1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
7 #include "build/build_config.h"
9 #if defined(USE_SECCOMP_BPF)
13 #include <sys/ptrace.h>
15 #include "base/basictypes.h"
16 #include "base/callback.h"
17 #include "base/compiler_specific.h"
18 #include "base/logging.h"
20 #include "content/public/common/sandbox_init.h"
21 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
22 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
23 #include "sandbox/linux/services/linux_syscalls.h"
25 #endif // defined(USE_SECCOMP_BPF)
29 #if defined(USE_SECCOMP_BPF)
33 class NaClBPFSandboxPolicy : public sandbox::SandboxBPFPolicy {
35 NaClBPFSandboxPolicy()
36 : baseline_policy_(content::GetBPFSandboxBaselinePolicy()) {}
37 virtual ~NaClBPFSandboxPolicy() {}
39 virtual sandbox::ErrorCode EvaluateSyscall(
40 sandbox::SandboxBPF* sandbox_compiler,
41 int system_call_number) const OVERRIDE;
42 virtual sandbox::ErrorCode InvalidSyscall(
43 sandbox::SandboxBPF* sandbox_compiler) const OVERRIDE {
44 return baseline_policy_->InvalidSyscall(sandbox_compiler);
48 scoped_ptr<sandbox::SandboxBPFPolicy> baseline_policy_;
49 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy);
52 sandbox::ErrorCode NaClBPFSandboxPolicy::EvaluateSyscall(
53 sandbox::SandboxBPF* sb, int sysno) const {
54 DCHECK(baseline_policy_);
56 // TODO(jln): NaCl's GDB debug stub uses the following socket system calls,
57 // see if it can be restricted a bit.
58 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
59 // transport_common.cc needs this.
62 #elif defined(__i386__)
65 // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is
66 // used by NaCl's GDB debug stub.
67 case __NR_rt_sigtimedwait:
68 #if defined(__i386__) || defined(__mips__)
69 // Needed on i386 to set-up the custom segments.
72 // NaClAddrSpaceBeforeAlloc needs prlimit64.
74 // NaCl uses custom signal stacks.
75 case __NR_sigaltstack:
76 // Below is fairly similar to the policy for a Chromium renderer.
77 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
80 #if defined(__i386__) || defined(__arm__)
83 // NaCl runtime exposes clock_getres to untrusted code.
84 case __NR_clock_getres:
85 // NaCl runtime uses flock to simulate POSIX behavior for pwrite.
89 case __NR_sched_get_priority_max:
90 case __NR_sched_get_priority_min:
91 case __NR_sched_getaffinity:
92 case __NR_sched_getparam:
93 case __NR_sched_getscheduler:
94 case __NR_sched_setscheduler:
95 case __NR_setpriority:
97 // __NR_times needed as clock() is called by CommandBufferHelper, which is
98 // used by NaCl applications that use Pepper's 3D interfaces.
99 // See crbug.com/264856 for details.
102 return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED);
105 return sandbox::ErrorCode(EPERM);
107 return baseline_policy_->EvaluateSyscall(sb, sysno);
111 return sandbox::ErrorCode(EPERM);
114 void RunSandboxSanityChecks() {
116 // Make a ptrace request with an invalid PID.
117 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL);
118 CHECK_EQ(-1, ptrace_ret);
119 // Without the sandbox on, this ptrace call would ESRCH instead.
120 CHECK_EQ(EPERM, errno);
127 #error "Seccomp-bpf disabled on supported architecture!"
129 #endif // defined(USE_SECCOMP_BPF)
131 bool InitializeBPFSandbox() {
132 #if defined(USE_SECCOMP_BPF)
133 bool sandbox_is_initialized = content::InitializeSandbox(
134 scoped_ptr<sandbox::SandboxBPFPolicy>(new NaClBPFSandboxPolicy));
135 if (sandbox_is_initialized) {
136 RunSandboxSanityChecks();
139 #endif // defined(USE_SECCOMP_BPF)