author | hidehiko <hidehiko@chromium.org> | 2015-10-26 00:52:19 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-10-26 07:53:31 +0000 |
commit | 34f421f9fab6a229e1eb5c8783a83fd69f9a5426 (patch) | |
tree | 28b6ee8477997f46c3431d51582f2d63f5c5f0d4 /components/nacl/loader | |
parent | 3755a8969a76477ebedd601340234d7335a8856e (diff) | |
Non-SFI mode: Harden the seccomp-bpf sandbox.
Some syscalls were tolerated (denied with EPERM rather than killed with SIGSYS) because glibc used them.
We switched to newlib for Non-SFI mode, so now we can
restrict those syscalls.
BUG=539866
TEST=Ran browser_tests --gtest_filter=*NonSfi* and nacl_helper_nonsfi_unittests
Review URL: https://codereview.chromium.org/1418003004
Cr-Commit-Position: refs/heads/master@{#356018}
Diffstat (limited to 'components/nacl/loader')
3 files changed, 7 insertions, 38 deletions
diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
index 5a0249f..9478a9d 100644
--- a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
+++ b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
@@ -174,23 +174,8 @@ bool IsGracefullyDenied(int sysno) {
 case __NR_getuid:
 // tcmalloc calls madvise in TCMalloc_SystemRelease.
 case __NR_madvise:
- // EPERM instead of SIGSYS as glibc tries to open files in /proc.
- // openat via opendir via get_nprocs_conf and open via get_nprocs.
- // TODO(hamaji): Remove this when we switch to newlib.
- case __NR_open:
- case __NR_openat:
 // For RunSandboxSanityChecks().
 case __NR_ptrace:
- // glibc uses this for its pthread implementation. If we return
- // EPERM for this, glibc will stop using this.
- // TODO(hamaji): newlib does not use this. Make this SIGTRAP once
- // we have switched to newlib.
- case __NR_set_robust_list:
- // This is obsolete in ARM EABI, but x86 glibc indirectly calls
- // this in sysconf.
-#if defined(__i386__) || defined(__x86_64__)
- case __NR_time:
-#endif
 return true;
 default:
@@ -308,15 +293,6 @@ ResultExpr NaClNonSfiBPFSandboxPolicy::EvaluateSyscall(int sysno) const {
 case __NR_tgkill:
 return RestrictTgkill(policy_pid_);
- case __NR_brk:
- // The behavior of brk on Linux is different from other system
- // calls. It does not return errno but the current break on
- // failure. glibc thinks brk failed if the return value of brk
- // is less than the requested address (i.e., brk(addr) < addr).
- // So, glibc thinks brk succeeded if we return -EPERM and we
- // need to return zero instead.
- return Error(0);
-
 default:
 if (IsGracefullyDenied(sysno))
 return Error(EPERM);
diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox_sigsys_unittest.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox_sigsys_unittest.cc
index acc98b7..53acaa6 100644
--- a/components/nacl/loader/nonsfi/nonsfi_sandbox_sigsys_unittest.cc
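Review bot: The surviving EPERM list in IsGracefullyDenied no longer states the assumption it encodes — the removed TODO(hamaji) comments were the only place recording that the glibc-only entries (open/openat, set_robust_list, time) were tolerated rather than killed, and nothing on the new side says they are now meant to end in SIGSYS. Every entry that stays in this function is a syscall a compromised nexe can probe without the process being killed, so the list deserves one sentence naming its invariant; at the top of the list (its first entries are above the hunk) I would add `// Non-SFI nexes are newlib-based: syscalls only glibc needed (open, openat, set_robust_list, time, brk) are deliberately absent here and crash with SIGSYS.` The `// tcmalloc calls madvise in TCMalloc_SystemRelease.` justification next to `case __NR_madvise:` is presumably still valid under newlib, but it is worth re-confirming now that the glibc-era reasons beside it have been retired. IsGracefullyDenied's header and its `return false` lie outside the hunk.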
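Review bot: With the `case __NR_brk:` arm removed, a brk call now reaches `default:` and, since IsGracefullyDenied no longer lists it, presumably the crash path below the hunk — but nothing in the new code records that this outcome is intentional. The reason the arm existed is still a useful warning for whoever next touches this switch: brk returns the current break rather than -errno, so any caller that tests `brk(addr) < addr` would read an `Error(EPERM)` as success, which is exactly why a graceful EPERM must never be reintroduced for it. I would add before `default:` the comment `// brk is deliberately not gracefully denied: it returns the current break, not -errno, so EPERM would be misread as success; let it crash.` The remainder of EvaluateSyscall, including the crash default, is outside the hunk.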
+++ b/components/nacl/loader/nonsfi/nonsfi_sandbox_sigsys_unittest.cc
@@ -71,6 +71,7 @@ RESTRICT_SYSCALL_DEATH_TEST(bind);
 #if defined(__i386__)
 RESTRICT_SYSCALL_DEATH_TEST(break);
 #endif
+RESTRICT_SYSCALL_DEATH_TEST(brk);
 RESTRICT_SYSCALL_DEATH_TEST(capget);
 RESTRICT_SYSCALL_DEATH_TEST(capset);
 RESTRICT_SYSCALL_DEATH_TEST(chdir);
@@ -323,6 +324,8 @@ RESTRICT_SYSCALL_DEATH_TEST(oldstat);
 #if defined(__i386__)
 RESTRICT_SYSCALL_DEATH_TEST(olduname);
 #endif
+RESTRICT_SYSCALL_DEATH_TEST(open);
+RESTRICT_SYSCALL_DEATH_TEST(openat);
 RESTRICT_SYSCALL_DEATH_TEST(open_by_handle_at);
 RESTRICT_SYSCALL_DEATH_TEST(pause);
 #if defined(__arm__)
@@ -426,6 +429,7 @@ RESTRICT_SYSCALL_DEATH_TEST(sendmmsg);
 RESTRICT_SYSCALL_DEATH_TEST(sendto);
 #endif
 RESTRICT_SYSCALL_DEATH_TEST(set_mempolicy);
+RESTRICT_SYSCALL_DEATH_TEST(set_robust_list);
 #if defined(__i386__) || defined(__x86_64__)
 RESTRICT_SYSCALL_DEATH_TEST(set_thread_area);
 #endif
@@ -552,6 +556,9 @@ RESTRICT_SYSCALL_DEATH_TEST(sysinfo);
 RESTRICT_SYSCALL_DEATH_TEST(syslog);
 RESTRICT_SYSCALL_DEATH_TEST(tee);
 RESTRICT_SYSCALL_DEATH_TEST(tgkill);
+#if defined(__i386__) || defined(__x86_64__)
+RESTRICT_SYSCALL_DEATH_TEST(time);
+#endif
 RESTRICT_SYSCALL_DEATH_TEST(timer_create);
 RESTRICT_SYSCALL_DEATH_TEST(timer_delete);
 RESTRICT_SYSCALL_DEATH_TEST(timer_getoverrun);
diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc
index 85b94a8..f99acf05 100644
--- a/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc
+++ b/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc
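Review bot: `RESTRICT_SYSCALL_DEATH_TEST(open);` is added without an architecture guard, whereas the `time` entry further down is wrapped in `#if defined(__i386__) || defined(__x86_64__)`, so the two new SIGSYS expectations are not protected the same way. That matches the unguarded `open_by_handle_at` beside it and is fine for the i386, x86_64 and ARM targets the other guards in this file name, but on a later target without a legacy `__NR_open` the file would stop compiling even though the `openat` death test is the one that actually matters there. If that ever comes up, `#if defined(__NR_open)` around the `open` line keeps the test and the policy in step; nothing needs to change today. These are file-scope macro invocations, so the hunk boundaries cut no enclosing function.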
@@ -560,14 +560,6 @@ BPF_DEATH_TEST_C(NaClNonSfiSandboxTest,
 mprotect(ptr, getpagesize(), PROT_READ | PROT_GROWSDOWN);
 }
-BPF_TEST_C(NaClNonSfiSandboxTest,
- brk,
- nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
- char* next_brk = static_cast<char*>(sbrk(0)) + getpagesize();
- // The kernel interface must return zero for brk.
- BPF_ASSERT_EQ(0, syscall(__NR_brk, next_brk));
-}
-
 // clockid restrictions are mostly tested in sandbox/ with the
 // RestrictClockID() unittests. Some basic tests are duplicated here as
 // a precaution.
@@ -695,13 +687,7 @@ RESTRICT_SYSCALL_EPERM_TEST(geteuid);
 RESTRICT_SYSCALL_EPERM_TEST(getgid);
 RESTRICT_SYSCALL_EPERM_TEST(getuid);
 RESTRICT_SYSCALL_EPERM_TEST(madvise);
-RESTRICT_SYSCALL_EPERM_TEST(open);
-RESTRICT_SYSCALL_EPERM_TEST(openat);
 RESTRICT_SYSCALL_EPERM_TEST(ptrace);
-RESTRICT_SYSCALL_EPERM_TEST(set_robust_list);
-#if defined(__i386__) || defined(__x86_64__)
-RESTRICT_SYSCALL_EPERM_TEST(time);
-#endif
 }  // namespace |