syscall_sets.h revision 5f1c94371a64b3196d4be9466099bb892df9b88e
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_
#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_

#include "base/basictypes.h"
#include "build/build_config.h"
#include "sandbox/sandbox_export.h"

// These are helpers to build seccomp-bpf policies, i.e. policies for a
// sandbox that reduces the Linux kernel's attack surface. Given their
// nature, they don't have any clear semantics and are completely
// "implementation-defined".
//
// Every member below has the shape `static bool IsFoo(int sysno)`: it takes
// a system call number and reports whether that call is in the set the name
// describes. Which numbers belong to each set is decided in the
// implementation file, not here, so a policy must not assume a set is
// exhaustive or disjoint from the others.
//
// The IsAllowed*/IsDenied* prefixes appear to record the verdict a policy is
// expected to give for that set; the plain Is* sets carry no such hint and
// each policy has to decide them on its own. Several sets only exist on the
// architectures named in the surrounding #if; callers must use the same
// guards.

namespace sandbox {

// Pure-static collection of syscall-set predicates; it is never
// instantiated (see the private section).
class SANDBOX_EXPORT SyscallSets {
 public:
  static bool IsKill(int sysno);
  static bool IsAllowedGettime(int sysno);
  static bool IsCurrentDirectory(int sysno);
  static bool IsUmask(int sysno);
  // System calls that directly access the file system. They might acquire
  // a new file descriptor or otherwise perform an operation directly
  // via a path.
  static bool IsFileSystem(int sysno);
  // File-system access that goes through an already-open descriptor,
  // split into the half a policy is expected to allow and the half it is
  // expected to deny.
  static bool IsAllowedFileSystemAccessViaFd(int sysno);
  static bool IsDeniedFileSystemAccessViaFd(int sysno);
  static bool IsGetSimpleId(int sysno);
  static bool IsProcessPrivilegeChange(int sysno);
  static bool IsProcessGroupOrSession(int sysno);
  static bool IsAllowedSignalHandling(int sysno);
  static bool IsAllowedOperationOnFd(int sysno);
  static bool IsKernelInternalApi(int sysno);
  // This should be thought through in conjunction with IsFutex() (declared
  // below as IsAllowedFutex()).
  static bool IsAllowedProcessStartOrDeath(int sysno);
  // It's difficult to restrict those, but there is attack surface here.
  static bool IsAllowedFutex(int sysno);
  static bool IsAllowedEpoll(int sysno);
  // Socket creation/modification, again split by expected verdict.
  static bool IsAllowedGetOrModifySocket(int sysno);
  static bool IsDeniedGetOrModifySocket(int sysno);

#if defined(__i386__) || defined(__mips__)
  // Big multiplexing system call for sockets. Only these architectures
  // route socket operations through a single multiplexed call, so the set
  // is not declared elsewhere.
  static bool IsSocketCall(int sysno);
#endif

#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
  static bool IsNetworkSocketInformation(int sysno);
#endif

  static bool IsAllowedAddressSpaceAccess(int sysno);
  static bool IsAllowedGeneralIo(int sysno);
  static bool IsPrctl(int sysno);
  static bool IsAllowedBasicScheduler(int sysno);
  static bool IsAdminOperation(int sysno);
  static bool IsKernelModule(int sysno);
  static bool IsGlobalFSViewChange(int sysno);
  static bool IsFsControl(int sysno);
  static bool IsNuma(int sysno);
  static bool IsMessageQueue(int sysno);
  static bool IsGlobalProcessEnvironment(int sysno);
  static bool IsDebug(int sysno);
  static bool IsGlobalSystemStatus(int sysno);
  static bool IsEventFd(int sysno);
  // Asynchronous I/O API.
  static bool IsAsyncIo(int sysno);
  static bool IsKeyManagement(int sysno);
  // The System V IPC families below are only declared where the kernel
  // exposes them as separate system calls; i386 and MIPS get the
  // multiplexed IsSystemVIpc() instead.
#if defined(__x86_64__) || defined(__arm__)
  static bool IsSystemVSemaphores(int sysno);
#endif
#if defined(__x86_64__) || defined(__arm__)
  // These give a lot of ambient authority and bypass the setuid sandbox.
  static bool IsSystemVSharedMemory(int sysno);
#endif

#if defined(__x86_64__) || defined(__arm__)
  static bool IsSystemVMessageQueue(int sysno);
#endif

#if defined(__i386__) || defined(__mips__)
  // Big system V multiplexing system call.
  static bool IsSystemVIpc(int sysno);
#endif

  // Union-style helper declared on every architecture; presumably covers
  // whichever of the System V sets above exist on the current one.
  static bool IsAnySystemV(int sysno);
  static bool IsAdvancedScheduler(int sysno);
  static bool IsInotify(int sysno);
  static bool IsFaNotify(int sysno);
  static bool IsTimer(int sysno);
  static bool IsAdvancedTimer(int sysno);
  static bool IsExtendedAttributes(int sysno);
  static bool IsMisc(int sysno);
#if defined(__arm__)
  // Architecture-private system calls; only meaningful on ARM.
  static bool IsArmPciConfig(int sysno);
  static bool IsArmPrivate(int sysno);
#endif  // defined(__arm__)
#if defined(__mips__)
  // Architecture-private system calls; only meaningful on MIPS.
  static bool IsMipsPrivate(int sysno);
  static bool IsMipsMisc(int sysno);
#endif  // defined(__mips__)
 private:
  // Removes the default and copy constructors: the class is a namespace for
  // static predicates and is never instantiated.
  DISALLOW_IMPLICIT_CONSTRUCTORS(SyscallSets);
};

}  // namespace sandbox.

#endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_