1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
6 
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <fcntl.h>
10 #include <linux/net.h>
11 #include <sched.h>
12 #include <signal.h>
13 #include <stdint.h>
14 #include <sys/mman.h>
15 #include <sys/prctl.h>
16 #include <sys/resource.h>
17 #include <sys/stat.h>
18 #include <sys/time.h>
19 #include <sys/types.h>
20 #include <time.h>
21 #include <unistd.h>
22 
23 #include "base/logging.h"
24 #include "base/macros.h"
25 #include "build/build_config.h"
26 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
27 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
28 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
29 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
30 #include "sandbox/linux/system_headers/linux_futex.h"
31 #include "sandbox/linux/system_headers/linux_syscalls.h"
32 #include "sandbox/linux/system_headers/linux_time.h"
33 
34 // PNaCl toolchain does not provide sys/ioctl.h header.
35 #if !defined(OS_NACL_NONSFI)
36 #include <sys/ioctl.h>
37 #endif
38 
39 #if defined(OS_ANDROID)
40 
41 #if !defined(F_DUPFD_CLOEXEC)
42 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
43 #endif
44 
45 // https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/private/bionic_prctl.h
46 #if !defined(PR_SET_VMA)
47 #define PR_SET_VMA 0x53564d41
48 #endif
49 
50 #ifndef PR_SET_PTRACER
51 #define PR_SET_PTRACER 0x59616d61
52 #endif
53 
54 #endif  // defined(OS_ANDROID)
55 
56 #if defined(__arm__) && !defined(MAP_STACK)
57 #define MAP_STACK 0x20000  // Daisy build environment has old headers.
58 #endif
59 
60 #if defined(__mips__) && !defined(MAP_STACK)
61 #define MAP_STACK 0x40000
62 #endif
63 namespace {
64 
IsArchitectureX86_64()65 inline bool IsArchitectureX86_64() {
66 #if defined(__x86_64__)
67   return true;
68 #else
69   return false;
70 #endif
71 }
72 
IsArchitectureI386()73 inline bool IsArchitectureI386() {
74 #if defined(__i386__)
75   return true;
76 #else
77   return false;
78 #endif
79 }
80 
IsAndroid()81 inline bool IsAndroid() {
82 #if defined(OS_ANDROID)
83   return true;
84 #else
85   return false;
86 #endif
87 }
88 
IsArchitectureMips()89 inline bool IsArchitectureMips() {
90 #if defined(__mips__)
91   return true;
92 #else
93   return false;
94 #endif
95 }
96 
97 // Ubuntu's version of glibc has a race condition in sem_post that can cause
98 // it to call futex(2) with bogus op arguments. To workaround this, we need
99 // to allow those futex(2) calls to fail with EINVAL, instead of crashing the
100 // process. See crbug.com/598471.
IsBuggyGlibcSemPost()101 inline bool IsBuggyGlibcSemPost() {
102 #if defined(LIBC_GLIBC) && !defined(OS_CHROMEOS)
103   return true;
104 #else
105   return false;
106 #endif
107 }
108 
109 }  // namespace.
110 
111 #define CASES SANDBOX_BPF_DSL_CASES
112 
113 using sandbox::bpf_dsl::Allow;
114 using sandbox::bpf_dsl::Arg;
115 using sandbox::bpf_dsl::BoolExpr;
116 using sandbox::bpf_dsl::Error;
117 using sandbox::bpf_dsl::If;
118 using sandbox::bpf_dsl::ResultExpr;
119 
120 namespace sandbox {
121 
122 #if !defined(OS_NACL_NONSFI)
123 // Allow Glibc's and Android pthread creation flags, crash on any other
124 // thread creation attempts and EPERM attempts to use neither
125 // CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
RestrictCloneToThreadsAndEPERMFork()126 ResultExpr RestrictCloneToThreadsAndEPERMFork() {
127   const Arg<unsigned long> flags(0);
128 
129   // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
130   const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
131                                      CLONE_SIGHAND | CLONE_THREAD |
132                                      CLONE_SYSVSEM;
133   const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
134 
135   const uint64_t kGlibcPthreadFlags =
136       CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
137       CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
138   const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
139 
140   const BoolExpr android_test =
141       AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
142             flags == kGlibcPthreadFlags);
143 
144   return If(IsAndroid() ? android_test : glibc_test, Allow())
145       .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
146       .Else(CrashSIGSYSClone());
147 }
148 
RestrictPrctl()149 ResultExpr RestrictPrctl() {
150   // Will need to add seccomp compositing in the future. PR_SET_PTRACER is
151   // used by breakpad but not needed anymore.
152   const Arg<int> option(0);
153   return Switch(option)
154       .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE
155 #if defined(OS_ANDROID)
156               , PR_SET_VMA, PR_SET_PTRACER
157 
158 // Enable PR_SET_TIMERSLACK_PID, an Android custom prctl which is used in:
159 // https://android.googlesource.com/platform/system/core/+/lollipop-release/libcutils/sched_policy.c.
160 // Depending on the Android kernel version, this prctl may have different
161 // values. Since we don't know the correct value for the running kernel, we must
162 // allow them all.
163 //
164 // The effect is:
165 // On 3.14 kernels, this allows PR_SET_TIMERSLACK_PID and 43 and 127 (invalid
166 // prctls which will return EINVAL)
167 // On 3.18 kernels, this allows PR_SET_TIMERSLACK_PID, PR_SET_THP_DISABLE, and
168 // 127 (invalid).
169 // On 4.1 kernels and up, this allows PR_SET_TIMERSLACK_PID, PR_SET_THP_DISABLE,
170 // and PR_MPX_ENABLE_MANAGEMENT.
171 
172 // https://android.googlesource.com/kernel/common/+/android-3.14/include/uapi/linux/prctl.h
173 #define PR_SET_TIMERSLACK_PID_1 41
174 
175 // https://android.googlesource.com/kernel/common/+/android-3.18/include/uapi/linux/prctl.h
176 #define PR_SET_TIMERSLACK_PID_2 43
177 
178 // https://android.googlesource.com/kernel/common/+/android-4.1/include/uapi/linux/prctl.h and up
179 #define PR_SET_TIMERSLACK_PID_3 127
180 
181               , PR_SET_TIMERSLACK_PID_1
182               , PR_SET_TIMERSLACK_PID_2
183               , PR_SET_TIMERSLACK_PID_3
184 #endif  // defined(OS_ANDROID)
185               ),
186              Allow())
187       .Default(CrashSIGSYSPrctl());
188 }
189 
RestrictIoctl()190 ResultExpr RestrictIoctl() {
191   const Arg<int> request(1);
192   return Switch(request).CASES((TCGETS, FIONREAD), Allow()).Default(
193       CrashSIGSYSIoctl());
194 }
195 
RestrictMmapFlags()196 ResultExpr RestrictMmapFlags() {
197   // The flags you see are actually the allowed ones, and the variable is a
198   // "denied" mask because of the negation operator.
199   // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
200   // MAP_POPULATE.
201   // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries.
202   const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
203                                 MAP_STACK | MAP_NORESERVE | MAP_FIXED |
204                                 MAP_DENYWRITE;
205   const Arg<int> flags(3);
206   return If((flags & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
207 }
208 
RestrictMprotectFlags()209 ResultExpr RestrictMprotectFlags() {
210   // The flags you see are actually the allowed ones, and the variable is a
211   // "denied" mask because of the negation operator.
212   // Significantly, we don't permit weird undocumented flags such as
213   // PROT_GROWSDOWN.
214   const uint64_t kAllowedMask = PROT_READ | PROT_WRITE | PROT_EXEC;
215   const Arg<int> prot(2);
216   return If((prot & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
217 }
218 
RestrictFcntlCommands()219 ResultExpr RestrictFcntlCommands() {
220   // We also restrict the flags in F_SETFL. We don't want to permit flags with
221   // a history of trouble such as O_DIRECT. The flags you see are actually the
222   // allowed ones, and the variable is a "denied" mask because of the negation
223   // operator.
224   // Glibc overrides the kernel's O_LARGEFILE value. Account for this.
225   uint64_t kOLargeFileFlag = O_LARGEFILE;
226   if (IsArchitectureX86_64() || IsArchitectureI386() || IsArchitectureMips())
227     kOLargeFileFlag = 0100000;
228 
229   const Arg<int> cmd(1);
230   const Arg<long> long_arg(2);
231 
232   const uint64_t kAllowedMask = O_ACCMODE | O_APPEND | O_NONBLOCK | O_SYNC |
233                                 kOLargeFileFlag | O_CLOEXEC | O_NOATIME;
234   return Switch(cmd)
235       .CASES((F_GETFL,
236               F_GETFD,
237               F_SETFD,
238               F_SETLK,
239               F_SETLKW,
240               F_GETLK,
241               F_DUPFD,
242               F_DUPFD_CLOEXEC),
243              Allow())
244       .Case(F_SETFL,
245             If((long_arg & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS()))
246       .Default(CrashSIGSYS());
247 }
248 
249 #if defined(__i386__) || defined(__mips__)
RestrictSocketcallCommand()250 ResultExpr RestrictSocketcallCommand() {
251   // Unfortunately, we are unable to restrict the first parameter to
252   // socketpair(2). Whilst initially sounding bad, it's noteworthy that very
253   // few protocols actually support socketpair(2). The scary call that we're
254   // worried about, socket(2), remains blocked.
255   const Arg<int> call(0);
256   return Switch(call)
257       .CASES((SYS_SOCKETPAIR,
258               SYS_SHUTDOWN,
259               SYS_RECV,
260               SYS_SEND,
261               SYS_RECVFROM,
262               SYS_SENDTO,
263               SYS_RECVMSG,
264               SYS_SENDMSG),
265              Allow())
266       .Default(Error(EPERM));
267 }
268 #endif
269 
RestrictKillTarget(pid_t target_pid,int sysno)270 ResultExpr RestrictKillTarget(pid_t target_pid, int sysno) {
271   switch (sysno) {
272     case __NR_kill:
273     case __NR_tgkill: {
274       const Arg<pid_t> pid(0);
275       return If(pid == target_pid, Allow()).Else(CrashSIGSYSKill());
276     }
277     case __NR_tkill:
278       return CrashSIGSYSKill();
279     default:
280       NOTREACHED();
281       return CrashSIGSYS();
282   }
283 }
284 
RestrictFutex()285 ResultExpr RestrictFutex() {
286   const uint64_t kAllowedFutexFlags = FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME;
287   const Arg<int> op(1);
288   return Switch(op & ~kAllowedFutexFlags)
289       .CASES((FUTEX_WAIT, FUTEX_WAKE, FUTEX_REQUEUE, FUTEX_CMP_REQUEUE,
290               FUTEX_WAKE_OP, FUTEX_WAIT_BITSET, FUTEX_WAKE_BITSET),
291              Allow())
292       .Default(IsBuggyGlibcSemPost() ? Error(EINVAL) : CrashSIGSYSFutex());
293 }
294 
RestrictGetSetpriority(pid_t target_pid)295 ResultExpr RestrictGetSetpriority(pid_t target_pid) {
296   const Arg<int> which(0);
297   const Arg<int> who(1);
298   return If(which == PRIO_PROCESS,
299             Switch(who).CASES((0, target_pid), Allow()).Default(Error(EPERM)))
300       .Else(CrashSIGSYS());
301 }
302 
RestrictSchedTarget(pid_t target_pid,int sysno)303 ResultExpr RestrictSchedTarget(pid_t target_pid, int sysno) {
304   switch (sysno) {
305     case __NR_sched_getaffinity:
306     case __NR_sched_getattr:
307     case __NR_sched_getparam:
308     case __NR_sched_getscheduler:
309     case __NR_sched_rr_get_interval:
310     case __NR_sched_setaffinity:
311     case __NR_sched_setattr:
312     case __NR_sched_setparam:
313     case __NR_sched_setscheduler: {
314       const Arg<pid_t> pid(0);
315       return Switch(pid)
316           .CASES((0, target_pid), Allow())
317           .Default(RewriteSchedSIGSYS());
318     }
319     default:
320       NOTREACHED();
321       return CrashSIGSYS();
322   }
323 }
324 
RestrictPrlimit64(pid_t target_pid)325 ResultExpr RestrictPrlimit64(pid_t target_pid) {
326   const Arg<pid_t> pid(0);
327   return Switch(pid).CASES((0, target_pid), Allow()).Default(CrashSIGSYS());
328 }
329 
RestrictGetrusage()330 ResultExpr RestrictGetrusage() {
331   const Arg<int> who(0);
332   return If(who == RUSAGE_SELF, Allow()).Else(CrashSIGSYS());
333 }
334 #endif  // !defined(OS_NACL_NONSFI)
335 
RestrictClockID()336 ResultExpr RestrictClockID() {
337   static_assert(4 == sizeof(clockid_t), "clockid_t is not 32bit");
338   const Arg<clockid_t> clockid(0);
339   return Switch(clockid)
340       .CASES((
341 #if defined(OS_ANDROID)
342               CLOCK_BOOTTIME,
343 #endif
344               CLOCK_MONOTONIC,
345               CLOCK_MONOTONIC_COARSE,
346               CLOCK_PROCESS_CPUTIME_ID,
347               CLOCK_REALTIME,
348               CLOCK_REALTIME_COARSE,
349               CLOCK_THREAD_CPUTIME_ID),
350              Allow())
351       .Default(CrashSIGSYS());
352 }
353 
354 }  // namespace sandbox.
355