1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ 6#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ 7 8#include <unistd.h> 9 10#include "build/build_config.h" 11#include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h" 12#include "sandbox/sandbox_export.h" 13 14// These are helpers to build seccomp-bpf policies, i.e. policies for a 15// sandbox that reduces the Linux kernel's attack surface. They return a 16// bpf_dsl::ResultExpr suitable to restrict certain system call parameters. 17 18namespace sandbox { 19 20// Allow clone(2) for threads. 21// Reject fork(2) attempts with EPERM. 22// Don't restrict on ASAN. 23// Crash if anything else is attempted. 24SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictCloneToThreadsAndEPERMFork(); 25 26// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE. 27// Crash if anything else is attempted. 28SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrctl(); 29 30// Allow TCGETS and FIONREAD. 31// Crash if anything else is attempted. 32SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictIoctl(); 33 34// Restrict the flags argument in mmap(2). 35// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | 36// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE. 37// Crash if any other flag is used. 38SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMmapFlags(); 39 40// Restrict the prot argument in mprotect(2). 41// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC. 42SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlags(); 43 44// Restrict fcntl(2) cmd argument to: 45// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC, 46// F_SETLK, F_SETLKW and F_GETLK. 47// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND | 48// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME. 49SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFcntlCommands(); 50 51#if defined(__i386__) || defined(__mips__) 52// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2), 53// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2). 54SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSocketcallCommand(); 55#endif 56 57// Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or 58// kill iff the first parameter is |target_pid|, crashing otherwise or if 59// |sysno| is tkill. 60SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictKillTarget(pid_t target_pid, 61 int sysno); 62 63// Crash if FUTEX_CMP_REQUEUE_PI is used in the second argument of futex(2). 64SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFutex(); 65 66// Crash if |which| is not PRIO_PROCESS. EPERM if |who| is not 0, neither 67// |target_pid| while calling setpriority(2) / getpriority(2). 68SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetSetpriority(pid_t target_pid); 69 70// Restricts |pid| for sched_* syscalls which take a pid as the first argument. 71// We only allow calling these syscalls if the pid argument is equal to the pid 72// of the sandboxed process or 0 (indicating the current thread). The following 73// syscalls are supported: 74// 75// sched_getaffinity(), sched_getattr(), sched_getparam(), sched_getscheduler(), 76// sched_rr_get_interval(), sched_setaffinity(), sched_setattr(), 77// sched_setparam(), sched_setscheduler() 78SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSchedTarget(pid_t target_pid, 79 int sysno); 80 81// Restricts the |pid| argument of prlimit64 to 0 (meaning the calling process) 82// or target_pid. 83SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrlimit64(pid_t target_pid); 84 85// Restricts the |who| argument of getrusage to RUSAGE_SELF (meaning the calling 86// process). 87SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetrusage(); 88 89// Restrict |clk_id| for clock_getres(), clock_gettime() and clock_settime(). 90// We allow accessing only CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID, 91// CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID. In particular, this disallows 92// access to arbitrary per-{process,thread} CPU-time clock IDs (such as those 93// returned by {clock,pthread}_getcpuclockid), which can leak information 94// about the state of the host OS. 95SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictClockID(); 96 97} // namespace sandbox. 98 99#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ 100