syscall_parameters_restrictions.h revision cedac228d2dd51db4b79ea1e72c7f249408ee061
1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ 6#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ 7 8#include <unistd.h> 9 10#include "build/build_config.h" 11#include "sandbox/sandbox_export.h" 12 13// These are helpers to build seccomp-bpf policies, i.e. policies for a 14// sandbox that reduces the Linux kernel's attack surface. They return an 15// SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters. 16 17namespace sandbox { 18 19class ErrorCode; 20class SandboxBPF; 21 22// Allow clone(2) for threads. 23// Reject fork(2) attempts with EPERM. 24// Don't restrict on ASAN. 25// Crash if anything else is attempted. 26SANDBOX_EXPORT ErrorCode 27 RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox); 28 29// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE. 30// Crash if anything else is attempted. 31SANDBOX_EXPORT ErrorCode RestrictPrctl(SandboxBPF* sandbox); 32 33// Allow TCGETS and FIONREAD. 34// Crash if anything else is attempted. 35SANDBOX_EXPORT ErrorCode RestrictIoctl(SandboxBPF* sandbox); 36 37// Restrict the flags argument in mmap(2). 38// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | 39// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE. 40// Crash if any other flag is used. 41SANDBOX_EXPORT ErrorCode RestrictMmapFlags(SandboxBPF* sandbox); 42 43// Restrict the prot argument in mprotect(2). 44// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC. 45SANDBOX_EXPORT ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox); 46 47// Restrict fcntl(2) cmd argument to: 48// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC, 49// F_SETLK, F_SETLKW and F_GETLK. 50// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND | 51// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME. 52SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox); 53 54#if defined(__i386__) 55// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2), 56// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2). 57SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox); 58#endif 59 60// Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or 61// kill iff the first parameter is |target_pid|, crashing otherwise or if 62// |sysno| is tkill. 63ErrorCode RestrictKillTarget(pid_t target_pid, SandboxBPF* sandbox, int sysno); 64 65} // namespace sandbox. 66 67#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ 68