[Android] Define a baseline seccomp-bpf sandbox policy.

This is not used in production yet, since Android kernels do not have seccomp mode two support, yet. BUG=308763, 166704 Review URL: https://codereview.chromium.org/180783019 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@263017 0039d316-1c4b-4281-b951-d872f2087c98

[Android] Define a baseline seccomp-bpf sandbox policy.
This is not used in production yet, since Android kernels do not have seccomp mode two support, yet. BUG=308763, 166704 Review URL: https://codereview.chromium.org/180783019 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@263017 0039d316-1c4b-4281-b951-d872f2087c98
0e343eda · rsesek@chromium.org · 42c42826 · 0e343eda · 0e343eda · 0e343eda
Commit 0e343eda authored Apr 10, 2014 by rsesek@chromium.org
8 changed files
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -1094,6 +1094,7 @@ void RenderProcessHostImpl::PropagateBrowserCommandLineToRenderer(
    switches::kEnablePinch,
    switches::kEnablePreparsedJsCaching,
    switches::kEnableRepaintAfterLayout,
+    switches::kEnableSeccompFilterSandbox,
    switches::kEnableServiceWorker,
    switches::kEnableSkiaBenchmarking,
    switches::kEnableSoftwareCompositing,

--- a/content/common/sandbox_linux/OWNERS
+++ b/content/common/sandbox_linux/OWNERS
 cevans@chromium.org
 jln@chromium.org
 jorgelo@chromium.org
+rsesek@chromium.org
--- a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
+++ b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
+
+#include <sys/types.h>
+
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+namespace content {
+
+SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid()
+    : SandboxBPFBasePolicy() {}
+
+SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {}
+
+sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall(
+    sandbox::SandboxBPF* sandbox,
+    int sysno) const {
+  bool override_and_allow = false;
+
+  switch (sysno) {
+    case __NR_epoll_pwait:
+    case __NR_flock:
+    case __NR_getpriority:
+    case __NR_ioctl:
+    case __NR_mremap:
+    // File system access cannot be restricted with seccomp-bpf on Android,
+    // since the JVM classloader and other Framework features require file
+    // access. It may be possible to restrict the filesystem with SELinux.
+    // Currently we rely on the app/service UID isolation to create a
+    // filesystem "sandbox".
+#if !ARCH_CPU_ARM64
+    case __NR_open:
+#endif
+    case __NR_openat:
+    case __NR_pread64:
+    case __NR_rt_sigtimedwait:
+    case __NR_setpriority:
+    case __NR_sigaltstack:
+    case __NR_ugetrlimit:
+    case __NR_uname:
+      override_and_allow = true;
+      break;
+  }
+
+  if (override_and_allow)
+    return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED);
+
+  return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
+}
+
+}  // namespace content
--- a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
+++ b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_COMMON_SANDBOX_LINUX_ANDROID_SANDBOX_BPF_BASE_POLICY_ANDROID_H_
+#define CONTENT_COMMON_SANDBOX_LINUX_ANDROID_SANDBOX_BPF_BASE_POLICY_ANDROID_H_
+
+#include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
+#include "sandbox/linux/seccomp-bpf/errorcode.h"
+
+namespace content {
+
+// This class builds on top of the generic Linux baseline policy to reduce
+// Linux kernel attack surface. It augments the list of allowed syscalls to
+// allow ones required by the Android runtime.
+class SandboxBPFBasePolicyAndroid : public SandboxBPFBasePolicy {
+ public:
+  SandboxBPFBasePolicyAndroid();
+  virtual ~SandboxBPFBasePolicyAndroid();
+
+  // sandbox::SandboxBPFPolicy:
+  virtual sandbox::ErrorCode EvaluateSyscall(
+      sandbox::SandboxBPF* sandbox_compiler,
+      int system_call_number) const OVERRIDE;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(SandboxBPFBasePolicyAndroid);
+};
+
+}  // namespace content
+
+#endif  // CONTENT_COMMON_SANDBOX_LINUX_ANDROID_SANDBOX_BPF_BASE_POLICY_ANDROID_H_
--- a/content/content_common.gypi
+++ b/content/content_common.gypi
@@ -392,6 +392,8 @@
    'common/sandbox_init_mac.cc',
    'common/sandbox_init_mac.h',
    'common/sandbox_init_win.cc',
+    'common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc',
+    'common/sandbox_linux/android/sandbox_bpf_base_policy_android.h',
    'common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc',
    'common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h',
    'common/sandbox_linux/bpf_gpu_policy_linux.cc',
@@ -451,6 +453,14 @@
    'common/zygote_commands_linux.h',
    'port/common/input_event_ack_state.h',
  ],
+  'target_conditions': [
+    ['OS=="android"', {
+      'sources/': [
+        ['include', '^common/sandbox_linux/sandbox_bpf_base_policy_linux\\.cc$'],
+        ['include', '^common/sandbox_linux/sandbox_bpf_base_policy_linux\\.h$'],
+      ],
+    }],
+  ],
  'conditions': [
    ['use_aura==1', {
      'sources!': [

--- a/content/public/common/content_switches.cc
+++ b/content/public/common/content_switches.cc
@@ -521,6 +521,11 @@ const char kEnableTargetedStyleRecalc[] =
 // is denied by the sandbox.
 const char kEnableSandboxLogging[]          = "enable-sandbox-logging";

+// Enables seccomp-bpf support for Android. Requires experimental kernel
+// support. <http://crbug.com/166704>
+const char kEnableSeccompFilterSandbox[] =
+    "enable-seccomp-filter-sandbox";
+
 // Enables the Skia benchmarking extension
 const char kEnableSkiaBenchmarking[]        = "enable-skia-benchmarking";


--- a/content/public/common/content_switches.h
+++ b/content/public/common/content_switches.h
@@ -154,6 +154,7 @@ CONTENT_EXPORT extern const char kEnablePrivilegedWebGLExtensions[];
 CONTENT_EXPORT extern const char kEnableRegionBasedColumns[];
 CONTENT_EXPORT extern const char kEnableRepaintAfterLayout[];
 CONTENT_EXPORT extern const char kEnableSandboxLogging[];
+extern const char kEnableSeccompFilterSandbox[];
 extern const char kEnableSkiaBenchmarking[];
 CONTENT_EXPORT extern const char kEnableSmoothScrolling[];
 CONTENT_EXPORT extern const char kEnableSoftwareCompositing[];

--- a/content/renderer/renderer_main_platform_delegate_android.cc
+++ b/content/renderer/renderer_main_platform_delegate_android.cc
@@ -3,10 +3,14 @@
 // found in the LICENSE file.

 #include "content/renderer/renderer_main_platform_delegate.h"
+
+#include "base/command_line.h"
 #include "base/logging.h"
+#include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
+#include "content/public/common/content_switches.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

 #ifdef ENABLE_VTUNE_JIT_INTERFACE
-#include "content/public/common/content_switches.h"
 #include "v8/src/third_party/vtune/v8-vtune.h"
 #endif

@@ -36,6 +40,14 @@ bool RendererMainPlatformDelegate::InitSandboxTests(bool no_sandbox) {
 }

 bool RendererMainPlatformDelegate::EnableSandbox() {
+  if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kEnableSeccompFilterSandbox)) {
+    return true;
+  }
+
+  sandbox::SandboxBPF sandbox;
+  sandbox.SetSandboxPolicy(new SandboxBPFBasePolicyAndroid());
+  CHECK(sandbox.StartSandbox(sandbox::SandboxBPF::PROCESS_MULTI_THREADED));
  return true;
 }