| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
BUG=32501
TEST=none
Review URL: http://codereview.chromium.org/672011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40946 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
were observed on some machines (in particular in 32bit mode).
- Some more changes to avoid calling into glibc when we can make a direct
system call, instead. These particular call sites were unlikely to cause
any problems. But it makes the code easier to audit if we avoid all
unnecessary calls into glibc.
- In 64bit mode, gettimeofday() is handled by vsyscalls and tends to be cheap.
In 32bit mode, it is just a regular system call. Some users rely on being
able to call gettimeofday() at a very high rate (up to thousands of
consecutive calls). Recognize this system call pattern and optimize for it.
- Add debugging option that allows us to warn about expensive system calls.
In many cases, these warnings can then be used to optimize the sandboxed
application.
- Fix compilation on newer versions of gcc.
- Changed the x86-32 version of the code that we use when intercepting
system calls. Previously, we would use CALL to jump to the set of
instructions that we had relocated. But we made the mistake of allowing
relocation of instructions that reference %esp. This doesn't work, as
CALL modifies the stack. We now avoid using CALL and instead jump
directly. On x86-32 that requires the use of a PUSH/RET combination as
there is no 32bit wide JMP instruction.
The x86-64 version of the code was already written in a way that would
avoid this particular problem.
(I would like to thank Craig Schlenter for his exceptional detective
work in tracking down the root cause of this bug!)
- For debugging purposes, injected a really small library (less than 4kB)
and discovered that some of our memory map manipulations implicitly
relied on mappings to be at least two pages long. Fixed the code that
made this incorrect assumption.
- For really small libraries, the runtime linker can choose a different
more compact layout. Our computation of the ASR offset did not know how
to deal with that. Fixed by explicitly looking for a ".text" segment
instead of looking for a PT_DYNAMIC section.
- Closed a file descriptor that we kept open longer than needed.
- Removed some unused code.
- Added copyright headers
TEST=tested on i386 and x86-64
BUG=36133
Review URL: http://codereview.chromium.org/661438
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40900 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This avoids false positives if the directory name matches one of the well-known
library names (e.g. ld).
False positives not only result in a performance hit at startup, because we
are now trying to instrument libraries that don't actually contain any system
calls; but even worse than this, we could try to instrument system calls in
the sandboxing code itself. And those system calls are deliberately coded so
that they will not get rewritten.
Fortunately, none of this is a security problem. If we accidentally rewrite
system calls that weren't supposed to be rewritten, we will just crash on
startup.
TEST=the sandbox now works on the buildbots
BUG=36133
Review URL: http://codereview.chromium.org/652188
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39839 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
| |
code hard to understand (and possibly broken) otherwise, some versions of
GCC complain about the comparison without the cast.
TEST=none
BUG=none
Review URL: http://codereview.chromium.org/657034
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39838 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this means the calls will still be denied. But we now return a correct return
code.
But more importantly, this change brings the source code in line with the code
of the stand-alone opensource sandbox. Wherever possible, we try to keep both
code bases identical.
TEST=none
BUG=none
Review URL: http://codereview.chromium.org/657040
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39837 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
| |
This is needed for opening the renderer<->plugin channel.
TEST=flash works in seccomp mode
Review URL: http://codereview.chromium.org/563024
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@38037 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were hitting a stack overflow on renderer startup, because of the following:
When we patch out syscalls, we need a scratch space near (within a 32-bit jump)
of the original code. We pick the scratch space as the end of the nearest empty
region available before the code we're patching. For the vdso region, the
stack lies directly before it and so the region we'd grab was directly before
the stack. This meant that as soon as the stack attempted to grow it'd fail
because it ran into our patch region, and we'd hit a stack overflow.
The fix is to specially note when we're near the stack region, and instead put
our scratch space as far away from the stack as possible.
Review URL: http://codereview.chromium.org/518071
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35759 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
| |
already put a chroot() jail around it. The only tricky part is access
to /proc/self/maps, but we can safely pass in an open file descriptor.
BUG=26527
Review URL: http://codereview.chromium.org/371047
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@31372 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
this feature, and if no other obstacle prevents us from enabling it.
Otherwise, we print a warning message and continue running without the sandbox.
This is not ideal, but given the non-trivial number of users who might not have
seccomp enabled by default, this seems the prudent approach.
BUG=26521
Review URL: http://codereview.chromium.org/341092
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@30966 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
enough to just pass the address of a structure as an input parameter
to assembly code. The assembly code must also mark "memory" as getting
clobbered, even if it only wants to read from the structure. This
seems to be a result of strict aliasing and the lack of an ability for
the assembly code to clearly say which pointers it dereferences.
Furthermore, if the assembly code touches the stack (e.g. uses
"push"), it must now mark the stack pointer as getting
clobbered. Otherwise, GCC assumes that the red zone won't be
clobbered, and that it is possible to use the stack pointer as an
input register.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/320008
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29829 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
internal. This ensures
that the linker won't complain about IP relative addressing for symbols that could be overridden at
run-time.
- avoided using "g" register constraints, as there has been a report of some versions of GCC
erroneously generating code that is no longer position independant when this constraint is used.
- removed the old code that fork()'s a child to try to extend mappings of libraries at run-time. This
code always was somewhat fragile and caused a measurable performance penalty when the sandbox was
started. Replaced with code that remapped just the very first page. This can actually be done in a
running process without disrupting the use of the libraries.
- added a special case for the instrumentation code allowing it to deal with jumps between the VDSO
and VSyscalls even if the instructions would normally not be eligible for interception as they are IP
relative. After making this change, we can again find sufficiently large code snippets to rewrite them
successfully. This is only a concern on x86_64.
- fixed a bug that would erroneously look for IP relative addressing on x86_32. It doesn't exist for
that architecture.
TEST=none
BUG=http://code.google.com/p/chromium/issues/detail?id=18337
Review URL: http://codereview.chromium.org/306036
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29726 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
| |
TEST=none
BUG=none
Review URL: http://codereview.chromium.org/204012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26175 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
is neither sufficient nor necessary. The header does not actually include a
definition for futex(). And while it does include definitions for useful
constants, the version of the file that is shipped by some distributions (e.g
Centos) doesn't even compile as it is meant to only be used by the Linux kernel.
TEST=none
BUG=none
Review URL: http://codereview.chromium.org/193104
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26167 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(Patch by Markus)
This allows the fast path to use read()/write() instead of recvmsg()/sendmsg()
which is much cheaper for the Seccomp sandbox.
Also, fixed minor seccomp sandbox issues discovered by this change.
BUG=19120
ISSUE=164373
http://codereview.chromium.org/177049
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@25518 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
| |
http://codereview.chromium.org/164484
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23318 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Constness of return values and paramaters were causing compiler errors.
BUG=19120
ISSUE=164373
Review URL: http://codereview.chromium.org/164414
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23202 0039d316-1c4b-4281-b951-d872f2087c98
|
|
|
http://code.google.com/p/seccompsandbox/
Make the seccomp sandbox dependant on the --enable-seccomp-sandbox flag
Review URL: http://codereview.chromium.org/165310
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23087 0039d316-1c4b-4281-b951-d872f2087c98
|
