author | jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-30 03:10:26 +0000 |
committer | jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-30 03:10:26 +0000 |
commit | d705c2ecc8141331f29cd21b1d2fa4822bd827a1 (patch) | |
tree | a0a258894c26d9ab8bc26926e5bdfd978e9d85e2 | |
parent | 8ddfe318975cb55f0bd198495b6db81367742afc (diff) | |
Linux: add a seccomp-bpf sandbox for renderers
Renderers are now sandboxed under seccomp-bpf.
We also make seccomp-bpf the default sandbox, even when seccomp-legacy
is enabled (which is the case in Debug builds).
BUG=145327
NOTRY=true
Review URL: https://chromiumcodereview.appspot.com/10885021
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@154054 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | content/common/sandbox_init_linux.cc | 15 | ||||
-rw-r--r-- | content/common/sandbox_linux.cc | 17 | ||||
-rw-r--r-- | content/common/sandbox_seccomp_bpf_linux.cc | 51 |
3 files changed, 59 insertions, 24 deletions
diff --git a/content/common/sandbox_init_linux.cc b/content/common/sandbox_init_linux.cc
index 56830a4..1c59e9e 100644
--- a/content/common/sandbox_init_linux.cc
+++ b/content/common/sandbox_init_linux.cc
@@ -33,15 +33,12 @@ bool InitializeSandbox() {
     return false;
   }
 
-  // First, try to enable seccomp-legacy.
-  seccomp_legacy_started = linux_sandbox->StartSeccompLegacy(process_type);
-
-  // Then, try to enable seccomp-bpf.
-  // If seccomp-legacy is enabled, seccomp-bpf initialization will crash
-  // instead of failing gracefully.
-  // TODO(markus): fix this (crbug.com/139872).
-  if (!seccomp_legacy_started) {
-    seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
+  // First, try to enable seccomp-bpf.
+  seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
+
+  // If that fails, try to enable seccomp-legacy.
+  if (!seccomp_bpf_started) {
+    seccomp_legacy_started = linux_sandbox->StartSeccompLegacy(process_type);
   }
 
   return seccomp_legacy_started || seccomp_bpf_started;
diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
index fb39c11..ad73fe6 100644
--- a/content/common/sandbox_linux.cc
+++ b/content/common/sandbox_linux.cc
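Review bot: The new comment `// First, try to enable seccomp-bpf.` drops the reason the order matters, and nothing left in the hunk records it. The removed lines state that initializing seccomp-bpf once seccomp-legacy is active crashes rather than failing gracefully (crbug.com/139872), which is exactly why seccomp-bpf has to be attempted first; a later reordering would reintroduce that crash without any comment warning against it. Suggest `// First, try to enable seccomp-bpf. It must go before seccomp-legacy: enabling seccomp-bpf after seccomp-legacy crashes instead of failing (crbug.com/139872).` InitializeSandbox begins before this hunk, so the declarations of the two *_started flags are not visible here.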
@@ -158,16 +158,21 @@ int LinuxSandbox::GetStatus() const {
     if (setuid_sandbox_client_->IsInNewNETNamespace())
       sandbox_flags |= kSandboxLinuxNetNS;
   }
-  if (seccomp_legacy_supported() &&
-      ShouldEnableSeccompLegacy(switches::kRendererProcess)) {
+
+  if (seccomp_bpf_supported() &&
+      SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) {
     // We report whether the sandbox will be activated when renderers go
     // through sandbox initialization.
-    sandbox_flags |= kSandboxLinuxSeccompLegacy;
+    sandbox_flags |= kSandboxLinuxSeccompBpf;
   }
-  if (seccomp_bpf_supported() &&
-      SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) {
+
+  // We only try to enable seccomp-legacy when seccomp-bpf is not supported
+  // or not enabled.
+  if (!(sandbox_flags & kSandboxLinuxSeccompBpf) &&
+      seccomp_legacy_supported() &&
+      ShouldEnableSeccompLegacy(switches::kRendererProcess)) {
     // Same here, what we report is what we will do for the renderer.
-    sandbox_flags |= kSandboxLinuxSeccompBpf;
+    sandbox_flags |= kSandboxLinuxSeccompLegacy;
   }
   return sandbox_flags;
 }
diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc
index 37d5261..497996b 100644
--- a/content/common/sandbox_seccomp_bpf_linux.cc
+++ b/content/common/sandbox_seccomp_bpf_linux.cc
@@ -906,13 +906,13 @@ bool IsSystemVSemaphores(int sysno) {
 
 #if defined(__x86_64__)
 // These give a lot of ambient authority and bypass the setuid sandbox.
-bool IsAllowedSystemVSharedMemory(int sysno) {
+bool IsSystemVSharedMemory(int sysno) {
   switch (sysno) {
     case __NR_shmat:
     case __NR_shmctl:
     case __NR_shmdt:
-      return true;
     case __NR_shmget:
+      return true;
     default:
       return false;
   }
@@ -1139,9 +1139,6 @@ bool IsBaselinePolicyWatched_x86_64(int sysno) {
   if (IsAdminOperation(sysno) ||
       IsAdvancedScheduler(sysno) ||
       IsAdvancedTimer(sysno) ||
-#if defined(__x86_64__)
-      IsAllowedSystemVSharedMemory(sysno) ||
-#endif
       IsAsyncIo(sysno) ||
       IsDebug(sysno) ||
       IsEventFd(sysno) ||
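Review bot: GetStatus now reports kSandboxLinuxSeccompBpf purely from `seccomp_bpf_supported()` and `ShouldEnableSeccompBpf`, while InitializeSandbox in the first file falls back to seccomp-legacy whenever StartSeccompBpf returns false. If StartSeccompBpf can still fail at runtime when both predicates hold (this hunk does not show whether it can), the status would claim seccomp-bpf and omit the legacy fallback that actually ran, and the new `!(sandbox_flags & kSandboxLinuxSeccompBpf)` guard would suppress the legacy flag for the same reason. Worth confirming that StartSeccompBpf cannot fail once those predicates pass, or recording the assumption next to the existing comment: `// Assumes StartSeccompBpf() succeeds whenever these predicates hold; otherwise InitializeSandbox falls back to seccomp-legacy and this status is stale.`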
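Review bot: Moving `return true;` below `case __NR_shmget:` changes the helper's result for shmget from false (it previously fell through to `default`) to true, and after the renames in the later hunks that result feeds the renderer and Flash allow paths as well as the baseline watch list. Neither the commit description nor the unchanged comment above the function mentions this widening. If it is intended, say so in the comment, e.g. `// These give a lot of ambient authority and bypass the setuid sandbox. shmget is included so callers see the whole SysV shared-memory family.`; if it was not, the old placement should be restored.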
@@ -1169,6 +1166,7 @@ bool IsBaselinePolicyWatched_x86_64(int sysno) {
 #if defined(__x86_64__)
       IsSystemVMessageQueue(sysno) ||
       IsSystemVSemaphores(sysno) ||
+      IsSystemVSharedMemory(sysno) ||
 #elif defined(__i386__)
       IsSystemVIpc(sysno) ||
 #endif
@@ -1239,6 +1237,38 @@ playground2::Sandbox::ErrorCode GpuProcessPolicy_x86_64(int sysno) {
   }
 }
 
+playground2::Sandbox::ErrorCode RendererProcessPolicy_x86_64(int sysno) {
+  switch (sysno) {
+    case __NR_ioctl:
+      return ENOTTY;
+    case __NR_fdatasync:
+    case __NR_fsync:
+#if defined(__i386__) || defined(__x86_64__)
+    case __NR_getrlimit:
+#endif
+    case __NR_pread64:
+    case __NR_pwrite64:
+    case __NR_sched_get_priority_max:
+    case __NR_sched_get_priority_min:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_setscheduler:
+    case __NR_setpriority:
+    case __NR_sysinfo:
+    case __NR_times:
+    case __NR_uname:
+      return playground2::Sandbox::SB_ALLOWED;
+    default:
+#if defined(__x86_64__)
+      if (IsSystemVSharedMemory(sysno))
+        return playground2::Sandbox::SB_ALLOWED;
+#endif
+
+      // Default on the baseline policy.
+      return BaselinePolicy_x86_64(sysno);
+  }
+}
+
 // x86_64 only for now. Needs to be adapted and tested for i386.
 playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
   switch (sysno) {
@@ -1256,12 +1286,12 @@ playground2::Sandbox::ErrorCode FlashProcessPolicy_x86_64(int sysno) {
 #if defined(__x86_64__)
       // These are under investigation, and hopefully not here for the long
       // term.
-      if (IsAllowedSystemVSharedMemory(sysno))
+      if (IsSystemVSharedMemory(sysno))
         return playground2::Sandbox::SB_ALLOWED;
 #endif
 
       // Default on the baseline policy.
-    return BaselinePolicy_x86_64(sysno);
+      return BaselinePolicy_x86_64(sysno);
   }
 }
 
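Review bot: RendererProcessPolicy_x86_64 allows the whole IsSystemVSharedMemory family in its `default` branch without a comment, although the comment above that helper in the earlier hunk says these calls give a lot of ambient authority and bypass the setuid sandbox, and the Flash policy in the next hunk marks the same allowance as under investigation. The renderer grant deserves at least the same note plus a tracking reference, e.g. `// SysV shared memory bypasses the setuid sandbox; allowed here pending <TODO: bug id>.` The allow list also contains `__NR_sched_setscheduler` and `__NR_setpriority`, which change scheduling rather than only query it; a one-line reason next to each would make the widening over the baseline reviewable. Separately, `#if defined(__i386__) || defined(__x86_64__)` around `__NR_getrlimit` sits inside a function whose name and surrounding `#if defined(__x86_64__)` guards say it is x86_64-only — presumably harmless, but worth aligning with the rest of the file.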
@@ -1326,8 +1356,11 @@ playground2::Sandbox::EvaluateSyscall GetProcessSyscallPolicy(
     return FlashProcessPolicy_x86_64;
   }
 
-  if (process_type == switches::kRendererProcess ||
-      process_type == switches::kWorkerProcess) {
+  if (process_type == switches::kRendererProcess) {
+    return RendererProcessPolicy_x86_64;
+  }
+
+  if (process_type == switches::kWorkerProcess) {
     return BlacklistDebugAndNumaPolicy;
   }
   NOTREACHED();
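Review bot: Worker processes keep BlacklistDebugAndNumaPolicy while renderers move to the allow-list RendererProcessPolicy_x86_64, and nothing in the hunk says why workers are excluded or whether they are meant to follow. A short comment on the new `if (process_type == switches::kWorkerProcess)` branch, e.g. `// TODO: workers still use the blacklist policy; evaluate RendererProcessPolicy_x86_64 for them.`, would keep the gap visible to the next reader. GetProcessSyscallPolicy starts before this hunk.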