syscall_parameters_restrictions.h revision cedac228d2dd51db4b79ea1e72c7f249408ee061
1// Copyright (c) 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
6#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
7
8#include <unistd.h>
9
10#include "build/build_config.h"
11#include "sandbox/sandbox_export.h"
12
13// These are helpers to build seccomp-bpf policies, i.e. policies for a
14// sandbox that reduces the Linux kernel's attack surface. They return an
15// ErrorCode suitable for restricting certain system call parameters.
16
17namespace sandbox {
18
19class ErrorCode;
20class SandboxBPF;
21
22// Allow clone(2) for threads.
23// Reject fork(2) attempts with EPERM.
24// Under ASan builds, clone(2) is not restricted.
25// Crash if anything else is attempted.
26SANDBOX_EXPORT ErrorCode
27    RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);
28
29// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.
30// Crash if anything else is attempted.
31SANDBOX_EXPORT ErrorCode RestrictPrctl(SandboxBPF* sandbox);
32
33// Allow only the TCGETS and FIONREAD ioctl(2) requests.
34// Crash if anything else is attempted.
35SANDBOX_EXPORT ErrorCode RestrictIoctl(SandboxBPF* sandbox);
36
37// Restrict the flags argument in mmap(2).
38// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
39// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
40// Crash if any other flag is used.
41SANDBOX_EXPORT ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);
42
43// Restrict the prot argument in mprotect(2).
44// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
45SANDBOX_EXPORT ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);
46
47// Restrict the fcntl(2) cmd argument to:
48// F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
49// F_SETLK, F_SETLKW and F_GETLK.
50// Also, for F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |
51// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
52SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);
53
54#if defined(__i386__)
55// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
56// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
57SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);
58#endif
59
60// Restrict |sysno| (which must be kill, tkill or tgkill): allow kill or tgkill
61// only if the first parameter equals |target_pid|; crash otherwise, and always
62// crash if |sysno| is tkill. Unlike the other helpers here, not SANDBOX_EXPORT.
63ErrorCode RestrictKillTarget(pid_t target_pid, SandboxBPF* sandbox, int sysno);
64
65}  // namespace sandbox.
66
67#endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
68