Linux sandbox: add seccomp IOCTL and flag constants + prctl constants

Add seccomp ioctl numbers and newer seccomp flags necessary for the
USER_NOTIF broker.

Also adds linux_prctl.h for prctl constants like PR_SET_PTRACER.

Bug: 1117351
Change-Id: Idf56efcb189f1b20f13b23bacc71dd1b38786c4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2407064
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#811121}

sandbox/linux/BUILD.gn

@@ -437,6 +437,7 @@ source_set("sandbox_services_headers") {
     "system_headers/i386_linux_ucontext.h",
     "system_headers/linux_filter.h",
     "system_headers/linux_futex.h",
+    "system_headers/linux_prctl.h",
     "system_headers/linux_seccomp.h",
     "system_headers/linux_signal.h",
     "system_headers/linux_syscalls.h",

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

@@ -28,6 +28,7 @@
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/system_headers/linux_futex.h"
+#include "sandbox/linux/system_headers/linux_prctl.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 #include "sandbox/linux/system_headers/linux_time.h"
 
@@ -51,19 +52,6 @@
 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
 #endif
 
-#if !defined(PR_SET_TIMERSLACK)
-#define PR_SET_TIMERSLACK 29
-#endif
-
-// https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/private/bionic_prctl.h
-#if !defined(PR_SET_VMA)
-#define PR_SET_VMA 0x53564d41
-#endif
-
-#ifndef PR_SET_PTRACER
-#define PR_SET_PTRACER 0x59616d61
-#endif
-
 #endif  // defined(OS_ANDROID)
 
 #if defined(__arm__) && !defined(MAP_STACK)

sandbox/linux/services/yama.cc

@@ -17,14 +17,7 @@
 #include "base/files/scoped_file.h"
 #include "base/notreached.h"
 #include "base/posix/eintr_wrapper.h"
-
-#if !defined(PR_SET_PTRACER_ANY)
-#define PR_SET_PTRACER_ANY ((unsigned long)-1)
-#endif
-
-#if !defined(PR_SET_PTRACER)
-#define PR_SET_PTRACER 0x59616d61
-#endif
+#include "sandbox/linux/system_headers/linux_prctl.h"
 
 namespace sandbox {
 

sandbox/linux/system_headers/linux_prctl.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PRCTL_H_
+#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PRCTL_H_
+
+#include "build/build_config.h"
+
+#if !defined(PR_SET_PDEATHSIG)
+#define PR_SET_PDEATHSIG 1
+#endif
+
+#if !defined(PR_SET_TIMERSLACK)
+#define PR_SET_TIMERSLACK 29
+#endif
+
+#if defined(OS_ANDROID)
+
+// https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/private/bionic_prctl.h
+#if !defined(PR_SET_VMA)
+#define PR_SET_VMA 0x53564d41
+#endif
+
+#endif  // defined(OS_ANDROID)
+
+#if !defined(PR_SET_PTRACER)
+#define PR_SET_PTRACER 0x59616d61
+#endif
+
+#if !defined(PR_SET_PTRACER_ANY)
+#define PR_SET_PTRACER_ANY ((unsigned long)-1)
+#endif
+
+#endif  // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PRCTL_H_

sandbox/linux/system_headers/linux_seccomp.h

@@ -7,6 +7,12 @@
 
 #include <stdint.h>
 
+#include "build/build_config.h"
+
+#if !defined(OS_NACL_NONSFI)
+#include <sys/ioctl.h>
+#endif
+
 // The Seccomp2 kernel ABI is not part of older versions of glibc.
 // As we can't break compilation with these versions of the library,
 // we explicitly define all missing symbols.
@@ -19,15 +25,19 @@
 #ifndef EM_ARM
 #define EM_ARM    40
 #endif
+
 #ifndef EM_386
 #define EM_386    3
 #endif
+
 #ifndef EM_X86_64
 #define EM_X86_64 62
 #endif
+
 #ifndef EM_MIPS
 #define EM_MIPS   8
 #endif
+
 #ifndef EM_AARCH64
 #define EM_AARCH64 183
 #endif
@@ -35,24 +45,31 @@
 #ifndef __AUDIT_ARCH_64BIT
 #define __AUDIT_ARCH_64BIT 0x80000000
 #endif
+
 #ifndef __AUDIT_ARCH_LE
 #define __AUDIT_ARCH_LE    0x40000000
 #endif
+
 #ifndef AUDIT_ARCH_ARM
 #define AUDIT_ARCH_ARM    (EM_ARM|__AUDIT_ARCH_LE)
 #endif
+
 #ifndef AUDIT_ARCH_I386
 #define AUDIT_ARCH_I386   (EM_386|__AUDIT_ARCH_LE)
 #endif
+
 #ifndef AUDIT_ARCH_X86_64
 #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #endif
+
 #ifndef AUDIT_ARCH_MIPSEL
 #define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE)
 #endif
+
 #ifndef AUDIT_ARCH_MIPSEL64
 #define AUDIT_ARCH_MIPSEL64 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #endif
+
 #ifndef AUDIT_ARCH_AARCH64
 #define AUDIT_ARCH_AARCH64 (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
 #endif
@@ -62,23 +79,29 @@
 #define PR_SET_SECCOMP               22
 #define PR_GET_SECCOMP               21
 #endif
+
 #ifndef PR_SET_NO_NEW_PRIVS
 #define PR_SET_NO_NEW_PRIVS          38
 #define PR_GET_NO_NEW_PRIVS          39
 #endif
+
 #ifndef IPC_64
 #define IPC_64                   0x0100
 #endif
+
 #ifndef PR_SET_SPECULATION_CTRL
 #define PR_SET_SPECULATION_CTRL 53
 #define PR_GET_SPECULATION_CTRL 52
 #endif
+
 #ifndef PR_SPEC_INDIRECT_BRANCH
 #define PR_SPEC_INDIRECT_BRANCH 1
 #endif
+
 #ifndef PR_SPEC_PRCTL
 #define PR_SPEC_PRCTL (1UL << 0)
 #endif
+
 #ifndef PR_SPEC_FORCE_DISABLE
 #define PR_SPEC_FORCE_DISABLE (1UL << 3)
 #endif
@@ -98,15 +121,32 @@
 #ifndef SECCOMP_SET_MODE_FILTER
 #define SECCOMP_SET_MODE_FILTER 1
 #endif
+#ifndef SECCOMP_GET_NOTIF_SIZES
+#define SECCOMP_GET_NOTIF_SIZES 3
+#endif
+
 #ifndef SECCOMP_FILTER_FLAG_TSYNC
 #define SECCOMP_FILTER_FLAG_TSYNC 1
 #endif
+
 #ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
 #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
 #endif
 
-// In the future, if we add fields to this struct and then access them, they
-// might be out-of-bounds on an older kernel. So before adding to this struct,
+#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
+#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
+#endif
+
+#ifndef SECCOMP_FILTER_FLAG_TSYNC_ESRCH
+#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4)
+#endif
+
+#ifndef SECCOMP_ADDFD_FLAG_SETFD
+#define SECCOMP_ADDFD_FLAG_SETFD (1UL << 0)
+#endif
+
+// In the future, if we add fields to these structs and then access them, they
+// might be out-of-bounds on an older kernel. So before adding to these structs,
 // make sure to annotate them with a comment that it may be unsafe to access
 // those fields on older kernels.
 struct arch_seccomp_data {
@@ -116,18 +156,66 @@ struct arch_seccomp_data {
   uint64_t args[6];
 };
 
+struct seccomp_notif_sizes {
+  uint16_t seccomp_notif;
+  uint16_t seccomp_notif_resp;
+  uint16_t seccomp_data;
+};
+
+struct seccomp_notif {
+  uint64_t id;
+  uint32_t pid;
+  uint32_t flags;
+  struct arch_seccomp_data data;
+};
+
+struct seccomp_notif_resp {
+  uint64_t id;
+  int64_t val;
+  int32_t error;
+  uint32_t flags;
+};
+
+struct seccomp_notif_addfd {
+  uint64_t id;
+  uint32_t flags;
+  uint32_t srcfd;
+  uint32_t newfd;
+  uint32_t newfd_flags;
+};
+
+// sys/ioctl.h is not available in pnacl toolchain.
+#if !defined(OS_NACL_NONSFI)
+#define SECCOMP_IOC_MAGIC '!'
+#define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
+#define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOW(nr, type) _IOW(SECCOMP_IOC_MAGIC, nr, type)
+#define SECCOMP_IOWR(nr, type) _IOWR(SECCOMP_IOC_MAGIC, nr, type)
+
+// Flags for seccomp notification fd ioctl.
+#define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif)
+#define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, struct seccomp_notif_resp)
+// Note: SECCOMP_IOCTL_NOTIF_ID_VALID is now defined with SECCOMP_IOW, but
+// kernels are expected to support the (now incorrect) ioctl number for the
+// foreseeable future.
+#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, uint64_t)
+// On success, the return value is the remote process's added fd number
+#define SECCOMP_IOCTL_NOTIF_ADDFD SECCOMP_IOW(3, struct seccomp_notif_addfd)
+#endif  // !defined(OS_NACL_NONSFI)
+
 #ifndef SECCOMP_RET_KILL
 // Return values supported for BPF filter programs. Please note that the
 // "illegal" SECCOMP_RET_INVALID is not supported by the kernel, should only
 // ever be used internally, and would result in the kernel killing our process.
-#define SECCOMP_RET_KILL    0x00000000U  // Kill the task immediately
-#define SECCOMP_RET_INVALID 0x00010000U  // Illegal return value
-#define SECCOMP_RET_TRAP    0x00030000U  // Disallow and force a SIGSYS
-#define SECCOMP_RET_ERRNO   0x00050000U  // Returns an errno
-#define SECCOMP_RET_TRACE   0x7ff00000U  // Pass to a tracer or disallow
-#define SECCOMP_RET_ALLOW   0x7fff0000U  // Allow
-#define SECCOMP_RET_ACTION  0xffff0000U  // Masks for the return value
-#define SECCOMP_RET_DATA    0x0000ffffU  //   sections
+#define SECCOMP_RET_KILL 0x00000000U        // Kill the task immediately
+#define SECCOMP_RET_INVALID 0x00010000U     // Illegal return value
+#define SECCOMP_RET_TRAP 0x00030000U        // Disallow and force a SIGSYS
+#define SECCOMP_RET_ERRNO 0x00050000U       // Returns an errno
+#define SECCOMP_RET_USER_NOTIF 0x7fc00000U  // Notifies userspace
+#define SECCOMP_RET_TRACE 0x7ff00000U       // Pass to a tracer or disallow
+#define SECCOMP_RET_ALLOW 0x7fff0000U       // Allow
+#define SECCOMP_RET_ACTION 0xffff0000U      // Masks for the return value
+#define SECCOMP_RET_DATA 0x0000ffffU        //   sections
 #else
 #define SECCOMP_RET_INVALID 0x00010000U  // Illegal return value
 #endif