diff options
| author | Torne (Richard Coles) <torne@google.com> | 2013-12-18 16:25:09 +0000 |
|---|---|---|
| committer | Torne (Richard Coles) <torne@google.com> | 2013-12-18 16:25:09 +0000 |
| commit | a3f6a49ab37290eeeb8db0f41ec0f1cb74a68be7 (patch) | |
| tree | dafc1c6417406a7fbd422ad0bb890e96909ef564 /sandbox | |
| parent | d5f893c0bc79db3066bb5ae5d3d972ba1be7dd5f (diff) | |
| download | chromium_org-a3f6a49ab37290eeeb8db0f41ec0f1cb74a68be7.tar.gz | |
Merge from Chromium at DEPS revision 240154
This commit was generated by merge_to_master.py.
Change-Id: I8f2ba858cf0e7f413dddedc2ae91dc37f7136c2e
Diffstat (limited to 'sandbox')
79 files changed, 3332 insertions, 365 deletions
diff --git a/sandbox/linux/sandbox_linux.gypi b/sandbox/linux/sandbox_linux.gypi index abbf32ef1e..c20ab0428d 100644 --- a/sandbox/linux/sandbox_linux.gypi +++ b/sandbox/linux/sandbox_linux.gypi @@ -58,6 +58,7 @@ [ 'compile_seccomp_bpf==1', { 'dependencies': [ 'seccomp_bpf', + 'seccomp_bpf_helpers', ], }], ], @@ -108,7 +109,6 @@ 'seccomp-bpf/sandbox_bpf.cc', 'seccomp-bpf/sandbox_bpf.h', 'seccomp-bpf/sandbox_bpf_policy.h', - 'seccomp-bpf/sandbox_bpf_policy_forward.h', 'seccomp-bpf/syscall.cc', 'seccomp-bpf/syscall.h', 'seccomp-bpf/syscall_iterator.cc', @@ -127,6 +127,25 @@ ], }, { + 'target_name': 'seccomp_bpf_helpers', + 'type': 'static_library', + 'sources': [ + 'seccomp-bpf-helpers/baseline_policy.cc', + 'seccomp-bpf-helpers/baseline_policy.h', + 'seccomp-bpf-helpers/sigsys_handlers.cc', + 'seccomp-bpf-helpers/sigsys_handlers.h', + 'seccomp-bpf-helpers/syscall_parameters_restrictions.cc', + 'seccomp-bpf-helpers/syscall_parameters_restrictions.h', + 'seccomp-bpf-helpers/syscall_sets.cc', + 'seccomp-bpf-helpers/syscall_sets.h', + ], + 'dependencies': [ + ], + 'include_dirs': [ + '../..', + ], + }, + { # A demonstration program for the seccomp-bpf sandbox. 'target_name': 'seccomp_bpf_demo', 'conditions': [ diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc new file mode 100644 index 0000000000..d0e53e39bc --- /dev/null +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc @@ -0,0 +1,175 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" + +#include <errno.h> +#include <sys/mman.h> +#include <sys/types.h> +#include <sys/socket.h> + +#include "base/logging.h" +#include "build/build_config.h" +#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" +#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" +#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" +#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" +#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" +#include "sandbox/linux/services/linux_syscalls.h" + +// Changing this implementation will have an effect on *all* policies. +// Currently this means: Renderer/Worker, GPU, Flash and NaCl. + +namespace sandbox { + +namespace { + +bool IsBaselinePolicyAllowed(int sysno) { + return SyscallSets::IsAllowedAddressSpaceAccess(sysno) || + SyscallSets::IsAllowedBasicScheduler(sysno) || + SyscallSets::IsAllowedEpoll(sysno) || + SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) || + SyscallSets::IsAllowedGeneralIo(sysno) || + SyscallSets::IsAllowedGetOrModifySocket(sysno) || + SyscallSets::IsAllowedGettime(sysno) || + SyscallSets::IsAllowedPrctl(sysno) || + SyscallSets::IsAllowedProcessStartOrDeath(sysno) || + SyscallSets::IsAllowedSignalHandling(sysno) || + SyscallSets::IsFutex(sysno) || + SyscallSets::IsGetSimpleId(sysno) || + SyscallSets::IsKernelInternalApi(sysno) || +#if defined(__arm__) + SyscallSets::IsArmPrivate(sysno) || +#endif + SyscallSets::IsKill(sysno) || + SyscallSets::IsAllowedOperationOnFd(sysno); +} + +// System calls that will trigger the crashing SIGSYS handler. +bool IsBaselinePolicyWatched(int sysno) { + return SyscallSets::IsAdminOperation(sysno) || + SyscallSets::IsAdvancedScheduler(sysno) || + SyscallSets::IsAdvancedTimer(sysno) || + SyscallSets::IsAsyncIo(sysno) || + SyscallSets::IsDebug(sysno) || + SyscallSets::IsEventFd(sysno) || + SyscallSets::IsExtendedAttributes(sysno) || + SyscallSets::IsFaNotify(sysno) || + SyscallSets::IsFsControl(sysno) || + SyscallSets::IsGlobalFSViewChange(sysno) || + SyscallSets::IsGlobalProcessEnvironment(sysno) || + SyscallSets::IsGlobalSystemStatus(sysno) || + SyscallSets::IsInotify(sysno) || + SyscallSets::IsKernelModule(sysno) || + SyscallSets::IsKeyManagement(sysno) || + SyscallSets::IsMessageQueue(sysno) || + SyscallSets::IsMisc(sysno) || +#if defined(__x86_64__) + SyscallSets::IsNetworkSocketInformation(sysno) || +#endif + SyscallSets::IsNuma(sysno) || + SyscallSets::IsProcessGroupOrSession(sysno) || + SyscallSets::IsProcessPrivilegeChange(sysno) || +#if defined(__i386__) + SyscallSets::IsSocketCall(sysno) || +#endif +#if defined(__arm__) + SyscallSets::IsArmPciConfig(sysno) || +#endif + SyscallSets::IsTimer(sysno); +} + +// |fs_denied_errno| is the errno return for denied filesystem access. +ErrorCode EvaluateSyscallImpl(int fs_denied_errno, SandboxBPF* sandbox, + int sysno) { + if (IsBaselinePolicyAllowed(sysno)) { + return ErrorCode(ErrorCode::ERR_ALLOWED); + } + +#if defined(__x86_64__) || defined(__arm__) + if (sysno == __NR_socketpair) { + // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. + COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); + return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Trap(CrashSIGSYS_Handler, NULL)); + } +#endif + + if (sysno == __NR_madvise) { + // Only allow MADV_DONTNEED (aka MADV_FREE). + return sandbox->Cond(2, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, MADV_DONTNEED, + ErrorCode(ErrorCode::ERR_ALLOWED), + ErrorCode(EPERM)); + } + +#if defined(__i386__) || defined(__x86_64__) + if (sysno == __NR_mmap) + return RestrictMmapFlags(sandbox); +#endif + +#if defined(__i386__) || defined(__arm__) + if (sysno == __NR_mmap2) + return RestrictMmapFlags(sandbox); +#endif + + if (sysno == __NR_mprotect) + return RestrictMprotectFlags(sandbox); + + if (sysno == __NR_fcntl) + return RestrictFcntlCommands(sandbox); + +#if defined(__i386__) || defined(__arm__) + if (sysno == __NR_fcntl64) + return RestrictFcntlCommands(sandbox); +#endif + + if (SyscallSets::IsFileSystem(sysno) || + SyscallSets::IsCurrentDirectory(sysno)) { + return ErrorCode(fs_denied_errno); + } + + if (SyscallSets::IsAnySystemV(sysno)) { + return ErrorCode(EPERM); + } + + if (SyscallSets::IsUmask(sysno) || + SyscallSets::IsDeniedFileSystemAccessViaFd(sysno) || + SyscallSets::IsDeniedGetOrModifySocket(sysno)) { + return ErrorCode(EPERM); + } + +#if defined(__i386__) + if (SyscallSets::IsSocketCall(sysno)) + return RestrictSocketcallCommand(sandbox); +#endif + + if (IsBaselinePolicyWatched(sysno)) { + // Previously unseen syscalls. TODO(jln): some of these should + // be denied gracefully right away. + return sandbox->Trap(CrashSIGSYS_Handler, NULL); + } + // In any other case crash the program with our SIGSYS handler. + return sandbox->Trap(CrashSIGSYS_Handler, NULL); +} + +} // namespace. + +// Unfortunately C++03 doesn't allow delegated constructors. +// Call other constructor when C++11 lands. +BaselinePolicy::BaselinePolicy() + : fs_denied_errno_(EPERM) {} + +BaselinePolicy::BaselinePolicy(int fs_denied_errno) + : fs_denied_errno_(fs_denied_errno) {} + +BaselinePolicy::~BaselinePolicy() {} + +ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, + int sysno) const { + return EvaluateSyscallImpl(fs_denied_errno_, sandbox, sysno); +} + +} // namespace sandbox. diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h new file mode 100644 index 0000000000..1dfd137fa3 --- /dev/null +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h @@ -0,0 +1,43 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_ +#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_ + +#include "sandbox/linux/seccomp-bpf/errorcode.h" +#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" + +namespace sandbox { + +class SandboxBPF; +class SandboxBPFPolicy; + +// This is a helper to build seccomp-bpf policies, i.e. policies for a sandbox +// that reduces the Linux kernel's attack surface. Given its nature, it doesn't +// have a clear semantics and is mostly "implementation-defined". +// +// This returns an object that implements the SandboxBPFPolicy interface with +// a "baseline" policy within Chromium. +// The "baseline" policy is somewhat arbitrary. All Chromium policies are an +// alteration of it, and it represents a reasonable common ground to run most +// code in a sandboxed environment. +class BaselinePolicy : public SandboxBPFPolicy { + public: + BaselinePolicy(); + // |fs_denied_errno| is the errno returned when a filesystem access system + // call is denied. + explicit BaselinePolicy(int fs_denied_errno); + virtual ~BaselinePolicy(); + + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, + int system_call_number) const OVERRIDE; + + private: + int fs_denied_errno_; + DISALLOW_COPY_AND_ASSIGN(BaselinePolicy); +}; + +} // namespace sandbox. + +#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_ diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc new file mode 100644 index 0000000000..6ff7125752 --- /dev/null +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc @@ -0,0 +1,146 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Note: any code in this file MUST be async-signal safe. + +#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" + +#include <unistd.h> + +#include "base/basictypes.h" +#include "base/logging.h" +#include "base/posix/eintr_wrapper.h" +#include "build/build_config.h" +#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" + +namespace { + +inline bool IsArchitectureX86_64() { +#if defined(__x86_64__) + return true; +#else + return false; +#endif +} + +// Write |error_message| to stderr. Similar to RawLog(), but a bit more careful +// about async-signal safety. |size| is the size to write and should typically +// not include a terminating \0. +void WriteToStdErr(const char* error_message, size_t size) { + while (size > 0) { + // TODO(jln): query the current policy to check if send() is available and + // use it to perform a non-blocking write. + const int ret = HANDLE_EINTR(write(STDERR_FILENO, error_message, size)); + // We can't handle any type of error here. + if (ret <= 0 || static_cast<size_t>(ret) > size) break; + size -= ret; + error_message += ret; + } +} + +// Print a seccomp-bpf failure to handle |sysno| to stderr in an +// async-signal safe way. +void PrintSyscallError(uint32_t sysno) { + if (sysno >= 1024) + sysno = 0; + // TODO(markus): replace with async-signal safe snprintf when available. + const size_t kNumDigits = 4; + char sysno_base10[kNumDigits]; + uint32_t rem = sysno; + uint32_t mod = 0; + for (int i = kNumDigits - 1; i >= 0; i--) { + mod = rem % 10; + rem /= 10; + sysno_base10[i] = '0' + mod; + } + static const char kSeccompErrorPrefix[] = + __FILE__":**CRASHING**:seccomp-bpf failure in syscall "; + static const char kSeccompErrorPostfix[] = "\n"; + WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1); + WriteToStdErr(sysno_base10, sizeof(sysno_base10)); + WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1); +} + +} // namespace. + +namespace sandbox { + +intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { + uint32_t syscall = args.nr; + if (syscall >= 1024) + syscall = 0; + PrintSyscallError(syscall); + + // Encode 8-bits of the 1st two arguments too, so we can discern which socket + // type, which fcntl, ... etc., without being likely to hit a mapped + // address. + // Do not encode more bits here without thinking about increasing the + // likelihood of collision with mapped pages. + syscall |= ((args.args[0] & 0xffUL) << 12); + syscall |= ((args.args[1] & 0xffUL) << 20); + // Purposefully dereference the syscall as an address so it'll show up very + // clearly and easily in crash dumps. + volatile char* addr = reinterpret_cast<volatile char*>(syscall); + *addr = '\0'; + // In case we hit a mapped address, hit the null page with just the syscall, + // for paranoia. + syscall &= 0xfffUL; + addr = reinterpret_cast<volatile char*>(syscall); + *addr = '\0'; + for (;;) + _exit(1); +} + +// TODO(jln): refactor the reporting functions. + +intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) { + // "flags" is the first argument in the kernel's clone(). + // Mark as volatile to be able to find the value on the stack in a minidump. +#if !defined(NDEBUG) + RAW_LOG(ERROR, __FILE__":**CRASHING**:clone() failure\n"); +#endif + volatile uint64_t clone_flags = args.args[0]; + volatile char* addr; + if (IsArchitectureX86_64()) { + addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF); + *addr = '\0'; + } + // Hit the NULL page if this fails to fault. + addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF); + *addr = '\0'; + for (;;) + _exit(1); +} + +intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, + void* /* aux */) { + // Mark as volatile to be able to find the value on the stack in a minidump. +#if !defined(NDEBUG) + RAW_LOG(ERROR, __FILE__":**CRASHING**:prctl() failure\n"); +#endif + volatile uint64_t option = args.args[0]; + volatile char* addr = + reinterpret_cast<volatile char*>(option & 0xFFF); + *addr = '\0'; + for (;;) + _exit(1); +} + +intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, + void* /* aux */) { + // Make "request" volatile so that we can see it on the stack in a minidump. +#if !defined(NDEBUG) + RAW_LOG(ERROR, __FILE__":**CRASHING**:ioctl() failure\n"); +#endif + volatile uint64_t request = args.args[1]; + volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF); + *addr = '\0'; + // Hit the NULL page if this fails. + addr = reinterpret_cast<volatile char*>(request & 0xFFF); + *addr = '\0'; + for (;;) + _exit(1); +} + +} // namespace sandbox. diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h new file mode 100644 index 0000000000..3bf5c16db1 --- /dev/null +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h @@ -0,0 +1,39 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SIGSYS_HANDLERS_H_ +#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SIGSYS_HANDLERS_H_ + +#include "base/basictypes.h" +#include "build/build_config.h" + +// The handlers are suitable for use in Trap() error codes. They are +// guaranteed to be async-signal safe. +// See sandbox/linux/seccomp-bpf/trap.h to see how they work. + +namespace sandbox { + +struct arch_seccomp_data; + +// This handler will crash the currently running process. The crashing address +// will be the number of the current system call, extracted from |args|. +// This handler will also print to stderr the number of the crashing syscall. +intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux); + +// The following three handlers are suitable to report failures with the +// clone(), prctl() and ioctl() system calls respectively. + +// The crashing address will be (clone_flags & 0xFFFFFF), where clone_flags is +// the clone(2) argument, extracted from |args|. +intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux); +// The crashing address will be (option & 0xFFF), where option is the prctl(2) +// argument. +intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, void* aux); +// The crashing address will be request & 0xFFFF, where request is the ioctl(2) +// argument. +intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* aux); + +} // namespace sandbox. + +#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SIGSYS_HANDLERS_H_ diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc new file mode 100644 index 0000000000..9b417ce221 --- /dev/null +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc @@ -0,0 +1,214 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" + +#include <errno.h> +#include <fcntl.h> +#include <fcntl.h> +#include <linux/net.h> +#include <sched.h> +#include <signal.h> +#include <sys/ioctl.h> +#include <sys/mman.h> +#include <sys/prctl.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> + +#include "base/basictypes.h" +#include "base/logging.h" +#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" +#include "sandbox/linux/seccomp-bpf/linux_seccomp.h" +#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" + +#if defined(OS_ANDROID) +#if !defined(F_DUPFD_CLOEXEC) +#define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6) +#endif +#endif + +#if defined(__arm__) && !defined(MAP_STACK) +#define MAP_STACK 0x20000 // Daisy build environment has old headers. +#endif + +namespace { + +inline bool RunningOnASAN() { +#if defined(ADDRESS_SANITIZER) + return true; +#else + return false; +#endif +} + +inline bool IsArchitectureX86_64() { +#if defined(__x86_64__) + return true; +#else + return false; +#endif +} + +inline bool IsArchitectureI386() { +#if defined(__i386__) + return true; +#else + return false; +#endif +} + +} // namespace. + +namespace sandbox { + +ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) { + // Glibc's pthread. + if (!RunningOnASAN()) { + return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | + CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | + CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + CLONE_PARENT_SETTID | SIGCHLD, + ErrorCode(EPERM), + // ARM + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, + ErrorCode(EPERM), + sandbox->Trap(SIGSYSCloneFailure, NULL)))); + } else { + return ErrorCode(ErrorCode::ERR_ALLOWED); + } +} + +ErrorCode RestrictPrctl(SandboxBPF* sandbox) { + // Will need to add seccomp compositing in the future. PR_SET_PTRACER is + // used by breakpad but not needed anymore. + return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + PR_SET_NAME, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + PR_SET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + PR_GET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Trap(SIGSYSPrctlFailure, NULL)))); +} + +ErrorCode RestrictIoctl(SandboxBPF* sandbox) { + return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, TCGETS, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, FIONREAD, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Trap(SIGSYSIoctlFailure, NULL))); +} + +ErrorCode RestrictMmapFlags(SandboxBPF* sandbox) { + // The flags you see are actually the allowed ones, and the variable is a + // "denied" mask because of the negation operator. + // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as + // MAP_POPULATE. + // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries. + uint32_t denied_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | + MAP_STACK | MAP_NORESERVE | MAP_FIXED | + MAP_DENYWRITE); + return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, + denied_mask, + sandbox->Trap(CrashSIGSYS_Handler, NULL), + ErrorCode(ErrorCode::ERR_ALLOWED)); +} + +ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox) { + // The flags you see are actually the allowed ones, and the variable is a + // "denied" mask because of the negation operator. + // Significantly, we don't permit weird undocumented flags such as + // PROT_GROWSDOWN. + uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC); + return sandbox->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, + denied_mask, + sandbox->Trap(CrashSIGSYS_Handler, NULL), + ErrorCode(ErrorCode::ERR_ALLOWED)); +} + +ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox) { + // We also restrict the flags in F_SETFL. We don't want to permit flags with + // a history of trouble such as O_DIRECT. The flags you see are actually the + // allowed ones, and the variable is a "denied" mask because of the negation + // operator. + // Glibc overrides the kernel's O_LARGEFILE value. Account for this. + int kOLargeFileFlag = O_LARGEFILE; + if (IsArchitectureX86_64() || IsArchitectureI386()) + kOLargeFileFlag = 0100000; + + // TODO(jln): add TP_LONG/TP_SIZET types. + ErrorCode::ArgType mask_long_type; + if (sizeof(long) == 8) + mask_long_type = ErrorCode::TP_64BIT; + else if (sizeof(long) == 4) + mask_long_type = ErrorCode::TP_32BIT; + else + NOTREACHED(); + + unsigned long denied_mask = ~(O_ACCMODE | O_APPEND | O_NONBLOCK | O_SYNC | + kOLargeFileFlag | O_CLOEXEC | O_NOATIME); + return sandbox->Cond(1, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, F_GETFL, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(1, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, F_SETFL, + sandbox->Cond(2, mask_long_type, + ErrorCode::OP_HAS_ANY_BITS, denied_mask, + sandbox->Trap(CrashSIGSYS_Handler, NULL), + ErrorCode(ErrorCode::ERR_ALLOWED)), + sandbox->Cond(1, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, F_GETFD, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(1, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, F_SETFD, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(1, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, F_DUPFD, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(1, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, F_SETLK, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(1, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, F_SETLKW, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(1, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, F_GETLK, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(1, ErrorCode::TP_32BIT, + ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC, + ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Trap(CrashSIGSYS_Handler, NULL)))))))))); +} + +#if defined(__i386__) +ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox) { + // Unfortunately, we are unable to restrict the first parameter to + // socketpair(2). Whilst initially sounding bad, it's noteworthy that very + // few protocols actually support socketpair(2). The scary call that we're + // worried about, socket(2), remains blocked. + return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + SYS_SEND, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + SYS_RECV, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + SYS_SENDTO, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + SYS_RECVFROM, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + SYS_SHUTDOWN, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + SYS_SENDMSG, ErrorCode(ErrorCode::ERR_ALLOWED), + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, + SYS_RECVMSG, ErrorCode(ErrorCode::ERR_ALLOWED), + ErrorCode(EPERM))))))))); +} +#endif + +} // namespace sandbox. diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h new file mode 100644 index 0000000000..65b7c47219 --- /dev/null +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h @@ -0,0 +1,58 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ +#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ + +#include "build/build_config.h" + +// These are helpers to build seccomp-bpf policies, i.e. policies for a +// sandbox that reduces the Linux kernel's attack surface. They return an +// ErrorCode suitable to restrict certain system call parameters. + +namespace sandbox { + +class ErrorCode; +class SandboxBPF; + +// Allow clone(2) for threads. +// Reject fork(2) attempts with EPERM. +// Don't restrict on ASAN. +// Crash if anything else is attempted. +ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox); + +// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE. +// Crash if anything else is attempted. +ErrorCode RestrictPrctl(SandboxBPF* sandbox); + +// Allow TCGETS and FIONREAD. +// Crash if anything else is attempted. +ErrorCode RestrictIoctl(SandboxBPF* sandbox); + +// Restrict the flags argument in mmap(2). +// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | +// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE. +// Crash if any other flag is used. +ErrorCode RestrictMmapFlags(SandboxBPF* sandbox); + +// Restrict the prot argument in mprotect(2). +// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC. +ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox); + +// Restrict fcntl(2) cmd argument to: +// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC, +// F_SETLK, F_SETLKW and F_GETLK. +// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND | +// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME. +ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox); + +#if defined(__i386__) +// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2), +// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2). +ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox); +#endif + +} // namespace sandbox. + +#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc new file mode 100644 index 0000000000..032f6c3c47 --- /dev/null +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc @@ -0,0 +1,981 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" + +#include "build/build_config.h" +#include "sandbox/linux/services/linux_syscalls.h" + +namespace sandbox { + +// The functions below cover all existing i386, x86_64, and ARM system calls; +// excluding syscalls made obsolete in ARM EABI. +// The implicitly defined sets form a partition of the sets of +// system calls. + +// TODO(jln) we need to restrict the first parameter! +bool SyscallSets::IsKill(int sysno) { + switch (sysno) { + case __NR_kill: + case __NR_tkill: + case __NR_tgkill: + return true; + default: + return false; + } +} + +bool SyscallSets::IsAllowedGettime(int sysno) { + switch (sysno) { + case __NR_clock_gettime: + case __NR_gettimeofday: +#if defined(__i386__) || defined(__x86_64__) + case __NR_time: +#endif + return true; + case __NR_adjtimex: // Privileged. + case __NR_clock_adjtime: // Privileged. + case __NR_clock_getres: // Could be allowed. + case __NR_clock_nanosleep: // Could be allowed. + case __NR_clock_settime: // Privileged. +#if defined(__i386__) + case __NR_ftime: // Obsolete. +#endif + case __NR_settimeofday: // Privileged. +#if defined(__i386__) + case __NR_stime: +#endif + default: + return false; + } +} + +bool SyscallSets::IsCurrentDirectory(int sysno) { + switch (sysno) { + case __NR_getcwd: + case __NR_chdir: + case __NR_fchdir: + return true; + default: + return false; + } +} + +bool SyscallSets::IsUmask(int sysno) { + switch (sysno) { + case __NR_umask: + return true; + default: + return false; + } +} + +// System calls that directly access the file system. They might acquire +// a new file descriptor or otherwise perform an operation directly +// via a path. +// Both EPERM and ENOENT are valid errno unless otherwise noted in comment. +bool SyscallSets::IsFileSystem(int sysno) { + switch (sysno) { + case __NR_access: // EPERM not a valid errno. + case __NR_chmod: + case __NR_chown: +#if defined(__i386__) || defined(__arm__) + case __NR_chown32: +#endif + case __NR_creat: + case __NR_execve: + case __NR_faccessat: // EPERM not a valid errno. + case __NR_fchmodat: + case __NR_fchownat: // Should be called chownat ? +#if defined(__x86_64__) + case __NR_newfstatat: // fstatat(). EPERM not a valid errno. +#elif defined(__i386__) || defined(__arm__) + case __NR_fstatat64: +#endif + case __NR_futimesat: // Should be called utimesat ? + case __NR_lchown: +#if defined(__i386__) || defined(__arm__) + case __NR_lchown32: +#endif + case __NR_link: + case __NR_linkat: + case __NR_lookup_dcookie: // ENOENT not a valid errno. + case __NR_lstat: // EPERM not a valid errno. +#if defined(__i386__) + case __NR_oldlstat: +#endif +#if defined(__i386__) || defined(__arm__) + case __NR_lstat64: +#endif + case __NR_mkdir: + case __NR_mkdirat: + case __NR_mknod: + case __NR_mknodat: + case __NR_open: + case __NR_openat: + case __NR_readlink: // EPERM not a valid errno. + case __NR_readlinkat: + case __NR_rename: + case __NR_renameat: + case __NR_rmdir: + case __NR_stat: // EPERM not a valid errno. +#if defined(__i386__) + case __NR_oldstat: +#endif +#if defined(__i386__) || defined(__arm__) + case __NR_stat64: +#endif + case __NR_statfs: // EPERM not a valid errno. +#if defined(__i386__) || defined(__arm__) + case __NR_statfs64: +#endif + case __NR_symlink: + case __NR_symlinkat: + case __NR_truncate: +#if defined(__i386__) || defined(__arm__) + case __NR_truncate64: +#endif + case __NR_unlink: + case __NR_unlinkat: + case __NR_uselib: // Neither EPERM, nor ENOENT are valid errno. + case __NR_ustat: // Same as above. Deprecated. +#if defined(__i386__) || defined(__x86_64__) + case __NR_utime: +#endif + case __NR_utimensat: // New. + case __NR_utimes: + return true; + default: + return false; + } +} + +bool SyscallSets::IsAllowedFileSystemAccessViaFd(int sysno) { + switch (sysno) { + case __NR_fstat: +#if defined(__i386__) || defined(__arm__) + case __NR_fstat64: +#endif + return true; +// TODO(jln): these should be denied gracefully as well (moved below). +#if defined(__i386__) || defined(__x86_64__) + case __NR_fadvise64: // EPERM not a valid errno. +#endif +#if defined(__i386__) + case __NR_fadvise64_64: +#endif +#if defined(__arm__) + case __NR_arm_fadvise64_64: +#endif + case __NR_fdatasync: // EPERM not a valid errno. + case __NR_flock: // EPERM not a valid errno. + case __NR_fstatfs: // Give information about the whole filesystem. +#if defined(__i386__) || defined(__arm__) + case __NR_fstatfs64: +#endif + case __NR_fsync: // EPERM not a valid errno. +#if defined(__i386__) + case __NR_oldfstat: +#endif +#if defined(__i386__) || defined(__x86_64__) + case __NR_sync_file_range: // EPERM not a valid errno. +#elif defined(__arm__) + case __NR_arm_sync_file_range: // EPERM not a valid errno. +#endif + default: + return false; + } +} + +// EPERM is a good errno for any of these. +bool SyscallSets::IsDeniedFileSystemAccessViaFd(int sysno) { + switch (sysno) { + case __NR_fallocate: + case __NR_fchmod: + case __NR_fchown: + case __NR_ftruncate: +#if defined(__i386__) || defined(__arm__) + case __NR_fchown32: + case __NR_ftruncate64: +#endif + case __NR_getdents: // EPERM not a valid errno. + case __NR_getdents64: // EPERM not a valid errno. +#if defined(__i386__) + case __NR_readdir: +#endif + return true; + default: + return false; + } +} + +bool SyscallSets::IsGetSimpleId(int sysno) { + switch (sysno) { + case __NR_capget: + case __NR_getegid: + case __NR_geteuid: + case __NR_getgid: + case __NR_getgroups: + case __NR_getpid: + case __NR_getppid: + case __NR_getresgid: + case __NR_getsid: + case __NR_gettid: + case __NR_getuid: + case __NR_getresuid: +#if defined(__i386__) || defined(__arm__) + case __NR_getegid32: + case __NR_geteuid32: + case __NR_getgid32: + case __NR_getgroups32: + case __NR_getresgid32: + case __NR_getresuid32: + case __NR_getuid32: +#endif + return true; + default: + return false; + } +} + +bool SyscallSets::IsProcessPrivilegeChange(int sysno) { + switch (sysno) { + case __NR_capset: +#if defined(__i386__) || defined(__x86_64__) + case __NR_ioperm: // Intel privilege. + case __NR_iopl: // Intel privilege. +#endif + case __NR_setfsgid: + case __NR_setfsuid: + case __NR_setgid: + case __NR_setgroups: + case __NR_setregid: + case __NR_setresgid: + case __NR_setresuid: + case __NR_setreuid: + case __NR_setuid: +#if defined(__i386__) || defined(__arm__) + case __NR_setfsgid32: + case __NR_setfsuid32: + case __NR_setgid32: + case __NR_setgroups32: + case __NR_setregid32: + case __NR_setresgid32: + case __NR_setresuid32: + case __NR_setreuid32: + case __NR_setuid32: +#endif + return true; + default: + return false; + } +} + +bool SyscallSets::IsProcessGroupOrSession(int sysno) { + switch (sysno) { + case __NR_setpgid: + case __NR_getpgrp: + case __NR_setsid: + case __NR_getpgid: + return true; + default: + return false; + } +} + +bool SyscallSets::IsAllowedSignalHandling(int sysno) { + switch (sysno) { + case __NR_rt_sigaction: + case __NR_rt_sigprocmask: + case __NR_rt_sigreturn: +#if defined(__i386__) || defined(__arm__) + case __NR_sigaction: + case __NR_sigprocmask: + case __NR_sigreturn: +#endif + return true; + case __NR_rt_sigpending: + case __NR_rt_sigqueueinfo: + case __NR_rt_sigsuspend: + case __NR_rt_sigtimedwait: + case __NR_rt_tgsigqueueinfo: + case __NR_sigaltstack: + case __NR_signalfd: + case __NR_signalfd4: +#if defined(__i386__) || defined(__arm__) + case __NR_sigpending: + case __NR_sigsuspend: +#endif +#if defined(__i386__) + case __NR_signal: + case __NR_sgetmask: // Obsolete. + case __NR_ssetmask: +#endif + default: + return false; + } +} + +bool SyscallSets::IsAllowedOperationOnFd(int sysno) { + switch (sysno) { + case __NR_close: + case __NR_dup: + case __NR_dup2: + case __NR_dup3: +#if defined(__x86_64__) || defined(__arm__) + case __NR_shutdown: +#endif + return true; + case __NR_fcntl: +#if defined(__i386__) || defined(__arm__) + case __NR_fcntl64: +#endif + default: + return false; + } +} + +bool SyscallSets::IsKernelInternalApi(int sysno) { + switch (sysno) { + case __NR_restart_syscall: +#if defined(__arm__) + case __ARM_NR_cmpxchg: +#endif + return true; + default: + return false; + } +} + +// This should be thought through in conjunction with IsFutex(). +bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) { + switch (sysno) { + case __NR_clone: // TODO(jln): restrict flags. + case __NR_exit: + case __NR_exit_group: + case __NR_wait4: + case __NR_waitid: +#if defined(__i386__) + case __NR_waitpid: +#endif + return true; + case __NR_setns: // Privileged. + case __NR_fork: +#if defined(__i386__) || defined(__x86_64__) + case __NR_get_thread_area: + case __NR_set_thread_area: +#endif + case __NR_set_tid_address: + case __NR_unshare: + case __NR_vfork: + default: + return false; + } +} + +// It's difficult to restrict those, but there is attack surface here. +bool SyscallSets::IsFutex(int sysno) { + switch (sysno) { + case __NR_futex: + case __NR_get_robust_list: + case __NR_set_robust_list: + return true; + default: + return false; + } +} + +bool SyscallSets::IsAllowedEpoll(int sysno) { + switch (sysno) { + case __NR_epoll_create: + case __NR_epoll_create1: + case __NR_epoll_ctl: + case __NR_epoll_wait: + return true; + default: +#if defined(__x86_64__) + case __NR_epoll_ctl_old: +#endif + case __NR_epoll_pwait: +#if defined(__x86_64__) + case __NR_epoll_wait_old: +#endif + return false; + } +} + +bool SyscallSets::IsAllowedGetOrModifySocket(int sysno) { + switch (sysno) { + case __NR_pipe: + case __NR_pipe2: + return true; + default: +#if defined(__x86_64__) || defined(__arm__) + case __NR_socketpair: // We will want to inspect its argument. +#endif + return false; + } +} + +bool SyscallSets::IsDeniedGetOrModifySocket(int sysno) { + switch (sysno) { +#if defined(__x86_64__) || defined(__arm__) + case __NR_accept: + case __NR_accept4: + case __NR_bind: + case __NR_connect: + case __NR_socket: + case __NR_listen: + return true; +#endif + default: + return false; + } +} + +#if defined(__i386__) +// Big multiplexing system call for sockets. +bool SyscallSets::IsSocketCall(int sysno) { + switch (sysno) { + case __NR_socketcall: + return true; + default: + return false; + } +} +#endif + +#if defined(__x86_64__) || defined(__arm__) +bool SyscallSets::IsNetworkSocketInformation(int sysno) { + switch (sysno) { + case __NR_getpeername: + case __NR_getsockname: + case __NR_getsockopt: + case __NR_setsockopt: + return true; + default: + return false; + } +} +#endif + +bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) { + switch (sysno) { + case __NR_brk: + case __NR_mlock: + case __NR_munlock: + case __NR_munmap: + return true; + case __NR_madvise: + case __NR_mincore: + case __NR_mlockall: +#if defined(__i386__) || defined(__x86_64__) + case __NR_mmap: +#endif +#if defined(__i386__) || defined(__arm__) + case __NR_mmap2: +#endif +#if defined(__i386__) || defined(__x86_64__) + case __NR_modify_ldt: +#endif + case __NR_mprotect: + case __NR_mremap: + case __NR_msync: + case __NR_munlockall: + case __NR_readahead: + case __NR_remap_file_pages: +#if defined(__i386__) + case __NR_vm86: + case __NR_vm86old: +#endif + default: + return false; + } +} + +bool SyscallSets::IsAllowedGeneralIo(int sysno) { + switch (sysno) { + case __NR_lseek: +#if defined(__i386__) || defined(__arm__) + case __NR__llseek: +#endif + case __NR_poll: + case __NR_ppoll: + case __NR_pselect6: + case __NR_read: + case __NR_readv: +#if defined(__arm__) + case __NR_recv: +#endif +#if defined(__x86_64__) || defined(__arm__) + case __NR_recvfrom: // Could specify source. + case __NR_recvmsg: // Could specify source. +#endif +#if defined(__i386__) || defined(__x86_64__) + case __NR_select: +#endif +#if defined(__i386__) || defined(__arm__) + case __NR__newselect: +#endif +#if defined(__arm__) + case __NR_send: +#endif +#if defined(__x86_64__) || defined(__arm__) + case __NR_sendmsg: // Could specify destination. + case __NR_sendto: // Could specify destination. +#endif + case __NR_write: + case __NR_writev: + return true; + case __NR_ioctl: // Can be very powerful. + case __NR_pread64: + case __NR_preadv: + case __NR_pwrite64: + case __NR_pwritev: + case __NR_recvmmsg: // Could specify source. + case __NR_sendfile: +#if defined(__i386__) || defined(__arm__) + case __NR_sendfile64: +#endif + case __NR_sendmmsg: // Could specify destination. + case __NR_splice: + case __NR_tee: + case __NR_vmsplice: + default: + return false; + } +} + +bool SyscallSets::IsAllowedPrctl(int sysno) { + switch (sysno) { + case __NR_prctl: + return true; + default: +#if defined(__x86_64__) + case __NR_arch_prctl: +#endif + return false; + } +} + +bool SyscallSets::IsAllowedBasicScheduler(int sysno) { + switch (sysno) { + case __NR_sched_yield: + case __NR_pause: + case __NR_nanosleep: + return true; + case __NR_getpriority: +#if defined(__i386__) || defined(__arm__) + case __NR_nice: +#endif + case __NR_setpriority: + default: + return false; + } +} + +bool SyscallSets::IsAdminOperation(int sysno) { + switch (sysno) { +#if defined(__i386__) || defined(__arm__) + case __NR_bdflush: +#endif + case __NR_kexec_load: + case __NR_reboot: + case __NR_setdomainname: + case __NR_sethostname: + case __NR_syslog: + return true; + default: + return false; + } +} + +bool SyscallSets::IsKernelModule(int sysno) { + switch (sysno) { +#if defined(__i386__) || defined(__x86_64__) + case __NR_create_module: + case __NR_get_kernel_syms: // Should ENOSYS. + case __NR_query_module: +#endif + case __NR_delete_module: + case __NR_init_module: + return true; + default: + return false; + } +} + +bool SyscallSets::IsGlobalFSViewChange(int sysno) { + switch (sysno) { + case __NR_pivot_root: + case __NR_chroot: + case __NR_sync: + return true; + default: + return false; + } +} + +bool SyscallSets::IsFsControl(int sysno) { + switch (sysno) { + case __NR_mount: + case __NR_nfsservctl: + case __NR_quotactl: + case __NR_swapoff: + case __NR_swapon: +#if defined(__i386__) + case __NR_umount: +#endif + case __NR_umount2: + return true; + default: + return false; + } +} + +bool SyscallSets::IsNuma(int sysno) { + switch (sysno) { + case __NR_get_mempolicy: + case __NR_getcpu: + case __NR_mbind: +#if defined(__i386__) || defined(__x86_64__) + case __NR_migrate_pages: +#endif + case __NR_move_pages: + case __NR_set_mempolicy: + return true; + default: + return false; + } +} + +bool SyscallSets::IsMessageQueue(int sysno) { + switch (sysno) { + case __NR_mq_getsetattr: + case __NR_mq_notify: + case __NR_mq_open: + case __NR_mq_timedreceive: + case __NR_mq_timedsend: + case __NR_mq_unlink: + return true; + default: + return false; + } +} + +bool SyscallSets::IsGlobalProcessEnvironment(int sysno) { + switch (sysno) { + case __NR_acct: // Privileged. +#if defined(__i386__) || defined(__x86_64__) + case __NR_getrlimit: +#endif +#if defined(__i386__) || defined(__arm__) + case __NR_ugetrlimit: +#endif +#if defined(__i386__) + case __NR_ulimit: +#endif + case __NR_getrusage: + case __NR_personality: // Can change its personality as well. + case __NR_prlimit64: // Like setrlimit / getrlimit. + case __NR_setrlimit: + case __NR_times: + return true; + default: + return false; + } +} + +bool SyscallSets::IsDebug(int sysno) { + switch (sysno) { + case __NR_ptrace: + case __NR_process_vm_readv: + case __NR_process_vm_writev: +#if defined(__i386__) || defined(__x86_64__) + case __NR_kcmp: +#endif + return true; + default: + return false; + } +} + +bool SyscallSets::IsGlobalSystemStatus(int sysno) { + switch (sysno) { + case __NR__sysctl: + case __NR_sysfs: + case __NR_sysinfo: + case __NR_uname: +#if defined(__i386__) + case __NR_olduname: + case __NR_oldolduname: +#endif + return true; + default: + return false; + } +} + +bool SyscallSets::IsEventFd(int sysno) { + switch (sysno) { + case __NR_eventfd: + case __NR_eventfd2: + return true; + default: + return false; + } +} + +// Asynchronous I/O API. +bool SyscallSets::IsAsyncIo(int sysno) { + switch (sysno) { + case __NR_io_cancel: + case __NR_io_destroy: + case __NR_io_getevents: + case __NR_io_setup: + case __NR_io_submit: + return true; + default: + return false; + } +} + +bool SyscallSets::IsKeyManagement(int sysno) { + switch (sysno) { + case __NR_add_key: + case __NR_keyctl: + case __NR_request_key: + return true; + default: + return false; + } +} + +#if defined(__x86_64__) || defined(__arm__) +bool SyscallSets::IsSystemVSemaphores(int sysno) { + switch (sysno) { + case __NR_semctl: + case __NR_semget: + case __NR_semop: + case __NR_semtimedop: + return true; + default: + return false; + } +} +#endif + +#if defined(__x86_64__) || defined(__arm__) +// These give a lot of ambient authority and bypass the setuid sandbox. +bool SyscallSets::IsSystemVSharedMemory(int sysno) { + switch (sysno) { + case __NR_shmat: + case __NR_shmctl: + case __NR_shmdt: + case __NR_shmget: + return true; + default: + return false; + } +} +#endif + +#if defined(__x86_64__) || defined(__arm__) +bool SyscallSets::IsSystemVMessageQueue(int sysno) { + switch (sysno) { + case __NR_msgctl: + case __NR_msgget: + case __NR_msgrcv: + case __NR_msgsnd: + return true; + default: + return false; + } +} +#endif + +#if defined(__i386__) +// Big system V multiplexing system call. +bool SyscallSets::IsSystemVIpc(int sysno) { + switch (sysno) { + case __NR_ipc: + return true; + default: + return false; + } +} +#endif + +bool SyscallSets::IsAnySystemV(int sysno) { +#if defined(__x86_64__) || defined(__arm__) + return IsSystemVMessageQueue(sysno) || IsSystemVSemaphores(sysno) || + IsSystemVSharedMemory(sysno); +#elif defined(__i386__) + return IsSystemVIpc(sysno); +#endif +} + +bool SyscallSets::IsAdvancedScheduler(int sysno) { + switch (sysno) { + case __NR_ioprio_get: // IO scheduler. + case __NR_ioprio_set: + case __NR_sched_get_priority_max: + case __NR_sched_get_priority_min: + case __NR_sched_getaffinity: + case __NR_sched_getparam: + case __NR_sched_getscheduler: + case __NR_sched_rr_get_interval: + case __NR_sched_setaffinity: + case __NR_sched_setparam: + case __NR_sched_setscheduler: + return true; + default: + return false; + } +} + +bool SyscallSets::IsInotify(int sysno) { + switch (sysno) { + case __NR_inotify_add_watch: + case __NR_inotify_init: + case __NR_inotify_init1: + case __NR_inotify_rm_watch: + return true; + default: + return false; + } +} + +bool SyscallSets::IsFaNotify(int sysno) { + switch (sysno) { + case __NR_fanotify_init: + case __NR_fanotify_mark: + return true; + default: + return false; + } +} + +bool SyscallSets::IsTimer(int sysno) { + switch (sysno) { + case __NR_getitimer: +#if defined(__i386__) || defined(__x86_64__) + case __NR_alarm: +#endif + case __NR_setitimer: + return true; + default: + return false; + } +} + +bool SyscallSets::IsAdvancedTimer(int sysno) { + switch (sysno) { + case __NR_timer_create: + case __NR_timer_delete: + case __NR_timer_getoverrun: + case __NR_timer_gettime: + case __NR_timer_settime: + case __NR_timerfd_create: + case __NR_timerfd_gettime: + case __NR_timerfd_settime: + return true; + default: + return false; + } +} + +bool SyscallSets::IsExtendedAttributes(int sysno) { + switch (sysno) { + case __NR_fgetxattr: + case __NR_flistxattr: + case __NR_fremovexattr: + case __NR_fsetxattr: + case __NR_getxattr: + case __NR_lgetxattr: + case __NR_listxattr: + case __NR_llistxattr: + case __NR_lremovexattr: + case __NR_lsetxattr: + case __NR_removexattr: + case __NR_setxattr: + return true; + default: + return false; + } +} + +// Various system calls that need to be researched. +// TODO(jln): classify this better. +bool SyscallSets::IsMisc(int sysno) { + switch (sysno) { + case __NR_name_to_handle_at: + case __NR_open_by_handle_at: + case __NR_perf_event_open: + case __NR_syncfs: + case __NR_vhangup: +// The system calls below are not implemented. +#if defined(__i386__) || defined(__x86_64__) + case __NR_afs_syscall: +#endif +#if defined(__i386__) + case __NR_break: +#endif +#if defined(__i386__) || defined(__x86_64__) + case __NR_getpmsg: +#endif +#if defined(__i386__) + case __NR_gtty: + case __NR_idle: + case __NR_lock: + case __NR_mpx: + case __NR_prof: + case __NR_profil: +#endif +#if defined(__i386__) || defined(__x86_64__) + case __NR_putpmsg: +#endif +#if defined(__x86_64__) + case __NR_security: +#endif +#if defined(__i386__) + case __NR_stty: +#endif +#if defined(__x86_64__) + case __NR_tuxcall: +#endif + case __NR_vserver: + return true; + default: + return false; + } +} + +#if defined(__arm__) +bool SyscallSets::IsArmPciConfig(int sysno) { + switch (sysno) { + case __NR_pciconfig_iobase: + case __NR_pciconfig_read: + case __NR_pciconfig_write: + return true; + default: + return false; + } +} + +bool SyscallSets::IsArmPrivate(int sysno) { + switch (sysno) { + case __ARM_NR_breakpoint: + case __ARM_NR_cacheflush: + case __ARM_NR_set_tls: + case __ARM_NR_usr26: + case __ARM_NR_usr32: + return true; + default: + return false; + } +} +#endif // defined(__arm__) + +} // namespace sandbox. diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h new file mode 100644 index 0000000000..d2cf1a1780 --- /dev/null +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h @@ -0,0 +1,105 @@ +// Copyright (c) 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_ +#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_ + +#include "base/basictypes.h" +#include "build/build_config.h" + +// These are helpers to build seccomp-bpf policies, i.e. policies for a +// sandbox that reduces the Linux kernel's attack surface. Given their +// nature, they don't have any clear semantics and are completely +// "implementation-defined". + +namespace sandbox { + +class SyscallSets { + public: + static bool IsKill(int sysno); + static bool IsAllowedGettime(int sysno); + static bool IsCurrentDirectory(int sysno); + static bool IsUmask(int sysno); + // System calls that directly access the file system. They might acquire + // a new file descriptor or otherwise perform an operation directly + // via a path. + static bool IsFileSystem(int sysno); + static bool IsAllowedFileSystemAccessViaFd(int sysno); + static bool IsDeniedFileSystemAccessViaFd(int sysno); + static bool IsGetSimpleId(int sysno); + static bool IsProcessPrivilegeChange(int sysno); + static bool IsProcessGroupOrSession(int sysno); + static bool IsAllowedSignalHandling(int sysno); + static bool IsAllowedOperationOnFd(int sysno); + static bool IsKernelInternalApi(int sysno); + // This should be thought through in conjunction with IsFutex(). + static bool IsAllowedProcessStartOrDeath(int sysno); + // It's difficult to restrict those, but there is attack surface here. + static bool IsFutex(int sysno); + static bool IsAllowedEpoll(int sysno); + static bool IsAllowedGetOrModifySocket(int sysno); + static bool IsDeniedGetOrModifySocket(int sysno); + +#if defined(__i386__) + // Big multiplexing system call for sockets. + static bool IsSocketCall(int sysno); +#endif + +#if defined(__x86_64__) || defined(__arm__) + static bool IsNetworkSocketInformation(int sysno); +#endif + + static bool IsAllowedAddressSpaceAccess(int sysno); + static bool IsAllowedGeneralIo(int sysno); + static bool IsAllowedPrctl(int sysno); + static bool IsAllowedBasicScheduler(int sysno); + static bool IsAdminOperation(int sysno); + static bool IsKernelModule(int sysno); + static bool IsGlobalFSViewChange(int sysno); + static bool IsFsControl(int sysno); + static bool IsNuma(int sysno); + static bool IsMessageQueue(int sysno); + static bool IsGlobalProcessEnvironment(int sysno); + static bool IsDebug(int sysno); + static bool IsGlobalSystemStatus(int sysno); + static bool IsEventFd(int sysno); + // Asynchronous I/O API. + static bool IsAsyncIo(int sysno); + static bool IsKeyManagement(int sysno); +#if defined(__x86_64__) || defined(__arm__) + static bool IsSystemVSemaphores(int sysno); +#endif +#if defined(__x86_64__) || defined(__arm__) + // These give a lot of ambient authority and bypass the setuid sandbox. + static bool IsSystemVSharedMemory(int sysno); +#endif + +#if defined(__x86_64__) || defined(__arm__) + static bool IsSystemVMessageQueue(int sysno); +#endif + +#if defined(__i386__) + // Big system V multiplexing system call. + static bool IsSystemVIpc(int sysno); +#endif + + static bool IsAnySystemV(int sysno); + static bool IsAdvancedScheduler(int sysno); + static bool IsInotify(int sysno); + static bool IsFaNotify(int sysno); + static bool IsTimer(int sysno); + static bool IsAdvancedTimer(int sysno); + static bool IsExtendedAttributes(int sysno); + static bool IsMisc(int sysno); +#if defined(__arm__) + static bool IsArmPciConfig(int sysno); + static bool IsArmPrivate(int sysno); +#endif // defined(__arm__) + private: + DISALLOW_IMPLICIT_CONSTRUCTORS(SyscallSets); +}; + +} // namespace sandbox. + +#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_ diff --git a/sandbox/linux/seccomp-bpf/basicblock.cc b/sandbox/linux/seccomp-bpf/basicblock.cc index 58d27b2757..eb857f00b6 100644 --- a/sandbox/linux/seccomp-bpf/basicblock.cc +++ b/sandbox/linux/seccomp-bpf/basicblock.cc @@ -4,10 +4,10 @@ #include "sandbox/linux/seccomp-bpf/basicblock.h" -namespace playground2 { +namespace sandbox { BasicBlock::BasicBlock() {} BasicBlock::~BasicBlock() {} -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/basicblock.h b/sandbox/linux/seccomp-bpf/basicblock.h index a116f41b3e..d15a372cfe 100644 --- a/sandbox/linux/seccomp-bpf/basicblock.h +++ b/sandbox/linux/seccomp-bpf/basicblock.h @@ -9,7 +9,7 @@ #include "sandbox/linux/seccomp-bpf/instruction.h" -namespace playground2 { +namespace sandbox { struct BasicBlock { BasicBlock(); @@ -44,6 +44,6 @@ struct BasicBlock { int offset; }; -} // namespace playground2 +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_BASICBLOCK_H__ diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h index 13ccf7d61a..7095c23b8c 100644 --- a/sandbox/linux/seccomp-bpf/bpf_tests.h +++ b/sandbox/linux/seccomp-bpf/bpf_tests.h @@ -21,13 +21,13 @@ namespace sandbox { // A BPF_DEATH_TEST is always disabled under ThreadSanitizer, see // crbug.com/243968. #define BPF_DEATH_TEST(test_case_name, test_name, death, policy, aux...) \ - void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX); \ + void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX); \ TEST(test_case_name, DISABLE_ON_TSAN(test_name)) { \ - sandbox::BpfTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy); \ - sandbox::BpfTests<aux>::RunTestInProcess( \ - sandbox::BpfTests<aux>::TestWrapper, &arg, death); \ + sandbox::BPFTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy); \ + sandbox::BPFTests<aux>::RunTestInProcess( \ + sandbox::BPFTests<aux>::TestWrapper, &arg, death); \ } \ - void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX) + void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX) // BPF_TEST() is a special version of SANDBOX_TEST(). It turns into a no-op, // if the host does not have kernel support for running BPF filters. @@ -37,7 +37,7 @@ namespace sandbox { // BPF_TEST() takes a C++ data type as an optional fourth parameter. If // present, this sets up a variable that can be accessed as "BPF_AUX". This // variable will be passed as an argument to the "policy" function. Policies -// would typically use it as an argument to Sandbox::Trap(), if they want to +// would typically use it as an argument to SandboxBPF::Trap(), if they want to // communicate data between the BPF_TEST() and a Trap() function. #define BPF_TEST(test_case_name, test_name, policy, aux...) \ BPF_DEATH_TEST(test_case_name, test_name, DEATH_SUCCESS(), policy, aux) @@ -49,42 +49,42 @@ namespace sandbox { // the caller doesn't provide any type, all the BPF_AUX related data compiles // to nothing. template <class Aux = int[0]> -class BpfTests : public UnitTests { +class BPFTests : public UnitTests { public: typedef Aux AuxType; class TestArgs { public: - TestArgs(void (*t)(AuxType&), playground2::Sandbox::EvaluateSyscall p) + TestArgs(void (*t)(AuxType&), sandbox::SandboxBPF::EvaluateSyscall p) : test_(t), policy_(p), aux_() {} void (*test() const)(AuxType&) { return test_; } - playground2::Sandbox::EvaluateSyscall policy() const { return policy_; } + sandbox::SandboxBPF::EvaluateSyscall policy() const { return policy_; } private: - friend class BpfTests; + friend class BPFTests; void (*test_)(AuxType&); - playground2::Sandbox::EvaluateSyscall policy_; + sandbox::SandboxBPF::EvaluateSyscall policy_; AuxType aux_; }; static void TestWrapper(void* void_arg) { TestArgs* arg = reinterpret_cast<TestArgs*>(void_arg); - playground2::Die::EnableSimpleExit(); - if (playground2::Sandbox::SupportsSeccompSandbox(-1) == - playground2::Sandbox::STATUS_AVAILABLE) { + sandbox::Die::EnableSimpleExit(); + if (sandbox::SandboxBPF::SupportsSeccompSandbox(-1) == + sandbox::SandboxBPF::STATUS_AVAILABLE) { // Ensure the the sandbox is actually available at this time int proc_fd; BPF_ASSERT((proc_fd = open("/proc", O_RDONLY | O_DIRECTORY)) >= 0); - BPF_ASSERT(playground2::Sandbox::SupportsSeccompSandbox(proc_fd) == - playground2::Sandbox::STATUS_AVAILABLE); + BPF_ASSERT(sandbox::SandboxBPF::SupportsSeccompSandbox(proc_fd) == + sandbox::SandboxBPF::STATUS_AVAILABLE); // Initialize and then start the sandbox with our custom policy - playground2::Sandbox sandbox; + sandbox::SandboxBPF sandbox; sandbox.set_proc_fd(proc_fd); sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_); - sandbox.Sandbox::StartSandbox(); + sandbox.SandboxBPF::StartSandbox(); arg->test()(arg->aux_); } else { @@ -98,9 +98,9 @@ class BpfTests : public UnitTests { } // Call the compiler and verify the policy. That's the least we can do, // if we don't have kernel support. - playground2::Sandbox sandbox; + sandbox::SandboxBPF sandbox; sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_); - playground2::Sandbox::Program* program = + sandbox::SandboxBPF::Program* program = sandbox.AssembleFilter(true /* force_verification */); delete program; sandbox::UnitTests::IgnoreThisTest(); @@ -108,9 +108,9 @@ class BpfTests : public UnitTests { } private: - DISALLOW_IMPLICIT_CONSTRUCTORS(BpfTests); + DISALLOW_IMPLICIT_CONSTRUCTORS(BPFTests); }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__ diff --git a/sandbox/linux/seccomp-bpf/codegen.cc b/sandbox/linux/seccomp-bpf/codegen.cc index 77df612110..8fb1701179 100644 --- a/sandbox/linux/seccomp-bpf/codegen.cc +++ b/sandbox/linux/seccomp-bpf/codegen.cc @@ -9,8 +9,8 @@ namespace { // Helper function for Traverse(). -void TraverseRecursively(std::set<playground2::Instruction*>* visited, - playground2::Instruction* instruction) { +void TraverseRecursively(std::set<sandbox::Instruction*>* visited, + sandbox::Instruction* instruction) { if (visited->find(instruction) == visited->end()) { visited->insert(instruction); switch (BPF_CLASS(instruction->code)) { @@ -31,7 +31,7 @@ void TraverseRecursively(std::set<playground2::Instruction*>* visited, } // namespace -namespace playground2 { +namespace sandbox { CodeGen::CodeGen() : compiled_(false) {} @@ -48,8 +48,8 @@ CodeGen::~CodeGen() { } } -void CodeGen::PrintProgram(const Sandbox::Program& program) { - for (Sandbox::Program::const_iterator iter = program.begin(); +void CodeGen::PrintProgram(const SandboxBPF::Program& program) { + for (SandboxBPF::Program::const_iterator iter = program.begin(); iter != program.end(); ++iter) { int ip = (int)(iter - program.begin()); @@ -706,7 +706,7 @@ void CodeGen::ComputeRelativeJumps(BasicBlocks* basic_blocks, } void CodeGen::ConcatenateBasicBlocks(const BasicBlocks& basic_blocks, - Sandbox::Program* program) { + SandboxBPF::Program* program) { // Our basic blocks have been sorted and relative jump offsets have been // computed. The last remaining step is for all the instructions in our // basic blocks to be concatenated into a BPF program. @@ -726,7 +726,7 @@ void CodeGen::ConcatenateBasicBlocks(const BasicBlocks& basic_blocks, return; } -void CodeGen::Compile(Instruction* instructions, Sandbox::Program* program) { +void CodeGen::Compile(Instruction* instructions, SandboxBPF::Program* program) { if (compiled_) { SANDBOX_DIE( "Cannot call Compile() multiple times. Create a new code " @@ -747,4 +747,4 @@ void CodeGen::Compile(Instruction* instructions, Sandbox::Program* program) { return; } -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/codegen.h b/sandbox/linux/seccomp-bpf/codegen.h index 6ef76037e2..2745e51194 100644 --- a/sandbox/linux/seccomp-bpf/codegen.h +++ b/sandbox/linux/seccomp-bpf/codegen.h @@ -13,7 +13,7 @@ #include "sandbox/linux/seccomp-bpf/instruction.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" -namespace playground2 { +namespace sandbox { typedef std::vector<Instruction*> Instructions; typedef std::vector<BasicBlock*> BasicBlocks; @@ -28,7 +28,7 @@ typedef std::map<const BasicBlock*, int> IncomingBranches; // // Callers would typically create a new CodeGen object and then use it to // build a DAG of Instructions. They'll eventually call Compile() to convert -// this DAG to a Sandbox::Program. +// this DAG to a SandboxBPF::Program. // // Instructions can be chained at the time when they are created, or they // can be joined later by calling JoinInstructions(). @@ -46,7 +46,7 @@ typedef std::map<const BasicBlock*, int> IncomingBranches; // // // Simplified code follows; in practice, it is important to avoid calling // // any C++ destructors after starting the sandbox. -// Sandbox::Program program; +// SandboxBPF::Program program; // gen.Compile(dag, program); // const struct sock_fprog prog = { // static_cast<unsigned short>(program->size()), &program[0] }; @@ -59,7 +59,7 @@ class CodeGen { // This is a helper method that can be used for debugging purposes. It is // not normally called. - static void PrintProgram(const Sandbox::Program& program); + static void PrintProgram(const SandboxBPF::Program& program); // Create a new instruction. Instructions form a DAG. The instruction objects // are owned by the CodeGen object. They do not need to be explicitly @@ -90,7 +90,7 @@ class CodeGen { // Compiles the graph of instructions into a BPF program that can be passed // to the kernel. Please note that this function modifies the graph in place // and must therefore only be called once per graph. - void Compile(Instruction* instructions, Sandbox::Program* program); + void Compile(Instruction* instructions, SandboxBPF::Program* program); private: friend class CodeGenUnittestHelper; @@ -140,7 +140,7 @@ class CodeGen { // Concatenate instructions from all basic blocks into a BPF program that // can be passed to the kernel. - void ConcatenateBasicBlocks(const BasicBlocks&, Sandbox::Program* program); + void ConcatenateBasicBlocks(const BasicBlocks&, SandboxBPF::Program* program); // We stick all instructions and basic blocks into pools that get destroyed // when the CodeGen object is destroyed. This way, we neither need to worry @@ -154,6 +154,6 @@ class CodeGen { bool compiled_; }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_CODEGEN_H__ diff --git a/sandbox/linux/seccomp-bpf/codegen_unittest.cc b/sandbox/linux/seccomp-bpf/codegen_unittest.cc index ccc5656615..0539a0d433 100644 --- a/sandbox/linux/seccomp-bpf/codegen_unittest.cc +++ b/sandbox/linux/seccomp-bpf/codegen_unittest.cc @@ -12,11 +12,11 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/tests/unit_tests.h" -namespace playground2 { +namespace sandbox { -class SandboxUnittestHelper : public Sandbox { +class SandboxUnittestHelper : public SandboxBPF { public: - typedef Sandbox::Program Program; + typedef SandboxBPF::Program Program; }; // We want to access some of the private methods in the code generator. We @@ -444,4 +444,4 @@ SANDBOX_TEST(CodeGen, All) { ForAllPrograms(CompileAndCompare); } -} // namespace playground2 +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/demo.cc b/sandbox/linux/seccomp-bpf/demo.cc index 48df073c5b..14180181a6 100644 --- a/sandbox/linux/seccomp-bpf/demo.cc +++ b/sandbox/linux/seccomp-bpf/demo.cc @@ -30,9 +30,9 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/services/linux_syscalls.h" -using playground2::arch_seccomp_data; -using playground2::ErrorCode; -using playground2::Sandbox; +using sandbox::ErrorCode; +using sandbox::SandboxBPF; +using sandbox::arch_seccomp_data; #define ERR EPERM @@ -237,7 +237,7 @@ intptr_t DefaultHandler(const struct arch_seccomp_data& data, void *) { return -ERR; } -ErrorCode Evaluator(Sandbox *sandbox, int sysno, void *) { +ErrorCode Evaluator(SandboxBPF* sandbox, int sysno, void *) { switch (sysno) { #if defined(__NR_accept) case __NR_accept: case __NR_accept4: @@ -413,12 +413,12 @@ int main(int argc, char *argv[]) { if (argc) { } if (argv) { } int proc_fd = open("/proc", O_RDONLY|O_DIRECTORY); - if (Sandbox::SupportsSeccompSandbox(proc_fd) != - Sandbox::STATUS_AVAILABLE) { + if (SandboxBPF::SupportsSeccompSandbox(proc_fd) != + SandboxBPF::STATUS_AVAILABLE) { perror("sandbox"); _exit(1); } - Sandbox sandbox; + SandboxBPF sandbox; sandbox.set_proc_fd(proc_fd); sandbox.SetSandboxPolicyDeprecated(Evaluator, NULL); sandbox.StartSandbox(); diff --git a/sandbox/linux/seccomp-bpf/die.cc b/sandbox/linux/seccomp-bpf/die.cc index 594740c779..533e2e9c35 100644 --- a/sandbox/linux/seccomp-bpf/die.cc +++ b/sandbox/linux/seccomp-bpf/die.cc @@ -14,7 +14,7 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/seccomp-bpf/syscall.h" -namespace playground2 { +namespace sandbox { void Die::ExitGroup() { // exit_group() should exit our program. After all, it is defined as a @@ -82,4 +82,4 @@ void Die::LogToStderr(const char* msg, const char* file, int line) { bool Die::simple_exit_ = false; bool Die::suppress_info_ = false; -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/die.h b/sandbox/linux/seccomp-bpf/die.h index 2ed3f07f1a..5dcfda0f2b 100644 --- a/sandbox/linux/seccomp-bpf/die.h +++ b/sandbox/linux/seccomp-bpf/die.h @@ -7,18 +7,18 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { // This is the main API for using this file. Prints a error message and // exits with a fatal error. This is not async-signal safe. -#define SANDBOX_DIE(m) playground2::Die::SandboxDie(m, __FILE__, __LINE__) +#define SANDBOX_DIE(m) sandbox::Die::SandboxDie(m, __FILE__, __LINE__) // An async signal safe version of the same API. Won't print the filename // and line numbers. -#define RAW_SANDBOX_DIE(m) playground2::Die::RawSandboxDie(m) +#define RAW_SANDBOX_DIE(m) sandbox::Die::RawSandboxDie(m) // Adds an informational message to the log file or stderr as appropriate. -#define SANDBOX_INFO(m) playground2::Die::SandboxInfo(m, __FILE__, __LINE__) +#define SANDBOX_INFO(m) sandbox::Die::SandboxInfo(m, __FILE__, __LINE__) class Die { public: @@ -62,6 +62,6 @@ class Die { DISALLOW_IMPLICIT_CONSTRUCTORS(Die); }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_DIE_H__ diff --git a/sandbox/linux/seccomp-bpf/errorcode.cc b/sandbox/linux/seccomp-bpf/errorcode.cc index e517d38119..6484852820 100644 --- a/sandbox/linux/seccomp-bpf/errorcode.cc +++ b/sandbox/linux/seccomp-bpf/errorcode.cc @@ -5,7 +5,7 @@ #include "sandbox/linux/seccomp-bpf/die.h" #include "sandbox/linux/seccomp-bpf/errorcode.h" -namespace playground2 { +namespace sandbox { ErrorCode::ErrorCode(int err) { switch (err) { @@ -101,4 +101,4 @@ bool ErrorCode::LessThan(const ErrorCode& err) const { } } -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/errorcode.h b/sandbox/linux/seccomp-bpf/errorcode.h index 182fadb4dc..625d123513 100644 --- a/sandbox/linux/seccomp-bpf/errorcode.h +++ b/sandbox/linux/seccomp-bpf/errorcode.h @@ -8,7 +8,7 @@ #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" #include "sandbox/linux/seccomp-bpf/trap.h" -namespace playground2 { +namespace sandbox { struct arch_seccomp_data; @@ -46,7 +46,7 @@ class ErrorCode { // access 64bit quantities. But policies are still advised to specify whether // a system call expects a 32bit or a 64bit quantity. enum ArgType { - // When passed as an argument to Sandbox::Cond(), TP_32BIT requests that + // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that // the conditional test should operate on the 32bit part of the system call // argument. // On 64bit architectures, this verifies that user space did not pass @@ -64,7 +64,7 @@ class ErrorCode { // having been sign extended. TP_32BIT, - // When passed as an argument to Sandbox::Cond(), TP_64BIT requests that + // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that // the conditional test should operate on the full 64bit argument. It is // generally harmless to perform a 64bit test on 32bit systems, as the // kernel will always see the top 32 bits of all arguments as zero'd out. @@ -148,7 +148,7 @@ class ErrorCode { private: friend class CodeGen; - friend class Sandbox; + friend class SandboxBPF; friend class Trap; // If we are wrapping a callback, we must assign a unique id. This id is @@ -192,6 +192,6 @@ class ErrorCode { uint32_t err_; }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ diff --git a/sandbox/linux/seccomp-bpf/errorcode_unittest.cc b/sandbox/linux/seccomp-bpf/errorcode_unittest.cc index 3748e5185e..ef04a5f61f 100644 --- a/sandbox/linux/seccomp-bpf/errorcode_unittest.cc +++ b/sandbox/linux/seccomp-bpf/errorcode_unittest.cc @@ -7,7 +7,7 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/tests/unit_tests.h" -using namespace playground2; +namespace sandbox { namespace { @@ -21,13 +21,13 @@ SANDBOX_TEST(ErrorCode, ErrnoConstructor) { ErrorCode e2(EPERM); SANDBOX_ASSERT(e2.err() == SECCOMP_RET_ERRNO + EPERM); - Sandbox sandbox; + SandboxBPF sandbox; ErrorCode e3 = sandbox.Trap(NULL, NULL); SANDBOX_ASSERT((e3.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP); } SANDBOX_TEST(ErrorCode, Trap) { - Sandbox sandbox; + SandboxBPF sandbox; ErrorCode e0 = sandbox.Trap(NULL, "a"); ErrorCode e1 = sandbox.Trap(NULL, "b"); SANDBOX_ASSERT((e0.err() & SECCOMP_RET_DATA) + 1 == @@ -48,7 +48,7 @@ SANDBOX_TEST(ErrorCode, Equals) { ErrorCode e3(EPERM); SANDBOX_ASSERT(!e1.Equals(e3)); - Sandbox sandbox; + SandboxBPF sandbox; ErrorCode e4 = sandbox.Trap(NULL, "a"); ErrorCode e5 = sandbox.Trap(NULL, "b"); ErrorCode e6 = sandbox.Trap(NULL, "a"); @@ -69,7 +69,7 @@ SANDBOX_TEST(ErrorCode, LessThan) { SANDBOX_ASSERT(!e1.LessThan(e3)); SANDBOX_ASSERT( e3.LessThan(e1)); - Sandbox sandbox; + SandboxBPF sandbox; ErrorCode e4 = sandbox.Trap(NULL, "a"); ErrorCode e5 = sandbox.Trap(NULL, "b"); ErrorCode e6 = sandbox.Trap(NULL, "a"); @@ -81,3 +81,5 @@ SANDBOX_TEST(ErrorCode, LessThan) { } } // namespace + +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/instruction.h b/sandbox/linux/seccomp-bpf/instruction.h index 8d35187d76..8567c8fd91 100644 --- a/sandbox/linux/seccomp-bpf/instruction.h +++ b/sandbox/linux/seccomp-bpf/instruction.h @@ -7,7 +7,7 @@ #include <stdint.h> -namespace playground2 { +namespace sandbox { // The fields in this structure have the same meaning as the corresponding // fields in "struct sock_filter". See <linux/filter.h> for a lot more @@ -57,6 +57,6 @@ struct Instruction { uint32_t k; }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_INSTRUCTION_H__ diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc index 3a4b67886a..6b2327e545 100644 --- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc @@ -30,7 +30,7 @@ #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" #include "sandbox/linux/seccomp-bpf/verifier.h" -namespace playground2 { +namespace sandbox { namespace { @@ -56,8 +56,8 @@ void WriteFailedStderrSetupMessage(int out_fd) { // We define a really simple sandbox policy. It is just good enough for us // to tell that the sandbox has actually been activated. -ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) __attribute__((const)); -ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) { +ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) __attribute__((const)); +ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) { switch (sysnum) { case __NR_getpid: // Return EPERM so that we can check that the filter actually ran. @@ -77,8 +77,8 @@ void ProbeProcess(void) { } } -ErrorCode AllowAllEvaluator(Sandbox*, int sysnum, void*) { - if (!Sandbox::IsValidSyscallNumber(sysnum)) { +ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysnum)) { return ErrorCode(ENOSYS); } return ErrorCode(ErrorCode::ERR_ALLOWED); @@ -104,9 +104,9 @@ bool IsSingleThreaded(int proc_fd) { struct stat sb; int task = -1; if ((task = openat(proc_fd, "self/task", O_RDONLY | O_DIRECTORY)) < 0 || - fstat(task, &sb) != 0 || sb.st_nlink != 3 || HANDLE_EINTR(close(task))) { + fstat(task, &sb) != 0 || sb.st_nlink != 3 || IGNORE_EINTR(close(task))) { if (task >= 0) { - if (HANDLE_EINTR(close(task))) { + if (IGNORE_EINTR(close(task))) { } } return false; @@ -162,7 +162,7 @@ void RedirectToUserspace(Instruction* insn, void* aux) { // The performance penalty for this extra round-trip to user-space is not // actually that bad, as we only ever pay it for denied system calls; and a // typical program has very few of these. - Sandbox* sandbox = static_cast<Sandbox*>(aux); + SandboxBPF* sandbox = static_cast<SandboxBPF*>(aux); if (BPF_CLASS(insn->code) == BPF_RET && (insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) { insn->k = sandbox->Trap(ReturnErrno, @@ -174,15 +174,15 @@ void RedirectToUserspace(Instruction* insn, void* aux) { // made by RedirectToUserspace(). This is part of the framework that allows BPF // evaluation in userland. // TODO(markus): document the code inside better. -class RedirectToUserSpacePolicyWrapper : public SandboxBpfPolicy { +class RedirectToUserSpacePolicyWrapper : public SandboxBPFPolicy { public: explicit RedirectToUserSpacePolicyWrapper( - const SandboxBpfPolicy* wrapped_policy) + const SandboxBPFPolicy* wrapped_policy) : wrapped_policy_(wrapped_policy) { DCHECK(wrapped_policy_); } - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE { ErrorCode err = wrapped_policy_->EvaluateSyscall(sandbox_compiler, system_call_number); @@ -194,42 +194,42 @@ class RedirectToUserSpacePolicyWrapper : public SandboxBpfPolicy { } private: - const SandboxBpfPolicy* wrapped_policy_; + const SandboxBPFPolicy* wrapped_policy_; DISALLOW_COPY_AND_ASSIGN(RedirectToUserSpacePolicyWrapper); }; -intptr_t BpfFailure(const struct arch_seccomp_data&, void* aux) { +intptr_t BPFFailure(const struct arch_seccomp_data&, void* aux) { SANDBOX_DIE(static_cast<char*>(aux)); } // This class allows compatibility with the old, deprecated SetSandboxPolicy. -class CompatibilityPolicy : public SandboxBpfPolicy { +class CompatibilityPolicy : public SandboxBPFPolicy { public: - CompatibilityPolicy(Sandbox::EvaluateSyscall syscall_evaluator, void* aux) + CompatibilityPolicy(SandboxBPF::EvaluateSyscall syscall_evaluator, void* aux) : syscall_evaluator_(syscall_evaluator), aux_(aux) { DCHECK(syscall_evaluator_); } - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE { return syscall_evaluator_(sandbox_compiler, system_call_number, aux_); } private: - Sandbox::EvaluateSyscall syscall_evaluator_; + SandboxBPF::EvaluateSyscall syscall_evaluator_; void* aux_; DISALLOW_COPY_AND_ASSIGN(CompatibilityPolicy); }; } // namespace -Sandbox::Sandbox() +SandboxBPF::SandboxBPF() : quiet_(false), proc_fd_(-1), conds_(new Conds), sandbox_has_started_(false) {} -Sandbox::~Sandbox() { +SandboxBPF::~SandboxBPF() { // It is generally unsafe to call any memory allocator operations or to even // call arbitrary destructors after having installed a new policy. We just // have no way to tell whether this policy would allow the system calls that @@ -246,13 +246,13 @@ Sandbox::~Sandbox() { } } -bool Sandbox::IsValidSyscallNumber(int sysnum) { +bool SandboxBPF::IsValidSyscallNumber(int sysnum) { return SyscallIterator::IsValid(sysnum); } -bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), - Sandbox::EvaluateSyscall syscall_evaluator, - void* aux) { +bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(), + EvaluateSyscall syscall_evaluator, + void* aux) { // Block all signals before forking a child process. This prevents an // attacker from manipulating our test by sending us an unexpected signal. sigset_t old_mask, new_mask; @@ -268,6 +268,10 @@ bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), SANDBOX_DIE("Process started without standard file descriptors"); } + // This code is using fork() and should only ever run single-threaded. + // Most of the code below is "async-signal-safe" and only minor changes + // would be needed to support threads. + DCHECK(IsSingleThreaded(proc_fd_)); pid_t pid = fork(); if (pid < 0) { // Die if we cannot fork(). We would probably fail a little later @@ -287,7 +291,7 @@ bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), Die::EnableSimpleExit(); errno = 0; - if (HANDLE_EINTR(close(fds[0]))) { + if (IGNORE_EINTR(close(fds[0]))) { // This call to close() has been failing in strange ways. See // crbug.com/152530. So we only fail in debug mode now. #if !defined(NDEBUG) @@ -309,7 +313,7 @@ bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), SANDBOX_DIE(NULL); #endif } - if (HANDLE_EINTR(close(fds[1]))) { + if (IGNORE_EINTR(close(fds[1]))) { // This call to close() has been failing in strange ways. See // crbug.com/152530. So we only fail in debug mode now. #if !defined(NDEBUG) @@ -329,7 +333,7 @@ bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), } // In the parent process. - if (HANDLE_EINTR(close(fds[1]))) { + if (IGNORE_EINTR(close(fds[1]))) { SANDBOX_DIE("close() failed"); } if (sigprocmask(SIG_SETMASK, &old_mask, NULL)) { @@ -357,19 +361,19 @@ bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), SANDBOX_DIE(buf); } } - if (HANDLE_EINTR(close(fds[0]))) { + if (IGNORE_EINTR(close(fds[0]))) { SANDBOX_DIE("close() failed"); } return rc; } -bool Sandbox::KernelSupportSeccompBPF() { +bool SandboxBPF::KernelSupportSeccompBPF() { return RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) && RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0); } -Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) { +SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) { // It the sandbox is currently active, we clearly must have support for // sandboxing. if (status_ == STATUS_ENABLED) { @@ -404,7 +408,7 @@ Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) { // We create our own private copy of a "Sandbox" object. This ensures that // the object does not have any policies configured, that might interfere // with the tests done by "KernelSupportSeccompBPF()". - Sandbox sandbox; + SandboxBPF sandbox; // By setting "quiet_ = true" we suppress messages for expected and benign // failures (e.g. if the current kernel lacks support for BPF filters). @@ -424,9 +428,9 @@ Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) { return status_; } -void Sandbox::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; } +void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; } -void Sandbox::StartSandbox() { +void SandboxBPF::StartSandbox() { if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) { SANDBOX_DIE( "Trying to start sandbox, even though it is known to be " @@ -451,7 +455,7 @@ void Sandbox::StartSandbox() { // before installing the filters, just in case that our policy denies // close(). if (proc_fd_ >= 0) { - if (HANDLE_EINTR(close(proc_fd_))) { + if (IGNORE_EINTR(close(proc_fd_))) { SANDBOX_DIE("Failed to close file descriptor for /proc"); } proc_fd_ = -1; @@ -464,7 +468,7 @@ void Sandbox::StartSandbox() { status_ = STATUS_ENABLED; } -void Sandbox::PolicySanityChecks(SandboxBpfPolicy* policy) { +void SandboxBPF::PolicySanityChecks(SandboxBPFPolicy* policy) { for (SyscallIterator iter(true); !iter.Done();) { uint32_t sysnum = iter.Next(); if (!IsDenied(policy->EvaluateSyscall(this, sysnum))) { @@ -477,8 +481,8 @@ void Sandbox::PolicySanityChecks(SandboxBpfPolicy* policy) { } // Deprecated API, supported with a wrapper to the new API. -void Sandbox::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator, - void* aux) { +void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator, + void* aux) { if (sandbox_has_started_ || !conds_) { SANDBOX_DIE("Cannot change policy after sandbox has started"); } @@ -486,7 +490,7 @@ void Sandbox::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator, } // Don't take a scoped_ptr here, polymorphism make their use awkward. -void Sandbox::SetSandboxPolicy(SandboxBpfPolicy* policy) { +void SandboxBPF::SetSandboxPolicy(SandboxBPFPolicy* policy) { DCHECK(!policy_); if (sandbox_has_started_ || !conds_) { SANDBOX_DIE("Cannot change policy after sandbox has started"); @@ -495,7 +499,7 @@ void Sandbox::SetSandboxPolicy(SandboxBpfPolicy* policy) { policy_.reset(policy); } -void Sandbox::InstallFilter() { +void SandboxBPF::InstallFilter() { // We want to be very careful in not imposing any requirements on the // policies that are set with SetSandboxPolicy(). This means, as soon as // the sandbox is active, we shouldn't be relying on libraries that could @@ -536,7 +540,7 @@ void Sandbox::InstallFilter() { return; } -Sandbox::Program* Sandbox::AssembleFilter(bool force_verification) { +SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) { #if !defined(NDEBUG) force_verification = true; #endif @@ -709,7 +713,7 @@ Sandbox::Program* Sandbox::AssembleFilter(bool force_verification) { return program; } -void Sandbox::VerifyProgram(const Program& program, bool has_unsafe_traps) { +void SandboxBPF::VerifyProgram(const Program& program, bool has_unsafe_traps) { // If we previously rewrote the BPF program so that it calls user-space // whenever we return an "errno" value from the filter, then we have to // wrap our system call evaluator to perform the same operation. Otherwise, @@ -727,7 +731,7 @@ void Sandbox::VerifyProgram(const Program& program, bool has_unsafe_traps) { } } -void Sandbox::FindRanges(Ranges* ranges) { +void SandboxBPF::FindRanges(Ranges* ranges) { // Please note that "struct seccomp_data" defines system calls as a signed // int32_t, but BPF instructions always operate on unsigned quantities. We // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL, @@ -755,9 +759,9 @@ void Sandbox::FindRanges(Ranges* ranges) { } } -Instruction* Sandbox::AssembleJumpTable(CodeGen* gen, - Ranges::const_iterator start, - Ranges::const_iterator stop) { +Instruction* SandboxBPF::AssembleJumpTable(CodeGen* gen, + Ranges::const_iterator start, + Ranges::const_iterator stop) { // We convert the list of system call ranges into jump table that performs // a binary search over the ranges. // As a sanity check, we need to have at least one distinct ranges for us @@ -782,7 +786,7 @@ Instruction* Sandbox::AssembleJumpTable(CodeGen* gen, return gen->MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf); } -Instruction* Sandbox::RetExpression(CodeGen* gen, const ErrorCode& err) { +Instruction* SandboxBPF::RetExpression(CodeGen* gen, const ErrorCode& err) { if (err.error_type_ == ErrorCode::ET_COND) { return CondExpression(gen, err); } else { @@ -790,7 +794,7 @@ Instruction* Sandbox::RetExpression(CodeGen* gen, const ErrorCode& err) { } } -Instruction* Sandbox::CondExpression(CodeGen* gen, const ErrorCode& cond) { +Instruction* SandboxBPF::CondExpression(CodeGen* gen, const ErrorCode& cond) { // We can only inspect the six system call arguments that are passed in // CPU registers. if (cond.argno_ < 0 || cond.argno_ >= 6) { @@ -973,19 +977,19 @@ Instruction* Sandbox::CondExpression(CodeGen* gen, const ErrorCode& cond) { return msb_head; } -ErrorCode Sandbox::Unexpected64bitArgument() { +ErrorCode SandboxBPF::Unexpected64bitArgument() { return Kill("Unexpected 64bit argument detected"); } -ErrorCode Sandbox::Trap(Trap::TrapFnc fnc, const void* aux) { +ErrorCode SandboxBPF::Trap(Trap::TrapFnc fnc, const void* aux) { return Trap::MakeTrap(fnc, aux, true /* Safe Trap */); } -ErrorCode Sandbox::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) { +ErrorCode SandboxBPF::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) { return Trap::MakeTrap(fnc, aux, false /* Unsafe Trap */); } -intptr_t Sandbox::ForwardSyscall(const struct arch_seccomp_data& args) { +intptr_t SandboxBPF::ForwardSyscall(const struct arch_seccomp_data& args) { return SandboxSyscall(args.nr, static_cast<intptr_t>(args.args[0]), static_cast<intptr_t>(args.args[1]), @@ -995,12 +999,12 @@ intptr_t Sandbox::ForwardSyscall(const struct arch_seccomp_data& args) { static_cast<intptr_t>(args.args[5])); } -ErrorCode Sandbox::Cond(int argno, - ErrorCode::ArgType width, - ErrorCode::Operation op, - uint64_t value, - const ErrorCode& passed, - const ErrorCode& failed) { +ErrorCode SandboxBPF::Cond(int argno, + ErrorCode::ArgType width, + ErrorCode::Operation op, + uint64_t value, + const ErrorCode& passed, + const ErrorCode& failed) { return ErrorCode(argno, width, op, @@ -1009,10 +1013,10 @@ ErrorCode Sandbox::Cond(int argno, &*conds_->insert(failed).first); } -ErrorCode Sandbox::Kill(const char* msg) { - return Trap(BpfFailure, const_cast<char*>(msg)); +ErrorCode SandboxBPF::Kill(const char* msg) { + return Trap(BPFFailure, const_cast<char*>(msg)); } -Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN; +SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN; -} // namespace playground2 +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h index dcb65bfeb2..d626e4c74c 100644 --- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h @@ -20,9 +20,8 @@ #include "sandbox/linux/seccomp-bpf/die.h" #include "sandbox/linux/seccomp-bpf/errorcode.h" #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" -#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy_forward.h" -namespace playground2 { +namespace sandbox { struct arch_seccomp_data { int nr; @@ -38,11 +37,11 @@ struct arch_sigsys { }; class CodeGen; +class SandboxBPFPolicy; class SandboxUnittestHelper; -class SandboxBpfPolicy; struct Instruction; -class Sandbox { +class SandboxBPF { public: enum SandboxStatus { STATUS_UNKNOWN, // Status prior to calling supportsSeccompSandbox() @@ -52,16 +51,15 @@ class Sandbox { STATUS_ENABLED // The sandbox is now active }; - // BpfSandboxPolicy is the following type: - // ErrorCode (Sandbox *sb, int sysnum, void *aux); // When calling setSandboxPolicy(), the caller can provide an arbitrary // pointer in |aux|. This pointer will then be forwarded to the sandbox // policy each time a call is made through an EvaluateSyscall function // pointer. One common use case would be to pass the "aux" pointer as an // argument to Trap() functions. - typedef BpfSandboxPolicy* EvaluateSyscall; + typedef ErrorCode (*EvaluateSyscall)(SandboxBPF* sandbox_compiler, + int system_call_number, + void* aux); typedef std::vector<std::pair<EvaluateSyscall, void*> > Evaluators; - // A vector of BPF instructions that need to be installed as a filter // program in the kernel. typedef std::vector<struct sock_filter> Program; @@ -76,8 +74,8 @@ class Sandbox { // should be noted that during its lifetime, the object probably made // irreversible state changes to the runtime environment. These changes // stay in effect even after the destructor has been run. - Sandbox(); - ~Sandbox(); + SandboxBPF(); + ~SandboxBPF(); // Checks whether a particular system call number is valid on the current // architecture. E.g. on ARM there's a non-contiguous range of private @@ -114,7 +112,7 @@ class Sandbox { // Set the BPF policy as |policy|. Ownership of |policy| is transfered here // to the sandbox object. - void SetSandboxPolicy(SandboxBpfPolicy* policy); + void SetSandboxPolicy(SandboxBPFPolicy* policy); // We can use ErrorCode to request calling of a trap handler. This method // performs the required wrapping of the callback function into an @@ -226,7 +224,7 @@ class Sandbox { bool KernelSupportSeccompBPF(); // Verify that the current policy passes some basic sanity checks. - void PolicySanityChecks(SandboxBpfPolicy* policy); + void PolicySanityChecks(SandboxBPFPolicy* policy); // Assembles and installs a filter based on the policy that has previously // been configured with SetSandboxPolicy(). @@ -266,13 +264,13 @@ class Sandbox { bool quiet_; int proc_fd_; - scoped_ptr<const SandboxBpfPolicy> policy_; + scoped_ptr<const SandboxBPFPolicy> policy_; Conds* conds_; bool sandbox_has_started_; - DISALLOW_COPY_AND_ASSIGN(Sandbox); + DISALLOW_COPY_AND_ASSIGN(SandboxBPF); }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__ diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h b/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h index 99d9e1939a..1ac5daba5d 100644 --- a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h @@ -7,29 +7,29 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { class ErrorCode; -class Sandbox; +class SandboxBPF; // This is the interface to implement to define a BPF sandbox policy. -class SandboxBpfPolicy { +class SandboxBPFPolicy { public: - SandboxBpfPolicy() {} - virtual ~SandboxBpfPolicy() {} + SandboxBPFPolicy() {} + virtual ~SandboxBPFPolicy() {} // The EvaluateSyscall method is called with the system call number. It can // decide to allow the system call unconditionally by returning ERR_ALLOWED; // it can deny the system call unconditionally by returning an appropriate // "errno" value; or it can request inspection of system call argument(s) by // returning a suitable ErrorCode. - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const = 0; private: - DISALLOW_COPY_AND_ASSIGN(SandboxBpfPolicy); + DISALLOW_COPY_AND_ASSIGN(SandboxBPFPolicy); }; -} // namespace playground2 +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_ diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy_forward.h b/sandbox/linux/seccomp-bpf/sandbox_bpf_policy_forward.h deleted file mode 100644 index 77d9b53ef2..0000000000 --- a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy_forward.h +++ /dev/null @@ -1,22 +0,0 @@ -// Copyright 2013 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_FORWARD_H_ -#define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_FORWARD_H_ - -#include "base/callback_forward.h" - -namespace playground2 { - -class Sandbox; -class ErrorCode; -typedef ErrorCode BpfSandboxPolicy(Sandbox* sandbox_compiler, - int system_call_number, - void* aux); - -typedef base::Callback<BpfSandboxPolicy> BpfSandboxPolicyCallback; - -} // namespace playground2 - -#endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_FORWARD_H_ diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc index 9d67db8155..988e29544b 100644 --- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc @@ -40,8 +40,7 @@ #define PR_CAPBSET_DROP 24 #endif -using namespace playground2; -using sandbox::BrokerProcess; +namespace sandbox { namespace { @@ -50,11 +49,11 @@ const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING"; // This test should execute no matter whether we have kernel support. So, // we make it a TEST() instead of a BPF_TEST(). -TEST(SandboxBpf, CallSupports) { +TEST(SandboxBPF, CallSupports) { // We check that we don't crash, but it's ok if the kernel doesn't // support it. bool seccomp_bpf_supported = - Sandbox::SupportsSeccompSandbox(-1) == Sandbox::STATUS_AVAILABLE; + SandboxBPF::SupportsSeccompSandbox(-1) == SandboxBPF::STATUS_AVAILABLE; // We want to log whether or not seccomp BPF is actually supported // since actual test coverage depends on it. RecordProperty("SeccompBPFSupported", @@ -65,9 +64,9 @@ TEST(SandboxBpf, CallSupports) { std::cout << "Pointer size: " << sizeof(void*) << "\n"; } -SANDBOX_TEST(SandboxBpf, CallSupportsTwice) { - Sandbox::SupportsSeccompSandbox(-1); - Sandbox::SupportsSeccompSandbox(-1); +SANDBOX_TEST(SandboxBPF, CallSupportsTwice) { + SandboxBPF::SupportsSeccompSandbox(-1); + SandboxBPF::SupportsSeccompSandbox(-1); } // BPF_TEST does a lot of the boiler-plate code around setting up a @@ -83,8 +82,8 @@ intptr_t FakeGetPid(const struct arch_seccomp_data& args, void* aux) { return (*pid_ptr)++; } -ErrorCode VerboseAPITestingPolicy(Sandbox* sandbox, int sysno, void* aux) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode VerboseAPITestingPolicy(SandboxBPF* sandbox, int sysno, void* aux) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } else if (sysno == __NR_getpid) { return sandbox->Trap(FakeGetPid, aux); @@ -93,11 +92,11 @@ ErrorCode VerboseAPITestingPolicy(Sandbox* sandbox, int sysno, void* aux) { } } -SANDBOX_TEST(SandboxBpf, DISABLE_ON_TSAN(VerboseAPITesting)) { - if (Sandbox::SupportsSeccompSandbox(-1) == - playground2::Sandbox::STATUS_AVAILABLE) { +SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) { + if (SandboxBPF::SupportsSeccompSandbox(-1) == + sandbox::SandboxBPF::STATUS_AVAILABLE) { pid_t test_var = 0; - Sandbox sandbox; + SandboxBPF sandbox; sandbox.SetSandboxPolicyDeprecated(VerboseAPITestingPolicy, &test_var); sandbox.StartSandbox(); @@ -115,8 +114,8 @@ SANDBOX_TEST(SandboxBpf, DISABLE_ON_TSAN(VerboseAPITesting)) { // A simple blacklist test -ErrorCode BlacklistNanosleepPolicy(Sandbox*, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode BlacklistNanosleepPolicy(SandboxBPF*, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -129,7 +128,7 @@ ErrorCode BlacklistNanosleepPolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { +BPF_TEST(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { // nanosleep() should be denied const struct timespec ts = {0, 0}; errno = 0; @@ -139,7 +138,7 @@ BPF_TEST(SandboxBpf, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { // Now do a simple whitelist test -ErrorCode WhitelistGetpidPolicy(Sandbox*, int sysno, void*) { +ErrorCode WhitelistGetpidPolicy(SandboxBPF*, int sysno, void*) { switch (sysno) { case __NR_getpid: case __NR_exit_group: @@ -149,7 +148,7 @@ ErrorCode WhitelistGetpidPolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) { +BPF_TEST(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) { // getpid() should be allowed errno = 0; BPF_ASSERT(syscall(__NR_getpid) > 0); @@ -169,10 +168,10 @@ intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) { return -ENOMEM; } -ErrorCode BlacklistNanosleepPolicySigsys(Sandbox* sandbox, +ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox, int sysno, void* aux) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -185,7 +184,7 @@ ErrorCode BlacklistNanosleepPolicySigsys(Sandbox* sandbox, } } -BPF_TEST(SandboxBpf, +BPF_TEST(SandboxBPF, BasicBlacklistWithSigsys, BlacklistNanosleepPolicySigsys, int /* BPF_AUX */) { @@ -206,8 +205,8 @@ BPF_TEST(SandboxBpf, // A simple test that verifies we can return arbitrary errno values. -ErrorCode ErrnoTestPolicy(Sandbox*, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode ErrnoTestPolicy(SandboxBPF*, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -236,7 +235,7 @@ ErrorCode ErrnoTestPolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, ErrnoTest, ErrnoTestPolicy) { +BPF_TEST(SandboxBPF, ErrnoTest, ErrnoTestPolicy) { // Verify that dup2() returns success, but doesn't actually run. int fds[4]; BPF_ASSERT(pipe(fds) == 0); @@ -278,8 +277,8 @@ BPF_TEST(SandboxBpf, ErrnoTest, ErrnoTestPolicy) { // Testing the stacking of two sandboxes -ErrorCode StackingPolicyPartOne(Sandbox* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode StackingPolicyPartOne(SandboxBPF* sandbox, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } @@ -296,8 +295,8 @@ ErrorCode StackingPolicyPartOne(Sandbox* sandbox, int sysno, void*) { } } -ErrorCode StackingPolicyPartTwo(Sandbox* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode StackingPolicyPartTwo(SandboxBPF* sandbox, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } @@ -314,7 +313,7 @@ ErrorCode StackingPolicyPartTwo(Sandbox* sandbox, int sysno, void*) { } } -BPF_TEST(SandboxBpf, StackingPolicy, StackingPolicyPartOne) { +BPF_TEST(SandboxBPF, StackingPolicy, StackingPolicyPartOne) { errno = 0; BPF_ASSERT(syscall(__NR_getppid, 0) > 0); BPF_ASSERT(errno == 0); @@ -324,7 +323,7 @@ BPF_TEST(SandboxBpf, StackingPolicy, StackingPolicyPartOne) { // Stack a second sandbox with its own policy. Verify that we can further // restrict filters, but we cannot relax existing filters. - Sandbox sandbox; + SandboxBPF sandbox; sandbox.SetSandboxPolicyDeprecated(StackingPolicyPartTwo, NULL); sandbox.StartSandbox(); @@ -351,8 +350,8 @@ int SysnoToRandomErrno(int sysno) { return ((sysno & ~3) >> 2) % 29 + 1; } -ErrorCode SyntheticPolicy(Sandbox*, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode SyntheticPolicy(SandboxBPF*, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -373,7 +372,7 @@ ErrorCode SyntheticPolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, SyntheticPolicy, SyntheticPolicy) { +BPF_TEST(SandboxBPF, SyntheticPolicy, SyntheticPolicy) { // Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int // overflow. BPF_ASSERT(std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >= @@ -407,8 +406,8 @@ int ArmPrivateSysnoToErrno(int sysno) { } } -ErrorCode ArmPrivatePolicy(Sandbox*, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode ArmPrivatePolicy(SandboxBPF*, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy. return ErrorCode(ENOSYS); } @@ -423,7 +422,7 @@ ErrorCode ArmPrivatePolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, ArmPrivatePolicy, ArmPrivatePolicy) { +BPF_TEST(SandboxBPF, ArmPrivatePolicy, ArmPrivatePolicy) { for (int syscall_number = static_cast<int>(__ARM_NR_set_tls + 1); syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL); ++syscall_number) { @@ -444,10 +443,10 @@ intptr_t CountSyscalls(const struct arch_seccomp_data& args, void* aux) { // Verify that we can now call the underlying system call without causing // infinite recursion. - return Sandbox::ForwardSyscall(args); + return SandboxBPF::ForwardSyscall(args); } -ErrorCode GreyListedPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, void* aux) { // The use of UnsafeTrap() causes us to print a warning message. This is // generally desirable, but it results in the unittest failing, as it doesn't // expect any messages on "stderr". So, temporarily disable messages. The @@ -472,7 +471,7 @@ ErrorCode GreyListedPolicy(Sandbox* sandbox, int sysno, void* aux) { } else if (sysno == __NR_getpid) { // Disallow getpid() return ErrorCode(EPERM); - } else if (Sandbox::IsValidSyscallNumber(sysno)) { + } else if (SandboxBPF::IsValidSyscallNumber(sysno)) { // Allow (and count) all other system calls. return sandbox->UnsafeTrap(CountSyscalls, aux); } else { @@ -480,7 +479,7 @@ ErrorCode GreyListedPolicy(Sandbox* sandbox, int sysno, void* aux) { } } -BPF_TEST(SandboxBpf, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) { +BPF_TEST(SandboxBPF, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) { BPF_ASSERT(syscall(__NR_getpid) == -1); BPF_ASSERT(errno == EPERM); BPF_ASSERT(BPF_AUX == 0); @@ -497,7 +496,7 @@ BPF_TEST(SandboxBpf, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) { BPF_ASSERT(*name); } -SANDBOX_TEST(SandboxBpf, EnableUnsafeTrapsInSigSysHandler) { +SANDBOX_TEST(SandboxBPF, EnableUnsafeTrapsInSigSysHandler) { // Disabling warning messages that could confuse our test framework. setenv(kSandboxDebuggingEnv, "t", 0); Die::SuppressInfoMessages(true); @@ -516,18 +515,18 @@ intptr_t PrctlHandler(const struct arch_seccomp_data& args, void*) { // return an error. But our handler allows this call. return 0; } else { - return Sandbox::ForwardSyscall(args); + return SandboxBPF::ForwardSyscall(args); } } -ErrorCode PrctlPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode PrctlPolicy(SandboxBPF* sandbox, int sysno, void* aux) { setenv(kSandboxDebuggingEnv, "t", 0); Die::SuppressInfoMessages(true); if (sysno == __NR_prctl) { // Handle prctl() inside an UnsafeTrap() return sandbox->UnsafeTrap(PrctlHandler, NULL); - } else if (Sandbox::IsValidSyscallNumber(sysno)) { + } else if (SandboxBPF::IsValidSyscallNumber(sysno)) { // Allow all other system calls. return ErrorCode(ErrorCode::ERR_ALLOWED); } else { @@ -535,7 +534,7 @@ ErrorCode PrctlPolicy(Sandbox* sandbox, int sysno, void* aux) { } } -BPF_TEST(SandboxBpf, ForwardSyscall, PrctlPolicy) { +BPF_TEST(SandboxBPF, ForwardSyscall, PrctlPolicy) { // This call should never be allowed. But our policy will intercept it and // let it pass successfully. BPF_ASSERT( @@ -563,10 +562,10 @@ BPF_TEST(SandboxBpf, ForwardSyscall, PrctlPolicy) { } intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void*) { - return Sandbox::ForwardSyscall(args); + return SandboxBPF::ForwardSyscall(args); } -ErrorCode RedirectAllSyscallsPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode RedirectAllSyscallsPolicy(SandboxBPF* sandbox, int sysno, void* aux) { setenv(kSandboxDebuggingEnv, "t", 0); Die::SuppressInfoMessages(true); @@ -583,7 +582,7 @@ ErrorCode RedirectAllSyscallsPolicy(Sandbox* sandbox, int sysno, void* aux) { #endif ) { return ErrorCode(ErrorCode::ERR_ALLOWED); - } else if (Sandbox::IsValidSyscallNumber(sysno)) { + } else if (SandboxBPF::IsValidSyscallNumber(sysno)) { return sandbox->UnsafeTrap(AllowRedirectedSyscall, aux); } else { return ErrorCode(ENOSYS); @@ -596,7 +595,7 @@ void SigBusHandler(int, siginfo_t* info, void* void_context) { BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1); } -BPF_TEST(SandboxBpf, SigBus, RedirectAllSyscallsPolicy) { +BPF_TEST(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) { // We use the SIGBUS bit in the signal mask as a thread-local boolean // value in the implementation of UnsafeTrap(). This is obviously a bit // of a hack that could conceivably interfere with code that uses SIGBUS @@ -619,7 +618,7 @@ BPF_TEST(SandboxBpf, SigBus, RedirectAllSyscallsPolicy) { BPF_ASSERT(c == 0x55); } -BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) { +BPF_TEST(SandboxBPF, SigMask, RedirectAllSyscallsPolicy) { // Signal masks are potentially tricky to handle. For instance, if we // ever tried to update them from inside a Trap() or UnsafeTrap() handler, // the call to sigreturn() at the end of the signal handler would undo @@ -646,7 +645,7 @@ BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) { BPF_ASSERT(sigismember(&mask2, SIGUSR2)); } -BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { +BPF_TEST(SandboxBPF, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { // An UnsafeTrap() (or for that matter, a Trap()) has to report error // conditions by returning an exit code in the range -1..-4096. This // should happen automatically if using ForwardSyscall(). If the TrapFnc() @@ -667,7 +666,7 @@ BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { struct arch_seccomp_data args = {}; args.nr = __NR_close; args.args[0] = -1; - BPF_ASSERT(Sandbox::ForwardSyscall(args) == -EBADF); + BPF_ASSERT(SandboxBPF::ForwardSyscall(args) == -EBADF); BPF_ASSERT(errno == 0); } @@ -719,9 +718,9 @@ intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args, } } -ErrorCode DenyOpenPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode DenyOpenPolicy(SandboxBPF* sandbox, int sysno, void* aux) { InitializedOpenBroker* iob = static_cast<InitializedOpenBroker*>(aux); - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } @@ -740,7 +739,7 @@ ErrorCode DenyOpenPolicy(Sandbox* sandbox, int sysno, void* aux) { // We use a InitializedOpenBroker class, so that we can run unsandboxed // code in its constructor, which is the only way to do so in a BPF_TEST. -BPF_TEST(SandboxBpf, +BPF_TEST(SandboxBPF, UseOpenBroker, DenyOpenPolicy, InitializedOpenBroker /* BPF_AUX */) { @@ -785,10 +784,10 @@ BPF_TEST(SandboxBpf, BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0); } -// Simple test demonstrating how to use Sandbox::Cond() +// Simple test demonstrating how to use SandboxBPF::Cond() -ErrorCode SimpleCondTestPolicy(Sandbox* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode SimpleCondTestPolicy(SandboxBPF* sandbox, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -825,7 +824,7 @@ ErrorCode SimpleCondTestPolicy(Sandbox* sandbox, int sysno, void*) { } } -BPF_TEST(SandboxBpf, SimpleCondTest, SimpleCondTestPolicy) { +BPF_TEST(SandboxBPF, SimpleCondTest, SimpleCondTestPolicy) { int fd; BPF_ASSERT((fd = open("/proc/self/comm", O_RDWR)) == -1); BPF_ASSERT(errno == EROFS); @@ -839,7 +838,7 @@ BPF_TEST(SandboxBpf, SimpleCondTest, SimpleCondTestPolicy) { BPF_ASSERT(errno == ENOMEM); } -// This test exercises the Sandbox::Cond() method by building a complex +// This test exercises the SandboxBPF::Cond() method by building a complex // tree of conditional equality operations. It then makes system calls and // verifies that they return the values that we expected from our BPF // program. @@ -879,8 +878,8 @@ class EqualityStressTest { } } - ErrorCode Policy(Sandbox* sandbox, int sysno) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { + ErrorCode Policy(SandboxBPF* sandbox, int sysno) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno < 0 || sysno >= (int)arg_values_.size() || @@ -1039,7 +1038,7 @@ class EqualityStressTest { } } - ErrorCode ToErrorCode(Sandbox* sandbox, ArgValue* arg_value) { + ErrorCode ToErrorCode(SandboxBPF* sandbox, ArgValue* arg_value) { // Compute the ErrorCode that should be returned, if none of our // tests succeed (i.e. the system call parameter doesn't match any // of the values in arg_value->tests[].k_value). @@ -1050,13 +1049,13 @@ class EqualityStressTest { err = ErrorCode(arg_value->err); } else { // If this wasn't a leaf node yet, recursively descend into the rest - // of the tree. This will end up adding a few more Sandbox::Cond() + // of the tree. This will end up adding a few more SandboxBPF::Cond() // tests to our ErrorCode. err = ToErrorCode(sandbox, arg_value->arg_value); } // Now, iterate over all the test cases that we want to compare against. - // This builds a chain of Sandbox::Cond() tests + // This builds a chain of SandboxBPF::Cond() tests // (aka "if ... elif ... elif ... elif ... fi") for (int n = arg_value->size; n-- > 0;) { ErrorCode matched; @@ -1140,19 +1139,19 @@ class EqualityStressTest { static const int kMaxArgs = 6; }; -ErrorCode EqualityStressTestPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox, int sysno, void* aux) { return reinterpret_cast<EqualityStressTest*>(aux)->Policy(sandbox, sysno); } -BPF_TEST(SandboxBpf, +BPF_TEST(SandboxBPF, EqualityTests, EqualityStressTestPolicy, EqualityStressTest /* BPF_AUX */) { BPF_AUX.VerifyFilter(); } -ErrorCode EqualityArgumentWidthPolicy(Sandbox* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode EqualityArgumentWidthPolicy(SandboxBPF* sandbox, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_uname) { @@ -1186,7 +1185,7 @@ ErrorCode EqualityArgumentWidthPolicy(Sandbox* sandbox, int sysno, void*) { } } -BPF_TEST(SandboxBpf, EqualityArgumentWidth, EqualityArgumentWidthPolicy) { +BPF_TEST(SandboxBPF, EqualityArgumentWidth, EqualityArgumentWidthPolicy) { BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0x55555555) == -1); BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0xAAAAAAAA) == -2); #if __SIZEOF_POINTER__ > 4 @@ -1206,7 +1205,7 @@ BPF_TEST(SandboxBpf, EqualityArgumentWidth, EqualityArgumentWidthPolicy) { // On 32bit machines, there is no way to pass a 64bit argument through the // syscall interface. So, we have to skip the part of the test that requires // 64bit arguments. -BPF_DEATH_TEST(SandboxBpf, +BPF_DEATH_TEST(SandboxBPF, EqualityArgumentUnallowed64bit, DEATH_MESSAGE("Unexpected 64bit argument detected"), EqualityArgumentWidthPolicy) { @@ -1214,10 +1213,10 @@ BPF_DEATH_TEST(SandboxBpf, } #endif -ErrorCode EqualityWithNegativeArgumentsPolicy(Sandbox* sandbox, +ErrorCode EqualityWithNegativeArgumentsPolicy(SandboxBPF* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_uname) { @@ -1232,7 +1231,7 @@ ErrorCode EqualityWithNegativeArgumentsPolicy(Sandbox* sandbox, } } -BPF_TEST(SandboxBpf, +BPF_TEST(SandboxBPF, EqualityWithNegativeArguments, EqualityWithNegativeArgumentsPolicy) { BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF) == -1); @@ -1241,7 +1240,7 @@ BPF_TEST(SandboxBpf, } #if __SIZEOF_POINTER__ > 4 -BPF_DEATH_TEST(SandboxBpf, +BPF_DEATH_TEST(SandboxBPF, EqualityWithNegative64bitArguments, DEATH_MESSAGE("Unexpected 64bit argument detected"), EqualityWithNegativeArgumentsPolicy) { @@ -1251,14 +1250,14 @@ BPF_DEATH_TEST(SandboxBpf, BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000LL) == -1); } #endif -ErrorCode AllBitTestPolicy(Sandbox *sandbox, int sysno, void *) { +ErrorCode AllBitTestPolicy(SandboxBPF* sandbox, int sysno, void *) { // Test the OP_HAS_ALL_BITS conditional test operator with a couple of // different bitmasks. We try to find bitmasks that could conceivably // touch corner cases. // For all of these tests, we override the uname(). We can make use with // a single system call number, as we use the first system call argument to // select the different bit masks that we want to test against. - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_uname) { @@ -1344,7 +1343,7 @@ ErrorCode AllBitTestPolicy(Sandbox *sandbox, int sysno, void *) { // We expect these tests to succeed on 64bit systems, but to tail on 32bit // systems. #define EXPT64_SUCCESS (sizeof(void*) > 4 ? EXPECT_SUCCESS : EXPECT_FAILURE) -BPF_TEST(SandboxBpf, AllBitTests, AllBitTestPolicy) { +BPF_TEST(SandboxBPF, AllBitTests, AllBitTestPolicy) { // 32bit test: all of 0x0 (should always be true) BITMASK_TEST( 0, 0, ALLBITS32, 0, EXPECT_SUCCESS); BITMASK_TEST( 0, 1, ALLBITS32, 0, EXPECT_SUCCESS); @@ -1447,14 +1446,14 @@ BPF_TEST(SandboxBpf, AllBitTests, AllBitTestPolicy) { BITMASK_TEST(10, -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS); } -ErrorCode AnyBitTestPolicy(Sandbox* sandbox, int sysno, void*) { +ErrorCode AnyBitTestPolicy(SandboxBPF* sandbox, int sysno, void*) { // Test the OP_HAS_ANY_BITS conditional test operator with a couple of // different bitmasks. We try to find bitmasks that could conceivably // touch corner cases. // For all of these tests, we override the uname(). We can make use with // a single system call number, as we use the first system call argument to // select the different bit masks that we want to test against. - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_uname) { @@ -1521,7 +1520,7 @@ ErrorCode AnyBitTestPolicy(Sandbox* sandbox, int sysno, void*) { } } -BPF_TEST(SandboxBpf, AnyBitTests, AnyBitTestPolicy) { +BPF_TEST(SandboxBPF, AnyBitTests, AnyBitTestPolicy) { // 32bit test: any of 0x0 (should always be false) BITMASK_TEST( 0, 0, ANYBITS32, 0x0, EXPECT_FAILURE); BITMASK_TEST( 0, 1, ANYBITS32, 0x0, EXPECT_FAILURE); @@ -1651,12 +1650,12 @@ intptr_t PthreadTrapHandler(const struct arch_seccomp_data& args, void* aux) { } return -EPERM; } -ErrorCode PthreadPolicyEquality(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode PthreadPolicyEquality(SandboxBPF* sandbox, int sysno, void* aux) { // This policy allows creating threads with pthread_create(). But it // doesn't allow any other uses of clone(). Most notably, it does not // allow callers to implement fork() or vfork() by passing suitable flags // to the clone() system call. - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_clone) { @@ -1691,12 +1690,12 @@ ErrorCode PthreadPolicyEquality(Sandbox* sandbox, int sysno, void* aux) { } } -ErrorCode PthreadPolicyBitMask(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode PthreadPolicyBitMask(SandboxBPF* sandbox, int sysno, void* aux) { // This policy allows creating threads with pthread_create(). But it // doesn't allow any other uses of clone(). Most notably, it does not // allow callers to implement fork() or vfork() by passing suitable flags // to the clone() system call. - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_clone) { @@ -1775,8 +1774,10 @@ static void PthreadTest() { &pid) == -EPERM); } -BPF_TEST(SandboxBpf, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); } +BPF_TEST(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); } -BPF_TEST(SandboxBpf, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); } +BPF_TEST(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); } -} // namespace +} // namespace + +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/syscall.cc b/sandbox/linux/seccomp-bpf/syscall.cc index a5cbb0271b..acf207dc14 100644 --- a/sandbox/linux/seccomp-bpf/syscall.cc +++ b/sandbox/linux/seccomp-bpf/syscall.cc @@ -9,7 +9,7 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { asm( // We need to be able to tell the kernel exactly where we made a // system call. The C++ compiler likes to sometimes clone or @@ -196,7 +196,7 @@ intptr_t SandboxSyscall(int nr, // N.B. These are not the calling conventions normally used by the ABI. : "=a"(ret) : "0"(ret), "D"(args) - : "esp", "memory", "ecx", "edx"); + : "cc", "esp", "memory", "ecx", "edx"); #elif defined(__x86_64__) intptr_t ret = nr; { @@ -208,7 +208,7 @@ intptr_t SandboxSyscall(int nr, // N.B. These are not the calling conventions normally used by the ABI. : "=a"(ret) : "0"(ret), "r"(data) - : "rsp", "memory", + : "cc", "rsp", "memory", "rcx", "rdi", "rsi", "rdx", "r8", "r9", "r10", "r11"); } #elif defined(__arm__) @@ -221,7 +221,7 @@ intptr_t SandboxSyscall(int nr, // N.B. These are not the calling conventions normally used by the ABI. : "=r"(inout) : "0"(inout), "r"(data) - : "lr", "memory", "r1", "r2", "r3", "r4", "r5" + : "cc", "lr", "memory", "r1", "r2", "r3", "r4", "r5" #if !defined(__arm__) // In thumb mode, we cannot use "r7" as a general purpose register, as // it is our frame pointer. We have to manually manage and preserve it. @@ -240,4 +240,4 @@ intptr_t SandboxSyscall(int nr, return ret; } -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/syscall.h b/sandbox/linux/seccomp-bpf/syscall.h index f63516ba1c..0b51380e88 100644 --- a/sandbox/linux/seccomp-bpf/syscall.h +++ b/sandbox/linux/seccomp-bpf/syscall.h @@ -7,7 +7,7 @@ #include <stdint.h> -namespace playground2 { +namespace sandbox { // We have to make sure that we have a single "magic" return address for // our system calls, which we can check from within a BPF filter. This @@ -133,6 +133,6 @@ inline intptr_t SandboxSyscall(int nr) { #endif // Pre-C++11 -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__ diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator.cc b/sandbox/linux/seccomp-bpf/syscall_iterator.cc index f1f2acfd0f..89cc1cb473 100644 --- a/sandbox/linux/seccomp-bpf/syscall_iterator.cc +++ b/sandbox/linux/seccomp-bpf/syscall_iterator.cc @@ -7,7 +7,7 @@ #include "base/basictypes.h" #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" -namespace playground2 { +namespace sandbox { uint32_t SyscallIterator::Next() { if (done_) { @@ -89,4 +89,4 @@ bool SyscallIterator::IsArmPrivate(uint32_t num) { bool SyscallIterator::IsArmPrivate(uint32_t) { return false; } #endif -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator.h b/sandbox/linux/seccomp-bpf/syscall_iterator.h index 3d7f66db3a..3b56ea3144 100644 --- a/sandbox/linux/seccomp-bpf/syscall_iterator.h +++ b/sandbox/linux/seccomp-bpf/syscall_iterator.h @@ -9,7 +9,7 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { // Iterates over the entire system call range from 0..0xFFFFFFFFu. This // iterator is aware of how system calls look like and will skip quickly @@ -50,6 +50,6 @@ class SyscallIterator { DISALLOW_IMPLICIT_CONSTRUCTORS(SyscallIterator); }; -} // namespace playground2 +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_ITERATOR_H__ diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc b/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc index 61e95d7091..08a857a2e2 100644 --- a/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc +++ b/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc @@ -6,7 +6,7 @@ #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" #include "sandbox/linux/tests/unit_tests.h" -using namespace playground2; +namespace sandbox { namespace { @@ -132,3 +132,5 @@ SANDBOX_TEST(SyscallIterator, InvalidOnly) { } } // namespace + +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/syscall_unittest.cc b/sandbox/linux/seccomp-bpf/syscall_unittest.cc index 0472448298..60db69bcd6 100644 --- a/sandbox/linux/seccomp-bpf/syscall_unittest.cc +++ b/sandbox/linux/seccomp-bpf/syscall_unittest.cc @@ -18,7 +18,7 @@ #include "sandbox/linux/tests/unit_tests.h" #include "testing/gtest/include/gtest/gtest.h" -using namespace playground2; +namespace sandbox { namespace { @@ -64,7 +64,7 @@ TEST(Syscall, TrivialSyscallOneArg) { int new_fd; // Duplicate standard error and close it. ASSERT_GE(new_fd = SandboxSyscall(__NR_dup, 2), 0); - int close_return_value = HANDLE_EINTR(SandboxSyscall(__NR_close, new_fd)); + int close_return_value = IGNORE_EINTR(SandboxSyscall(__NR_close, new_fd)); ASSERT_EQ(close_return_value, 0); } @@ -78,8 +78,8 @@ intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) { return -ENOMEM; } -ErrorCode CopyAllArgsOnUnamePolicy(Sandbox* sandbox, int sysno, void* aux) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, int sysno, void* aux) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } if (sysno == __NR_uname) { @@ -160,7 +160,7 @@ TEST(Syscall, ComplexSyscallSixArgs) { // Clean up EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr1, 4096L)); - EXPECT_EQ(0, HANDLE_EINTR(SandboxSyscall(__NR_close, fd))); + EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd))); // Check that the offset argument (i.e. the sixth argument) is processed // correctly. @@ -193,7 +193,9 @@ TEST(Syscall, ComplexSyscallSixArgs) { // Clean up EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr2, 8192L)); EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr3, 4096L)); - EXPECT_EQ(0, HANDLE_EINTR(SandboxSyscall(__NR_close, fd))); + EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd))); } } // namespace + +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/trap.cc b/sandbox/linux/seccomp-bpf/trap.cc index de701a76a9..553a9043bf 100644 --- a/sandbox/linux/seccomp-bpf/trap.cc +++ b/sandbox/linux/seccomp-bpf/trap.cc @@ -13,7 +13,6 @@ #include <limits> #include "base/logging.h" -#include "base/posix/eintr_wrapper.h" #include "sandbox/linux/seccomp-bpf/codegen.h" #include "sandbox/linux/seccomp-bpf/die.h" #include "sandbox/linux/seccomp-bpf/syscall.h" @@ -66,7 +65,7 @@ bool IsDefaultSignalAction(const struct sigaction& sa) { } // namespace -namespace playground2 { +namespace sandbox { Trap::Trap() : trap_array_(NULL), @@ -352,4 +351,4 @@ ErrorCode Trap::ErrorCodeFromTrapId(uint16_t id) { Trap* Trap::global_trap_; -} // namespace playground2 +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/trap.h b/sandbox/linux/seccomp-bpf/trap.h index edaa02304e..334a30d965 100644 --- a/sandbox/linux/seccomp-bpf/trap.h +++ b/sandbox/linux/seccomp-bpf/trap.h @@ -13,7 +13,7 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { class ErrorCode; @@ -111,6 +111,6 @@ class Trap { DISALLOW_IMPLICIT_CONSTRUCTORS(Trap); }; -} // namespace playground2 +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__ diff --git a/sandbox/linux/seccomp-bpf/verifier.cc b/sandbox/linux/seccomp-bpf/verifier.cc index 1d6b26d592..1292504dec 100644 --- a/sandbox/linux/seccomp-bpf/verifier.cc +++ b/sandbox/linux/seccomp-bpf/verifier.cc @@ -9,12 +9,10 @@ #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" #include "sandbox/linux/seccomp-bpf/verifier.h" -namespace { -using playground2::ErrorCode; -using playground2::Sandbox; -using playground2::Verifier; -using playground2::arch_seccomp_data; +namespace sandbox { + +namespace { struct State { State(const std::vector<struct sock_filter>& p, @@ -30,7 +28,7 @@ struct State { DISALLOW_IMPLICIT_CONSTRUCTORS(State); }; -uint32_t EvaluateErrorCode(Sandbox* sandbox, +uint32_t EvaluateErrorCode(SandboxBPF* sandbox, const ErrorCode& code, const struct arch_seccomp_data& data) { if (code.error_type() == ErrorCode::ET_SIMPLE || @@ -78,7 +76,7 @@ uint32_t EvaluateErrorCode(Sandbox* sandbox, } } -bool VerifyErrorCode(Sandbox* sandbox, +bool VerifyErrorCode(SandboxBPF* sandbox, const std::vector<struct sock_filter>& program, struct arch_seccomp_data* data, const ErrorCode& root_code, @@ -362,11 +360,9 @@ void Alu(State* state, const struct sock_filter& insn, const char** err) { } // namespace -namespace playground2 { - -bool Verifier::VerifyBPF(Sandbox* sandbox, +bool Verifier::VerifyBPF(SandboxBPF* sandbox, const std::vector<struct sock_filter>& program, - const SandboxBpfPolicy& policy, + const SandboxBPFPolicy& policy, const char** err) { *err = NULL; for (SyscallIterator iter(false); !iter.Done();) { @@ -447,4 +443,4 @@ uint32_t Verifier::EvaluateBPF(const std::vector<struct sock_filter>& program, return 0; } -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/verifier.h b/sandbox/linux/seccomp-bpf/verifier.h index fff5b6339e..4e80dd9768 100644 --- a/sandbox/linux/seccomp-bpf/verifier.h +++ b/sandbox/linux/seccomp-bpf/verifier.h @@ -10,9 +10,9 @@ #include <utility> #include <vector> -namespace playground2 { +namespace sandbox { -class SandboxBpfPolicy; +class SandboxBPFPolicy; class Verifier { public: @@ -23,9 +23,9 @@ class Verifier { // set by the "evaluators". // Upon success, "err" is set to NULL. Upon failure, it contains a static // error message that does not need to be free()'d. - static bool VerifyBPF(Sandbox* sandbox, + static bool VerifyBPF(SandboxBPF* sandbox, const std::vector<struct sock_filter>& program, - const SandboxBpfPolicy& policy, + const SandboxBPFPolicy& policy, const char** err); // Evaluate a given BPF program for a particular set of system call @@ -44,6 +44,6 @@ class Verifier { DISALLOW_IMPLICIT_CONSTRUCTORS(Verifier); }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_VERIFIER_H__ diff --git a/sandbox/linux/services/broker_process.cc b/sandbox/linux/services/broker_process.cc index 0e91c20603..438e972637 100644 --- a/sandbox/linux/services/broker_process.cc +++ b/sandbox/linux/services/broker_process.cc @@ -21,6 +21,7 @@ #include "base/pickle.h" #include "base/posix/eintr_wrapper.h" #include "base/posix/unix_domain_socket_linux.h" +#include "base/process/process_metrics.h" #include "build/build_config.h" #include "sandbox/linux/services/linux_syscalls.h" @@ -131,7 +132,7 @@ BrokerProcess::BrokerProcess(int denied_errno, BrokerProcess::~BrokerProcess() { if (initialized_ && ipc_socketpair_ != -1) { - void (HANDLE_EINTR(close(ipc_socketpair_))); + close(ipc_socketpair_); } } @@ -146,15 +147,16 @@ bool BrokerProcess::Init(bool (*sandbox_callback)(void)) { return false; } + DCHECK_EQ(1, base::GetNumberOfThreads(base::GetCurrentProcessHandle())); int child_pid = fork(); if (child_pid == -1) { - ignore_result(HANDLE_EINTR(close(socket_pair[0]))); - ignore_result(HANDLE_EINTR(close(socket_pair[1]))); + close(socket_pair[0]); + close(socket_pair[1]); return false; } if (child_pid) { // We are the parent and we have just forked our broker process. - ignore_result(HANDLE_EINTR(close(socket_pair[0]))); + close(socket_pair[0]); // We should only be able to write to the IPC channel. We'll always send // a new file descriptor to receive the reply on. shutdown(socket_pair[1], SHUT_RD); @@ -165,7 +167,7 @@ bool BrokerProcess::Init(bool (*sandbox_callback)(void)) { return true; } else { // We are the broker. - ignore_result(HANDLE_EINTR(close(socket_pair[1]))); + close(socket_pair[1]); // We should only be able to read from this IPC channel. We will send our // replies on a new file descriptor attached to the requests. shutdown(socket_pair[0], SHUT_WR); @@ -329,7 +331,7 @@ bool BrokerProcess::HandleRequest() const { r = false; break; } - int ret = HANDLE_EINTR(close(temporary_ipc)); + int ret = IGNORE_EINTR(close(temporary_ipc)); DCHECK(!ret) << "Could not close temporary IPC channel"; return r; } @@ -374,7 +376,7 @@ bool BrokerProcess::HandleRemoteCommand(IPCCommands command_type, int reply_ipc, // Close anything we have opened in this process. for (std::vector<int>::iterator it = opened_files.begin(); it < opened_files.end(); ++it) { - int ret = HANDLE_EINTR(close(*it)); + int ret = IGNORE_EINTR(close(*it)); DCHECK(!ret) << "Could not close file descriptor"; } diff --git a/sandbox/linux/services/broker_process_unittest.cc b/sandbox/linux/services/broker_process_unittest.cc index 4cb9c6fb92..f163ef9971 100644 --- a/sandbox/linux/services/broker_process_unittest.cc +++ b/sandbox/linux/services/broker_process_unittest.cc @@ -48,7 +48,7 @@ class ScopedTemporaryFile { } ~ScopedTemporaryFile() { CHECK_EQ(0, unlink(full_file_name_)); - CHECK_EQ(0, HANDLE_EINTR(close(fd_))); + CHECK_EQ(0, IGNORE_EINTR(close(fd_))); } int fd() const { return fd_; } diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc index cea757c535..4f041dc288 100644 --- a/sandbox/linux/services/credentials.cc +++ b/sandbox/linux/services/credentials.cc @@ -163,9 +163,15 @@ bool Credentials::HasOpenDirectory(int proc_fd) { } else { proc_self_fd = openat(AT_FDCWD, "/proc/self/fd", O_DIRECTORY | O_RDONLY); if (proc_self_fd < 0) { + // If this process has been chrooted (eg into /proc/self/fdinfo) then + // the new root dir will not have directory listing permissions for us + // (hence EACCES). And if we do have this permission, then /proc won't + // exist anyway (hence ENOENT). + DPCHECK(errno == EACCES || errno == ENOENT) + << "Unexpected failure when trying to open /proc/self/fd: (" + << errno << ") " << strerror(errno); + // If not available, guess false. - // TODO(mostynb@opera.com): add a CHECK_EQ(ENOENT, errno); Figure out what - // other situations are here. http://crbug.com/314985 return false; } } diff --git a/sandbox/linux/services/init_process_reaper.cc b/sandbox/linux/services/init_process_reaper.cc index f5473bac24..2e0b90b7b5 100644 --- a/sandbox/linux/services/init_process_reaper.cc +++ b/sandbox/linux/services/init_process_reaper.cc @@ -33,9 +33,9 @@ bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback) { pid_t child_pid = fork(); if (child_pid == -1) { int close_ret; - close_ret = HANDLE_EINTR(close(sync_fds[0])); + close_ret = IGNORE_EINTR(close(sync_fds[0])); DPCHECK(!close_ret); - close_ret = HANDLE_EINTR(close(sync_fds[1])); + close_ret = IGNORE_EINTR(close(sync_fds[1])); DPCHECK(!close_ret); return false; } @@ -50,7 +50,7 @@ bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback) { CHECK(sigaction(SIGCHLD, &action, NULL) == 0); int close_ret; - close_ret = HANDLE_EINTR(close(sync_fds[0])); + close_ret = IGNORE_EINTR(close(sync_fds[0])); DPCHECK(!close_ret); close_ret = shutdown(sync_fds[1], SHUT_RD); DPCHECK(!close_ret); @@ -58,7 +58,7 @@ bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback) { post_fork_parent_callback->Run(); // Tell the child to continue CHECK(HANDLE_EINTR(send(sync_fds[1], "C", 1, MSG_NOSIGNAL)) == 1); - close_ret = HANDLE_EINTR(close(sync_fds[1])); + close_ret = IGNORE_EINTR(close(sync_fds[1])); DPCHECK(!close_ret); for (;;) { @@ -83,13 +83,13 @@ bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback) { // The child needs to wait for the parent to run the callback to avoid a // race condition. int close_ret; - close_ret = HANDLE_EINTR(close(sync_fds[1])); + close_ret = IGNORE_EINTR(close(sync_fds[1])); DPCHECK(!close_ret); close_ret = shutdown(sync_fds[0], SHUT_WR); DPCHECK(!close_ret); char should_continue; int read_ret = HANDLE_EINTR(read(sync_fds[0], &should_continue, 1)); - close_ret = HANDLE_EINTR(close(sync_fds[0])); + close_ret = IGNORE_EINTR(close(sync_fds[0])); DPCHECK(!close_ret); if (read_ret == 1) return true; diff --git a/sandbox/linux/tests/unit_tests.cc b/sandbox/linux/tests/unit_tests.cc index 320f52b41c..ad30d840f4 100644 --- a/sandbox/linux/tests/unit_tests.cc +++ b/sandbox/linux/tests/unit_tests.cc @@ -150,7 +150,7 @@ void UnitTests::RunTestInProcess(UnitTests::Test test, _exit(kExpectedValue); } - (void)HANDLE_EINTR(close(fds[1])); + close(fds[1]); std::vector<char> msg_buf; ssize_t rc; @@ -175,7 +175,7 @@ void UnitTests::RunTestInProcess(UnitTests::Test test, } ASSERT_NE(poll_ret, -1) << "poll() failed"; ASSERT_NE(poll_ret, 0) << "Timeout while reading child state"; - (void)HANDLE_EINTR(close(fds[0])); + close(fds[0]); std::string msg(msg_buf.begin(), msg_buf.end()); int status = 0; diff --git a/sandbox/sandbox.target.darwin-arm.mk b/sandbox/sandbox.target.darwin-arm.mk index 05ff0094ec..6a0b9d5cfe 100644 --- a/sandbox/sandbox.target.darwin-arm.mk +++ b/sandbox/sandbox.target.darwin-arm.mk @@ -13,7 +13,8 @@ gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared) # Make sure our deps are built first. GYP_TARGET_DEPENDENCIES := \ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \ - $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a + $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \ + $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a GYP_GENERATED_OUTPUTS := diff --git a/sandbox/sandbox.target.darwin-x86.mk b/sandbox/sandbox.target.darwin-x86.mk index 05ff0094ec..6a0b9d5cfe 100644 --- a/sandbox/sandbox.target.darwin-x86.mk +++ b/sandbox/sandbox.target.darwin-x86.mk @@ -13,7 +13,8 @@ gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared) # Make sure our deps are built first. GYP_TARGET_DEPENDENCIES := \ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \ - $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a + $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \ + $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a GYP_GENERATED_OUTPUTS := diff --git a/sandbox/sandbox.target.linux-arm.mk b/sandbox/sandbox.target.linux-arm.mk index 05ff0094ec..6a0b9d5cfe 100644 --- a/sandbox/sandbox.target.linux-arm.mk +++ b/sandbox/sandbox.target.linux-arm.mk @@ -13,7 +13,8 @@ gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared) # Make sure our deps are built first. GYP_TARGET_DEPENDENCIES := \ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \ - $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a + $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \ + $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a GYP_GENERATED_OUTPUTS := diff --git a/sandbox/sandbox.target.linux-x86.mk b/sandbox/sandbox.target.linux-x86.mk index 05ff0094ec..6a0b9d5cfe 100644 --- a/sandbox/sandbox.target.linux-x86.mk +++ b/sandbox/sandbox.target.linux-x86.mk @@ -13,7 +13,8 @@ gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared) # Make sure our deps are built first. GYP_TARGET_DEPENDENCIES := \ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \ - $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a + $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \ + $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a GYP_GENERATED_OUTPUTS := diff --git a/sandbox/sandbox_services.target.darwin-arm.mk b/sandbox/sandbox_services.target.darwin-arm.mk index 8d0d355409..a86b86b16b 100644 --- a/sandbox/sandbox_services.target.darwin-arm.mk +++ b/sandbox/sandbox_services.target.darwin-arm.mk @@ -62,6 +62,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -71,9 +72,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -144,6 +147,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -153,9 +157,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/sandbox_services.target.darwin-mips.mk b/sandbox/sandbox_services.target.darwin-mips.mk index 6eaebbbd77..d9f40087e6 100644 --- a/sandbox/sandbox_services.target.darwin-mips.mk +++ b/sandbox/sandbox_services.target.darwin-mips.mk @@ -61,6 +61,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -70,9 +71,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -142,6 +145,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -151,9 +155,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/sandbox_services.target.darwin-x86.mk b/sandbox/sandbox_services.target.darwin-x86.mk index 4c410bba32..ae1cdd5c95 100644 --- a/sandbox/sandbox_services.target.darwin-x86.mk +++ b/sandbox/sandbox_services.target.darwin-x86.mk @@ -64,6 +64,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -73,9 +74,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -149,6 +152,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -158,9 +162,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/sandbox_services.target.linux-arm.mk b/sandbox/sandbox_services.target.linux-arm.mk index 8d0d355409..a86b86b16b 100644 --- a/sandbox/sandbox_services.target.linux-arm.mk +++ b/sandbox/sandbox_services.target.linux-arm.mk @@ -62,6 +62,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -71,9 +72,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -144,6 +147,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -153,9 +157,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/sandbox_services.target.linux-mips.mk b/sandbox/sandbox_services.target.linux-mips.mk index 6eaebbbd77..d9f40087e6 100644 --- a/sandbox/sandbox_services.target.linux-mips.mk +++ b/sandbox/sandbox_services.target.linux-mips.mk @@ -61,6 +61,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -70,9 +71,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -142,6 +145,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -151,9 +155,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/sandbox_services.target.linux-x86.mk b/sandbox/sandbox_services.target.linux-x86.mk index 4c410bba32..ae1cdd5c95 100644 --- a/sandbox/sandbox_services.target.linux-x86.mk +++ b/sandbox/sandbox_services.target.linux-x86.mk @@ -64,6 +64,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -73,9 +74,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -149,6 +152,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -158,9 +162,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/sandbox_services_headers.target.darwin-arm.mk b/sandbox/sandbox_services_headers.target.darwin-arm.mk index f02be395ea..09f390ea7e 100644 --- a/sandbox/sandbox_services_headers.target.darwin-arm.mk +++ b/sandbox/sandbox_services_headers.target.darwin-arm.mk @@ -60,6 +60,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -69,9 +70,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -140,6 +143,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -149,9 +153,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/sandbox_services_headers.target.darwin-x86.mk b/sandbox/sandbox_services_headers.target.darwin-x86.mk index 099b3cb161..c7b2b2d459 100644 --- a/sandbox/sandbox_services_headers.target.darwin-x86.mk +++ b/sandbox/sandbox_services_headers.target.darwin-x86.mk @@ -62,6 +62,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -71,9 +72,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -145,6 +148,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -154,9 +158,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/sandbox_services_headers.target.linux-arm.mk b/sandbox/sandbox_services_headers.target.linux-arm.mk index f02be395ea..09f390ea7e 100644 --- a/sandbox/sandbox_services_headers.target.linux-arm.mk +++ b/sandbox/sandbox_services_headers.target.linux-arm.mk @@ -60,6 +60,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -69,9 +70,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -140,6 +143,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -149,9 +153,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/sandbox_services_headers.target.linux-x86.mk b/sandbox/sandbox_services_headers.target.linux-x86.mk index 099b3cb161..c7b2b2d459 100644 --- a/sandbox/sandbox_services_headers.target.linux-x86.mk +++ b/sandbox/sandbox_services_headers.target.linux-x86.mk @@ -62,6 +62,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -71,9 +72,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -145,6 +148,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -154,9 +158,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/seccomp_bpf.target.darwin-arm.mk b/sandbox/seccomp_bpf.target.darwin-arm.mk index c18bcaf0a1..55710048d1 100644 --- a/sandbox/seccomp_bpf.target.darwin-arm.mk +++ b/sandbox/seccomp_bpf.target.darwin-arm.mk @@ -70,6 +70,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -79,9 +80,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -151,6 +154,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -160,9 +164,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/seccomp_bpf.target.darwin-x86.mk b/sandbox/seccomp_bpf.target.darwin-x86.mk index 26e021c6d0..57911b9c16 100644 --- a/sandbox/seccomp_bpf.target.darwin-x86.mk +++ b/sandbox/seccomp_bpf.target.darwin-x86.mk @@ -72,6 +72,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -81,9 +82,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -156,6 +159,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -165,9 +169,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/seccomp_bpf.target.linux-arm.mk b/sandbox/seccomp_bpf.target.linux-arm.mk index c18bcaf0a1..55710048d1 100644 --- a/sandbox/seccomp_bpf.target.linux-arm.mk +++ b/sandbox/seccomp_bpf.target.linux-arm.mk @@ -70,6 +70,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -79,9 +80,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -151,6 +154,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -160,9 +164,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/seccomp_bpf.target.linux-x86.mk b/sandbox/seccomp_bpf.target.linux-x86.mk index 26e021c6d0..57911b9c16 100644 --- a/sandbox/seccomp_bpf.target.linux-x86.mk +++ b/sandbox/seccomp_bpf.target.linux-x86.mk @@ -72,6 +72,7 @@ MY_CFLAGS_Debug := \ MY_DEFS_Debug := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -81,9 +82,11 @@ MY_DEFS_Debug := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ @@ -156,6 +159,7 @@ MY_CFLAGS_Release := \ MY_DEFS_Release := \ '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ '-D_FILE_OFFSET_BITS=64' \ '-DNO_TCMALLOC' \ '-DDISABLE_NACL' \ @@ -165,9 +169,11 @@ MY_DEFS_Release := \ '-DENABLE_CONFIGURATION_POLICY' \ '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ '-DUSE_OPENSSL=1' \ '-DENABLE_EGLIMAGE=1' \ '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ '-DENABLE_MANAGED_USERS=1' \ '-D__STDC_CONSTANT_MACROS' \ '-D__STDC_FORMAT_MACROS' \ diff --git a/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk b/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk new file mode 100644 index 0000000000..91cd25a132 --- /dev/null +++ b/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk @@ -0,0 +1,261 @@ +# This file is generated by gyp; do not edit. + +include $(CLEAR_VARS) + +LOCAL_MODULE_CLASS := STATIC_LIBRARIES +LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp +LOCAL_MODULE_SUFFIX := .a +LOCAL_MODULE_TAGS := optional +gyp_intermediate_dir := $(call local-intermediates-dir) +gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared) + +# Make sure our deps are built first. +GYP_TARGET_DEPENDENCIES := + +GYP_GENERATED_OUTPUTS := + +# Make sure our deps and generated files are built first. +LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS) + +LOCAL_CPP_EXTENSION := .cc +LOCAL_GENERATED_SOURCES := + +GYP_COPIED_SOURCE_ORIGIN_DIRS := + +LOCAL_SRC_FILES := \ + sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc \ + sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc \ + sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc \ + sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc + + +# Flags passed to both C and C++ files. +MY_CFLAGS_Debug := \ + -fstack-protector \ + --param=ssp-buffer-size=4 \ + -Werror \ + -fno-exceptions \ + -fno-strict-aliasing \ + -Wall \ + -Wno-unused-parameter \ + -Wno-missing-field-initializers \ + -fvisibility=hidden \ + -pipe \ + -fPIC \ + -fno-tree-sra \ + -fuse-ld=gold \ + -Wno-psabi \ + -ffunction-sections \ + -funwind-tables \ + -g \ + -fstack-protector \ + -fno-short-enums \ + -finline-limit=64 \ + -Wa,--noexecstack \ + -U_FORTIFY_SOURCE \ + -Wno-extra \ + -Wno-ignored-qualifiers \ + -Wno-type-limits \ + -Os \ + -g \ + -fomit-frame-pointer \ + -fdata-sections \ + -ffunction-sections + +MY_DEFS_Debug := \ + '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ + '-D_FILE_OFFSET_BITS=64' \ + '-DNO_TCMALLOC' \ + '-DDISABLE_NACL' \ + '-DCHROMIUM_BUILD' \ + '-DUSE_LIBJPEG_TURBO=1' \ + '-DUSE_PROPRIETARY_CODECS' \ + '-DENABLE_CONFIGURATION_POLICY' \ + '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ + '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ + '-DUSE_OPENSSL=1' \ + '-DENABLE_EGLIMAGE=1' \ + '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ + '-DENABLE_MANAGED_USERS=1' \ + '-D__STDC_CONSTANT_MACROS' \ + '-D__STDC_FORMAT_MACROS' \ + '-DANDROID' \ + '-D__GNU_SOURCE=1' \ + '-DUSE_STLPORT=1' \ + '-D_STLP_USE_PTR_SPECIALIZATIONS=1' \ + '-DCHROME_BUILD_ID=""' \ + '-DDYNAMIC_ANNOTATIONS_ENABLED=1' \ + '-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \ + '-D_DEBUG' + + +# Include paths placed before CFLAGS/CPPFLAGS +LOCAL_C_INCLUDES_Debug := \ + $(LOCAL_PATH) \ + $(PWD)/frameworks/wilhelm/include \ + $(PWD)/bionic \ + $(PWD)/external/stlport/stlport + + +# Flags passed to only C++ (and not C) files. +LOCAL_CPPFLAGS_Debug := \ + -fno-rtti \ + -fno-threadsafe-statics \ + -fvisibility-inlines-hidden \ + -Wsign-compare \ + -Wno-abi \ + -Wno-error=c++0x-compat \ + -Wno-non-virtual-dtor \ + -Wno-sign-promo + + +# Flags passed to both C and C++ files. +MY_CFLAGS_Release := \ + -fstack-protector \ + --param=ssp-buffer-size=4 \ + -Werror \ + -fno-exceptions \ + -fno-strict-aliasing \ + -Wall \ + -Wno-unused-parameter \ + -Wno-missing-field-initializers \ + -fvisibility=hidden \ + -pipe \ + -fPIC \ + -fno-tree-sra \ + -fuse-ld=gold \ + -Wno-psabi \ + -ffunction-sections \ + -funwind-tables \ + -g \ + -fstack-protector \ + -fno-short-enums \ + -finline-limit=64 \ + -Wa,--noexecstack \ + -U_FORTIFY_SOURCE \ + -Wno-extra \ + -Wno-ignored-qualifiers \ + -Wno-type-limits \ + -Os \ + -fno-ident \ + -fdata-sections \ + -ffunction-sections \ + -fomit-frame-pointer + +MY_DEFS_Release := \ + '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ + '-D_FILE_OFFSET_BITS=64' \ + '-DNO_TCMALLOC' \ + '-DDISABLE_NACL' \ + '-DCHROMIUM_BUILD' \ + '-DUSE_LIBJPEG_TURBO=1' \ + '-DUSE_PROPRIETARY_CODECS' \ + '-DENABLE_CONFIGURATION_POLICY' \ + '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ + '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ + '-DUSE_OPENSSL=1' \ + '-DENABLE_EGLIMAGE=1' \ + '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ + '-DENABLE_MANAGED_USERS=1' \ + '-D__STDC_CONSTANT_MACROS' \ + '-D__STDC_FORMAT_MACROS' \ + '-DANDROID' \ + '-D__GNU_SOURCE=1' \ + '-DUSE_STLPORT=1' \ + '-D_STLP_USE_PTR_SPECIALIZATIONS=1' \ + '-DCHROME_BUILD_ID=""' \ + '-DNDEBUG' \ + '-DNVALGRIND' \ + '-DDYNAMIC_ANNOTATIONS_ENABLED=0' \ + '-D_FORTIFY_SOURCE=2' + + +# Include paths placed before CFLAGS/CPPFLAGS +LOCAL_C_INCLUDES_Release := \ + $(LOCAL_PATH) \ + $(PWD)/frameworks/wilhelm/include \ + $(PWD)/bionic \ + $(PWD)/external/stlport/stlport + + +# Flags passed to only C++ (and not C) files. +LOCAL_CPPFLAGS_Release := \ + -fno-rtti \ + -fno-threadsafe-statics \ + -fvisibility-inlines-hidden \ + -Wsign-compare \ + -Wno-abi \ + -Wno-error=c++0x-compat \ + -Wno-non-virtual-dtor \ + -Wno-sign-promo + + +LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION)) +LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION)) +LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION)) +### Rules for final target. + +LOCAL_LDFLAGS_Debug := \ + -Wl,-z,now \ + -Wl,-z,relro \ + -Wl,-z,noexecstack \ + -fPIC \ + -Wl,-z,relro \ + -Wl,-z,now \ + -fuse-ld=gold \ + -nostdlib \ + -Wl,--no-undefined \ + -Wl,--exclude-libs=ALL \ + -Wl,--icf=safe \ + -Wl,--fatal-warnings \ + -Wl,--gc-sections \ + -Wl,--warn-shared-textrel \ + -Wl,-O1 \ + -Wl,--as-needed + + +LOCAL_LDFLAGS_Release := \ + -Wl,-z,now \ + -Wl,-z,relro \ + -Wl,-z,noexecstack \ + -fPIC \ + -Wl,-z,relro \ + -Wl,-z,now \ + -fuse-ld=gold \ + -nostdlib \ + -Wl,--no-undefined \ + -Wl,--exclude-libs=ALL \ + -Wl,--icf=safe \ + -Wl,-O1 \ + -Wl,--as-needed \ + -Wl,--gc-sections \ + -Wl,--fatal-warnings \ + -Wl,--warn-shared-textrel + + +LOCAL_LDFLAGS := $(LOCAL_LDFLAGS_$(GYP_CONFIGURATION)) + +LOCAL_STATIC_LIBRARIES := + +# Enable grouping to fix circular references +LOCAL_GROUP_STATIC_LIBRARIES := true + +LOCAL_SHARED_LIBRARIES := \ + libstlport \ + libdl + +# Add target alias to "gyp_all_modules" target. +.PHONY: gyp_all_modules +gyp_all_modules: sandbox_seccomp_bpf_helpers_gyp + +# Alias gyp target name. +.PHONY: seccomp_bpf_helpers +seccomp_bpf_helpers: sandbox_seccomp_bpf_helpers_gyp + +include $(BUILD_STATIC_LIBRARY) diff --git a/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk b/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk new file mode 100644 index 0000000000..4244bbc43a --- /dev/null +++ b/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk @@ -0,0 +1,261 @@ +# This file is generated by gyp; do not edit. + +include $(CLEAR_VARS) + +LOCAL_MODULE_CLASS := STATIC_LIBRARIES +LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp +LOCAL_MODULE_SUFFIX := .a +LOCAL_MODULE_TAGS := optional +gyp_intermediate_dir := $(call local-intermediates-dir) +gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared) + +# Make sure our deps are built first. +GYP_TARGET_DEPENDENCIES := + +GYP_GENERATED_OUTPUTS := + +# Make sure our deps and generated files are built first. +LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS) + +LOCAL_CPP_EXTENSION := .cc +LOCAL_GENERATED_SOURCES := + +GYP_COPIED_SOURCE_ORIGIN_DIRS := + +LOCAL_SRC_FILES := \ + sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc \ + sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc \ + sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc \ + sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc + + +# Flags passed to both C and C++ files. +MY_CFLAGS_Debug := \ + --param=ssp-buffer-size=4 \ + -Werror \ + -fno-exceptions \ + -fno-strict-aliasing \ + -Wall \ + -Wno-unused-parameter \ + -Wno-missing-field-initializers \ + -fvisibility=hidden \ + -pipe \ + -fPIC \ + -m32 \ + -mmmx \ + -march=pentium4 \ + -msse2 \ + -mfpmath=sse \ + -fuse-ld=gold \ + -ffunction-sections \ + -funwind-tables \ + -g \ + -fno-short-enums \ + -finline-limit=64 \ + -Wa,--noexecstack \ + -U_FORTIFY_SOURCE \ + -Wno-extra \ + -Wno-ignored-qualifiers \ + -Wno-type-limits \ + -fno-stack-protector \ + -Os \ + -g \ + -fomit-frame-pointer \ + -fdata-sections \ + -ffunction-sections + +MY_DEFS_Debug := \ + '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ + '-D_FILE_OFFSET_BITS=64' \ + '-DNO_TCMALLOC' \ + '-DDISABLE_NACL' \ + '-DCHROMIUM_BUILD' \ + '-DUSE_LIBJPEG_TURBO=1' \ + '-DUSE_PROPRIETARY_CODECS' \ + '-DENABLE_CONFIGURATION_POLICY' \ + '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ + '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ + '-DUSE_OPENSSL=1' \ + '-DENABLE_EGLIMAGE=1' \ + '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ + '-DENABLE_MANAGED_USERS=1' \ + '-D__STDC_CONSTANT_MACROS' \ + '-D__STDC_FORMAT_MACROS' \ + '-DANDROID' \ + '-D__GNU_SOURCE=1' \ + '-DUSE_STLPORT=1' \ + '-D_STLP_USE_PTR_SPECIALIZATIONS=1' \ + '-DCHROME_BUILD_ID=""' \ + '-DDYNAMIC_ANNOTATIONS_ENABLED=1' \ + '-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \ + '-D_DEBUG' + + +# Include paths placed before CFLAGS/CPPFLAGS +LOCAL_C_INCLUDES_Debug := \ + $(LOCAL_PATH) \ + $(PWD)/frameworks/wilhelm/include \ + $(PWD)/bionic \ + $(PWD)/external/stlport/stlport + + +# Flags passed to only C++ (and not C) files. +LOCAL_CPPFLAGS_Debug := \ + -fno-rtti \ + -fno-threadsafe-statics \ + -fvisibility-inlines-hidden \ + -Wsign-compare \ + -Wno-error=c++0x-compat \ + -Wno-non-virtual-dtor \ + -Wno-sign-promo + + +# Flags passed to both C and C++ files. +MY_CFLAGS_Release := \ + --param=ssp-buffer-size=4 \ + -Werror \ + -fno-exceptions \ + -fno-strict-aliasing \ + -Wall \ + -Wno-unused-parameter \ + -Wno-missing-field-initializers \ + -fvisibility=hidden \ + -pipe \ + -fPIC \ + -m32 \ + -mmmx \ + -march=pentium4 \ + -msse2 \ + -mfpmath=sse \ + -fuse-ld=gold \ + -ffunction-sections \ + -funwind-tables \ + -g \ + -fno-short-enums \ + -finline-limit=64 \ + -Wa,--noexecstack \ + -U_FORTIFY_SOURCE \ + -Wno-extra \ + -Wno-ignored-qualifiers \ + -Wno-type-limits \ + -fno-stack-protector \ + -Os \ + -fno-ident \ + -fdata-sections \ + -ffunction-sections \ + -fomit-frame-pointer \ + -fno-unwind-tables \ + -fno-asynchronous-unwind-tables + +MY_DEFS_Release := \ + '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ + '-D_FILE_OFFSET_BITS=64' \ + '-DNO_TCMALLOC' \ + '-DDISABLE_NACL' \ + '-DCHROMIUM_BUILD' \ + '-DUSE_LIBJPEG_TURBO=1' \ + '-DUSE_PROPRIETARY_CODECS' \ + '-DENABLE_CONFIGURATION_POLICY' \ + '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ + '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ + '-DUSE_OPENSSL=1' \ + '-DENABLE_EGLIMAGE=1' \ + '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ + '-DENABLE_MANAGED_USERS=1' \ + '-D__STDC_CONSTANT_MACROS' \ + '-D__STDC_FORMAT_MACROS' \ + '-DANDROID' \ + '-D__GNU_SOURCE=1' \ + '-DUSE_STLPORT=1' \ + '-D_STLP_USE_PTR_SPECIALIZATIONS=1' \ + '-DCHROME_BUILD_ID=""' \ + '-DNDEBUG' \ + '-DNVALGRIND' \ + '-DDYNAMIC_ANNOTATIONS_ENABLED=0' \ + '-D_FORTIFY_SOURCE=2' + + +# Include paths placed before CFLAGS/CPPFLAGS +LOCAL_C_INCLUDES_Release := \ + $(LOCAL_PATH) \ + $(PWD)/frameworks/wilhelm/include \ + $(PWD)/bionic \ + $(PWD)/external/stlport/stlport + + +# Flags passed to only C++ (and not C) files. +LOCAL_CPPFLAGS_Release := \ + -fno-rtti \ + -fno-threadsafe-statics \ + -fvisibility-inlines-hidden \ + -Wsign-compare \ + -Wno-error=c++0x-compat \ + -Wno-non-virtual-dtor \ + -Wno-sign-promo + + +LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION)) +LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION)) +LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION)) +### Rules for final target. + +LOCAL_LDFLAGS_Debug := \ + -Wl,-z,now \ + -Wl,-z,relro \ + -Wl,-z,noexecstack \ + -fPIC \ + -m32 \ + -fuse-ld=gold \ + -nostdlib \ + -Wl,--no-undefined \ + -Wl,--exclude-libs=ALL \ + -Wl,--fatal-warnings \ + -Wl,--gc-sections \ + -Wl,--warn-shared-textrel \ + -Wl,-O1 \ + -Wl,--as-needed + + +LOCAL_LDFLAGS_Release := \ + -Wl,-z,now \ + -Wl,-z,relro \ + -Wl,-z,noexecstack \ + -fPIC \ + -m32 \ + -fuse-ld=gold \ + -nostdlib \ + -Wl,--no-undefined \ + -Wl,--exclude-libs=ALL \ + -Wl,-O1 \ + -Wl,--as-needed \ + -Wl,--gc-sections \ + -Wl,--fatal-warnings \ + -Wl,--warn-shared-textrel + + +LOCAL_LDFLAGS := $(LOCAL_LDFLAGS_$(GYP_CONFIGURATION)) + +LOCAL_STATIC_LIBRARIES := + +# Enable grouping to fix circular references +LOCAL_GROUP_STATIC_LIBRARIES := true + +LOCAL_SHARED_LIBRARIES := \ + libstlport \ + libdl + +# Add target alias to "gyp_all_modules" target. +.PHONY: gyp_all_modules +gyp_all_modules: sandbox_seccomp_bpf_helpers_gyp + +# Alias gyp target name. +.PHONY: seccomp_bpf_helpers +seccomp_bpf_helpers: sandbox_seccomp_bpf_helpers_gyp + +include $(BUILD_STATIC_LIBRARY) diff --git a/sandbox/seccomp_bpf_helpers.target.linux-arm.mk b/sandbox/seccomp_bpf_helpers.target.linux-arm.mk new file mode 100644 index 0000000000..91cd25a132 --- /dev/null +++ b/sandbox/seccomp_bpf_helpers.target.linux-arm.mk @@ -0,0 +1,261 @@ +# This file is generated by gyp; do not edit. + +include $(CLEAR_VARS) + +LOCAL_MODULE_CLASS := STATIC_LIBRARIES +LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp +LOCAL_MODULE_SUFFIX := .a +LOCAL_MODULE_TAGS := optional +gyp_intermediate_dir := $(call local-intermediates-dir) +gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared) + +# Make sure our deps are built first. +GYP_TARGET_DEPENDENCIES := + +GYP_GENERATED_OUTPUTS := + +# Make sure our deps and generated files are built first. +LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS) + +LOCAL_CPP_EXTENSION := .cc +LOCAL_GENERATED_SOURCES := + +GYP_COPIED_SOURCE_ORIGIN_DIRS := + +LOCAL_SRC_FILES := \ + sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc \ + sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc \ + sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc \ + sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc + + +# Flags passed to both C and C++ files. +MY_CFLAGS_Debug := \ + -fstack-protector \ + --param=ssp-buffer-size=4 \ + -Werror \ + -fno-exceptions \ + -fno-strict-aliasing \ + -Wall \ + -Wno-unused-parameter \ + -Wno-missing-field-initializers \ + -fvisibility=hidden \ + -pipe \ + -fPIC \ + -fno-tree-sra \ + -fuse-ld=gold \ + -Wno-psabi \ + -ffunction-sections \ + -funwind-tables \ + -g \ + -fstack-protector \ + -fno-short-enums \ + -finline-limit=64 \ + -Wa,--noexecstack \ + -U_FORTIFY_SOURCE \ + -Wno-extra \ + -Wno-ignored-qualifiers \ + -Wno-type-limits \ + -Os \ + -g \ + -fomit-frame-pointer \ + -fdata-sections \ + -ffunction-sections + +MY_DEFS_Debug := \ + '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ + '-D_FILE_OFFSET_BITS=64' \ + '-DNO_TCMALLOC' \ + '-DDISABLE_NACL' \ + '-DCHROMIUM_BUILD' \ + '-DUSE_LIBJPEG_TURBO=1' \ + '-DUSE_PROPRIETARY_CODECS' \ + '-DENABLE_CONFIGURATION_POLICY' \ + '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ + '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ + '-DUSE_OPENSSL=1' \ + '-DENABLE_EGLIMAGE=1' \ + '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ + '-DENABLE_MANAGED_USERS=1' \ + '-D__STDC_CONSTANT_MACROS' \ + '-D__STDC_FORMAT_MACROS' \ + '-DANDROID' \ + '-D__GNU_SOURCE=1' \ + '-DUSE_STLPORT=1' \ + '-D_STLP_USE_PTR_SPECIALIZATIONS=1' \ + '-DCHROME_BUILD_ID=""' \ + '-DDYNAMIC_ANNOTATIONS_ENABLED=1' \ + '-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \ + '-D_DEBUG' + + +# Include paths placed before CFLAGS/CPPFLAGS +LOCAL_C_INCLUDES_Debug := \ + $(LOCAL_PATH) \ + $(PWD)/frameworks/wilhelm/include \ + $(PWD)/bionic \ + $(PWD)/external/stlport/stlport + + +# Flags passed to only C++ (and not C) files. +LOCAL_CPPFLAGS_Debug := \ + -fno-rtti \ + -fno-threadsafe-statics \ + -fvisibility-inlines-hidden \ + -Wsign-compare \ + -Wno-abi \ + -Wno-error=c++0x-compat \ + -Wno-non-virtual-dtor \ + -Wno-sign-promo + + +# Flags passed to both C and C++ files. +MY_CFLAGS_Release := \ + -fstack-protector \ + --param=ssp-buffer-size=4 \ + -Werror \ + -fno-exceptions \ + -fno-strict-aliasing \ + -Wall \ + -Wno-unused-parameter \ + -Wno-missing-field-initializers \ + -fvisibility=hidden \ + -pipe \ + -fPIC \ + -fno-tree-sra \ + -fuse-ld=gold \ + -Wno-psabi \ + -ffunction-sections \ + -funwind-tables \ + -g \ + -fstack-protector \ + -fno-short-enums \ + -finline-limit=64 \ + -Wa,--noexecstack \ + -U_FORTIFY_SOURCE \ + -Wno-extra \ + -Wno-ignored-qualifiers \ + -Wno-type-limits \ + -Os \ + -fno-ident \ + -fdata-sections \ + -ffunction-sections \ + -fomit-frame-pointer + +MY_DEFS_Release := \ + '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ + '-D_FILE_OFFSET_BITS=64' \ + '-DNO_TCMALLOC' \ + '-DDISABLE_NACL' \ + '-DCHROMIUM_BUILD' \ + '-DUSE_LIBJPEG_TURBO=1' \ + '-DUSE_PROPRIETARY_CODECS' \ + '-DENABLE_CONFIGURATION_POLICY' \ + '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ + '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ + '-DUSE_OPENSSL=1' \ + '-DENABLE_EGLIMAGE=1' \ + '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ + '-DENABLE_MANAGED_USERS=1' \ + '-D__STDC_CONSTANT_MACROS' \ + '-D__STDC_FORMAT_MACROS' \ + '-DANDROID' \ + '-D__GNU_SOURCE=1' \ + '-DUSE_STLPORT=1' \ + '-D_STLP_USE_PTR_SPECIALIZATIONS=1' \ + '-DCHROME_BUILD_ID=""' \ + '-DNDEBUG' \ + '-DNVALGRIND' \ + '-DDYNAMIC_ANNOTATIONS_ENABLED=0' \ + '-D_FORTIFY_SOURCE=2' + + +# Include paths placed before CFLAGS/CPPFLAGS +LOCAL_C_INCLUDES_Release := \ + $(LOCAL_PATH) \ + $(PWD)/frameworks/wilhelm/include \ + $(PWD)/bionic \ + $(PWD)/external/stlport/stlport + + +# Flags passed to only C++ (and not C) files. +LOCAL_CPPFLAGS_Release := \ + -fno-rtti \ + -fno-threadsafe-statics \ + -fvisibility-inlines-hidden \ + -Wsign-compare \ + -Wno-abi \ + -Wno-error=c++0x-compat \ + -Wno-non-virtual-dtor \ + -Wno-sign-promo + + +LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION)) +LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION)) +LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION)) +### Rules for final target. + +LOCAL_LDFLAGS_Debug := \ + -Wl,-z,now \ + -Wl,-z,relro \ + -Wl,-z,noexecstack \ + -fPIC \ + -Wl,-z,relro \ + -Wl,-z,now \ + -fuse-ld=gold \ + -nostdlib \ + -Wl,--no-undefined \ + -Wl,--exclude-libs=ALL \ + -Wl,--icf=safe \ + -Wl,--fatal-warnings \ + -Wl,--gc-sections \ + -Wl,--warn-shared-textrel \ + -Wl,-O1 \ + -Wl,--as-needed + + +LOCAL_LDFLAGS_Release := \ + -Wl,-z,now \ + -Wl,-z,relro \ + -Wl,-z,noexecstack \ + -fPIC \ + -Wl,-z,relro \ + -Wl,-z,now \ + -fuse-ld=gold \ + -nostdlib \ + -Wl,--no-undefined \ + -Wl,--exclude-libs=ALL \ + -Wl,--icf=safe \ + -Wl,-O1 \ + -Wl,--as-needed \ + -Wl,--gc-sections \ + -Wl,--fatal-warnings \ + -Wl,--warn-shared-textrel + + +LOCAL_LDFLAGS := $(LOCAL_LDFLAGS_$(GYP_CONFIGURATION)) + +LOCAL_STATIC_LIBRARIES := + +# Enable grouping to fix circular references +LOCAL_GROUP_STATIC_LIBRARIES := true + +LOCAL_SHARED_LIBRARIES := \ + libstlport \ + libdl + +# Add target alias to "gyp_all_modules" target. +.PHONY: gyp_all_modules +gyp_all_modules: sandbox_seccomp_bpf_helpers_gyp + +# Alias gyp target name. +.PHONY: seccomp_bpf_helpers +seccomp_bpf_helpers: sandbox_seccomp_bpf_helpers_gyp + +include $(BUILD_STATIC_LIBRARY) diff --git a/sandbox/seccomp_bpf_helpers.target.linux-x86.mk b/sandbox/seccomp_bpf_helpers.target.linux-x86.mk new file mode 100644 index 0000000000..4244bbc43a --- /dev/null +++ b/sandbox/seccomp_bpf_helpers.target.linux-x86.mk @@ -0,0 +1,261 @@ +# This file is generated by gyp; do not edit. + +include $(CLEAR_VARS) + +LOCAL_MODULE_CLASS := STATIC_LIBRARIES +LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp +LOCAL_MODULE_SUFFIX := .a +LOCAL_MODULE_TAGS := optional +gyp_intermediate_dir := $(call local-intermediates-dir) +gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared) + +# Make sure our deps are built first. +GYP_TARGET_DEPENDENCIES := + +GYP_GENERATED_OUTPUTS := + +# Make sure our deps and generated files are built first. +LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS) + +LOCAL_CPP_EXTENSION := .cc +LOCAL_GENERATED_SOURCES := + +GYP_COPIED_SOURCE_ORIGIN_DIRS := + +LOCAL_SRC_FILES := \ + sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc \ + sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc \ + sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc \ + sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc + + +# Flags passed to both C and C++ files. +MY_CFLAGS_Debug := \ + --param=ssp-buffer-size=4 \ + -Werror \ + -fno-exceptions \ + -fno-strict-aliasing \ + -Wall \ + -Wno-unused-parameter \ + -Wno-missing-field-initializers \ + -fvisibility=hidden \ + -pipe \ + -fPIC \ + -m32 \ + -mmmx \ + -march=pentium4 \ + -msse2 \ + -mfpmath=sse \ + -fuse-ld=gold \ + -ffunction-sections \ + -funwind-tables \ + -g \ + -fno-short-enums \ + -finline-limit=64 \ + -Wa,--noexecstack \ + -U_FORTIFY_SOURCE \ + -Wno-extra \ + -Wno-ignored-qualifiers \ + -Wno-type-limits \ + -fno-stack-protector \ + -Os \ + -g \ + -fomit-frame-pointer \ + -fdata-sections \ + -ffunction-sections + +MY_DEFS_Debug := \ + '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ + '-D_FILE_OFFSET_BITS=64' \ + '-DNO_TCMALLOC' \ + '-DDISABLE_NACL' \ + '-DCHROMIUM_BUILD' \ + '-DUSE_LIBJPEG_TURBO=1' \ + '-DUSE_PROPRIETARY_CODECS' \ + '-DENABLE_CONFIGURATION_POLICY' \ + '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ + '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ + '-DUSE_OPENSSL=1' \ + '-DENABLE_EGLIMAGE=1' \ + '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ + '-DENABLE_MANAGED_USERS=1' \ + '-D__STDC_CONSTANT_MACROS' \ + '-D__STDC_FORMAT_MACROS' \ + '-DANDROID' \ + '-D__GNU_SOURCE=1' \ + '-DUSE_STLPORT=1' \ + '-D_STLP_USE_PTR_SPECIALIZATIONS=1' \ + '-DCHROME_BUILD_ID=""' \ + '-DDYNAMIC_ANNOTATIONS_ENABLED=1' \ + '-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \ + '-D_DEBUG' + + +# Include paths placed before CFLAGS/CPPFLAGS +LOCAL_C_INCLUDES_Debug := \ + $(LOCAL_PATH) \ + $(PWD)/frameworks/wilhelm/include \ + $(PWD)/bionic \ + $(PWD)/external/stlport/stlport + + +# Flags passed to only C++ (and not C) files. +LOCAL_CPPFLAGS_Debug := \ + -fno-rtti \ + -fno-threadsafe-statics \ + -fvisibility-inlines-hidden \ + -Wsign-compare \ + -Wno-error=c++0x-compat \ + -Wno-non-virtual-dtor \ + -Wno-sign-promo + + +# Flags passed to both C and C++ files. +MY_CFLAGS_Release := \ + --param=ssp-buffer-size=4 \ + -Werror \ + -fno-exceptions \ + -fno-strict-aliasing \ + -Wall \ + -Wno-unused-parameter \ + -Wno-missing-field-initializers \ + -fvisibility=hidden \ + -pipe \ + -fPIC \ + -m32 \ + -mmmx \ + -march=pentium4 \ + -msse2 \ + -mfpmath=sse \ + -fuse-ld=gold \ + -ffunction-sections \ + -funwind-tables \ + -g \ + -fno-short-enums \ + -finline-limit=64 \ + -Wa,--noexecstack \ + -U_FORTIFY_SOURCE \ + -Wno-extra \ + -Wno-ignored-qualifiers \ + -Wno-type-limits \ + -fno-stack-protector \ + -Os \ + -fno-ident \ + -fdata-sections \ + -ffunction-sections \ + -fomit-frame-pointer \ + -fno-unwind-tables \ + -fno-asynchronous-unwind-tables + +MY_DEFS_Release := \ + '-DANGLE_DX11' \ + '-DV8_DEPRECATION_WARNINGS' \ + '-D_FILE_OFFSET_BITS=64' \ + '-DNO_TCMALLOC' \ + '-DDISABLE_NACL' \ + '-DCHROMIUM_BUILD' \ + '-DUSE_LIBJPEG_TURBO=1' \ + '-DUSE_PROPRIETARY_CODECS' \ + '-DENABLE_CONFIGURATION_POLICY' \ + '-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \ + '-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \ + '-DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC' \ + '-DUSE_OPENSSL=1' \ + '-DENABLE_EGLIMAGE=1' \ + '-DCLD_VERSION=1' \ + '-DENABLE_PRINTING=1' \ + '-DENABLE_MANAGED_USERS=1' \ + '-D__STDC_CONSTANT_MACROS' \ + '-D__STDC_FORMAT_MACROS' \ + '-DANDROID' \ + '-D__GNU_SOURCE=1' \ + '-DUSE_STLPORT=1' \ + '-D_STLP_USE_PTR_SPECIALIZATIONS=1' \ + '-DCHROME_BUILD_ID=""' \ + '-DNDEBUG' \ + '-DNVALGRIND' \ + '-DDYNAMIC_ANNOTATIONS_ENABLED=0' \ + '-D_FORTIFY_SOURCE=2' + + +# Include paths placed before CFLAGS/CPPFLAGS +LOCAL_C_INCLUDES_Release := \ + $(LOCAL_PATH) \ + $(PWD)/frameworks/wilhelm/include \ + $(PWD)/bionic \ + $(PWD)/external/stlport/stlport + + +# Flags passed to only C++ (and not C) files. +LOCAL_CPPFLAGS_Release := \ + -fno-rtti \ + -fno-threadsafe-statics \ + -fvisibility-inlines-hidden \ + -Wsign-compare \ + -Wno-error=c++0x-compat \ + -Wno-non-virtual-dtor \ + -Wno-sign-promo + + +LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION)) +LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION)) +LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION)) +### Rules for final target. + +LOCAL_LDFLAGS_Debug := \ + -Wl,-z,now \ + -Wl,-z,relro \ + -Wl,-z,noexecstack \ + -fPIC \ + -m32 \ + -fuse-ld=gold \ + -nostdlib \ + -Wl,--no-undefined \ + -Wl,--exclude-libs=ALL \ + -Wl,--fatal-warnings \ + -Wl,--gc-sections \ + -Wl,--warn-shared-textrel \ + -Wl,-O1 \ + -Wl,--as-needed + + +LOCAL_LDFLAGS_Release := \ + -Wl,-z,now \ + -Wl,-z,relro \ + -Wl,-z,noexecstack \ + -fPIC \ + -m32 \ + -fuse-ld=gold \ + -nostdlib \ + -Wl,--no-undefined \ + -Wl,--exclude-libs=ALL \ + -Wl,-O1 \ + -Wl,--as-needed \ + -Wl,--gc-sections \ + -Wl,--fatal-warnings \ + -Wl,--warn-shared-textrel + + +LOCAL_LDFLAGS := $(LOCAL_LDFLAGS_$(GYP_CONFIGURATION)) + +LOCAL_STATIC_LIBRARIES := + +# Enable grouping to fix circular references +LOCAL_GROUP_STATIC_LIBRARIES := true + +LOCAL_SHARED_LIBRARIES := \ + libstlport \ + libdl + +# Add target alias to "gyp_all_modules" target. +.PHONY: gyp_all_modules +gyp_all_modules: sandbox_seccomp_bpf_helpers_gyp + +# Alias gyp target name. +.PHONY: seccomp_bpf_helpers +seccomp_bpf_helpers: sandbox_seccomp_bpf_helpers_gyp + +include $(BUILD_STATIC_LIBRARY) diff --git a/sandbox/win/sandbox_win.gypi b/sandbox/win/sandbox_win.gypi index 881a6506ac..1fa82794bb 100644 --- a/sandbox/win/sandbox_win.gypi +++ b/sandbox/win/sandbox_win.gypi @@ -93,6 +93,7 @@ 'src/restricted_token.cc', 'src/restricted_token.h', 'src/sandbox_factory.h', + 'src/sandbox_globals.cc', 'src/sandbox_nt_types.h', 'src/sandbox_nt_util.cc', 'src/sandbox_nt_util.h', diff --git a/sandbox/win/src/nt_internals.h b/sandbox/win/src/nt_internals.h index 1423be4937..e0c74ac1fb 100644 --- a/sandbox/win/src/nt_internals.h +++ b/sandbox/win/src/nt_internals.h @@ -1,4 +1,4 @@ -// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -601,6 +601,11 @@ typedef size_t (__cdecl *strlenFunction)( typedef size_t (__cdecl *wcslenFunction)( IN const wchar_t* _Str); +typedef void* (__cdecl *memcpyFunction)( + IN void* dest, + IN const void* src, + IN size_t count); + typedef NTSTATUS (WINAPI *RtlAnsiStringToUnicodeStringFunction)( IN OUT PUNICODE_STRING DestinationString, IN PANSI_STRING SourceString, diff --git a/sandbox/win/src/policy_broker.cc b/sandbox/win/src/policy_broker.cc index fbe4619077..dc5e18c28b 100644 --- a/sandbox/win/src/policy_broker.cc +++ b/sandbox/win/src/policy_broker.cc @@ -73,6 +73,7 @@ bool SetupNtdllImports(TargetProcess *child) { INIT_GLOBAL_RTL(_strnicmp); INIT_GLOBAL_RTL(strlen); INIT_GLOBAL_RTL(wcslen); + INIT_GLOBAL_RTL(memcpy); #ifndef NDEBUG // Verify that the structure is fully initialized. diff --git a/sandbox/win/src/sandbox.cc b/sandbox/win/src/sandbox.cc index 9e4ab08a09..d26daa434e 100644 --- a/sandbox/win/src/sandbox.cc +++ b/sandbox/win/src/sandbox.cc @@ -11,7 +11,7 @@ namespace sandbox { // The section for IPC and policy. -SANDBOX_INTERCEPT HANDLE g_shared_section = NULL; +SANDBOX_INTERCEPT HANDLE g_shared_section; static bool s_is_broker = false; diff --git a/sandbox/win/src/sandbox_globals.cc b/sandbox/win/src/sandbox_globals.cc new file mode 100644 index 0000000000..b4ab523921 --- /dev/null +++ b/sandbox/win/src/sandbox_globals.cc @@ -0,0 +1,18 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include <windows.h> + +#include "sandbox/win/src/sandbox_nt_types.h" +#include "sandbox/win/src/sandbox_types.h" + +namespace sandbox { + +// The section for IPC and policy. +SANDBOX_INTERCEPT HANDLE g_shared_section = NULL; + +// This is the list of all imported symbols from ntdll.dll. +SANDBOX_INTERCEPT NtExports g_nt = {}; + +} // namespace sandbox diff --git a/sandbox/win/src/sandbox_nt_types.h b/sandbox/win/src/sandbox_nt_types.h index 1303ac2627..46820cfb9f 100644 --- a/sandbox/win/src/sandbox_nt_types.h +++ b/sandbox/win/src/sandbox_nt_types.h @@ -31,6 +31,7 @@ struct NtExports { _strnicmpFunction _strnicmp; strlenFunction strlen; wcslenFunction wcslen; + memcpyFunction memcpy; }; // This is the value used for the ntdll level allocator. diff --git a/sandbox/win/src/sandbox_nt_util.cc b/sandbox/win/src/sandbox_nt_util.cc index 7131461128..613d4859dd 100644 --- a/sandbox/win/src/sandbox_nt_util.cc +++ b/sandbox/win/src/sandbox_nt_util.cc @@ -11,7 +11,7 @@ namespace sandbox { // This is the list of all imported symbols from ntdll.dll. -SANDBOX_INTERCEPT NtExports g_nt = { NULL }; +SANDBOX_INTERCEPT NtExports g_nt; } // namespace sandbox @@ -208,15 +208,7 @@ bool ValidParameter(void* buffer, size_t size, RequiredAccess intent) { NTSTATUS CopyData(void* destination, const void* source, size_t bytes) { NTSTATUS ret = STATUS_SUCCESS; __try { - if (SandboxFactory::GetTargetServices()->GetState()->InitCalled()) { - memcpy(destination, source, bytes); - } else { - const char* from = reinterpret_cast<const char*>(source); - char* to = reinterpret_cast<char*>(destination); - for (size_t i = 0; i < bytes; i++) { - to[i] = from[i]; - } - } + g_nt.memcpy(destination, source, bytes); } __except(EXCEPTION_EXECUTE_HANDLER) { ret = GetExceptionCode(); } diff --git a/sandbox/win/src/sandbox_nt_util.h b/sandbox/win/src/sandbox_nt_util.h index e5d45fa2f2..7c543f2ac3 100644 --- a/sandbox/win/src/sandbox_nt_util.h +++ b/sandbox/win/src/sandbox_nt_util.h @@ -45,6 +45,8 @@ void __cdecl operator delete(void* memory, void* buffer, #define VERIFY_SUCCESS(action) (action) #endif +#define CHECK_NT(condition) { (condition) ? (void)0 : __debugbreak(); } + #define NOTREACHED_NT() DCHECK_NT(false) namespace sandbox { @@ -94,7 +96,6 @@ enum RequiredAccess { // write) bool ValidParameter(void* buffer, size_t size, RequiredAccess intent); - // Copies data from a user buffer to our buffer. Returns the operation status. NTSTATUS CopyData(void* destination, const void* source, size_t bytes); diff --git a/sandbox/win/src/sandbox_utils.cc b/sandbox/win/src/sandbox_utils.cc index f4511a4751..9c561c9eb9 100644 --- a/sandbox/win/src/sandbox_utils.cc +++ b/sandbox/win/src/sandbox_utils.cc @@ -28,11 +28,11 @@ void InitObjectAttribs(const std::wstring& name, if (!RtlInitUnicodeString) { HMODULE ntdll = ::GetModuleHandle(kNtdllName); RtlInitUnicodeString = reinterpret_cast<RtlInitUnicodeStringFunction>( - GetProcAddress(ntdll, "RtlInitUnicodeString")); + GetProcAddress(ntdll, "RtlInitUnicodeString")); DCHECK(RtlInitUnicodeString); } RtlInitUnicodeString(uni_name, name.c_str()); InitializeObjectAttributes(obj_attr, uni_name, attributes, root, NULL); } -}; // namespace sandbox +} // namespace sandbox diff --git a/sandbox/win/src/sandbox_utils.h b/sandbox/win/src/sandbox_utils.h index 78e76fbc73..9a906754f1 100644 --- a/sandbox/win/src/sandbox_utils.h +++ b/sandbox/win/src/sandbox_utils.h @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#ifndef SANDBOX_SRC_SANDBOX_UTILS_H__ -#define SANDBOX_SRC_SANDBOX_UTILS_H__ +#ifndef SANDBOX_SRC_SANDBOX_UTILS_H_ +#define SANDBOX_SRC_SANDBOX_UTILS_H_ #include <windows.h> #include <string> @@ -22,6 +22,6 @@ void InitObjectAttribs(const std::wstring& name, OBJECT_ATTRIBUTES* obj_attr, UNICODE_STRING* uni_name); -}; // namespace sandbox +} // namespace sandbox -#endif // SANDBOX_SRC_SANDBOX_UTILS_H__ +#endif // SANDBOX_SRC_SANDBOX_UTILS_H_ diff --git a/sandbox/win/src/service_resolver.cc b/sandbox/win/src/service_resolver.cc index bae698c457..92f21a7c2c 100644 --- a/sandbox/win/src/service_resolver.cc +++ b/sandbox/win/src/service_resolver.cc @@ -1,11 +1,12 @@ -// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "sandbox/win/src/service_resolver.h" -#include "base/logging.h" #include "base/win/pe_image.h" +#include "sandbox/win/src/internal_types.h" +#include "sandbox/win/src/sandbox_nt_util.h" namespace sandbox { @@ -24,7 +25,6 @@ NTSTATUS ServiceResolverThunk::ResolveInterceptor( NTSTATUS ServiceResolverThunk::ResolveTarget(const void* module, const char* function_name, void** address) { - DCHECK(address); if (NULL == module) return STATUS_UNSUCCESSFUL; @@ -32,11 +32,15 @@ NTSTATUS ServiceResolverThunk::ResolveTarget(const void* module, *address = module_image.GetProcAddress(function_name); if (NULL == *address) { - NOTREACHED(); + NOTREACHED_NT(); return STATUS_UNSUCCESSFUL; } return STATUS_SUCCESS; } +void ServiceResolverThunk::AllowLocalPatches() { + ntdll_base_ = ::GetModuleHandle(kNtdllName); +} + } // namespace sandbox diff --git a/sandbox/win/src/service_resolver.h b/sandbox/win/src/service_resolver.h index 3eb9e08381..0089692204 100644 --- a/sandbox/win/src/service_resolver.h +++ b/sandbox/win/src/service_resolver.h @@ -43,6 +43,9 @@ class ServiceResolverThunk : public ResolverThunk { // Implementation of Resolver::GetThunkSize. virtual size_t GetThunkSize() const; + // Call this to set up ntdll_base_ which will allow for local patches. + virtual void AllowLocalPatches(); + protected: // The unit test will use this member to allow local patch on a buffer. HMODULE ntdll_base_; diff --git a/sandbox/win/src/service_resolver_64.cc b/sandbox/win/src/service_resolver_64.cc index 32de53a43f..473ddbc7f1 100644 --- a/sandbox/win/src/service_resolver_64.cc +++ b/sandbox/win/src/service_resolver_64.cc @@ -4,8 +4,8 @@ #include "sandbox/win/src/service_resolver.h" -#include "base/logging.h" #include "base/memory/scoped_ptr.h" +#include "sandbox/win/src/sandbox_nt_util.h" #include "sandbox/win/src/win_utils.h" namespace { @@ -144,14 +144,14 @@ bool ServiceResolverThunk::IsFunctionAService(void* local_thunk) const { NTSTATUS ServiceResolverThunk::PerformPatch(void* local_thunk, void* remote_thunk) { - ServiceFullThunk* full_local_thunk = reinterpret_cast<ServiceFullThunk*>( - local_thunk); - ServiceFullThunk* full_remote_thunk = reinterpret_cast<ServiceFullThunk*>( - remote_thunk); + ServiceFullThunk* full_local_thunk = + reinterpret_cast<ServiceFullThunk*>(local_thunk); + ServiceFullThunk* full_remote_thunk = + reinterpret_cast<ServiceFullThunk*>(remote_thunk); // Patch the original code. ServiceEntry local_service; - DCHECK_GE(GetInternalThunkSize(), sizeof(local_service)); + DCHECK_NT(GetInternalThunkSize() >= sizeof(local_service)); if (!SetInternalThunk(&local_service, sizeof(local_service), NULL, interceptor_)) return STATUS_UNSUCCESSFUL; @@ -181,12 +181,12 @@ NTSTATUS ServiceResolverThunk::PerformPatch(void* local_thunk, } bool Wow64ResolverThunk::IsFunctionAService(void* local_thunk) const { - NOTREACHED(); + NOTREACHED_NT(); return false; } bool Win2kResolverThunk::IsFunctionAService(void* local_thunk) const { - NOTREACHED(); + NOTREACHED_NT(); return false; } diff --git a/sandbox/win/src/service_resolver_unittest.cc b/sandbox/win/src/service_resolver_unittest.cc index 59105cc49d..b01fedfbf0 100644 --- a/sandbox/win/src/service_resolver_unittest.cc +++ b/sandbox/win/src/service_resolver_unittest.cc @@ -44,7 +44,7 @@ class ResolverThunkTest : public T { EXPECT_EQ(STATUS_SUCCESS, ret); target_ = fake_target_; - ntdll_base_ = ::GetModuleHandle(L"ntdll.dll"); + return ret; }; @@ -108,6 +108,8 @@ NTSTATUS PatchNtdllWithResolver(const char* function, bool relaxed, scoped_ptr<char[]> thunk(new char[thunk_size]); size_t used; + resolver->AllowLocalPatches(); + NTSTATUS ret = resolver->Setup(ntdll_base, NULL, function, NULL, function_entry, thunk.get(), thunk_size, &used); @@ -224,4 +226,41 @@ TEST(ServiceResolverTest, MultiplePatchedServices) { #endif } +TEST(ServiceResolverTest, LocalPatchesAllowed) { + sandbox::ServiceResolverThunk* resolver = GetTestResolver(true); + + HMODULE ntdll_base = ::GetModuleHandle(L"ntdll.dll"); + ASSERT_TRUE(NULL != ntdll_base); + + const char kFunctionName[] = "NtClose"; + + void* target = ::GetProcAddress(ntdll_base, kFunctionName); + ASSERT_TRUE(NULL != target); + + BYTE service[50]; + memcpy(service, target, sizeof(service)); + static_cast<WinXpResolverTest*>(resolver)->set_target(service); + + // Any pointer will do as an interception_entry_point + void* function_entry = resolver; + size_t thunk_size = resolver->GetThunkSize(); + scoped_ptr<char[]> thunk(new char[thunk_size]); + size_t used; + + NTSTATUS ret = STATUS_UNSUCCESSFUL; + + // First try patching without having allowed local patches. + ret = resolver->Setup(ntdll_base, NULL, kFunctionName, NULL, + function_entry, thunk.get(), thunk_size, + &used); + EXPECT_FALSE(NT_SUCCESS(ret)); + + // Now allow local patches and check that things work. + resolver->AllowLocalPatches(); + ret = resolver->Setup(ntdll_base, NULL, kFunctionName, NULL, + function_entry, thunk.get(), thunk_size, + &used); + EXPECT_EQ(STATUS_SUCCESS, ret); +} + } // namespace diff --git a/sandbox/win/src/win_utils.cc b/sandbox/win/src/win_utils.cc index f5c479a35a..cb366a6e75 100644 --- a/sandbox/win/src/win_utils.cc +++ b/sandbox/win/src/win_utils.cc @@ -6,10 +6,10 @@ #include <map> -#include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "sandbox/win/src/internal_types.h" #include "sandbox/win/src/nt_internals.h" +#include "sandbox/win/src/sandbox_nt_util.h" namespace { @@ -104,7 +104,7 @@ DWORD IsReparsePoint(const std::wstring& full_path, bool* result) { error != ERROR_PATH_NOT_FOUND && error != ERROR_INVALID_NAME) { // Unexpected error. - NOTREACHED(); + NOTREACHED_NT(); return error; } } else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) { @@ -124,7 +124,7 @@ DWORD IsReparsePoint(const std::wstring& full_path, bool* result) { // we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar. bool SameObject(HANDLE handle, const wchar_t* full_path) { std::wstring path(full_path); - DCHECK(!path.empty()); + DCHECK_NT(!path.empty()); // Check if it's a pipe. if (IsPipe(path)) @@ -319,5 +319,5 @@ void ResolveNTFunctionPtr(const char* name, void* ptr) { *function_ptr = ::GetProcAddress(ntdll, name); } - CHECK(*function_ptr); + CHECK_NT(*function_ptr); } |