GETLK,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(1, ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Trap(CrashSIGSYS_Handler, NULL))))))))));
}

#if defined(__i386__)
// Argument filter for socketcall(2) on i386: inspects argument 0 (the
// multiplexed |call| number). The listed calls are allowed; every other
// call, including SYS_SOCKET, is refused with EPERM rather than a crash.
ErrorCode RestrictSocketcallCommand(Sandbox* sandbox) {
  // Allow the same individual syscalls as we do on ARM or x86_64.
  // The main difference is that we're unable to restrict the first parameter
  // to socketpair(2). Whilst initially sounding bad, it's noteworthy that very
  // few protocols actually support socketpair(2). The scary call that we're
  // worried about, socket(2), remains blocked.
  return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       SYS_SEND, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       SYS_RECV, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       SYS_SENDTO, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       SYS_RECVFROM, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       SYS_SHUTDOWN, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       SYS_SENDMSG, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       SYS_RECVMSG, ErrorCode(ErrorCode::ERR_ALLOWED),
         ErrorCode(EPERM)))))))));
}
#endif

// The policy every process-specific policy in this file falls back to.
// Evaluation order matters and is, in this sequence: the unconditional
// allow-list, argument-inspected system calls (socketpair, madvise, mmap,
// mprotect, fcntl, socketcall), families refused gracefully with EPERM, and
// finally the crashing SIGSYS trap for everything else. A system call that
// matches an earlier step never reaches a later one.
ErrorCode BaselinePolicy(Sandbox* sandbox, int sysno) {
  if (IsBaselinePolicyAllowed(sysno)) {
    return ErrorCode(ErrorCode::ERR_ALLOWED);
  }

#if defined(__x86_64__) || defined(__arm__)
  if (sysno == __NR_socketpair) {
    // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
    // Argument 0 is |domain|.
    COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
                         ErrorCode(ErrorCode::ERR_ALLOWED),
                         sandbox->Trap(CrashSIGSYS_Handler, NULL));
  }
#endif

  if (sysno == __NR_madvise) {
    // Only allow MADV_DONTNEED in argument 2 (|advice|); any other value is
    // refused with EPERM rather than a crash. (MADV_FREE, where the headers
    // define it, is a distinct value and is NOT matched by this check.)
    return sandbox->Cond(2, ErrorCode::TP_32BIT,
                         ErrorCode::OP_EQUAL, MADV_DONTNEED,
                         ErrorCode(ErrorCode::ERR_ALLOWED),
                         ErrorCode(EPERM));
  }

#if defined(__i386__) || defined(__x86_64__)
  if (sysno == __NR_mmap)
    return RestrictMmapFlags(sandbox);
#endif

#if defined(__i386__) || defined(__arm__)
  if (sysno == __NR_mmap2)
    return RestrictMmapFlags(sandbox);
#endif

  if (sysno == __NR_mprotect)
    return RestrictMprotectFlags(sandbox);

  if (sysno == __NR_fcntl)
    return RestrictFcntlCommands(sandbox);

#if defined(__i386__) || defined(__arm__)
  if (sysno == __NR_fcntl64)
    return RestrictFcntlCommands(sandbox);
#endif

  // Families denied gracefully: the caller gets EPERM instead of a crash.
  if (IsFileSystem(sysno) || IsCurrentDirectory(sysno)) {
    return ErrorCode(EPERM);
  }

  if (IsAnySystemV(sysno)) {
    return ErrorCode(EPERM);
  }

  if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) ||
      IsDeniedGetOrModifySocket(sysno)) {
    return ErrorCode(EPERM);
  }

#if defined(__i386__)
  if (IsSocketCall(sysno))
    return RestrictSocketcallCommand(sandbox);
#endif

  // Both remaining branches install the same crashing trap; the watched set
  // is kept separate only to distinguish reviewed families from unknown ones.
  if (IsBaselinePolicyWatched(sysno)) {
    // Previously unseen syscalls. TODO(jln): some of these should
    // be denied gracefully right away.
    return sandbox->Trap(CrashSIGSYS_Handler, NULL);
  }
  // In any other case crash the program with our SIGSYS handler.
  return sandbox->Trap(CrashSIGSYS_Handler, NULL);
}

// The BaselinePolicy only takes two arguments. BaselinePolicyWithAux
// allows us to conform to the BPF compiler's policy type.
// |aux| must be NULL; BaselinePolicy has no use for it.
ErrorCode BaselinePolicyWithAux(Sandbox* sandbox, int sysno, void* aux) {
  CHECK(!aux);
  return BaselinePolicy(sandbox, sysno);
}

// Main policy for x86_64/i386. Extended by ArmGpuProcessPolicy.
ErrorCode GpuProcessPolicy(Sandbox* sandbox, int sysno,
                           void* broker_process) {
  // System calls the GPU process gets without any argument check. Note that
  // mmap and mprotect are allowed here in full, i.e. without the flag
  // restrictions the baseline policy would apply: the Nvidia driver uses
  // mmap flags not in the baseline policy (MAP_LOCKED | MAP_EXECUTABLE |
  // MAP_32BIT), and mprotect was also hit on the linux_chromeos bot with
  // flags that have not been identified yet.
  const bool allowed_outright =
      sysno == __NR_ioctl ||
#if defined(__i386__) || defined(__x86_64__)
      sysno == __NR_mmap ||
#endif
      sysno == __NR_mprotect ||
      sysno == __NR_sched_getaffinity ||
      sysno == __NR_sched_setaffinity ||
      sysno == __NR_setpriority;
  if (allowed_outright)
    return ErrorCode(ErrorCode::ERR_ALLOWED);

  // Path-based file access is trapped to GpuSIGSYS_Handler, which receives
  // |broker_process| as its aux argument (presumably to proxy the request
  // through the broker; see the handler).
  const bool is_path_open = sysno == __NR_access || sysno == __NR_open ||
                            sysno == __NR_openat;
  if (is_path_open)
    return sandbox->Trap(GpuSIGSYS_Handler, broker_process);

  if (IsEventFd(sysno))
    return ErrorCode(ErrorCode::ERR_ALLOWED);

  // Default on the baseline policy.
  return BaselinePolicy(sandbox, sysno);
}

// x86_64/i386.
// A GPU broker policy is the same as a GPU policy with open and
// openat allowed.
// Policy for the (x86) GPU broker process: GpuProcessPolicy plus
// unconditional access/open/openat. The broker is the process that
// performs opens on behalf of the sandboxed GPU process (see
// InitGpuBrokerProcess), so the path whitelist is expected to be enforced
// inside BrokerProcess itself, not by this BPF filter.
ErrorCode GpuBrokerProcessPolicy(Sandbox* sandbox, int sysno, void* aux) {
  // |aux| is whatever StartSandboxWithPolicy was given; from
  // EnableGpuBrokerPolicyCallback that is NULL. Because the path-opening
  // syscalls are answered here, GpuProcessPolicy's open/openat trap (which
  // needs a real BrokerProcess in |aux|) is never reached for them.
  const bool opens_path =
      sysno == __NR_access || sysno == __NR_open || sysno == __NR_openat;
  if (opens_path)
    return ErrorCode(ErrorCode::ERR_ALLOWED);
  return GpuProcessPolicy(sandbox, sysno, aux);
}

// Generic ARM GPU process sandbox, inheriting from GpuProcessPolicy.
ErrorCode ArmGpuProcessPolicy(Sandbox* sandbox, int sysno,
                              void* broker_process) {
#if defined(__arm__)
  // The ARM GPU sandbox is engaged earlier than on x86 (before the X
  // connection exists, per AddArmGpuWhitelist), so the networking syscalls
  // it still needs have to stay available inside the sandbox.
  const bool early_networking_syscall =
      sysno == __NR_connect || sysno == __NR_getpeername ||
      sysno == __NR_getsockname || sysno == __NR_sysinfo ||
      sysno == __NR_uname;
  if (early_networking_syscall)
    return ErrorCode(ErrorCode::ERR_ALLOWED);

  // socket()/socketpair(): only |domain| (arg 0, compared as 32-bit) is
  // inspected and it must be AF_UNIX; |type| and |protocol| are not
  // filtered. Any other domain gets EPERM rather than a crash.
  if (sysno == __NR_socket || sysno == __NR_socketpair) {
    return sandbox->Cond(0, ErrorCode::TP_32BIT,
                         ErrorCode::OP_EQUAL, AF_UNIX,
                         ErrorCode(ErrorCode::ERR_ALLOWED),
                         ErrorCode(EPERM));
  }
#endif  // defined(__arm__)

  if (IsAdvancedScheduler(sysno))
    return ErrorCode(ErrorCode::ERR_ALLOWED);

  // Default to the generic GPU policy.
  return GpuProcessPolicy(sandbox, sysno, broker_process);
}

// Same as above but with shmat allowed, inheriting from GpuProcessPolicy.
ErrorCode ArmGpuProcessPolicyWithShmat(Sandbox* sandbox, int sysno,
                                       void* broker_process) {
#if defined(__arm__)
  // shmat is the only addition and it is allowed without argument filtering.
  const bool is_shmat = (sysno == __NR_shmat);
#else
  const bool is_shmat = false;
#endif  // defined(__arm__)
  if (is_shmat)
    return ErrorCode(ErrorCode::ERR_ALLOWED);

  return ArmGpuProcessPolicy(sandbox, sysno, broker_process);
}

// A GPU broker policy is the same as a GPU policy with open and
// openat allowed.
// Policy for the ARM GPU *broker* process: ArmGpuProcessPolicy with the
// path-opening syscalls allowed outright. The broker is the process that
// performs opens on behalf of the sandboxed GPU process (see
// InitGpuBrokerProcess), so the path whitelist is expected to be enforced
// inside BrokerProcess itself rather than by this BPF filter.
ErrorCode ArmGpuBrokerProcessPolicy(Sandbox* sandbox,
                                    int sysno, void* aux) {
  // "aux" would typically be NULL, when called from
  // "EnableGpuBrokerPolicyCallBack" (StartSandboxWithPolicy is passed NULL
  // there). Because access/open/openat are answered here, the open/openat
  // trap in GpuProcessPolicy, which needs a real BrokerProcess in |aux|,
  // is never reached for them.
  switch (sysno) {
    case __NR_access:
    case __NR_open:
    case __NR_openat:
      return ErrorCode(ErrorCode::ERR_ALLOWED);
    default:
      return ArmGpuProcessPolicy(sandbox, sysno, aux);
  }
}

// Allow clone(2) for threads.
// Reject fork(2) attempts with EPERM.
// Crash if anything else is attempted.
// Don't restrict on ASAN.
//
// The filter compares the low 32 bits of |flags| (arg 0) for *exact*
// equality against three patterns, in order:
//   * glibc's pthread_create flag set                      -> allowed;
//   * CLONE_PARENT_SETTID | SIGCHLD (a fork(2) pattern)    -> EPERM;
//   * CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD
//     (the fork(2) pattern seen on ARM)                    -> EPERM;
// and anything else traps to SIGSYSCloneFailure. Because these are
// equality checks rather than mask checks, a thread created with any
// additional or missing flag also ends up in the trap.
ErrorCode RestrictCloneToThreadsAndEPERMFork(Sandbox* sandbox) {
  // Glibc's pthread.
  if (!RunningOnASAN()) {
    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                         CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
                         CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
                         CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,
                         ErrorCode(ErrorCode::ERR_ALLOWED),
           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                         CLONE_PARENT_SETTID | SIGCHLD,
                         ErrorCode(EPERM),
           // ARM
           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                         CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD,
                         ErrorCode(EPERM),
                         sandbox->Trap(SIGSYSCloneFailure, NULL))));
  } else {
    // ASAN builds get an unrestricted clone(), fork() included.
    return ErrorCode(ErrorCode::ERR_ALLOWED);
  }
}

// prctl(2) filter on |option| (arg 0, compared as 32-bit): only
// PR_SET_NAME, PR_SET_DUMPABLE and PR_GET_DUMPABLE are allowed; every other
// option traps to SIGSYSPrctlFailure. The |arg2| value passed with
// PR_SET_DUMPABLE is not inspected.
ErrorCode RestrictPrctl(Sandbox* sandbox) {
  // Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE. Will need to add
  // seccomp compositing in the future.
  // PR_SET_PTRACER is used by breakpad but not needed anymore.
  return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       PR_SET_NAME, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       PR_SET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                       PR_GET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Trap(SIGSYSPrctlFailure, NULL))));
}

// ioctl(2) filter on |request| (arg 1, compared as 32-bit) only: TCGETS and
// FIONREAD are allowed on any file descriptor, everything else traps to
// SIGSYSIoctlFailure. The fd (arg 0) and the argument pointer (arg 2) are
// not examined.
ErrorCode RestrictIoctl(Sandbox* sandbox) {
  // Allow TCGETS and FIONREAD, trap to SIGSYSIoctlFailure otherwise.
  return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, TCGETS,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, FIONREAD,
                       ErrorCode(ErrorCode::ERR_ALLOWED),
         sandbox->Trap(SIGSYSIoctlFailure, NULL)));
}

// Policy for renderer and worker processes.
//   * clone, ioctl and prctl are argument-filtered by the Restrict* helpers
//     above;
//   * a fixed list of syscalls is allowed unconditionally;
//   * prlimit64 is denied with EPERM;
//   * SysV shared memory (x86_64/ARM) or the syscalls matched by
//     IsSystemVIpc (i386) are allowed only when the GTK toolkit is in use;
//   * everything else is decided by BaselinePolicy.
ErrorCode RendererOrWorkerProcessPolicy(Sandbox* sandbox, int sysno, void*) {
  switch (sysno) {
    case __NR_clone:
      return RestrictCloneToThreadsAndEPERMFork(sandbox);
    case __NR_ioctl:
      return RestrictIoctl(sandbox);
    case __NR_prctl:
      return RestrictPrctl(sandbox);
    // Allow the system calls below.
    case __NR_fdatasync:
    case __NR_fsync:
    case __NR_getpriority:
#if defined(__i386__) || defined(__x86_64__)
    case __NR_getrlimit:
#endif
#if defined(__i386__) || defined(__arm__)
    case __NR_ugetrlimit:
#endif
    case __NR_mremap:  // See crbug.com/149834.
    case __NR_pread64:
    case __NR_pwrite64:
    case __NR_sched_getaffinity:
    case __NR_sched_get_priority_max:
    case __NR_sched_get_priority_min:
    case __NR_sched_getparam:
    case __NR_sched_getscheduler:
    case __NR_sched_setscheduler:
    case __NR_setpriority:
    case __NR_sysinfo:
    case __NR_times:
    case __NR_uname:
      return ErrorCode(ErrorCode::ERR_ALLOWED);
    case __NR_prlimit64:
      // Denied with an error code rather than a crash so callers that
      // probe for it keep working.
      return ErrorCode(EPERM);  // See crbug.com/160157.
    default:
      // The SysV IPC allowances exist for the GTK toolkit only; without it
      // these syscalls fall through to BaselinePolicy like any other.
      if (IsUsingToolKitGtk()) {
#if defined(__x86_64__) || defined(__arm__)
        if (IsSystemVSharedMemory(sysno))
          return ErrorCode(ErrorCode::ERR_ALLOWED);
#endif
#if defined(__i386__)
        if (IsSystemVIpc(sysno))
          return ErrorCode(ErrorCode::ERR_ALLOWED);
#endif
      }

      // Default on the baseline policy.
      return BaselinePolicy(sandbox, sysno);
  }
}

// Policy for the PPAPI (Flash) plugin process. Compared with
// RendererOrWorkerProcessPolicy: prctl is not special-cased, ioctl is
// denied with ENOTTY instead of being filtered, and the unconditional
// allow-list is shorter. The GTK/SysV handling and the fall-through to
// BaselinePolicy are the same.
ErrorCode FlashProcessPolicy(Sandbox* sandbox, int sysno, void*) {
  switch (sysno) {
    case __NR_clone:
      return RestrictCloneToThreadsAndEPERMFork(sandbox);
    case __NR_pread64:
    case __NR_pwrite64:
    case __NR_sched_get_priority_max:
    case __NR_sched_get_priority_min:
    case __NR_sched_getaffinity:
    case __NR_sched_getparam:
    case __NR_sched_getscheduler:
    case __NR_sched_setscheduler:
    case __NR_times:
      return ErrorCode(ErrorCode::ERR_ALLOWED);
    case __NR_ioctl:
      // Every ioctl is refused with ENOTTY (no request filtering at all).
      return ErrorCode(ENOTTY);  // Flash Access.
    default:
      if (IsUsingToolKitGtk()) {
#if defined(__x86_64__) || defined(__arm__)
        if (IsSystemVSharedMemory(sysno))
          return ErrorCode(ErrorCode::ERR_ALLOWED);
#endif
#if defined(__i386__)
        if (IsSystemVIpc(sysno))
          return ErrorCode(ErrorCode::ERR_ALLOWED);
#endif
      }

      // Default on the baseline policy.
      return BaselinePolicy(sandbox, sysno);
  }
}

// Near-allow-all policy: every valid syscall is allowed except the families
// classified by IsDebug and IsNuma, which are killed through
// CrashSIGSYS_Handler. Out-of-range syscall numbers get ENOSYS. On its own
// this is a blacklist, not a confinement policy.
ErrorCode BlacklistDebugAndNumaPolicy(Sandbox* sandbox, int sysno, void*) {
  if (!Sandbox::IsValidSyscallNumber(sysno)) {
    // TODO(jln) we should not have to do that in a trivial policy.
    return ErrorCode(ENOSYS);
  }

  if (IsDebug(sysno) || IsNuma(sysno))
    return sandbox->Trap(CrashSIGSYS_Handler, NULL);

  return ErrorCode(ErrorCode::ERR_ALLOWED);
}

// Allow all syscalls.
// This will still deny x32 or IA32 calls in 64 bits mode or
// 64 bits system calls in compatibility mode.
// (Presumably used to engage the seccomp-bpf machinery without restricting
// anything; the only decision taken here is ENOSYS for invalid numbers.)
ErrorCode AllowAllPolicy(Sandbox*, int sysno, void*) {
  if (!Sandbox::IsValidSyscallNumber(sysno)) {
    // TODO(jln) we should not have to do that in a trivial policy.
    return ErrorCode(ENOSYS);
  } else {
    return ErrorCode(ErrorCode::ERR_ALLOWED);
  }
}

// If a BPF policy is engaged for |process_type|, run a few sanity checks.
//
// Each probe issues a syscall the policy must refuse and CHECKs that it
// failed with EPERM; a CHECK mismatch aborts the process, which is the
// intended outcome when the sandbox turns out not to be engaged. Only the
// fchmod probe runs in release builds; the open() and socket() probes are
// debug-only.
void RunSandboxSanityChecks(const std::string& process_type) {
  if (process_type == switches::kRendererProcess ||
      process_type == switches::kWorkerProcess ||
      process_type == switches::kGpuProcess ||
      process_type == switches::kPpapiPluginProcess) {
    int syscall_ret;
    // Cleared once; each probe is expected to return -1, and a failing
    // syscall sets errno itself.
    errno = 0;

    // Without the sandbox, this would EBADF.
    // fchmod on an invalid fd therefore distinguishes "policy engaged"
    // (EPERM from the filter) from "no policy" (EBADF from the kernel).
    syscall_ret = fchmod(-1, 07777);
    CHECK_EQ(-1, syscall_ret);
    CHECK_EQ(EPERM, errno);

    // Run most of the sanity checks only in DEBUG mode to avoid a perf.
    // impact.
#if !defined(NDEBUG)
    // open() must be restricted.
    // In the GPU process open() traps to the broker, so this also checks
    // that the broker refuses a path outside its whitelist.
    syscall_ret = open("/etc/passwd", O_RDONLY);
    CHECK_EQ(-1, syscall_ret);
    CHECK_EQ(EPERM, errno);

    // We should never allow the creation of netlink sockets.
    // On the ARM GPU policy this exercises the AF_UNIX-only Cond in
    // ArmGpuProcessPolicy; the other process types rely on BaselinePolicy.
    syscall_ret = socket(AF_NETLINK, SOCK_DGRAM, 0);
    CHECK_EQ(-1, syscall_ret);
    CHECK_EQ(EPERM, errno);
#endif  // !defined(NDEBUG)
  }
}

// Engages the x86 GPU broker policy. Handed to InitGpuBrokerProcess as the
// |sandbox_callback|, so this presumably runs inside the broker process.
// The NULL aux pointer is what GpuBrokerProcessPolicy documents.
bool EnableGpuBrokerPolicyCallback() {
  StartSandboxWithPolicy(GpuBrokerProcessPolicy, NULL);
  return true;
}

// ARM counterpart of EnableGpuBrokerPolicyCallback.
bool EnableArmGpuBrokerPolicyCallback() {
  StartSandboxWithPolicy(ArmGpuBrokerProcessPolicy, NULL);
  return true;
}

// Files needed by the ARM GPU userspace.
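// Files needed by the ARM GPU userspace.
static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2";
static const char kLibEglPath[] = "/usr/lib/libEGL.so.1";

// Whitelists |path| for both reading and writing by appending it to
// |read_whitelist| and |write_whitelist|. Every device node below has to be
// on both lists; routing them through one helper keeps the two lists from
// drifting apart (the original code repeated each path twice).
static void AddReadWritePath(const char* path,
                             std::vector<std::string>* read_whitelist,
                             std::vector<std::string>* write_whitelist) {
  read_whitelist->push_back(path);
  write_whitelist->push_back(path);
}

// Appends the Mali GPU / video-decode device nodes to both whitelists, in
// the same order on each list.
void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist,
                            std::vector<std::string>* write_whitelist) {
  // Device file needed by the ARM GPU userspace.
  static const char kMali0Path[] = "/dev/mali0";

  // Devices needed for video decode acceleration on ARM.
  static const char kDevMfcDecPath[] = "/dev/mfc-dec";
  static const char kDevGsc1Path[] = "/dev/gsc1";

  static const char* const kMaliDevices[] = {
    kMali0Path,
    kDevMfcDecPath,
    kDevGsc1Path,
  };
  const size_t count = sizeof(kMaliDevices) / sizeof(kMaliDevices[0]);
  for (size_t i = 0; i < count; ++i)
    AddReadWritePath(kMaliDevices[i], read_whitelist, write_whitelist);
}

// Appends the Tegra GPU device nodes to both whitelists, in the same order
// on each list.
void AddArmTegraGpuWhitelist(std::vector<std::string>* read_whitelist,
                             std::vector<std::string>* write_whitelist) {
  // Device files needed by the Tegra GPU userspace.
  static const char* const kTegraDevices[] = {
    "/dev/nvhost-ctrl",
    "/dev/nvhost-gr2d",
    "/dev/nvhost-gr3d",
    "/dev/nvhost-isp",
    "/dev/nvhost-vi",
    "/dev/nvmap",
    "/dev/tegra_sema",
  };
  const size_t count = sizeof(kTegraDevices) / sizeof(kTegraDevices[0]);
  for (size_t i = 0; i < count; ++i)
    AddReadWritePath(kTegraDevices[i], read_whitelist, write_whitelist);
}

// Builds the complete ARM GPU broker whitelists: a few read-only files,
// then the Mali and Tegra device nodes (read and write).
//
// NOTE(review): both vendor lists are added unconditionally, whichever GPU
// the board actually has; entries for absent device nodes are presumably
// harmless (the open simply fails) but they do widen what the broker is
// willing to open. Also note that |.Xauthority| holds the X server
// authentication cookie, so the read entry hands the sandboxed process a
// credential; it is deliberately kept off the write whitelist.
void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist,
                        std::vector<std::string>* write_whitelist) {
  // On ARM we're enabling the sandbox before the X connection is made,
  // so we need to allow access to |.Xauthority|.
  static const char kXAuthorityPath[] = "/home/chronos/.Xauthority";
  static const char kLdSoCache[] = "/etc/ld.so.cache";

  // Read-only entries: X auth cookie, dynamic loader cache, GL libraries.
  read_whitelist->push_back(kXAuthorityPath);
  read_whitelist->push_back(kLdSoCache);
  read_whitelist->push_back(kLibGlesPath);
  read_whitelist->push_back(kLibEglPath);

  AddArmMaliGpuWhitelist(read_whitelist, write_whitelist);
  AddArmTegraGpuWhitelist(read_whitelist, write_whitelist);
}

// Start a broker process to handle open() inside the sandbox.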
1851c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)void InitGpuBrokerProcess(Sandbox::EvaluateSyscall gpu_policy, 1852c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) BrokerProcess** broker_process) { 18532a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) static const char kDriRcPath[] = "/etc/drirc"; 18542a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) static const char kDriCard0Path[] = "/dev/dri/card0"; 18552a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 18562a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) CHECK(broker_process); 18572a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) CHECK(*broker_process == NULL); 18582a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 1859c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) bool (*sandbox_callback)(void) = NULL; 1860c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) 1861c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) // All GPU process policies need these files brokered out. 
18622a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) std::vector<std::string> read_whitelist; 18632a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) read_whitelist.push_back(kDriCard0Path); 18642a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) read_whitelist.push_back(kDriRcPath); 1865c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) 18662a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) std::vector<std::string> write_whitelist; 18672a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) write_whitelist.push_back(kDriCard0Path); 18682a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 1869a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) if (gpu_policy == ArmGpuProcessPolicy || 1870a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) gpu_policy == ArmGpuProcessPolicyWithShmat) { 1871c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) // We shouldn't be using this policy on non-ARM architectures. 1872c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) CHECK(IsArchitectureArm()); 1873a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) AddArmGpuWhitelist(&read_whitelist, &write_whitelist); 1874a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) sandbox_callback = EnableArmGpuBrokerPolicyCallback; 1875c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) } else if (gpu_policy == GpuProcessPolicy) { 1876c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) sandbox_callback = EnableGpuBrokerPolicyCallback; 1877c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) } else { 1878c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) // We shouldn't be initializing a GPU broker process without a GPU process 1879c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) // policy. 
1880c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) NOTREACHED(); 1881c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) } 1882c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) 18832a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) *broker_process = new BrokerProcess(read_whitelist, write_whitelist); 1884c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) // Initialize the broker process and give it a sandbox callback. 1885c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) CHECK((*broker_process)->Init(sandbox_callback)); 18862a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)} 18872a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 18885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Warms up/preloads resources needed by the policies. 18892a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)// Eventually start a broker process and return it in broker_process. 18902a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)void WarmupPolicy(Sandbox::EvaluateSyscall policy, 18912a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) BrokerProcess** broker_process) { 18922a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) if (policy == GpuProcessPolicy) { 1893c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) // Create a new broker process. 1894c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) InitGpuBrokerProcess(policy, broker_process); 18952a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 1896c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) if (IsArchitectureX86_64() || IsArchitectureI386()) { 18972a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // Accelerated video decode dlopen()'s a shared object 18982a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // inside the sandbox, so preload it now. 
18992a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) if (IsAcceleratedVideoDecodeEnabled()) { 19002a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) const char* I965DrvVideoPath = NULL; 19012a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 19022a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) if (IsArchitectureX86_64()) { 19032a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; 19042a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) } else if (IsArchitectureI386()) { 19052a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; 19062a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) } 19072a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 19082a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 19092a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) } 19105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 1911a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) } else if (policy == ArmGpuProcessPolicy || 1912a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) policy == ArmGpuProcessPolicyWithShmat) { 1913c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) // Create a new broker process. 1914c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) InitGpuBrokerProcess(policy, broker_process); 1915a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) 19164311e82a78ceafbe0585f51d4c8a86df9f21aa0dBen Murdoch // Preload the GL libraries. These are in the read whitelist but we have to 19174311e82a78ceafbe0585f51d4c8a86df9f21aa0dBen Murdoch // preload them anyways to work around ld.so bugs. See crbug.com/268439. 
19184311e82a78ceafbe0585f51d4c8a86df9f21aa0dBen Murdoch dlopen(kLibGlesPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 19194311e82a78ceafbe0585f51d4c8a86df9f21aa0dBen Murdoch dlopen(kLibEglPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 19204311e82a78ceafbe0585f51d4c8a86df9f21aa0dBen Murdoch 1921a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) // Preload the Tegra libraries. 1922a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) dlopen("/usr/lib/libnvrm.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1923a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) dlopen("/usr/lib/libnvrm_graphics.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1924a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) dlopen("/usr/lib/libnvos.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1925a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) dlopen("/usr/lib/libnvddk_2d.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1926a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) dlopen("/usr/lib/libardrv_dynamic.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1927a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) dlopen("/usr/lib/libnvwsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1928a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) dlopen("/usr/lib/libnvglsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 1929a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) dlopen("/usr/lib/libcgdrv.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); 19305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 19315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 19325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 19335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)Sandbox::EvaluateSyscall GetProcessSyscallPolicy( 19345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const CommandLine& command_line, 19355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const std::string& process_type) { 
19365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (process_type == switches::kGpuProcess) { 1937c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles) // On Chrome OS ARM, we need a specific GPU process policy. 1938a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) if (IsChromeOS() && IsArchitectureArm()) { 1939a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) if (command_line.HasSwitch(switches::kGpuSandboxAllowSysVShm)) 1940a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) return ArmGpuProcessPolicyWithShmat; 1941a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) else 1942a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) return ArmGpuProcessPolicy; 1943a36e5920737c6adbddd3e43b760e5de8431db6e0Torne (Richard Coles) } 19445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) else 19452a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) return GpuProcessPolicy; 19465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 19475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 19485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (process_type == switches::kPpapiPluginProcess) { 19495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // TODO(jln): figure out what to do with non-Flash PPAPI 19505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // out-of-process plug-ins. 
19515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return FlashProcessPolicy; 19525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 19535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 19545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (process_type == switches::kRendererProcess || 19555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) process_type == switches::kWorkerProcess) { 19565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return RendererOrWorkerProcessPolicy; 19575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 19585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 19595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (process_type == switches::kUtilityProcess) { 19605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return BlacklistDebugAndNumaPolicy; 19615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 19625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 19635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NOTREACHED(); 19645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // This will be our default if we need one. 19655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return AllowAllPolicy; 19662a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)} 19672a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) 19682a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)// broker_process can be NULL if there is no need for one. 19692a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles)void StartSandboxWithPolicy(Sandbox::EvaluateSyscall syscall_policy, 19702a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) BrokerProcess* broker_process) { 19712a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // Starting the sandbox is a one-way operation. 
The kernel doesn't allow 19722a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // us to unload a sandbox policy after it has been started. Nonetheless, 19732a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // in order to make the use of the "Sandbox" object easier, we allow for 19742a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // the object to be destroyed after the sandbox has been started. Note that 19752a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // doing so does not stop the sandbox. 19762a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) Sandbox sandbox; 19772a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) sandbox.SetSandboxPolicy(syscall_policy, broker_process); 19782a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) sandbox.StartSandbox(); 19795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 19805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 19815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Initialize the seccomp-bpf sandbox. 19825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool StartBpfSandbox(const CommandLine& command_line, 19835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const std::string& process_type) { 19842a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) Sandbox::EvaluateSyscall syscall_policy = 19855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) GetProcessSyscallPolicy(command_line, process_type); 19865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 19872a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) BrokerProcess* broker_process = NULL; 19882a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // Warm up resources needed by the policy we're about to enable and 19892a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // eventually start a broker process. 
19902a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) WarmupPolicy(syscall_policy, &broker_process); 19915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 19922a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) StartSandboxWithPolicy(syscall_policy, broker_process); 19935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1994868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) RunSandboxSanityChecks(process_type); 1995868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) 19965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 19975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 19985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 19995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} // namespace 20005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 20015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif // SECCOMP_BPF_SANDBOX 20025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 20035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)namespace content { 20045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 20055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Is seccomp BPF globally enabled? 
20065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool SandboxSeccompBpf::IsSeccompBpfDesired() { 20075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 20085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (!command_line.HasSwitch(switches::kNoSandbox) && 20095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { 20105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 20115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } else { 20125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 20135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 20145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 20155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 20165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool SandboxSeccompBpf::ShouldEnableSeccompBpf( 20175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const std::string& process_type) { 20185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(SECCOMP_BPF_SANDBOX) 20195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 20205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (process_type == switches::kGpuProcess) 20215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return !command_line.HasSwitch(switches::kDisableGpuSandbox); 20225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 20235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 20245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif // SECCOMP_BPF_SANDBOX 20255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 20265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard 
Coles)} 20275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 20285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool SandboxSeccompBpf::SupportsSandbox() { 20295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(SECCOMP_BPF_SANDBOX) 20305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton 20315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // here. 20322a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) Sandbox::SandboxStatus bpf_sandbox_status = 20332a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) Sandbox::SupportsSeccompSandbox(-1); 20342a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // Kernel support is what we are interested in here. Other status 20352a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support. 20362a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // We make this a negative check, since if there is a bug, we would rather 20372a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // "fail closed" (expect a sandbox to be available and try to start it). 
20382a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) if (bpf_sandbox_status != Sandbox::STATUS_UNSUPPORTED) { 20395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return true; 20405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 20415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 20425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 20435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 20445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 20455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { 20465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#if defined(SECCOMP_BPF_SANDBOX) 20475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 20485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 20495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (IsSeccompBpfDesired() && // Global switches policy. 20502a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) ShouldEnableSeccompBpf(process_type) && // Process-specific policy. 20515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) SupportsSandbox()) { 20522a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // If the kernel supports the sandbox, and if the command line says we 20532a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) // should enable it, enable it or die. 
20542a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) bool started_sandbox = StartBpfSandbox(command_line, process_type); 20552a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) CHECK(started_sandbox); 20562a99a7e74a7f215066514fe81d2bfa6639d9edddTorne (Richard Coles) return true; 20575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 20585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif 20595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return false; 20605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 20615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 20627d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)bool SandboxSeccompBpf::StartSandboxWithExternalPolicy( 20637d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) playground2::BpfSandboxPolicy policy) { 20647d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)#if defined(SECCOMP_BPF_SANDBOX) 2065eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch if (IsSeccompBpfDesired() && SupportsSandbox()) { 20667d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) CHECK(policy); 20677d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) StartSandboxWithPolicy(policy, NULL); 20687d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) return true; 20697d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) } 20707d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)#endif // defined(SECCOMP_BPF_SANDBOX) 20717d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) return false; 20727d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)} 20737d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 20747d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)#if defined(SECCOMP_BPF_SANDBOX) 20757d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)playground2::BpfSandboxPolicyCallback SandboxSeccompBpf::GetBaselinePolicy() { 
20767d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) return base::Bind(&BaselinePolicyWithAux); 20777d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)} 20787d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles)#endif // defined(SECCOMP_BPF_SANDBOX) 20797d4cd473f85ac64c3747c96c277f9e506a0d2246Torne (Richard Coles) 20805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} // namespace content 2081