author | rickyz <rickyz@chromium.org> | 2014-11-21 17:46:05 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2014-11-22 01:46:32 +0000 |
commit | 1786cee689835689580a72dd7987ef95ef1f0fb6 (patch) | |
tree | dfa4f2d9b070d05a624f51ea7a803bfd0accb654 /sandbox | |
parent | 7a9d3c87e6957880aee09980e85a7a9ce4ee4326 (diff) | |
Restrict clock_getres and prlimit64 on the NaCl helper.
BUG=270914, 413855
Review URL: https://codereview.chromium.org/693023003
Cr-Commit-Position: refs/heads/master@{#305337}
Diffstat (limited to 'sandbox')
3 files changed, 39 insertions, 0 deletions
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index 82cdc8d..2d3e7de 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -286,5 +286,9 @@ ResultExpr RestrictSchedTarget(pid_t target_pid, int sysno) {
 }
 }
+ResultExpr RestrictPrlimit64(pid_t target_pid) {
+ const Arg<pid_t> pid(0);
+ return If(pid == 0 || pid == target_pid, Allow()).Else(CrashSIGSYS());
+}
 } // namespace sandbox.
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
index ec30511..8bde616 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -87,6 +87,10 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictClockID();
 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSchedTarget(pid_t target_pid, int sysno);
+// Restricts the |pid| argument of prlimit64 to 0 (meaning the calling process)
+// or target_pid.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrlimit64(pid_t target_pid);
+
 } // namespace sandbox.
 #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
index c97d95e..264ee4d 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
@@ -6,7 +6,9 @@
 #include <errno.h>
 #include <sched.h>
+#include <sys/resource.h>
 #include <sys/syscall.h>
+#include <sys/types.h>
 #include <time.h>
 #include <unistd.h>
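Review bot: RestrictPrlimit64 compiles `target_pid` into the filter as a constant, so the rule is only correct for the one process whose pid was supplied when the policy was built; if the installed filter is inherited across fork(), a child that calls prlimit64 with its own real pid (rather than 0) is killed with SIGSYS, while pid 0 keeps working. That may be exactly the intent for the NaCl helper, but neither the new function in this hunk nor the header comment added in the syscall_parameters_restrictions.h hunk says so, and the unit test builds the policy with `getpid()`, which hides the distinction. Suggested comment above the `return` line: `// target_pid is baked into the filter; a process that inherits it must pass pid 0 (self), not its own pid.` with a matching sentence appended to the header comment.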
@@ -209,6 +211,35 @@ BPF_DEATH_TEST_C(ParameterRestrictions,
 sched_getparam(kInitPID, ¶m);
 }
+class RestrictPrlimit64Policy : public bpf_dsl::Policy {
+ public:
+ RestrictPrlimit64Policy() {}
+ ~RestrictPrlimit64Policy() override {}
+
+ ResultExpr EvaluateSyscall(int sysno) const override {
+ switch (sysno) {
+ case __NR_prlimit64:
+ return RestrictPrlimit64(getpid());
+ default:
+ return Allow();
+ }
+ }
+};
+
+BPF_TEST_C(ParameterRestrictions, prlimit64_allowed, RestrictPrlimit64Policy) {
+ BPF_ASSERT_EQ(0, syscall(__NR_prlimit64, 0, RLIMIT_AS, NULL, NULL));
+ BPF_ASSERT_EQ(0, syscall(__NR_prlimit64, getpid(), RLIMIT_AS, NULL, NULL));
+}
+
+BPF_DEATH_TEST_C(ParameterRestrictions,
+ prlimit64_crash_not_self,
+ DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
+ RestrictPrlimit64Policy) {
+ const pid_t kInitPID = 1;
+ BPF_ASSERT_NE(kInitPID, getpid());
+ syscall(__NR_prlimit64, kInitPID, RLIMIT_AS, NULL, NULL);
+}
+
 } // namespace
 } // namespace sandbox
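Review bot: The death test `prlimit64_crash_not_self` pins only `kInitPID = 1`, so the rejecting branch of `pid == 0 || pid == target_pid` is exercised with a single positive value; since pid_t is signed, a negative pid is the other boundary worth covering so that the filter (not the kernel's own ESRCH handling, which is what presumably applies otherwise) is what stops it. A second death test, or a second line in this one, with `syscall(__NR_prlimit64, -1, RLIMIT_AS, NULL, NULL);` would do. It is also worth a one-line comment on `prlimit64_allowed` that both limit pointers are deliberately NULL so the test checks only that the filter lets the call through, not that any limit is read or changed.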