sandbox: Allow set_robust_list(2).

I can't think of a good reason to block it and it generates a ton of logspam. BUG=None TEST=Build for soraka Chrome OS board, deploy. TEST='journalctl -g SECCOMP', no more set_robust_list(2) logs. R=mpdenton@chromium.org, rsesek@chromium.org Change-Id: I8cbfd4176ac7f1c5ef31080c910980c1ed13152b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1700105 Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Auto-Submit: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#676920}

sandbox: Allow set_robust_list(2).
I can't think of a good reason to block it and it generates a ton of logspam. BUG=None TEST=Build for soraka Chrome OS board, deploy. TEST='journalctl -g SECCOMP', no more set_robust_list(2) logs. R=mpdenton@chromium.org, rsesek@chromium.org Change-Id: I8cbfd4176ac7f1c5ef31080c910980c1ed13152b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1700105 Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Auto-Submit: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#676920}
4130bd11 · Jorge Lucangeli Obes · Commit Bot · 728f6439 · 4130bd11
Commit 4130bd11 authored Jul 12, 2019 by Jorge Lucangeli Obes Committed by Commit Bot Jul 12, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 0 deletions

services/service_manager/sandbox/linux/bpf_base_policy_linux.cc ...es/service_manager/sandbox/linux/bpf_base_policy_linux.cc +13 -0

No files found.
--- a/services/service_manager/sandbox/linux/bpf_base_policy_linux.cc
+++ b/services/service_manager/sandbox/linux/bpf_base_policy_linux.cc
@@ -9,7 +9,9 @@
 #include "base/logging.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
+#include "sandbox/linux/system_headers/linux_syscalls.h"

+using sandbox::bpf_dsl::Allow;
 using sandbox::bpf_dsl::ResultExpr;

 namespace service_manager {
@@ -27,6 +29,17 @@ BPFBasePolicy::~BPFBasePolicy() {}

 ResultExpr BPFBasePolicy::EvaluateSyscall(int system_call_number) const {
  DCHECK(baseline_policy_);
+
+  // set_robust_list(2) is part of the futex(2) infrastructure.
+  // Chrome on Linux/Chrome OS will call set_robust_list(2) frequently.
+  // The baseline policy will EPERM set_robust_list(2), but on systems with
+  // SECCOMP logs enabled in auditd this will cause a ton of logspam.
+  // If we're not blocking the entire futex(2) infrastructure, we should allow
+  // set_robust_list(2) and quiet the logspam.
+  if (system_call_number == __NR_set_robust_list) {
+    return Allow();
+  }
+
  return baseline_policy_->EvaluateSyscall(system_call_number);
 }