authorjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-08-30 03:10:26 +0000
committerjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-08-30 03:10:26 +0000
commitd705c2ecc8141331f29cd21b1d2fa4822bd827a1 (patch)
treea0a258894c26d9ab8bc26926e5bdfd978e9d85e2
parent8ddfe318975cb55f0bd198495b6db81367742afc (diff)
Linux: add a seccomp-bpf sandbox for renderers
Renderers are now sandboxed under seccomp-bpf. We also make seccomp-bpf the default sandbox, even when seccomp-legacy is enabled (which is the case in Debug builds). BUG=145327 NOTRY=true Review URL: https://chromiumcodereview.appspot.com/10885021 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@154054 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--content/common/sandbox_init_linux.cc15
-rw-r--r--content/common/sandbox_linux.cc17
-rw-r--r--content/common/sandbox_seccomp_bpf_linux.cc51
3 files changed, 59 insertions, 24 deletions
diff --git a/content/common/sandbox_init_linux.cc b/content/common/sandbox_init_linux.cc
index 56830a4..1c59e9e 100644
--- a/content/common/sandbox_init_linux.cc
+++ b/content/common/sandbox_init_linux.cc
@@ -33,15 +33,12 @@ bool InitializeSandbox() {
return false;
}
- // First, try to enable seccomp-legacy.
- seccomp_legacy_started = linux_sandbox->StartSeccompLegacy(process_type);
-
- // Then, try to enable seccomp-bpf.
- // If seccomp-legacy is enabled, seccomp-bpf initialization will crash
- // instead of failing gracefully.
- // TODO(markus): fix this (crbug.com/139872).
- if (!seccomp_legacy_started) {
- seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
+ // First, try to enable seccomp-bpf.
+ seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
+
+ // If that fails, try to enable seccomp-legacy.
+ if (!seccomp_bpf_started) {
+ seccomp_legacy_started = linux_sandbox->StartSeccompLegacy(process_type);
}
return seccomp_legacy_started || seccomp_bpf_started;
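Review bot: The fallback on the new `if (!seccomp_bpf_started)` line is silent, so a renderer can end up under seccomp-legacy with no record of why seccomp-bpf did not start, while GetStatus() in sandbox_linux.cc predicts kSandboxLinuxSeccompBpf from ShouldEnableSeccompBpf() alone and would then disagree with what was actually engaged. The return value collapses both outcomes into one bool, so only a log line would distinguish them; a one-liner before the legacy attempt makes the downgrade visible, e.g. `LOG(WARNING) << "seccomp-bpf did not start; falling back to seccomp-legacy";`. InitializeSandbox() starts and ends outside the hunk.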
diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
index fb39c11..ad73fe6 100644
--- a/content/common/sandbox_linux.cc
+++ b/content/common/sandbox_linux.cc
@@ -158,16 +158,21 @@ int LinuxSandbox::GetStatus() const {
if (setuid_sandbox_client_->IsInNewNETNamespace())
sandbox_flags |= kSandboxLinuxNetNS;
}
- if (seccomp_legacy_supported() &&
- ShouldEnableSeccompLegacy(switches::kRendererProcess)) {
+
+ if (seccomp_bpf_supported() &&
+ SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) {
// We report whether the sandbox will be activated when renderers go
// through sandbox initialization.
- sandbox_flags |= kSandboxLinuxSeccompLegacy;
+ sandbox_flags |= kSandboxLinuxSeccompBpf;
}
- if (seccomp_bpf_supported() &&
- SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) {
+
+ // We only try to enable seccomp-legacy when seccomp-bpf is not supported
+ // or not enabled.
+ if (!(sandbox_flags & kSandboxLinuxSeccompBpf) &&
+ seccomp_legacy_supported() &&
+ ShouldEnableSeccompLegacy(switches::kRendererProcess)) {
// Same here, what we report is what we will do for the renderer.
- sandbox_flags |= kSandboxLinuxSeccompBpf;
+ sandbox_flags |= kSandboxLinuxSeccompLegacy;
}
return sandbox_flags;
}
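Review bot: The new seccomp-legacy block starting at `if (!(sandbox_flags & kSandboxLinuxSeccompBpf) &&` depends on the seccomp-bpf block above it having run first, and the order now mirrors the bpf-then-legacy attempt order in InitializeSandbox() (sandbox_init_linux.cc), but nothing in the function says so. A comment above the seccomp-bpf block would keep the two in step: `// Keep in sync with InitializeSandbox(): seccomp-bpf is tried first, seccomp-legacy only as fallback, so the legacy check must come after this one.` The retained `// Same here, ...` comment now sits on the legacy block rather than the bpf one, which still reads correctly. GetStatus() starts outside the hunk.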
diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc
index 37d5261..497996b 100644
--- a/content/common/sandbox_seccomp_bpf_linux.cc
+++ b/content/common/sandbox_seccomp_bpf_linux.cc
@@ -906,13 +906,13 @@ bool IsSystemVSemaphores(int sysno) {
#if defined(__x86_64__)
// These give a lot of ambient authority and bypass the setuid sandbox.
-bool IsAllowedSystemVSharedMemory(int sysno) {
+bool IsSystemVSharedMemory(int sysno) {
switch (sysno) {
case __NR_shmat:
case __NR_shmctl:
case __NR_shmdt:
- return true;
case __NR_shmget:
+ return true;
default:
return false;
}
@@ -1139,9 +1139,6 @@ bool IsBaselinePolicyWatched_x86_64(int sysno) {
if (IsAdminOperation(sysno) ||
IsAdvancedScheduler(sysno) ||
IsAdvancedTimer(sysno) ||
-#if defined(__x86_64__)
- IsAllowedSystemVSharedMemory(sysno) ||
-#endif
IsAsyncIo(sysno) ||
IsDebug(sysno) ||
IsEventFd(sysno) ||
@@ -1169,6 +1166,7 @@ bool IsBaselinePolicyWatched_x86_64(int sysno) {
#if defined(__x86_64__)
IsSystemVMessageQueue(sysno) ||
IsSystemVSemaphores(sysno) ||
+ IsSystemVSharedMemory(sysno) ||
#elif defined(__i386__)
IsSystemVIpc(sysno) ||
#endif
@@ -1239,6 +1237,38 @@ playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
}
}
+playground2::Sandbox::ErrorCode RendererProcessPolicy_x86_64(int sysno) {
+ switch (sysno) {
+ case __NR_ioctl:
+ return ENOTTY;
+ case __NR_fdatasync:
+ case __NR_fsync:
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_getrlimit:
+#endif
+ case __NR_pread64:
+ case __NR_pwrite64:
+ case __NR_sched_get_priority_max:
+ case __NR_sched_get_priority_min:
+ case __NR_sched_getparam:
+ case __NR_sched_getscheduler:
+ case __NR_sched_setscheduler:
+ case __NR_setpriority:
+ case __NR_sysinfo:
+ case __NR_times:
+ case __NR_uname:
+ return playground2::Sandbox::SB_ALLOWED;
+ default:
+#if defined(__x86_64__)
+ if (IsSystemVSharedMemory(sysno))
+ return playground2::Sandbox::SB_ALLOWED;
+#endif
+
+ // Default on the baseline policy.
+ return BaselinePolicy_x86_64(sysno);
+ }
+}
+
// x86_64 only for now. Needs to be adapted and tested for i386.
playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
switch (sysno) {
@@ -1256,12 +1286,12 @@ playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
#if defined(__x86_64__)
// These are under investigation, and hopefully not here for the long
// term.
- if (IsAllowedSystemVSharedMemory(sysno))
+ if (IsSystemVSharedMemory(sysno))
return playground2::Sandbox::SB_ALLOWED;
#endif
// Default on the baseline policy.
- return BaselinePolicy_x86_64(sysno);
+ return BaselinePolicy_x86_64(sysno);
}
}
@@ -1326,8 +1356,11 @@ playground2::Sandbox::EvaluateSyscall GetProcessSyscallPolicy(
return FlashProcessPolicy_x86_64;
}
- if (process_type == switches::kRendererProcess ||
- process_type == switches::kWorkerProcess) {
+ if (process_type == switches::kRendererProcess) {
+ return RendererProcessPolicy_x86_64;
+ }
+
+ if (process_type == switches::kWorkerProcess) {
return BlacklistDebugAndNumaPolicy;
}
NOTREACHED();
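Review bot: In the new RendererProcessPolicy_x86_64 the `default:` branch allows IsSystemVSharedMemory(sysno) unconditionally on x86_64, even though the helper's own comment in the first hunk says these calls "give a lot of ambient authority and bypass the setuid sandbox", and unlike FlashProcessPolicy_x86_64 there is no comment saying why the renderer needs them or that it is temporary. The rename hunk also moves `case __NR_shmget:` above `return true;`, so IsSystemVSharedMemory now matches all four shm syscalls instead of three, which widens what this branch grants and is not mentioned in the commit message; that is worth stating in the code. Suggest a comment above the check such as `// TODO: SysV shared memory bypasses the setuid sandbox; renderers need it for now -- track removal.` The allow-list above it (`__NR_sched_setscheduler`, `__NR_setpriority`, ...) would similarly benefit from a one-line note per group on why it is needed.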