// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
// Some headers on Android are missing cdefs: crbug.com/172337.
// (We can't use OS_ANDROID here since build_config.h is not included).
#if defined(ANDROID)
#include <sys/cdefs.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
#include "base/compiler_specific.h"
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
#include "base/posix/eintr_wrapper.h"
#include "sandbox/linux/seccomp-bpf/codegen.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
#include "sandbox/linux/seccomp-bpf/syscall.h"
#include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
#include "sandbox/linux/seccomp-bpf/verifier.h"
namespace sandbox {
namespace {
const int kExpectedExitCode = 100;
int popcount(uint32_t x) {
return __builtin_popcount(x);
}
#if !defined(NDEBUG)
void WriteFailedStderrSetupMessage(int out_fd) {
const char* error_string = strerror(errno);
static const char msg[] =
"You have reproduced a puzzling issue.\n"
"Please, report to crbug.com/152530!\n"
"Failed to set up stderr: ";
if (HANDLE_EINTR(write(out_fd, msg, sizeof(msg) - 1)) > 0 && error_string &&
HANDLE_EINTR(write(out_fd, error_string, strlen(error_string))) > 0 &&
HANDLE_EINTR(write(out_fd, "\n", 1))) {
}
}
#endif // !defined(NDEBUG)
// We define a really simple sandbox policy. It is just good enough for us
// to tell that the sandbox has actually been activated.
ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) __attribute__((const));
ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) {
switch (sysnum) {
case __NR_getpid:
// Return EPERM so that we can check that the filter actually ran.
return ErrorCode(EPERM);
case __NR_exit_group:
// Allow exit() with a non-default return code.
return ErrorCode(ErrorCode::ERR_ALLOWED);
default:
// Make everything else fail in an easily recognizable way.
return ErrorCode(EINVAL);
}
}
void ProbeProcess(void) {
if (syscall(__NR_getpid) < 0 && errno == EPERM) {
syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
}
}
ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) {
if (!SandboxBPF::IsValidSyscallNumber(sysnum)) {
return ErrorCode(ENOSYS);
}
return ErrorCode(ErrorCode::ERR_ALLOWED);
}
void TryVsyscallProcess(void) {
time_t current_time;
// time() is implemented as a vsyscall. With an older glibc, with
// vsyscall=emulate and some versions of the seccomp BPF patch
// we may get SIGKILL-ed. Detect this!
if (time(¤t_time) != static_cast<time_t>(-1)) {
syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
}
}
bool IsSingleThreaded(int proc_fd) {
if (proc_fd < 0) {
// Cannot determine whether program is single-threaded. Hope for
// the best...
return true;
}
struct stat sb;
int task = -1;
if ((task = openat(proc_fd, "self/task", O_RDONLY | O_DIRECTORY)) < 0 ||
fstat(task, &sb) != 0 || sb.st_nlink != 3 || IGNORE_EINTR(close(task))) {
if (task >= 0) {
if (IGNORE_EINTR(close(task))) {
}
}
return false;
}
return true;
}
bool IsDenied(const ErrorCode& code) {
return (code.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP ||
(code.err() >= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MIN_ERRNO) &&
code.err() <= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MAX_ERRNO));
}
// Function that can be passed as a callback function to CodeGen::Traverse().
// Checks whether the "insn" returns an UnsafeTrap() ErrorCode. If so, it
// sets the "bool" variable pointed to by "aux".
void CheckForUnsafeErrorCodes(Instruction* insn, void* aux) {
bool* is_unsafe = static_cast<bool*>(aux);
if (!*is_unsafe) {
if (BPF_CLASS(insn->code) == BPF_RET && insn->k > SECCOMP_RET_TRAP &&
insn->k - SECCOMP_RET_TRAP <= SECCOMP_RET_DATA) {
const ErrorCode& err =
Trap::ErrorCodeFromTrapId(insn->k & SECCOMP_RET_DATA);
if (err.error_type() != ErrorCode::ET_INVALID && !err.safe()) {
*is_unsafe = true;
}
}
}
}
// A Trap() handler that returns an "errno" value. The value is encoded
// in the "aux" parameter.
intptr_t ReturnErrno(const struct arch_seccomp_data&, void* aux) {
// TrapFnc functions report error by following the native kernel convention
// of returning an exit code in the range of -1..-4096. They do not try to
// set errno themselves. The glibc wrapper that triggered the SIGSYS will
// ultimately do so for us.
int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
return -err;
}
// Function that can be passed as a callback function to CodeGen::Traverse().
// Checks whether the "insn" returns an errno value from a BPF filter. If so,
// it rewrites the instruction to instead call a Trap() handler that does
// the same thing. "aux" is ignored.
void RedirectToUserspace(Instruction* insn, void* aux) {
// When inside an UnsafeTrap() callback, we want to allow all system calls.
// This means, we must conditionally disable the sandbox -- and that's not
// something that kernel-side BPF filters can do, as they cannot inspect
// any state other than the syscall arguments.
// But if we redirect all error handlers to user-space, then we can easily
// make this decision.
// The performance penalty for this extra round-trip to user-space is not
// actually that bad, as we only ever pay it for denied system calls; and a
// typical program has very few of these.
SandboxBPF* sandbox = static_cast<SandboxBPF*>(aux);
if (BPF_CLASS(insn->code) == BPF_RET &&
(insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
insn->k = sandbox->Trap(ReturnErrno,
reinterpret_cast<void*>(insn->k & SECCOMP_RET_DATA)).err();
}
}
// This wraps an existing policy and changes its behavior to match the changes
// made by RedirectToUserspace(). This is part of the framework that allows BPF
// evaluation in userland.
// TODO(markus): document the code inside better.
class RedirectToUserSpacePolicyWrapper : public SandboxBPFPolicy {
public:
explicit RedirectToUserSpacePolicyWrapper(
const SandboxBPFPolicy* wrapped_policy)
: wrapped_policy_(wrapped_policy) {
DCHECK(wrapped_policy_);
}
virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
int system_call_number) const OVERRIDE {
ErrorCode err =
wrapped_policy_->EvaluateSyscall(sandbox_compiler, system_call_number);
if ((err.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
return sandbox_compiler->Trap(
ReturnErrno, reinterpret_cast<void*>(err.err() & SECCOMP_RET_DATA));
}
return err;
}
private:
const SandboxBPFPolicy* wrapped_policy_;
DISALLOW_COPY_AND_ASSIGN(RedirectToUserSpacePolicyWrapper);
};
intptr_t BPFFailure(const struct arch_seccomp_data&, void* aux) {
SANDBOX_DIE(static_cast<char*>(aux));
}
// This class allows compatibility with the old, deprecated SetSandboxPolicy.
class CompatibilityPolicy : public SandboxBPFPolicy {
public:
CompatibilityPolicy(SandboxBPF::EvaluateSyscall syscall_evaluator, void* aux)
: syscall_evaluator_(syscall_evaluator), aux_(aux) {
DCHECK(syscall_evaluator_);
}
virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
int system_call_number) const OVERRIDE {
return syscall_evaluator_(sandbox_compiler, system_call_number, aux_);
}
private:
SandboxBPF::EvaluateSyscall syscall_evaluator_;
void* aux_;
DISALLOW_COPY_AND_ASSIGN(CompatibilityPolicy);
};
} // namespace
SandboxBPF::SandboxBPF()
: quiet_(false),
proc_fd_(-1),
conds_(new Conds),
sandbox_has_started_(false) {}
SandboxBPF::~SandboxBPF() {
// It is generally unsafe to call any memory allocator operations or to even
// call arbitrary destructors after having installed a new policy. We just
// have no way to tell whether this policy would allow the system calls that
// the constructors can trigger.
// So, we normally destroy all of our complex state prior to starting the
// sandbox. But this won't happen, if the Sandbox object was created and
// never actually used to set up a sandbox. So, just in case, we are
// destroying any remaining state.
// The "if ()" statements are technically superfluous. But let's be explicit
// that we really don't want to run any code, when we already destroyed
// objects before setting up the sandbox.
if (conds_) {
delete conds_;
}
}
bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
return SyscallIterator::IsValid(sysnum);
}
bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
EvaluateSyscall syscall_evaluator,
void* aux) {
// Block all signals before forking a child process. This prevents an
// attacker from manipulating our test by sending us an unexpected signal.
sigset_t old_mask, new_mask;
if (sigfillset(&new_mask) || sigprocmask(SIG_BLOCK, &new_mask, &old_mask)) {
SANDBOX_DIE("sigprocmask() failed");
}
int fds[2];
if (pipe2(fds, O_NONBLOCK | O_CLOEXEC)) {
SANDBOX_DIE("pipe() failed");
}
if (fds[0] <= 2 || fds[1] <= 2) {
SANDBOX_DIE("Process started without standard file descriptors");
}
// This code is using fork() and should only ever run single-threaded.
// Most of the code below is "async-signal-safe" and only minor changes
// would be needed to support threads.
DCHECK(IsSingleThreaded(proc_fd_));
pid_t pid = fork();
if (pid < 0) {
// Die if we cannot fork(). We would probably fail a little later
// anyway, as the machine is likely very close to running out of
// memory.
// But what we don't want to do is return "false", as a crafty
// attacker might cause fork() to fail at will and could trick us
// into running without a sandbox.
sigprocmask(SIG_SETMASK, &old_mask, NULL); // OK, if it fails
SANDBOX_DIE("fork() failed unexpectedly");
}
// In the child process
if (!pid) {
// Test a very simple sandbox policy to verify that we can
// successfully turn on sandboxing.
Die::EnableSimpleExit();
errno = 0;
if (IGNORE_EINTR(close(fds[0]))) {
// This call to close() has been failing in strange ways. See
// crbug.com/152530. So we only fail in debug mode now.
#if !defined(NDEBUG)
WriteFailedStderrSetupMessage(fds[1]);
SANDBOX_DIE(NULL);
#endif
}
if (HANDLE_EINTR(dup2(fds[1], 2)) != 2) {
// Stderr could very well be a file descriptor to .xsession-errors, or
// another file, which could be backed by a file system that could cause
// dup2 to fail while trying to close stderr. It's important that we do
// not fail on trying to close stderr.
// If dup2 fails here, we will continue normally, this means that our
// parent won't cause a fatal failure if something writes to stderr in
// this child.
#if !defined(NDEBUG)
// In DEBUG builds, we still want to get a report.
WriteFailedStderrSetupMessage(fds[1]);
SANDBOX_DIE(NULL);
#endif
}
if (IGNORE_EINTR(close(fds[1]))) {
// This call to close() has been failing in strange ways. See
// crbug.com/152530. So we only fail in debug mode now.
#if !defined(NDEBUG)
WriteFailedStderrSetupMessage(fds[1]);
SANDBOX_DIE(NULL);
#endif
}
SetSandboxPolicyDeprecated(syscall_evaluator, aux);
StartSandbox();
// Run our code in the sandbox.
code_in_sandbox();
// code_in_sandbox() is not supposed to return here.
SANDBOX_DIE(NULL);
}
// In the parent process.
if (IGNORE_EINTR(close(fds[1]))) {
SANDBOX_DIE("close() failed");
}
if (sigprocmask(SIG_SETMASK, &old_mask, NULL)) {
SANDBOX_DIE("sigprocmask() failed");
}
int status;
if (HANDLE_EINTR(waitpid(pid, &status, 0)) != pid) {
SANDBOX_DIE("waitpid() failed unexpectedly");
}
bool rc = WIFEXITED(status) && WEXITSTATUS(status) == kExpectedExitCode;
// If we fail to support sandboxing, there might be an additional
// error message. If so, this was an entirely unexpected and fatal
// failure. We should report the failure and somebody must fix
// things. This is probably a security-critical bug in the sandboxing
// code.
if (!rc) {
char buf[4096];
ssize_t len = HANDLE_EINTR(read(fds[0], buf, sizeof(buf) - 1));
if (len > 0) {
while (len > 1 && buf[len - 1] == '\n') {
--len;
}
buf[len] = '\000';
SANDBOX_DIE(buf);
}
}
if (IGNORE_EINTR(close(fds[0]))) {
SANDBOX_DIE("close() failed");
}
return rc;
}
bool SandboxBPF::KernelSupportSeccompBPF() {
return RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) &&
RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0);
}
SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
// It the sandbox is currently active, we clearly must have support for
// sandboxing.
if (status_ == STATUS_ENABLED) {
return status_;
}
// Even if the sandbox was previously available, something might have
// changed in our run-time environment. Check one more time.
if (status_ == STATUS_AVAILABLE) {
if (!IsSingleThreaded(proc_fd)) {
status_ = STATUS_UNAVAILABLE;
}
return status_;
}
if (status_ == STATUS_UNAVAILABLE && IsSingleThreaded(proc_fd)) {
// All state transitions resulting in STATUS_UNAVAILABLE are immediately
// preceded by STATUS_AVAILABLE. Furthermore, these transitions all
// happen, if and only if they are triggered by the process being multi-
// threaded.
// In other words, if a single-threaded process is currently in the
// STATUS_UNAVAILABLE state, it is safe to assume that sandboxing is
// actually available.
status_ = STATUS_AVAILABLE;
return status_;
}
// If we have not previously checked for availability of the sandbox or if
// we otherwise don't believe to have a good cached value, we have to
// perform a thorough check now.
if (status_ == STATUS_UNKNOWN) {
// We create our own private copy of a "Sandbox" object. This ensures that
// the object does not have any policies configured, that might interfere
// with the tests done by "KernelSupportSeccompBPF()".
SandboxBPF sandbox;
// By setting "quiet_ = true" we suppress messages for expected and benign
// failures (e.g. if the current kernel lacks support for BPF filters).
sandbox.quiet_ = true;
sandbox.set_proc_fd(proc_fd);
status_ = sandbox.KernelSupportSeccompBPF() ? STATUS_AVAILABLE
: STATUS_UNSUPPORTED;
// As we are performing our tests from a child process, the run-time
// environment that is visible to the sandbox is always guaranteed to be
// single-threaded. Let's check here whether the caller is single-
// threaded. Otherwise, we mark the sandbox as temporarily unavailable.
if (status_ == STATUS_AVAILABLE && !IsSingleThreaded(proc_fd)) {
status_ = STATUS_UNAVAILABLE;
}
}
return status_;
}
void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
void SandboxBPF::StartSandbox() {
if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
SANDBOX_DIE(
"Trying to start sandbox, even though it is known to be "
"unavailable");
} else if (sandbox_has_started_ || !conds_) {
SANDBOX_DIE(
"Cannot repeatedly start sandbox. Create a separate Sandbox "
"object instead.");
}
if (proc_fd_ < 0) {
proc_fd_ = open("/proc", O_RDONLY | O_DIRECTORY);
}
if (proc_fd_ < 0) {
// For now, continue in degraded mode, if we can't access /proc.
// In the future, we might want to tighten this requirement.
}
if (!IsSingleThreaded(proc_fd_)) {
SANDBOX_DIE("Cannot start sandbox, if process is already multi-threaded");
}
// We no longer need access to any files in /proc. We want to do this
// before installing the filters, just in case that our policy denies
// close().
if (proc_fd_ >= 0) {
if (IGNORE_EINTR(close(proc_fd_))) {
SANDBOX_DIE("Failed to close file descriptor for /proc");
}
proc_fd_ = -1;
}
// Install the filters.
InstallFilter();
// We are now inside the sandbox.
status_ = STATUS_ENABLED;
}
void SandboxBPF::PolicySanityChecks(SandboxBPFPolicy* policy) {
for (SyscallIterator iter(true); !iter.Done();) {
uint32_t sysnum = iter.Next();
if (!IsDenied(policy->EvaluateSyscall(this, sysnum))) {
SANDBOX_DIE(
"Policies should deny system calls that are outside the "
"expected range (typically MIN_SYSCALL..MAX_SYSCALL)");
}
}
return;
}
// Deprecated API, supported with a wrapper to the new API.
void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
void* aux) {
if (sandbox_has_started_ || !conds_) {
SANDBOX_DIE("Cannot change policy after sandbox has started");
}
SetSandboxPolicy(new CompatibilityPolicy(syscall_evaluator, aux));
}
// Don't take a scoped_ptr here, polymorphism make their use awkward.
void SandboxBPF::SetSandboxPolicy(SandboxBPFPolicy* policy) {
DCHECK(!policy_);
if (sandbox_has_started_ || !conds_) {
SANDBOX_DIE("Cannot change policy after sandbox has started");
}
PolicySanityChecks(policy);
policy_.reset(policy);
}
void SandboxBPF::InstallFilter() {
// We want to be very careful in not imposing any requirements on the
// policies that are set with SetSandboxPolicy(). This means, as soon as
// the sandbox is active, we shouldn't be relying on libraries that could
// be making system calls. This, for example, means we should avoid
// using the heap and we should avoid using STL functions.
// Temporarily copy the contents of the "program" vector into a
// stack-allocated array; and then explicitly destroy that object.
// This makes sure we don't ex- or implicitly call new/delete after we
// installed the BPF filter program in the kernel. Depending on the
// system memory allocator that is in effect, these operators can result
// in system calls to things like munmap() or brk().
Program* program = AssembleFilter(false /* force_verification */);
struct sock_filter bpf[program->size()];
const struct sock_fprog prog = {static_cast<unsigned short>(program->size()),
bpf};
memcpy(bpf, &(*program)[0], sizeof(bpf));
delete program;
// Make an attempt to release memory that is no longer needed here, rather
// than in the destructor. Try to avoid as much as possible to presume of
// what will be possible to do in the new (sandboxed) execution environment.
delete conds_;
conds_ = NULL;
policy_.reset();
// Install BPF filter program
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to enable no-new-privs");
} else {
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to turn on BPF filters");
}
}
sandbox_has_started_ = true;
return;
}
SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) {
#if !defined(NDEBUG)
force_verification = true;
#endif
// Verify that the user pushed a policy.
DCHECK(policy_);
// Assemble the BPF filter program.
CodeGen* gen = new CodeGen();
if (!gen) {
SANDBOX_DIE("Out of memory");
}
// If the architecture doesn't match SECCOMP_ARCH, disallow the
// system call.
Instruction* tail;
Instruction* head = gen->MakeInstruction(
BPF_LD + BPF_W + BPF_ABS,
SECCOMP_ARCH_IDX,
tail = gen->MakeInstruction(
BPF_JMP + BPF_JEQ + BPF_K,
SECCOMP_ARCH,
NULL,
gen->MakeInstruction(
BPF_RET + BPF_K,
Kill("Invalid audit architecture in BPF filter"))));
bool has_unsafe_traps = false;
{
// Evaluate all possible system calls and group their ErrorCodes into
// ranges of identical codes.
Ranges ranges;
FindRanges(&ranges);
// Compile the system call ranges to an optimized BPF jumptable
Instruction* jumptable =
AssembleJumpTable(gen, ranges.begin(), ranges.end());
// If there is at least one UnsafeTrap() in our program, the entire sandbox
// is unsafe. We need to modify the program so that all non-
// SECCOMP_RET_ALLOW ErrorCodes are handled in user-space. This will then
// allow us to temporarily disable sandboxing rules inside of callbacks to
// UnsafeTrap().
gen->Traverse(jumptable, CheckForUnsafeErrorCodes, &has_unsafe_traps);
// Grab the system call number, so that we can implement jump tables.
Instruction* load_nr =
gen->MakeInstruction(BPF_LD + BPF_W + BPF_ABS, SECCOMP_NR_IDX);
// If our BPF program has unsafe jumps, enable support for them. This
// test happens very early in the BPF filter program. Even before we
// consider looking at system call numbers.
// As support for unsafe jumps essentially defeats all the security
// measures that the sandbox provides, we print a big warning message --
// and of course, we make sure to only ever enable this feature if it
// is actually requested by the sandbox policy.
if (has_unsafe_traps) {
if (SandboxSyscall(-1) == -1 && errno == ENOSYS) {
SANDBOX_DIE(
"Support for UnsafeTrap() has not yet been ported to this "
"architecture");
}
if (!policy_->EvaluateSyscall(this, __NR_rt_sigprocmask)
.Equals(ErrorCode(ErrorCode::ERR_ALLOWED)) ||
!policy_->EvaluateSyscall(this, __NR_rt_sigreturn)
.Equals(ErrorCode(ErrorCode::ERR_ALLOWED))
#if defined(__NR_sigprocmask)
||
!policy_->EvaluateSyscall(this, __NR_sigprocmask)
.Equals(ErrorCode(ErrorCode::ERR_ALLOWED))
#endif
#if defined(__NR_sigreturn)
||
!policy_->EvaluateSyscall(this, __NR_sigreturn)
.Equals(ErrorCode(ErrorCode::ERR_ALLOWED))
#endif
) {
SANDBOX_DIE(
"Invalid seccomp policy; if using UnsafeTrap(), you must "
"unconditionally allow sigreturn() and sigprocmask()");
}
if (!Trap::EnableUnsafeTrapsInSigSysHandler()) {
// We should never be able to get here, as UnsafeTrap() should never
// actually return a valid ErrorCode object unless the user set the
// CHROME_SANDBOX_DEBUGGING environment variable; and therefore,
// "has_unsafe_traps" would always be false. But better double-check
// than enabling dangerous code.
SANDBOX_DIE("We'd rather die than enable unsafe traps");
}
gen->Traverse(jumptable, RedirectToUserspace, this);
// Allow system calls, if they originate from our magic return address
// (which we can query by calling SandboxSyscall(-1)).
uintptr_t syscall_entry_point =
static_cast<uintptr_t>(SandboxSyscall(-1));
uint32_t low = static_cast<uint32_t>(syscall_entry_point);
#if __SIZEOF_POINTER__ > 4
uint32_t hi = static_cast<uint32_t>(syscall_entry_point >> 32);
#endif
// BPF cannot do native 64bit comparisons. On 64bit architectures, we
// have to compare both 32bit halves of the instruction pointer. If they
// match what we expect, we return ERR_ALLOWED. If either or both don't
// match, we continue evalutating the rest of the sandbox policy.
Instruction* escape_hatch = gen->MakeInstruction(
BPF_LD + BPF_W + BPF_ABS,
SECCOMP_IP_LSB_IDX,
gen->MakeInstruction(
BPF_JMP + BPF_JEQ + BPF_K,
low,
#if __SIZEOF_POINTER__ > 4
gen->MakeInstruction(
BPF_LD + BPF_W + BPF_ABS,
SECCOMP_IP_MSB_IDX,
gen->MakeInstruction(
BPF_JMP + BPF_JEQ + BPF_K,
hi,
#endif
gen->MakeInstruction(BPF_RET + BPF_K,
ErrorCode(ErrorCode::ERR_ALLOWED)),
#if __SIZEOF_POINTER__ > 4
load_nr)),
#endif
load_nr));
gen->JoinInstructions(tail, escape_hatch);
} else {
gen->JoinInstructions(tail, load_nr);
}
tail = load_nr;
// On Intel architectures, verify that system call numbers are in the
// expected number range. The older i386 and x86-64 APIs clear bit 30
// on all system calls. The newer x32 API always sets bit 30.
#if defined(__i386__) || defined(__x86_64__)
Instruction* invalidX32 = gen->MakeInstruction(
BPF_RET + BPF_K, Kill("Illegal mixing of system call ABIs").err_);
Instruction* checkX32 =
#if defined(__x86_64__) && defined(__ILP32__)
gen->MakeInstruction(
BPF_JMP + BPF_JSET + BPF_K, 0x40000000, 0, invalidX32);
#else
gen->MakeInstruction(
BPF_JMP + BPF_JSET + BPF_K, 0x40000000, invalidX32, 0);
#endif
gen->JoinInstructions(tail, checkX32);
tail = checkX32;
#endif
// Append jump table to our pre-amble
gen->JoinInstructions(tail, jumptable);
}
// Turn the DAG into a vector of instructions.
Program* program = new Program();
gen->Compile(head, program);
delete gen;
// Make sure compilation resulted in BPF program that executes
// correctly. Otherwise, there is an internal error in our BPF compiler.
// There is really nothing the caller can do until the bug is fixed.
if (force_verification) {
// Verification is expensive. We only perform this step, if we are
// compiled in debug mode, or if the caller explicitly requested
// verification.
VerifyProgram(*program, has_unsafe_traps);
}
return program;
}
void SandboxBPF::VerifyProgram(const Program& program, bool has_unsafe_traps) {
// If we previously rewrote the BPF program so that it calls user-space
// whenever we return an "errno" value from the filter, then we have to
// wrap our system call evaluator to perform the same operation. Otherwise,
// the verifier would also report a mismatch in return codes.
scoped_ptr<const RedirectToUserSpacePolicyWrapper> redirected_policy(
new RedirectToUserSpacePolicyWrapper(policy_.get()));
const char* err = NULL;
if (!Verifier::VerifyBPF(this,
program,
has_unsafe_traps ? *redirected_policy : *policy_,
&err)) {
CodeGen::PrintProgram(program);
SANDBOX_DIE(err);
}
}
void SandboxBPF::FindRanges(Ranges* ranges) {
// Please note that "struct seccomp_data" defines system calls as a signed
// int32_t, but BPF instructions always operate on unsigned quantities. We
// deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
// and then verifying that the rest of the number range (both positive and
// negative) all return the same ErrorCode.
uint32_t old_sysnum = 0;
ErrorCode old_err = policy_->EvaluateSyscall(this, old_sysnum);
ErrorCode invalid_err = policy_->EvaluateSyscall(this, MIN_SYSCALL - 1);
for (SyscallIterator iter(false); !iter.Done();) {
uint32_t sysnum = iter.Next();
ErrorCode err = policy_->EvaluateSyscall(this, static_cast<int>(sysnum));
if (!iter.IsValid(sysnum) && !invalid_err.Equals(err)) {
// A proper sandbox policy should always treat system calls outside of
// the range MIN_SYSCALL..MAX_SYSCALL (i.e. anything that returns
// "false" for SyscallIterator::IsValid()) identically. Typically, all
// of these system calls would be denied with the same ErrorCode.
SANDBOX_DIE("Invalid seccomp policy");
}
if (!err.Equals(old_err) || iter.Done()) {
ranges->push_back(Range(old_sysnum, sysnum - 1, old_err));
old_sysnum = sysnum;
old_err = err;
}
}
}
Instruction* SandboxBPF::AssembleJumpTable(CodeGen* gen,
Ranges::const_iterator start,
Ranges::const_iterator stop) {
// We convert the list of system call ranges into jump table that performs
// a binary search over the ranges.
// As a sanity check, we need to have at least one distinct ranges for us
// to be able to build a jump table.
if (stop - start <= 0) {
SANDBOX_DIE("Invalid set of system call ranges");
} else if (stop - start == 1) {
// If we have narrowed things down to a single range object, we can
// return from the BPF filter program.
return RetExpression(gen, start->err);
}
// Pick the range object that is located at the mid point of our list.
// We compare our system call number against the lowest valid system call
// number in this range object. If our number is lower, it is outside of
// this range object. If it is greater or equal, it might be inside.
Ranges::const_iterator mid = start + (stop - start) / 2;
// Sub-divide the list of ranges and continue recursively.
Instruction* jf = AssembleJumpTable(gen, start, mid);
Instruction* jt = AssembleJumpTable(gen, mid, stop);
return gen->MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
}
Instruction* SandboxBPF::RetExpression(CodeGen* gen, const ErrorCode& err) {
if (err.error_type_ == ErrorCode::ET_COND) {
return CondExpression(gen, err);
} else {
return gen->MakeInstruction(BPF_RET + BPF_K, err);
}
}
Instruction* SandboxBPF::CondExpression(CodeGen* gen, const ErrorCode& cond) {
// We can only inspect the six system call arguments that are passed in
// CPU registers.
if (cond.argno_ < 0 || cond.argno_ >= 6) {
SANDBOX_DIE(
"Internal compiler error; invalid argument number "
"encountered");
}
// BPF programs operate on 32bit entities. Load both halfs of the 64bit
// system call argument and then generate suitable conditional statements.
Instruction* msb_head = gen->MakeInstruction(
BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARG_MSB_IDX(cond.argno_));
Instruction* msb_tail = msb_head;
Instruction* lsb_head = gen->MakeInstruction(
BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARG_LSB_IDX(cond.argno_));
Instruction* lsb_tail = lsb_head;
// Emit a suitable comparison statement.
switch (cond.op_) {
case ErrorCode::OP_EQUAL:
// Compare the least significant bits for equality
lsb_tail = gen->MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K,
static_cast<uint32_t>(cond.value_),
RetExpression(gen, *cond.passed_),
RetExpression(gen, *cond.failed_));
gen->JoinInstructions(lsb_head, lsb_tail);
// If we are looking at a 64bit argument, we need to also compare the
// most significant bits.
if (cond.width_ == ErrorCode::TP_64BIT) {
msb_tail =
gen->MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K,
static_cast<uint32_t>(cond.value_ >> 32),
lsb_head,
RetExpression(gen, *cond.failed_));
gen->JoinInstructions(msb_head, msb_tail);
}
break;
case ErrorCode::OP_HAS_ALL_BITS:
// Check the bits in the LSB half of the system call argument. Our
// OP_HAS_ALL_BITS operator passes, iff all of the bits are set. This is
// different from the kernel's BPF_JSET operation which passes, if any of
// the bits are set.
// Of course, if there is only a single set bit (or none at all), then
// things get easier.
{
uint32_t lsb_bits = static_cast<uint32_t>(cond.value_);
int lsb_bit_count = popcount(lsb_bits);
if (lsb_bit_count == 0) {
// No bits are set in the LSB half. The test will always pass.
lsb_head = RetExpression(gen, *cond.passed_);
lsb_tail = NULL;
} else if (lsb_bit_count == 1) {
// Exactly one bit is set in the LSB half. We can use the BPF_JSET
// operator.
lsb_tail = gen->MakeInstruction(BPF_JMP + BPF_JSET + BPF_K,
lsb_bits,
RetExpression(gen, *cond.passed_),
RetExpression(gen, *cond.failed_));
gen->JoinInstructions(lsb_head, lsb_tail);
} else {
// More than one bit is set in the LSB half. We need to combine
// BPF_AND and BPF_JEQ to test whether all of these bits are in fact
// set in the system call argument.
gen->JoinInstructions(
lsb_head,
gen->MakeInstruction(BPF_ALU + BPF_AND + BPF_K,
lsb_bits,
lsb_tail = gen->MakeInstruction(
BPF_JMP + BPF_JEQ + BPF_K,
lsb_bits,
RetExpression(gen, *cond.passed_),
RetExpression(gen, *cond.failed_))));
}
}
// If we are looking at a 64bit argument, we need to also check the bits
// in the MSB half of the system call argument.
if (cond.width_ == ErrorCode::TP_64BIT) {
uint32_t msb_bits = static_cast<uint32_t>(cond.value_ >> 32);
int msb_bit_count = popcount(msb_bits);
if (msb_bit_count == 0) {
// No bits are set in the MSB half. The test will always pass.
msb_head = lsb_head;
} else if (msb_bit_count == 1) {
// Exactly one bit is set in the MSB half. We can use the BPF_JSET
// operator.
msb_tail = gen->MakeInstruction(BPF_JMP + BPF_JSET + BPF_K,
msb_bits,
lsb_head,
RetExpression(gen, *cond.failed_));
gen->JoinInstructions(msb_head, msb_tail);
} else {
// More than one bit is set in the MSB half. We need to combine
// BPF_AND and BPF_JEQ to test whether all of these bits are in fact
// set in the system call argument.
gen->JoinInstructions(
msb_head,
gen->MakeInstruction(
BPF_ALU + BPF_AND + BPF_K,
msb_bits,
gen->MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K,
msb_bits,
lsb_head,
RetExpression(gen, *cond.failed_))));
}
}
break;
case ErrorCode::OP_HAS_ANY_BITS:
// Check the bits in the LSB half of the system call argument. Our
// OP_HAS_ANY_BITS operator passes, iff any of the bits are set. This maps
// nicely to the kernel's BPF_JSET operation.
{
uint32_t lsb_bits = static_cast<uint32_t>(cond.value_);
if (!lsb_bits) {
// No bits are set in the LSB half. The test will always fail.
lsb_head = RetExpression(gen, *cond.failed_);
lsb_tail = NULL;
} else {
lsb_tail = gen->MakeInstruction(BPF_JMP + BPF_JSET + BPF_K,
lsb_bits,
RetExpression(gen, *cond.passed_),
RetExpression(gen, *cond.failed_));
gen->JoinInstructions(lsb_head, lsb_tail);
}
}
// If we are looking at a 64bit argument, we need to also check the bits
// in the MSB half of the system call argument.
if (cond.width_ == ErrorCode::TP_64BIT) {
uint32_t msb_bits = static_cast<uint32_t>(cond.value_ >> 32);
if (!msb_bits) {
// No bits are set in the MSB half. The test will always fail.
msb_head = lsb_head;
} else {
msb_tail = gen->MakeInstruction(BPF_JMP + BPF_JSET + BPF_K,
msb_bits,
RetExpression(gen, *cond.passed_),
lsb_head);
gen->JoinInstructions(msb_head, msb_tail);
}
}
break;
default:
// TODO(markus): Need to add support for OP_GREATER
SANDBOX_DIE("Not implemented");
break;
}
// Ensure that we never pass a 64bit value, when we only expect a 32bit
// value. This is somewhat complicated by the fact that on 64bit systems,
// callers could legitimately pass in a non-zero value in the MSB, iff the
// LSB has been sign-extended into the MSB.
if (cond.width_ == ErrorCode::TP_32BIT) {
if (cond.value_ >> 32) {
SANDBOX_DIE(
"Invalid comparison of a 32bit system call argument "
"against a 64bit constant; this test is always false.");
}
Instruction* invalid_64bit = RetExpression(gen, Unexpected64bitArgument());
#if __SIZEOF_POINTER__ > 4
invalid_64bit = gen->MakeInstruction(
BPF_JMP + BPF_JEQ + BPF_K,
0xFFFFFFFF,
gen->MakeInstruction(BPF_LD + BPF_W + BPF_ABS,
SECCOMP_ARG_LSB_IDX(cond.argno_),
gen->MakeInstruction(BPF_JMP + BPF_JGE + BPF_K,
0x80000000,
lsb_head,
invalid_64bit)),
invalid_64bit);
#endif
gen->JoinInstructions(
msb_tail,
gen->MakeInstruction(
BPF_JMP + BPF_JEQ + BPF_K, 0, lsb_head, invalid_64bit));
}
return msb_head;
}
ErrorCode SandboxBPF::Unexpected64bitArgument() {
return Kill("Unexpected 64bit argument detected");
}
ErrorCode SandboxBPF::Trap(Trap::TrapFnc fnc, const void* aux) {
return Trap::MakeTrap(fnc, aux, true /* Safe Trap */);
}
ErrorCode SandboxBPF::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) {
return Trap::MakeTrap(fnc, aux, false /* Unsafe Trap */);
}
intptr_t SandboxBPF::ForwardSyscall(const struct arch_seccomp_data& args) {
return SandboxSyscall(args.nr,
static_cast<intptr_t>(args.args[0]),
static_cast<intptr_t>(args.args[1]),
static_cast<intptr_t>(args.args[2]),
static_cast<intptr_t>(args.args[3]),
static_cast<intptr_t>(args.args[4]),
static_cast<intptr_t>(args.args[5]));
}
ErrorCode SandboxBPF::Cond(int argno,
ErrorCode::ArgType width,
ErrorCode::Operation op,
uint64_t value,
const ErrorCode& passed,
const ErrorCode& failed) {
return ErrorCode(argno,
width,
op,
value,
&*conds_->insert(passed).first,
&*conds_->insert(failed).first);
}
ErrorCode SandboxBPF::Kill(const char* msg) {
return Trap(BPFFailure, const_cast<char*>(msg));
}
SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
} // namespace sandbox