1// Copyright (c) 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
6#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
7
8#include <unistd.h>
9
10#include "build/build_config.h"
11#include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h"
12#include "sandbox/sandbox_export.h"
13
14// These are helpers to build seccomp-bpf policies, i.e. policies for a
15// sandbox that reduces the Linux kernel's attack surface. They return a
16// bpf_dsl::ResultExpr suitable to restrict certain system call parameters.
17
18namespace sandbox {
19
20// Allow clone(2) for threads.
21// Reject fork(2) attempts with EPERM.
22// Don't restrict on ASAN.
23// Crash if anything else is attempted.
24SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictCloneToThreadsAndEPERMFork();
25
26// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.
27// Crash if anything else is attempted.
28SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrctl();
29
30// Allow TCGETS and FIONREAD.
31// Crash if anything else is attempted.
32SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictIoctl();
33
34// Restrict the flags argument in mmap(2).
35// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
36// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
37// Crash if any other flag is used.
38SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMmapFlags();
39
40// Restrict the prot argument in mprotect(2).
41// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
42SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlags();
43
44// Restrict fcntl(2) cmd argument to:
45// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
46// F_SETLK, F_SETLKW and F_GETLK.
47// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |
48// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
49SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFcntlCommands();
50
51#if defined(__i386__) || defined(__mips__)
52// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
53// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
54SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSocketcallCommand();
55#endif
56
57// Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or
58// kill iff the first parameter is |target_pid|, crashing otherwise or if
59// |sysno| is tkill.
60SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictKillTarget(pid_t target_pid,
61                                                      int sysno);
62
63// Crash if FUTEX_CMP_REQUEUE_PI is used in the second argument of futex(2).
64SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFutex();
65
66// Crash if |which| is not PRIO_PROCESS. EPERM if |who| is not 0, neither
67// |target_pid| while calling setpriority(2) / getpriority(2).
68SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetSetpriority(pid_t target_pid);
69
70// Restricts |pid| for sched_* syscalls which take a pid as the first argument.
71// We only allow calling these syscalls if the pid argument is equal to the pid
72// of the sandboxed process or 0 (indicating the current thread).  The following
73// syscalls are supported:
74//
75// sched_getaffinity(), sched_getattr(), sched_getparam(), sched_getscheduler(),
76// sched_rr_get_interval(), sched_setaffinity(), sched_setattr(),
77// sched_setparam(), sched_setscheduler()
78SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSchedTarget(pid_t target_pid,
79                                                       int sysno);
80
81// Restricts the |pid| argument of prlimit64 to 0 (meaning the calling process)
82// or target_pid.
83SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrlimit64(pid_t target_pid);
84
85// Restricts the |who| argument of getrusage to RUSAGE_SELF (meaning the calling
86// process).
87SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetrusage();
88
89// Restrict |clk_id| for clock_getres(), clock_gettime() and clock_settime().
90// We allow accessing only CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID,
91// CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID.  In particular, this disallows
92// access to arbitrary per-{process,thread} CPU-time clock IDs (such as those
93// returned by {clock,pthread}_getcpuclockid), which can leak information
94// about the state of the host OS.
95SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictClockID();
96
97}  // namespace sandbox.
98
99#endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
100