Allow limited prlimit64 calls in a utility sandbox

This allows the prlimit64 syscall in utility processes, with the contingency that it only operates on the calling process's PID and it always has the |new_limit| arg set to null. The getrlimit() implementation is backed by this syscall on Linux, and the utility sandbox config already allows SYS_getrlimit. The restrictions above prevent callers from changing the process's own limits, and from querying or changing other process's limits. Bug: 1052045 Change-Id: Iabe81ea2791b5c3d604a9176c7463e9d00ff6cbe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2086814Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Ken Rockot <rockot@google.com> Cr-Commit-Position: refs/heads/master@{#746833}

Allow limited prlimit64 calls in a utility sandbox
This allows the prlimit64 syscall in utility processes, with the contingency that it only operates on the calling process's PID and it always has the |new_limit| arg set to null. The getrlimit() implementation is backed by this syscall on Linux, and the utility sandbox config already allows SYS_getrlimit. The restrictions above prevent callers from changing the process's own limits, and from querying or changing other process's limits. Bug: 1052045 Change-Id: Iabe81ea2791b5c3d604a9176c7463e9d00ff6cbe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2086814Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Ken Rockot <rockot@google.com> Cr-Commit-Position: refs/heads/master@{#746833}
6f1949a3 · Ken Rockot · Commit Bot · 22c420e7 · 6f1949a3 · 6f1949a3
Commit 6f1949a3 authored Mar 04, 2020 by Ken Rockot Committed by Commit Bot Mar 04, 2020
3 changed files
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -405,6 +405,15 @@ ResultExpr RestrictPrlimit(pid_t target_pid) {
  return If(AnyOf(pid == 0, pid == target_pid), Allow()).Else(Error(EPERM));
 }
+ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid) {
+  const Arg<pid_t> pid(0);
+  const Arg<uintptr_t> new_limit(2);
+  // Only allow operations for the current process, and only with |new_limit|
+  // set to null.
+  return If(AllOf(new_limit == 0, AnyOf(pid == 0, pid == target_pid)), Allow())
+      .Else(Error(EPERM));
+}
 #if !defined(OS_NACL_NONSFI)
 ResultExpr RestrictPtrace() {
  const Arg<int> request(0);

--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -104,6 +104,11 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetRandom();
 // gracefully; see crbug.com/160157.
 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrlimit(pid_t target_pid);
+// Restrict |pid| to the calling process (or 0) for prlimit64(), and require the
+// |new_limit_ argument to be null.  This allows only getting limits on the
+// current process. Otherwise fail gracefully.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid);
 // Restrict ptrace() to just read operations that are needed for crash
 // reporting. See https://crbug.com/933418 for details.
 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPtrace();

--- a/services/service_manager/sandbox/linux/bpf_utility_policy_linux.cc
+++ b/services/service_manager/sandbox/linux/bpf_utility_policy_linux.cc
@@ -27,6 +27,9 @@ ResultExpr UtilityProcessPolicy::EvaluateSyscall(int sysno) const {
  switch (sysno) {
    case __NR_ioctl:
      return sandbox::RestrictIoctl();
+    case __NR_prlimit64:
+      // Restrict prlimit() to reference only the calling process.
+      return sandbox::RestrictPrlimitToGetrlimit(GetPolicyPid());
    // Allow the system calls below.
    case __NR_fdatasync:
    case __NR_fsync: