Apply an initial seccomp filter policy for Pepper Flash.

I'll send out a separate mail about the shmat() situation -- for now, a
shipping seccomp filter sandbox is better than no filtering.
Review URL: https://chromiumcodereview.appspot.com/10105009

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@132501 0039d316-1c4b-4281-b951-d872f2087c98

content/browser/gpu/gpu_process_host.cc

@@ -676,6 +676,7 @@ bool GpuProcessHost::LaunchGpuProcess(const std::string& channel_id) {
     switches::kDisableGpuDriverBugWorkarounds,
     switches::kDisableGpuSandbox,
     switches::kReduceGpuSandbox,
+    switches::kDisableSeccompFilterSandbox,
     switches::kDisableGpuVsync,
     switches::kDisableGpuWatchdog,
     switches::kDisableImageTransportSurface,

content/browser/ppapi_plugin_process_host.cc

@@ -167,6 +167,7 @@ bool PpapiPluginProcessHost::Init(const content::PepperPluginInfo& info) {
     // going to explode.
     static const char* kPluginForwardSwitches[] = {
       switches::kNoSandbox,
+      switches::kDisableSeccompFilterSandbox,
       switches::kPpapiFlashArgs,
       switches::kPpapiStartupDialog
     };

content/common/sandbox_init_linux.cc

@@ -194,6 +194,57 @@ static void ApplyGPUPolicy(std::vector<struct sock_filter>* program) {
   EmitFailSyscall(__NR_access, ENOENT, program);
 }
 
+static void ApplyFlashPolicy(std::vector<struct sock_filter>* program) {
+  // "Hot" syscalls go first.
+  EmitAllowSyscall(__NR_futex, program);
+  EmitAllowSyscall(__NR_write, program);
+  EmitAllowSyscall(__NR_epoll_wait, program);
+  EmitAllowSyscall(__NR_read, program);
+  EmitAllowSyscall(__NR_times, program);
+
+  // Less hot syscalls.
+  EmitAllowSyscall(__NR_clone, program);
+  EmitAllowSyscall(__NR_set_robust_list, program);
+  EmitAllowSyscall(__NR_getuid, program);
+  EmitAllowSyscall(__NR_geteuid, program);
+  EmitAllowSyscall(__NR_getgid, program);
+  EmitAllowSyscall(__NR_getegid, program);
+  EmitAllowSyscall(__NR_epoll_create, program);
+  EmitAllowSyscall(__NR_fcntl, program);
+  EmitAllowSyscall(__NR_socketpair, program);
+  EmitAllowSyscall(__NR_pipe, program);
+  EmitAllowSyscall(__NR_epoll_ctl, program);
+  EmitAllowSyscall(__NR_gettid, program);
+  EmitAllowSyscall(__NR_prctl, program);
+  EmitAllowSyscall(__NR_fstat, program);
+  EmitAllowSyscall(__NR_sendmsg, program);
+  EmitAllowSyscall(__NR_mmap, program);
+  EmitAllowSyscall(__NR_munmap, program);
+  EmitAllowSyscall(__NR_mprotect, program);
+  EmitAllowSyscall(__NR_madvise, program);
+  EmitAllowSyscall(__NR_rt_sigaction, program);
+  EmitAllowSyscall(__NR_rt_sigprocmask, program);
+  EmitAllowSyscall(__NR_wait4, program);
+  EmitAllowSyscall(__NR_exit_group, program);
+  EmitAllowSyscall(__NR_exit, program);
+  EmitAllowSyscall(__NR_rt_sigreturn, program);
+  EmitAllowSyscall(__NR_restart_syscall, program);
+  EmitAllowSyscall(__NR_close, program);
+  EmitAllowSyscall(__NR_recvmsg, program);
+  EmitAllowSyscall(__NR_lseek, program);
+  EmitAllowSyscall(__NR_brk, program);
+  EmitAllowSyscall(__NR_sched_yield, program);
+
+  // These are under investigation, and hopefully not here for the long term.
+  EmitAllowSyscall(__NR_shmctl, program);
+  EmitAllowSyscall(__NR_shmat, program);
+  EmitAllowSyscall(__NR_shmdt, program);
+
+  EmitFailSyscall(__NR_open, ENOENT, program);
+  EmitFailSyscall(__NR_execve, ENOENT, program);
+  EmitFailSyscall(__NR_access, ENOENT, program);
+}
+
 static bool CanUseSeccompFilters() {
   int ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 0, 0, 0);
   if (ret != 0 && errno == EFAULT)
@@ -219,7 +270,8 @@ namespace content {
 
 void InitializeSandbox() {
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-  if (command_line.HasSwitch(switches::kNoSandbox))
+  if (command_line.HasSwitch(switches::kNoSandbox) ||
+      command_line.HasSwitch(switches::kDisableSeccompFilterSandbox))
     return;
 
   std::string process_type =
@@ -238,6 +290,8 @@ void InitializeSandbox() {
 
   if (process_type == switches::kGpuProcess) {
     ApplyGPUPolicy(&program);
+  } else if (process_type == switches::kPpapiPluginProcess) {
+    ApplyFlashPolicy(&program);
   } else {
     NOTREACHED();
   }

content/ppapi_plugin/ppapi_plugin_main.cc

@@ -17,6 +17,10 @@
 #include "sandbox/src/sandbox.h"
 #endif
 
+#if defined(OS_LINUX)
+#include "content/public/common/sandbox_init.h"
+#endif
+
 #if defined(OS_WIN)
 sandbox::TargetServices* g_target_services = NULL;
 #else
@@ -44,6 +48,10 @@ int PpapiPluginMain(const content::MainFunctionParams& parameters) {
   MessageLoop main_message_loop;
   base::PlatformThread::SetName("CrPPAPIMain");
 
+#if defined(OS_LINUX)
+  content::InitializeSandbox();
+#endif
+
   ChildProcess ppapi_process;
   ppapi_process.set_main_thread(new PpapiThread(false));  // Not a broker.
 

content/public/common/content_switches.cc

@@ -171,6 +171,9 @@ const char kDisableSmoothScrolling[]        = "disable-smooth-scrolling";
 // Disable the seccomp sandbox (Linux only)
 const char kDisableSeccompSandbox[]         = "disable-seccomp-sandbox";
 
+// Disable the seccomp filter sandbox (Linux only)
+const char kDisableSeccompFilterSandbox[]   = "disable-seccomp-filter-sandbox";
+
 // Disable session storage.
 const char kDisableSessionStorage[]         = "disable-session-storage";
 

content/public/common/content_switches.h

@@ -63,6 +63,7 @@ extern const char kDisableRemoteFonts[];
 extern const char kDisableRendererAccessibility[];
 extern const char kDisableSSLFalseStart[];
 extern const char kDisableSeccompSandbox[];
+extern const char kDisableSeccompFilterSandbox[];
 extern const char kDisableSessionStorage[];
 extern const char kDisableSharedWorkers[];
 extern const char kDisableSiteSpecificQuirks[];