authormarkus@chromium.org <markus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-08 02:01:44 +0000
committermarkus@chromium.org <markus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-08 02:01:44 +0000
commit3e559a879200bfc10af1fbd182de31cb271e15e1 (patch)
treebc1846ad2beef113770c99b99901e1ef4ba0ff93 /sandbox/linux
parent6e15e3086c88c2011cf3bccd8a084f6b32815cee (diff)
Explicitly test bit 30 in the system call number to distinguish between the new x32 API and older Intel APIs.
Also, extend the system call range from 0..512 to 0..1024. This covers the extra system calls added with x32. As x32 isn't widely available yet, we don't add any other code to support it (e.g. we don't build a version of demo.cc that runs in x32). But by explicitly blocking it for i386 and x86-64 we ensure that a "default allow" policy is going to do the right thing. TEST=make && demo32 && demo64 BUG=130662 Review URL: https://chromiumcodereview.appspot.com/10542028 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@141155 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/linux')
-rw-r--r--sandbox/linux/seccomp-bpf/sandbox_bpf.cc29
-rw-r--r--sandbox/linux/seccomp-bpf/sandbox_bpf.h4
2 files changed, 27 insertions, 6 deletions
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
index e7b1da6..773a471 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
@@ -215,17 +215,37 @@ void Sandbox::installFilter() {
// system call.
std::vector<struct sock_filter> program;
program.push_back((struct sock_filter)
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
- offsetof(struct arch_seccomp_data, arch)));
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct arch_seccomp_data, arch)));
program.push_back((struct sock_filter)
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH, 1, 0));
+
+ // TODO: Instead of killing outright, we should raise a SIGSYS and
+ // report a useful error message. SIGKILL cannot be trapped by the
+ // debugger and essentially makes the program fail in a way that is
+ // almost impossible to debug.
program.push_back((struct sock_filter)
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO + SECCOMP_DENY_ERRNO));
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL));
// Grab the system call number, so that we can implement jump tables.
program.push_back((struct sock_filter)
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct arch_seccomp_data, nr)));
+ // On Intel architectures, verify that system call numbers are in the
+ // expected number range. The older i386 and x86-64 APIs clear bit 30
+ // on all system calls. The newer x86-32 API always sets bit 30.
+#if defined(__i386__) || defined(__x86_64__)
+#if defined(__x86_64__) && defined(__ILP32__)
+ program.push_back((struct sock_filter)
+ BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x40000000, 1, 0));
+#else
+ program.push_back((struct sock_filter)
+ BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x40000000, 0, 1));
+#endif
+ // TODO: raise a suitable SIGSYS signal
+ program.push_back((struct sock_filter)
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL));
+#endif
+
// Evaluate all possible system calls and depending on their
// exit codes generate a BPF filter.
// This is very inefficient right now. We need to be much smarter
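Review bot: The comment above the new bit-30 check calls the new ABI the "x86-32 API", which is the common name for i386 — the very ABI the sentence is contrasting it with — so on the new side it should read `// The newer x32 API always sets bit 30.` The mask 0x40000000 is also spelled twice as a bare literal in the two JSET lines; x86-64 kernel headers export it as `__X32_SYSCALL_BIT` in `<asm/unistd.h>` (if the toolchain's headers are recent enough), otherwise a named file-level constant such as `static const uint32_t kX32SyscallBit = 0x40000000;` would make the jumps self-describing. Since the check sits after the arch compare, on i386 it can only see AUDIT_ARCH_I386 numbers and the x32 branch is dead there; that appears intentional per the commit message but deserves a sentence in the comment. Sandbox::installFilter continues past the end of this hunk.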
@@ -266,8 +286,9 @@ void Sandbox::installFilter() {
// Everything that isn't allowed is forbidden. Eventually, we would
// like to have a way to log forbidden calls, when in debug mode.
+ // TODO: raise a suitable SIGSYS signal
program.push_back((struct sock_filter)
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO + SECCOMP_DENY_ERRNO));
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL));
// Install BPF filter program
const struct sock_fprog prog = { program.size(), &program[0] };
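Review bot: `sock_fprog.len` is an `unsigned short`, and the line building `prog` from `program.size()` has no range check; with MAX_SYSCALL doubled to 1024 and the earlier comment stating that every system call is still evaluated one by one, the program grows, an oversized filter would be refused by the kernel at install time (its cap is `BPF_MAXINSNS`) rather than diagnosed here, and a size over 65535 would be silently truncated into `len`. A guard before the install, `if (program.size() > BPF_MAXINSNS) { /* refuse to install */ }`, makes that failure explicit; the install call and its error handling lie outside this hunk. Switching the final rule from errno to SECCOMP_RET_KILL also means a denied call now terminates the process instead of returning to the caller, so a one-line comment stating that fail-closed is the intended default (with the SIGSYS TODO as the follow-up) would help readers of the policy.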
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index c3f504a..3501e62 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -72,7 +72,7 @@
#if defined(__i386__)
#define MIN_SYSCALL 0
-#define MAX_SYSCALL 512
+#define MAX_SYSCALL 1024
#define SECCOMP_ARCH AUDIT_ARCH_I386
#define REG_RESULT REG_EAX
#define REG_SYSCALL REG_EAX
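Review bot: MAX_SYSCALL is raised to 1024 without a comment recording why, and the header does not say whether the bound is inclusive; the commit message ties the value to the x32-only system calls, so the definition should carry that, e.g. `#define MAX_SYSCALL 1024  // room for the x32-only calls (numbered from 512); bit 30 is checked separately in installFilter()`. i386 has no x32 ABI, so for this branch the larger range only enlarges the filter; if that is deliberate, saying so avoids a later "why not 512" question. The same literal is repeated in the x86-64 branch below, so one shared definition would keep the two from drifting.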
@@ -84,7 +84,7 @@
#define REG_PARM6 REG_EBP
#elif defined(__x86_64__)
#define MIN_SYSCALL 0
-#define MAX_SYSCALL 512
+#define MAX_SYSCALL 1024
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#define REG_RESULT REG_RAX
#define REG_SYSCALL REG_RAX