From 7ae1ce21c23d5d9586eb9d7c828b758bf610ebc7 Mon Sep 17 00:00:00 2001
From: "leecam@chromium.org"
Date: Fri, 22 Aug 2014 02:02:15 +0000
Subject: sandbox: Update known syscalls to kernel 3.17

Updated Arm, Mips, x86_32 and x86_64 syscall defines to match the latest kernel 3.17 at the time of this commit.
BUG=406123
TEST=sandbox_linux_unittests
Review URL: https://codereview.chromium.org/493603003
Cr-Commit-Position: refs/heads/master@{#291315}
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@291315 0039d316-1c4b-4281-b951-d872f2087c98
---
 .../linux/seccomp-bpf-helpers/baseline_policy.cc | 3 ++
 sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc | 21 ++++++++++++--
 sandbox/linux/seccomp-bpf-helpers/syscall_sets.h | 1 +
 sandbox/linux/services/arm_linux_syscalls.h | 32 ++++++++++++++++++++++
 sandbox/linux/services/mips_linux_syscalls.h | 16 +++++++++++
 sandbox/linux/services/x86_32_linux_syscalls.h | 28 +++++++++++++++++++
 sandbox/linux/services/x86_64_linux_syscalls.h | 28 +++++++++++++++++++
 7 files changed, 127 insertions(+), 2 deletions(-)
(limited to 'sandbox')
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index 7f4d559..1a6bec5 100644
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -181,6 +181,9 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
 return Error(fs_denied_errno);
 }
+ if (SyscallSets::IsSeccomp(sysno))
+ return Error(EPERM);
+
 if (SyscallSets::IsAnySystemV(sysno)) {
 return Error(EPERM);
 }
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index f31695f..d3b9807 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
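Review bot: The new `IsSeccomp` branch in baseline_policy.cc (EvaluateSyscallImpl, hunk at -181) has no comment saying why seccomp(2) is answered with EPERM, and it omits the braces that the neighbouring `IsAnySystemV` branch uses. Someone auditing the policy needs to see that this is a deliberate deny of the newly known syscall, so a line such as `// seccomp(2) is not needed inside the sandbox; fail it with EPERM.` would help if that is the intent, together with `if (SyscallSets::IsSeccomp(sysno)) {` and a closing brace for consistency. EvaluateSyscallImpl starts and ends outside the hunk, so whether an earlier branch already matches `__NR_seccomp` cannot be checked from here.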
@@ -107,6 +107,9 @@ bool SyscallSets::IsFileSystem(int sysno) {
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
 case __NR_lstat64:
 #endif
+#if !defined(__mips__)
+ case __NR_memfd_create:
+#endif
 case __NR_mkdir:
 case __NR_mkdirat:
 case __NR_mknod:
@@ -117,6 +120,7 @@ bool SyscallSets::IsFileSystem(int sysno) {
 case __NR_readlinkat:
 case __NR_rename:
 case __NR_renameat:
+ case __NR_renameat2:
 case __NR_rmdir:
 case __NR_stat: // EPERM not a valid errno.
 #if defined(__i386__)
@@ -564,6 +568,15 @@ bool SyscallSets::IsPrctl(int sysno) {
 }
 }
+bool SyscallSets::IsSeccomp(int sysno) {
+ switch (sysno) {
+ case __NR_seccomp:
+ return true;
+ default:
+ return false;
+ }
+}
+
 bool SyscallSets::IsAllowedBasicScheduler(int sysno) {
 switch (sysno) {
 case __NR_sched_yield:
@@ -605,6 +618,7 @@ bool SyscallSets::IsKernelModule(int sysno) {
 #endif
 case __NR_delete_module:
 case __NR_init_module:
+ case __NR_finit_module:
 return true;
 default:
 return false;
@@ -697,9 +711,7 @@ bool SyscallSets::IsDebug(int sysno) {
 case __NR_ptrace:
 case __NR_process_vm_readv:
 case __NR_process_vm_writev:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
 case __NR_kcmp:
-#endif
 return true;
 default:
 return false;
@@ -828,10 +840,12 @@ bool SyscallSets::IsAdvancedScheduler(int sysno) {
 case __NR_sched_get_priority_max:
 case __NR_sched_get_priority_min:
 case __NR_sched_getaffinity:
+ case __NR_sched_getattr:
 case __NR_sched_getparam:
 case __NR_sched_getscheduler:
 case __NR_sched_rr_get_interval:
 case __NR_sched_setaffinity:
+ case __NR_sched_setattr:
 case __NR_sched_setparam:
 case __NR_sched_setscheduler:
 return true;
@@ -915,6 +929,9 @@ bool SyscallSets::IsExtendedAttributes(int sysno) {
 // TODO(jln): classify this better.
 bool SyscallSets::IsMisc(int sysno) {
 switch (sysno) {
+#if !defined(_mips_)
+ case __NR_getrandom:
+#endif
 case __NR_name_to_handle_at:
 case __NR_open_by_handle_at:
 case __NR_perf_event_open:
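Review bot: The guard around `case __NR_getrandom:` in `SyscallSets::IsMisc` (syscall_sets.cc, hunk at -915) tests `_mips_`, which is not the macro the rest of this file tests, so `!defined(_mips_)` is presumably true on every architecture and excludes nothing. It should read `#if !defined(__mips__)`, matching the `__NR_memfd_create` guard added to `IsFileSystem` in the first hunk of this file. The mips_linux_syscalls.h changes in this commit stop at `__NR_seccomp` and define no `__NR_getrandom`, so a MIPS build would compile only if the system headers happen to supply the number. Because these sets feed the seccomp-bpf policy, a misspelled architecture guard deserves a build check on each target; IsMisc continues past the end of the hunk.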
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
index b0cf10c..bda1d72 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
@@ -54,6 +54,7 @@ class SANDBOX_EXPORT SyscallSets {
 static bool IsAllowedAddressSpaceAccess(int sysno);
 static bool IsAllowedGeneralIo(int sysno);
 static bool IsPrctl(int sysno);
+ static bool IsSeccomp(int sysno);
 static bool IsAllowedBasicScheduler(int sysno);
 static bool IsAdminOperation(int sysno);
 static bool IsKernelModule(int sysno);
diff --git a/sandbox/linux/services/arm_linux_syscalls.h b/sandbox/linux/services/arm_linux_syscalls.h
index dd0826e..5fa140d 100644
--- a/sandbox/linux/services/arm_linux_syscalls.h
+++ b/sandbox/linux/services/arm_linux_syscalls.h
@@ -1347,6 +1347,38 @@
 #define __NR_process_vm_writev (__NR_SYSCALL_BASE+377)
 #endif
+#if !defined(__NR_kcmp)
+#define __NR_kcmp (__NR_SYSCALL_BASE+378)
+#endif
+
+#if !defined(__NR_finit_module)
+#define __NR_finit_module (__NR_SYSCALL_BASE+379)
+#endif
+
+#if !defined(__NR_sched_setattr)
+#define __NR_sched_setattr (__NR_SYSCALL_BASE+380)
+#endif
+
+#if !defined(__NR_sched_getattr)
+#define __NR_sched_getattr (__NR_SYSCALL_BASE+381)
+#endif
+
+#if !defined(__NR_renameat2)
+#define __NR_renameat2 (__NR_SYSCALL_BASE+382)
+#endif
+
+#if !defined(__NR_seccomp)
+#define __NR_seccomp (__NR_SYSCALL_BASE+383)
+#endif
+
+#if !defined(__NR_getrandom)
+#define __NR_getrandom (__NR_SYSCALL_BASE+384)
+#endif
+
+#if !defined(__NR_memfd_create)
+#define __NR_memfd_create (__NR_SYSCALL_BASE+385)
+#endif
+
 // ARM private syscalls.
 #if !defined(__ARM_NR_breakpoint)
 #define __ARM_NR_breakpoint (__ARM_NR_BASE+1)
diff --git a/sandbox/linux/services/mips_linux_syscalls.h b/sandbox/linux/services/mips_linux_syscalls.h
index ef609f7..14daff9 100644
--- a/sandbox/linux/services/mips_linux_syscalls.h
+++ b/sandbox/linux/services/mips_linux_syscalls.h
@@ -1409,4 +1409,20 @@
 #define __NR_finit_module (__NR_Linux + 348)
 #endif
+#if !defined(__NR_sched_setattr)
+#define __NR_sched_setattr (__NR_Linux + 349)
+#endif
+
+#if !defined(__NR_sched_getattr)
+#define __NR_sched_getattr (__NR_Linux + 350)
+#endif
+
+#if !defined(__NR_renameat2)
+#define __NR_renameat2 (__NR_Linux + 351)
+#endif
+
+#if !defined(__NR_seccomp)
+#define __NR_seccomp (__NR_Linux + 352)
+#endif
+
 #endif // SANDBOX_LINUX_SERVICES_MIPS_LINUX_SYSCALLS_H_
diff --git a/sandbox/linux/services/x86_32_linux_syscalls.h b/sandbox/linux/services/x86_32_linux_syscalls.h
index ca8ccbd..0fc2183 100644
--- a/sandbox/linux/services/x86_32_linux_syscalls.h
+++ b/sandbox/linux/services/x86_32_linux_syscalls.h
@@ -1394,5 +1394,33 @@
 #define __NR_kcmp 349
 #endif
+#if !defined(__NR_finit_module)
+#define __NR_finit_module 350
+#endif
+
+#if !defined(__NR_sched_setattr)
+#define __NR_sched_setattr 351
+#endif
+
+#if !defined(__NR_sched_getattr)
+#define __NR_sched_getattr 352
+#endif
+
+#if !defined(__NR_renameat2)
+#define __NR_renameat2 353
+#endif
+
+#if !defined(__NR_seccomp)
+#define __NR_seccomp 354
+#endif
+
+#if !defined(__NR_getrandom)
+#define __NR_getrandom 355
+#endif
+
+#if !defined(__NR_memfd_create)
+#define __NR_memfd_create 356
+#endif
+
 #endif // SANDBOX_LINUX_SERVICES_X86_32_LINUX_SYSCALLS_H_
diff --git a/sandbox/linux/services/x86_64_linux_syscalls.h b/sandbox/linux/services/x86_64_linux_syscalls.h
index bd30c55..ea6c555 100644
--- a/sandbox/linux/services/x86_64_linux_syscalls.h
+++ b/sandbox/linux/services/x86_64_linux_syscalls.h
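Review bot: The additions to mips_linux_syscalls.h (hunk at -1409) end at `__NR_seccomp` and leave out `__NR_getrandom` and `__NR_memfd_create`, both of which the ARM and x86 headers gain in this same commit. That gap is what forces the MIPS-only preprocessor guards in syscall_sets.cc, yet nothing in this header records it. If the MIPS kernel headers of the targeted release assign these two numbers, they should be added here so the guards can go. Otherwise a comment above the closing include-guard `#endif`, such as `// getrandom and memfd_create are not defined for MIPS here; see the guards in syscall_sets.cc.`, would explain why this list is shorter than the others.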
@@ -1262,5 +1262,33 @@
 #define __NR_kcmp 312
 #endif
+#if !defined(__NR_finit_module)
+#define __NR_finit_module 313
+#endif
+
+#if !defined(__NR_sched_setattr)
+#define __NR_sched_setattr 314
+#endif
+
+#if !defined(__NR_sched_getattr)
+#define __NR_sched_getattr 315
+#endif
+
+#if !defined(__NR_renameat2)
+#define __NR_renameat2 316
+#endif
+
+#if !defined(__NR_seccomp)
+#define __NR_seccomp 317
+#endif
+
+#if !defined(__NR_getrandom)
+#define __NR_getrandom 318
+#endif
+
+#if !defined(__NR_memfd_create)
+#define __NR_memfd_create 319
+#endif
+
 #endif // SANDBOX_LINUX_SERVICES_X86_64_LINUX_SYSCALLS_H_
-- cgit v1.1