1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5// Note: any code in this file MUST be async-signal safe. 6 7#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" 8 9#include <stddef.h> 10#include <stdint.h> 11#include <sys/syscall.h> 12#include <unistd.h> 13 14#include "base/logging.h" 15#include "base/posix/eintr_wrapper.h" 16#include "build/build_config.h" 17#include "sandbox/linux/bpf_dsl/bpf_dsl.h" 18#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" 19#include "sandbox/linux/seccomp-bpf/syscall.h" 20#include "sandbox/linux/services/syscall_wrappers.h" 21#include "sandbox/linux/system_headers/linux_syscalls.h" 22 23#if defined(__mips__) 24// __NR_Linux, is defined in <asm/unistd.h>. 25#include <asm/unistd.h> 26#endif 27 28#define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure" 29#define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure" 30#define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure" 31#define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure" 32#define SECCOMP_MESSAGE_KILL_CONTENT "(tg)kill() failure" 33#define SECCOMP_MESSAGE_FUTEX_CONTENT "futex() failure" 34 35namespace { 36 37inline bool IsArchitectureX86_64() { 38#if defined(__x86_64__) 39 return true; 40#else 41 return false; 42#endif 43} 44 45// Write |error_message| to stderr. Similar to RawLog(), but a bit more careful 46// about async-signal safety. |size| is the size to write and should typically 47// not include a terminating \0. 48void WriteToStdErr(const char* error_message, size_t size) { 49 while (size > 0) { 50 // TODO(jln): query the current policy to check if send() is available and 51 // use it to perform a non-blocking write. 52 const int ret = HANDLE_EINTR(write(STDERR_FILENO, error_message, size)); 53 // We can't handle any type of error here. 54 if (ret <= 0 || static_cast<size_t>(ret) > size) break; 55 size -= ret; 56 error_message += ret; 57 } 58} 59 60// Invalid syscall values are truncated to zero. 61// On architectures where base value is zero (Intel and Arm), 62// syscall number is the same as offset from base. 63// This function returns values between 0 and 1023 on all architectures. 64// On architectures where base value is different than zero (currently only 65// Mips), we are truncating valid syscall values to offset from base. 66uint32_t SyscallNumberToOffsetFromBase(uint32_t sysno) { 67#if defined(__mips__) 68 // On MIPS syscall numbers are in different range than on x86 and ARM. 69 // Valid MIPS O32 ABI syscall __NR_syscall will be truncated to zero for 70 // simplicity. 71 sysno = sysno - __NR_Linux; 72#endif 73 74 if (sysno >= 1024) 75 sysno = 0; 76 77 return sysno; 78} 79 80// Print a seccomp-bpf failure to handle |sysno| to stderr in an 81// async-signal safe way. 82void PrintSyscallError(uint32_t sysno) { 83 if (sysno >= 1024) 84 sysno = 0; 85 // TODO(markus): replace with async-signal safe snprintf when available. 86 const size_t kNumDigits = 4; 87 char sysno_base10[kNumDigits]; 88 uint32_t rem = sysno; 89 uint32_t mod = 0; 90 for (int i = kNumDigits - 1; i >= 0; i--) { 91 mod = rem % 10; 92 rem /= 10; 93 sysno_base10[i] = '0' + mod; 94 } 95#if defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32) 96 static const char kSeccompErrorPrefix[] = __FILE__ 97 ":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall 4000 + "; 98#else 99 static const char kSeccompErrorPrefix[] = 100 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall "; 101#endif 102 static const char kSeccompErrorPostfix[] = "\n"; 103 WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1); 104 WriteToStdErr(sysno_base10, sizeof(sysno_base10)); 105 WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1); 106} 107 108} // namespace. 109 110namespace sandbox { 111 112intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { 113 uint32_t syscall = SyscallNumberToOffsetFromBase(args.nr); 114 115 PrintSyscallError(syscall); 116 117 // Encode 8-bits of the 1st two arguments too, so we can discern which socket 118 // type, which fcntl, ... etc., without being likely to hit a mapped 119 // address. 120 // Do not encode more bits here without thinking about increasing the 121 // likelihood of collision with mapped pages. 122 syscall |= ((args.args[0] & 0xffUL) << 12); 123 syscall |= ((args.args[1] & 0xffUL) << 20); 124 // Purposefully dereference the syscall as an address so it'll show up very 125 // clearly and easily in crash dumps. 126 volatile char* addr = reinterpret_cast<volatile char*>(syscall); 127 *addr = '\0'; 128 // In case we hit a mapped address, hit the null page with just the syscall, 129 // for paranoia. 130 syscall &= 0xfffUL; 131 addr = reinterpret_cast<volatile char*>(syscall); 132 *addr = '\0'; 133 for (;;) 134 _exit(1); 135} 136 137// TODO(jln): refactor the reporting functions. 138 139intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) { 140 static const char kSeccompCloneError[] = 141 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT "\n"; 142 WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1); 143 // "flags" is the first argument in the kernel's clone(). 144 // Mark as volatile to be able to find the value on the stack in a minidump. 145 volatile uint64_t clone_flags = args.args[0]; 146 volatile char* addr; 147 if (IsArchitectureX86_64()) { 148 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF); 149 *addr = '\0'; 150 } 151 // Hit the NULL page if this fails to fault. 152 addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF); 153 *addr = '\0'; 154 for (;;) 155 _exit(1); 156} 157 158intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, 159 void* /* aux */) { 160 static const char kSeccompPrctlError[] = 161 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT "\n"; 162 WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1); 163 // Mark as volatile to be able to find the value on the stack in a minidump. 164 volatile uint64_t option = args.args[0]; 165 volatile char* addr = 166 reinterpret_cast<volatile char*>(option & 0xFFF); 167 *addr = '\0'; 168 for (;;) 169 _exit(1); 170} 171 172intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, 173 void* /* aux */) { 174 static const char kSeccompIoctlError[] = 175 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT "\n"; 176 WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1); 177 // Make "request" volatile so that we can see it on the stack in a minidump. 178 volatile uint64_t request = args.args[1]; 179 volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF); 180 *addr = '\0'; 181 // Hit the NULL page if this fails. 182 addr = reinterpret_cast<volatile char*>(request & 0xFFF); 183 *addr = '\0'; 184 for (;;) 185 _exit(1); 186} 187 188intptr_t SIGSYSKillFailure(const struct arch_seccomp_data& args, 189 void* /* aux */) { 190 static const char kSeccompKillError[] = 191 __FILE__":**CRASHING**:" SECCOMP_MESSAGE_KILL_CONTENT "\n"; 192 WriteToStdErr(kSeccompKillError, sizeof(kSeccompKillError) - 1); 193 // Make "pid" volatile so that we can see it on the stack in a minidump. 194 volatile uint64_t my_pid = sys_getpid(); 195 volatile char* addr = reinterpret_cast<volatile char*>(my_pid & 0xFFF); 196 *addr = '\0'; 197 for (;;) 198 _exit(1); 199} 200 201intptr_t SIGSYSFutexFailure(const struct arch_seccomp_data& args, 202 void* /* aux */) { 203 static const char kSeccompFutexError[] = 204 __FILE__ ":**CRASHING**:" SECCOMP_MESSAGE_FUTEX_CONTENT "\n"; 205 WriteToStdErr(kSeccompFutexError, sizeof(kSeccompFutexError) - 1); 206 volatile int futex_op = args.args[1]; 207 volatile char* addr = reinterpret_cast<volatile char*>(futex_op & 0xFFF); 208 *addr = '\0'; 209 for (;;) 210 _exit(1); 211} 212 213intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args, 214 void* aux) { 215 switch (args.nr) { 216 case __NR_sched_getaffinity: 217 case __NR_sched_getattr: 218 case __NR_sched_getparam: 219 case __NR_sched_getscheduler: 220 case __NR_sched_rr_get_interval: 221 case __NR_sched_setaffinity: 222 case __NR_sched_setattr: 223 case __NR_sched_setparam: 224 case __NR_sched_setscheduler: 225 const pid_t tid = sys_gettid(); 226 // The first argument is the pid. If is our thread id, then replace it 227 // with 0, which is equivalent and allowed by the policy. 228 if (args.args[0] == static_cast<uint64_t>(tid)) { 229 return Syscall::Call(args.nr, 230 0, 231 static_cast<intptr_t>(args.args[1]), 232 static_cast<intptr_t>(args.args[2]), 233 static_cast<intptr_t>(args.args[3]), 234 static_cast<intptr_t>(args.args[4]), 235 static_cast<intptr_t>(args.args[5])); 236 } 237 break; 238 } 239 240 CrashSIGSYS_Handler(args, aux); 241 242 // Should never be reached. 243 RAW_CHECK(false); 244 return -ENOSYS; 245} 246 247bpf_dsl::ResultExpr CrashSIGSYS() { 248 return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); 249} 250 251bpf_dsl::ResultExpr CrashSIGSYSClone() { 252 return bpf_dsl::Trap(SIGSYSCloneFailure, NULL); 253} 254 255bpf_dsl::ResultExpr CrashSIGSYSPrctl() { 256 return bpf_dsl::Trap(SIGSYSPrctlFailure, NULL); 257} 258 259bpf_dsl::ResultExpr CrashSIGSYSIoctl() { 260 return bpf_dsl::Trap(SIGSYSIoctlFailure, NULL); 261} 262 263bpf_dsl::ResultExpr CrashSIGSYSKill() { 264 return bpf_dsl::Trap(SIGSYSKillFailure, NULL); 265} 266 267bpf_dsl::ResultExpr CrashSIGSYSFutex() { 268 return bpf_dsl::Trap(SIGSYSFutexFailure, NULL); 269} 270 271bpf_dsl::ResultExpr RewriteSchedSIGSYS() { 272 return bpf_dsl::Trap(SIGSYSSchedHandler, NULL); 273} 274 275const char* GetErrorMessageContentForTests() { 276 return SECCOMP_MESSAGE_COMMON_CONTENT; 277} 278 279const char* GetCloneErrorMessageContentForTests() { 280 return SECCOMP_MESSAGE_CLONE_CONTENT; 281} 282 283const char* GetPrctlErrorMessageContentForTests() { 284 return SECCOMP_MESSAGE_PRCTL_CONTENT; 285} 286 287const char* GetIoctlErrorMessageContentForTests() { 288 return SECCOMP_MESSAGE_IOCTL_CONTENT; 289} 290 291const char* GetKillErrorMessageContentForTests() { 292 return SECCOMP_MESSAGE_KILL_CONTENT; 293} 294 295const char* GetFutexErrorMessageContentForTests() { 296 return SECCOMP_MESSAGE_FUTEX_CONTENT; 297} 298 299} // namespace sandbox. 300