1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
7 #include "build/build_config.h"
9 #if defined(USE_SECCOMP_BPF)
13 #include <sys/ptrace.h>
15 #include "base/basictypes.h"
16 #include "base/callback.h"
17 #include "base/compiler_specific.h"
18 #include "base/logging.h"
20 #include "content/public/common/sandbox_init.h"
21 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
22 #include "sandbox/linux/services/linux_syscalls.h"
24 #endif // defined(USE_SECCOMP_BPF)
28 #if defined(USE_SECCOMP_BPF)
32 using sandbox::bpf_dsl::Allow;
33 using sandbox::bpf_dsl::Error;
34 using sandbox::bpf_dsl::ResultExpr;
36 class NaClBPFSandboxPolicy : public sandbox::bpf_dsl::SandboxBPFDSLPolicy {
38 NaClBPFSandboxPolicy()
39 : baseline_policy_(content::GetBPFSandboxBaselinePolicy()) {}
40 virtual ~NaClBPFSandboxPolicy() {}
42 virtual ResultExpr EvaluateSyscall(int system_call_number) const OVERRIDE;
43 virtual ResultExpr InvalidSyscall() const OVERRIDE {
44 return baseline_policy_->InvalidSyscall();
48 scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy> baseline_policy_;
50 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy);
53 ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const {
54 DCHECK(baseline_policy_);
56 // TODO(jln): NaCl's GDB debug stub uses the following socket system calls,
57 // see if it can be restricted a bit.
58 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
59 // transport_common.cc needs this.
62 #elif defined(__i386__)
65 // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is
66 // used by NaCl's GDB debug stub.
67 case __NR_rt_sigtimedwait:
68 #if defined(__i386__) || defined(__mips__)
69 // Needed on i386 to set-up the custom segments.
72 // NaClAddrSpaceBeforeAlloc needs prlimit64.
74 // NaCl uses custom signal stacks.
75 case __NR_sigaltstack:
76 // Below is fairly similar to the policy for a Chromium renderer.
77 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
80 #if defined(__i386__) || defined(__arm__)
83 // NaCl runtime exposes clock_getres to untrusted code.
84 case __NR_clock_getres:
85 // NaCl runtime uses flock to simulate POSIX behavior for pwrite.
89 case __NR_sched_get_priority_max:
90 case __NR_sched_get_priority_min:
91 case __NR_sched_getaffinity:
92 case __NR_sched_getparam:
93 case __NR_sched_getscheduler:
94 case __NR_sched_setscheduler:
96 // __NR_times needed as clock() is called by CommandBufferHelper, which is
97 // used by NaCl applications that use Pepper's 3D interfaces.
98 // See crbug.com/264856 for details.
106 return baseline_policy_->EvaluateSyscall(sysno);
113 void RunSandboxSanityChecks() {
115 // Make a ptrace request with an invalid PID.
116 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
117 CHECK_EQ(-1, ptrace_ret);
118 // Without the sandbox on, this ptrace call would ESRCH instead.
119 CHECK_EQ(EPERM, errno);
126 #error "Seccomp-bpf disabled on supported architecture!"
128 #endif // defined(USE_SECCOMP_BPF)
130 bool InitializeBPFSandbox() {
131 #if defined(USE_SECCOMP_BPF)
132 bool sandbox_is_initialized = content::InitializeSandbox(
133 scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy>(
134 new NaClBPFSandboxPolicy));
135 if (sandbox_is_initialized) {
136 RunSandboxSanityChecks();
139 #endif // defined(USE_SECCOMP_BPF)