// Copyright (c) 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ #define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ #include <unistd.h> #include "build/build_config.h" #include "sandbox/sandbox_export.h" // These are helpers to build seccomp-bpf policies, i.e. policies for a // sandbox that reduces the Linux kernel's attack surface. They return an // SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters. namespace sandbox { class ErrorCode; class SandboxBPF; // Allow clone(2) for threads. // Reject fork(2) attempts with EPERM. // Don't restrict on ASAN. // Crash if anything else is attempted. SANDBOX_EXPORT ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox); // Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE. // Crash if anything else is attempted. SANDBOX_EXPORT ErrorCode RestrictPrctl(SandboxBPF* sandbox); // Allow TCGETS and FIONREAD. // Crash if anything else is attempted. SANDBOX_EXPORT ErrorCode RestrictIoctl(SandboxBPF* sandbox); // Restrict the flags argument in mmap(2). // Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | // MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE. // Crash if any other flag is used. SANDBOX_EXPORT ErrorCode RestrictMmapFlags(SandboxBPF* sandbox); // Restrict the prot argument in mprotect(2). // Only allow: PROT_READ | PROT_WRITE | PROT_EXEC. SANDBOX_EXPORT ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox); // Restrict fcntl(2) cmd argument to: // We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC, // F_SETLK, F_SETLKW and F_GETLK. // Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND | // O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME. SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox); #if defined(__i386__) // Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2), // sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2). SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox); #endif // Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or // kill iff the first parameter is |target_pid|, crashing otherwise or if // |sysno| is tkill. ErrorCode RestrictKillTarget(pid_t target_pid, SandboxBPF* sandbox, int sysno); // Crash if FUTEX_CMP_REQUEUE_PI is used in the second argument of futex(2). ErrorCode RestrictFutex(SandboxBPF* sandbox); } // namespace sandbox. #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_