1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
// Some headers on Android are missing cdefs: crbug.com/172337.
// (We can't use OS_ANDROID here since build_config.h is not included).
#if defined(ANDROID)
#include <sys/cdefs.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <signal.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include "base/compiler_specific.h"
#include "base/logging.h"
#include "base/macros.h"
#include "base/memory/scoped_ptr.h"
#include "base/posix/eintr_wrapper.h"
#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
#include "sandbox/linux/bpf_dsl/policy.h"
#include "sandbox/linux/bpf_dsl/policy_compiler.h"
#include "sandbox/linux/seccomp-bpf/codegen.h"
#include "sandbox/linux/seccomp-bpf/die.h"
#include "sandbox/linux/seccomp-bpf/errorcode.h"
#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
#include "sandbox/linux/seccomp-bpf/syscall.h"
#include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
#include "sandbox/linux/seccomp-bpf/trap.h"
#include "sandbox/linux/seccomp-bpf/verifier.h"
#include "sandbox/linux/services/linux_syscalls.h"
using sandbox::bpf_dsl::Allow;
using sandbox::bpf_dsl::Error;
using sandbox::bpf_dsl::ResultExpr;
namespace sandbox {
namespace {
const int kExpectedExitCode = 100;
#if !defined(NDEBUG)
void WriteFailedStderrSetupMessage(int out_fd) {
const char* error_string = strerror(errno);
static const char msg[] =
"You have reproduced a puzzling issue.\n"
"Please, report to crbug.com/152530!\n"
"Failed to set up stderr: ";
if (HANDLE_EINTR(write(out_fd, msg, sizeof(msg) - 1)) > 0 && error_string &&
HANDLE_EINTR(write(out_fd, error_string, strlen(error_string))) > 0 &&
HANDLE_EINTR(write(out_fd, "\n", 1))) {
}
}
#endif // !defined(NDEBUG)
// We define a really simple sandbox policy. It is just good enough for us
// to tell that the sandbox has actually been activated.
class ProbePolicy : public bpf_dsl::Policy {
public:
ProbePolicy() {}
virtual ~ProbePolicy() {}
virtual ResultExpr EvaluateSyscall(int sysnum) const override {
switch (sysnum) {
case __NR_getpid:
// Return EPERM so that we can check that the filter actually ran.
return Error(EPERM);
case __NR_exit_group:
// Allow exit() with a non-default return code.
return Allow();
default:
// Make everything else fail in an easily recognizable way.
return Error(EINVAL);
}
}
private:
DISALLOW_COPY_AND_ASSIGN(ProbePolicy);
};
void ProbeProcess(void) {
if (syscall(__NR_getpid) < 0 && errno == EPERM) {
syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
}
}
class AllowAllPolicy : public bpf_dsl::Policy {
public:
AllowAllPolicy() {}
virtual ~AllowAllPolicy() {}
virtual ResultExpr EvaluateSyscall(int sysnum) const override {
DCHECK(SandboxBPF::IsValidSyscallNumber(sysnum));
return Allow();
}
private:
DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy);
};
void TryVsyscallProcess(void) {
time_t current_time;
// time() is implemented as a vsyscall. With an older glibc, with
// vsyscall=emulate and some versions of the seccomp BPF patch
// we may get SIGKILL-ed. Detect this!
if (time(¤t_time) != static_cast<time_t>(-1)) {
syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
}
}
bool IsSingleThreaded(int proc_fd) {
if (proc_fd < 0) {
// Cannot determine whether program is single-threaded. Hope for
// the best...
return true;
}
struct stat sb;
int task = -1;
if ((task = openat(proc_fd, "self/task", O_RDONLY | O_DIRECTORY)) < 0 ||
fstat(task, &sb) != 0 || sb.st_nlink != 3 || IGNORE_EINTR(close(task))) {
if (task >= 0) {
if (IGNORE_EINTR(close(task))) {
}
}
return false;
}
return true;
}
} // namespace
SandboxBPF::SandboxBPF()
: quiet_(false), proc_fd_(-1), sandbox_has_started_(false), policy_() {
}
SandboxBPF::~SandboxBPF() {
}
bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
return SyscallSet::IsValid(sysnum);
}
bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
scoped_ptr<bpf_dsl::Policy> policy) {
// Block all signals before forking a child process. This prevents an
// attacker from manipulating our test by sending us an unexpected signal.
sigset_t old_mask, new_mask;
if (sigfillset(&new_mask) || sigprocmask(SIG_BLOCK, &new_mask, &old_mask)) {
SANDBOX_DIE("sigprocmask() failed");
}
int fds[2];
if (pipe2(fds, O_NONBLOCK | O_CLOEXEC)) {
SANDBOX_DIE("pipe() failed");
}
if (fds[0] <= 2 || fds[1] <= 2) {
SANDBOX_DIE("Process started without standard file descriptors");
}
// This code is using fork() and should only ever run single-threaded.
// Most of the code below is "async-signal-safe" and only minor changes
// would be needed to support threads.
DCHECK(IsSingleThreaded(proc_fd_));
pid_t pid = fork();
if (pid < 0) {
// Die if we cannot fork(). We would probably fail a little later
// anyway, as the machine is likely very close to running out of
// memory.
// But what we don't want to do is return "false", as a crafty
// attacker might cause fork() to fail at will and could trick us
// into running without a sandbox.
sigprocmask(SIG_SETMASK, &old_mask, NULL); // OK, if it fails
SANDBOX_DIE("fork() failed unexpectedly");
}
// In the child process
if (!pid) {
// Test a very simple sandbox policy to verify that we can
// successfully turn on sandboxing.
Die::EnableSimpleExit();
errno = 0;
if (IGNORE_EINTR(close(fds[0]))) {
// This call to close() has been failing in strange ways. See
// crbug.com/152530. So we only fail in debug mode now.
#if !defined(NDEBUG)
WriteFailedStderrSetupMessage(fds[1]);
SANDBOX_DIE(NULL);
#endif
}
if (HANDLE_EINTR(dup2(fds[1], 2)) != 2) {
// Stderr could very well be a file descriptor to .xsession-errors, or
// another file, which could be backed by a file system that could cause
// dup2 to fail while trying to close stderr. It's important that we do
// not fail on trying to close stderr.
// If dup2 fails here, we will continue normally, this means that our
// parent won't cause a fatal failure if something writes to stderr in
// this child.
#if !defined(NDEBUG)
// In DEBUG builds, we still want to get a report.
WriteFailedStderrSetupMessage(fds[1]);
SANDBOX_DIE(NULL);
#endif
}
if (IGNORE_EINTR(close(fds[1]))) {
// This call to close() has been failing in strange ways. See
// crbug.com/152530. So we only fail in debug mode now.
#if !defined(NDEBUG)
WriteFailedStderrSetupMessage(fds[1]);
SANDBOX_DIE(NULL);
#endif
}
SetSandboxPolicy(policy.release());
if (!StartSandbox(PROCESS_SINGLE_THREADED)) {
SANDBOX_DIE(NULL);
}
// Run our code in the sandbox.
code_in_sandbox();
// code_in_sandbox() is not supposed to return here.
SANDBOX_DIE(NULL);
}
// In the parent process.
if (IGNORE_EINTR(close(fds[1]))) {
SANDBOX_DIE("close() failed");
}
if (sigprocmask(SIG_SETMASK, &old_mask, NULL)) {
SANDBOX_DIE("sigprocmask() failed");
}
int status;
if (HANDLE_EINTR(waitpid(pid, &status, 0)) != pid) {
SANDBOX_DIE("waitpid() failed unexpectedly");
}
bool rc = WIFEXITED(status) && WEXITSTATUS(status) == kExpectedExitCode;
// If we fail to support sandboxing, there might be an additional
// error message. If so, this was an entirely unexpected and fatal
// failure. We should report the failure and somebody must fix
// things. This is probably a security-critical bug in the sandboxing
// code.
if (!rc) {
char buf[4096];
ssize_t len = HANDLE_EINTR(read(fds[0], buf, sizeof(buf) - 1));
if (len > 0) {
while (len > 1 && buf[len - 1] == '\n') {
--len;
}
buf[len] = '\000';
SANDBOX_DIE(buf);
}
}
if (IGNORE_EINTR(close(fds[0]))) {
SANDBOX_DIE("close() failed");
}
return rc;
}
bool SandboxBPF::KernelSupportSeccompBPF() {
return RunFunctionInPolicy(ProbeProcess,
scoped_ptr<bpf_dsl::Policy>(new ProbePolicy())) &&
RunFunctionInPolicy(TryVsyscallProcess,
scoped_ptr<bpf_dsl::Policy>(new AllowAllPolicy()));
}
// static
SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
// It the sandbox is currently active, we clearly must have support for
// sandboxing.
if (status_ == STATUS_ENABLED) {
return status_;
}
// Even if the sandbox was previously available, something might have
// changed in our run-time environment. Check one more time.
if (status_ == STATUS_AVAILABLE) {
if (!IsSingleThreaded(proc_fd)) {
status_ = STATUS_UNAVAILABLE;
}
return status_;
}
if (status_ == STATUS_UNAVAILABLE && IsSingleThreaded(proc_fd)) {
// All state transitions resulting in STATUS_UNAVAILABLE are immediately
// preceded by STATUS_AVAILABLE. Furthermore, these transitions all
// happen, if and only if they are triggered by the process being multi-
// threaded.
// In other words, if a single-threaded process is currently in the
// STATUS_UNAVAILABLE state, it is safe to assume that sandboxing is
// actually available.
status_ = STATUS_AVAILABLE;
return status_;
}
// If we have not previously checked for availability of the sandbox or if
// we otherwise don't believe to have a good cached value, we have to
// perform a thorough check now.
if (status_ == STATUS_UNKNOWN) {
// We create our own private copy of a "Sandbox" object. This ensures that
// the object does not have any policies configured, that might interfere
// with the tests done by "KernelSupportSeccompBPF()".
SandboxBPF sandbox;
// By setting "quiet_ = true" we suppress messages for expected and benign
// failures (e.g. if the current kernel lacks support for BPF filters).
sandbox.quiet_ = true;
sandbox.set_proc_fd(proc_fd);
status_ = sandbox.KernelSupportSeccompBPF() ? STATUS_AVAILABLE
: STATUS_UNSUPPORTED;
// As we are performing our tests from a child process, the run-time
// environment that is visible to the sandbox is always guaranteed to be
// single-threaded. Let's check here whether the caller is single-
// threaded. Otherwise, we mark the sandbox as temporarily unavailable.
if (status_ == STATUS_AVAILABLE && !IsSingleThreaded(proc_fd)) {
status_ = STATUS_UNAVAILABLE;
}
}
return status_;
}
// static
SandboxBPF::SandboxStatus
SandboxBPF::SupportsSeccompThreadFilterSynchronization() {
// Applying NO_NEW_PRIVS, a BPF filter, and synchronizing the filter across
// the thread group are all handled atomically by this syscall.
const int rv = syscall(
__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, NULL);
if (rv == -1 && errno == EFAULT) {
return STATUS_AVAILABLE;
} else {
// TODO(jln): turn these into DCHECK after 417888 is considered fixed.
CHECK_EQ(-1, rv);
CHECK(ENOSYS == errno || EINVAL == errno);
return STATUS_UNSUPPORTED;
}
}
void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) {
CHECK(thread_state == PROCESS_SINGLE_THREADED ||
thread_state == PROCESS_MULTI_THREADED);
if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
SANDBOX_DIE(
"Trying to start sandbox, even though it is known to be "
"unavailable");
return false;
} else if (sandbox_has_started_) {
SANDBOX_DIE(
"Cannot repeatedly start sandbox. Create a separate Sandbox "
"object instead.");
return false;
}
if (proc_fd_ < 0) {
proc_fd_ = open("/proc", O_RDONLY | O_DIRECTORY);
}
if (proc_fd_ < 0) {
// For now, continue in degraded mode, if we can't access /proc.
// In the future, we might want to tighten this requirement.
}
bool supports_tsync =
SupportsSeccompThreadFilterSynchronization() == STATUS_AVAILABLE;
if (thread_state == PROCESS_SINGLE_THREADED) {
if (!IsSingleThreaded(proc_fd_)) {
SANDBOX_DIE("Cannot start sandbox; process is already multi-threaded");
return false;
}
} else if (thread_state == PROCESS_MULTI_THREADED) {
if (IsSingleThreaded(proc_fd_)) {
SANDBOX_DIE("Cannot start sandbox; "
"process may be single-threaded when reported as not");
return false;
}
if (!supports_tsync) {
SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing "
"filters for a threadgroup");
return false;
}
}
// We no longer need access to any files in /proc. We want to do this
// before installing the filters, just in case that our policy denies
// close().
if (proc_fd_ >= 0) {
if (IGNORE_EINTR(close(proc_fd_))) {
SANDBOX_DIE("Failed to close file descriptor for /proc");
return false;
}
proc_fd_ = -1;
}
// Install the filters.
InstallFilter(supports_tsync || thread_state == PROCESS_MULTI_THREADED);
// We are now inside the sandbox.
status_ = STATUS_ENABLED;
return true;
}
// Don't take a scoped_ptr here, polymorphism make their use awkward.
void SandboxBPF::SetSandboxPolicy(bpf_dsl::Policy* policy) {
DCHECK(!policy_);
if (sandbox_has_started_) {
SANDBOX_DIE("Cannot change policy after sandbox has started");
}
policy_.reset(policy);
}
void SandboxBPF::InstallFilter(bool must_sync_threads) {
// We want to be very careful in not imposing any requirements on the
// policies that are set with SetSandboxPolicy(). This means, as soon as
// the sandbox is active, we shouldn't be relying on libraries that could
// be making system calls. This, for example, means we should avoid
// using the heap and we should avoid using STL functions.
// Temporarily copy the contents of the "program" vector into a
// stack-allocated array; and then explicitly destroy that object.
// This makes sure we don't ex- or implicitly call new/delete after we
// installed the BPF filter program in the kernel. Depending on the
// system memory allocator that is in effect, these operators can result
// in system calls to things like munmap() or brk().
CodeGen::Program* program = AssembleFilter(false).release();
struct sock_filter bpf[program->size()];
const struct sock_fprog prog = {static_cast<unsigned short>(program->size()),
bpf};
memcpy(bpf, &(*program)[0], sizeof(bpf));
delete program;
// Make an attempt to release memory that is no longer needed here, rather
// than in the destructor. Try to avoid as much as possible to presume of
// what will be possible to do in the new (sandboxed) execution environment.
policy_.reset();
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to enable no-new-privs");
}
// Install BPF filter program. If the thread state indicates multi-threading
// support, then the kernel hass the seccomp system call. Otherwise, fall
// back on prctl, which requires the process to be single-threaded.
if (must_sync_threads) {
int rv = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
SECCOMP_FILTER_FLAG_TSYNC, reinterpret_cast<const char*>(&prog));
if (rv) {
SANDBOX_DIE(quiet_ ? NULL :
"Kernel refuses to turn on and synchronize threads for BPF filters");
}
} else {
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to turn on BPF filters");
}
}
sandbox_has_started_ = true;
}
scoped_ptr<CodeGen::Program> SandboxBPF::AssembleFilter(
bool force_verification) {
#if !defined(NDEBUG)
force_verification = true;
#endif
bpf_dsl::PolicyCompiler compiler(policy_.get(), Trap::Registry());
scoped_ptr<CodeGen::Program> program = compiler.Compile();
// Make sure compilation resulted in BPF program that executes
// correctly. Otherwise, there is an internal error in our BPF compiler.
// There is really nothing the caller can do until the bug is fixed.
if (force_verification) {
// Verification is expensive. We only perform this step, if we are
// compiled in debug mode, or if the caller explicitly requested
// verification.
const char* err = NULL;
if (!Verifier::VerifyBPF(&compiler, *program, *policy_, &err)) {
CodeGen::PrintProgram(*program);
SANDBOX_DIE(err);
}
}
return program.Pass();
}
bool SandboxBPF::IsRequiredForUnsafeTrap(int sysno) {
return bpf_dsl::PolicyCompiler::IsRequiredForUnsafeTrap(sysno);
}
intptr_t SandboxBPF::ForwardSyscall(const struct arch_seccomp_data& args) {
return Syscall::Call(args.nr,
static_cast<intptr_t>(args.args[0]),
static_cast<intptr_t>(args.args[1]),
static_cast<intptr_t>(args.args[2]),
static_cast<intptr_t>(args.args[3]),
static_cast<intptr_t>(args.args[4]),
static_cast<intptr_t>(args.args[5]));
}
SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
} // namespace sandbox
|
