Remove patches not yet tailored for Android

csagan5 2022-04-16 10:12:07 +02:00 committed by Yifeng Wu
parent 35048036fc
commit 328c86b4cc
4 changed files with 0 additions and 551 deletions


@ -4,9 +4,6 @@
* mark sites as visited when they have an already-parsed OpenSearch descriptor
* disable TLS resumption by default (thanks to @uazo)
* partition DoH requests by top-frame NIK (thanks to @uazo)
* restrict creation of dynamic code
* forbid dynamic code generation on Linux
* remove mremap from system call whitelist
# 100.0.4896.83
* update zh_CN translations (thanks to @zhmars)


@ -1,334 +0,0 @@
From: qua3k <cliffmaceyak@gmail.com>
Date: Thu, 4 Nov 2021 00:00:00 +0000
Subject: Forbid dynamic code generation on Linux
The Windows sandbox prevents dynamic code generation via setting
MITIGATION_DYNAMIC_CODE_DISABLE on certain processes; prevent dynamic
code generation in the same processes on Linux via seccomp-bpf.
---
.../policy/linux/bpf_audio_policy_linux.cc | 18 +++++++++++
sandbox/policy/linux/bpf_cdm_policy_linux.cc | 12 +++++++
.../policy/linux/bpf_ppapi_policy_linux.cc | 12 +++++++
.../bpf_print_compositor_policy_linux.cc | 12 +++++++
.../policy/linux/bpf_renderer_policy_linux.cc | 21 +++++++++++-
.../policy/linux/bpf_renderer_policy_linux.h | 5 ++-
.../policy/linux/bpf_service_policy_linux.cc | 21 ++++++++++++
.../policy/linux/bpf_service_policy_linux.h | 5 ++-
.../bpf_speech_recognition_policy_linux.cc | 12 +++++++
.../policy/linux/bpf_utility_policy_linux.cc | 12 +++++++
.../policy/linux/sandbox_seccomp_bpf_linux.cc | 32 ++++++++++++++++---
11 files changed, 155 insertions(+), 7 deletions(-)
diff --git a/sandbox/policy/linux/bpf_audio_policy_linux.cc b/sandbox/policy/linux/bpf_audio_policy_linux.cc
--- a/sandbox/policy/linux/bpf_audio_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_audio_policy_linux.cc
@@ -118,6 +118,24 @@ ResultExpr AudioProcessPolicy::EvaluateSyscall(int system_call_number) const {
const Arg<int> domain(0);
return If(domain == AF_UNIX, Allow()).Else(Error(EPERM));
}
+#endif
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
+#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || \
+ defined(__aarch64__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_64_BITS))
+ case __NR_shmat:
+ return RestrictShmatFlags();
#endif
default:
#if defined(__x86_64__)
diff --git a/sandbox/policy/linux/bpf_cdm_policy_linux.cc b/sandbox/policy/linux/bpf_cdm_policy_linux.cc
--- a/sandbox/policy/linux/bpf_cdm_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_cdm_policy_linux.cc
@@ -49,6 +49,18 @@ ResultExpr CdmProcessPolicy::EvaluateSyscall(int sysno) const {
return RestrictSchedTarget(GetPolicyPid(), sysno);
case __NR_prlimit64:
return RestrictPrlimitToGetrlimit(GetPolicyPid());
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
// Default on the content baseline policy.
return BPFBasePolicy::EvaluateSyscall(sysno);
diff --git a/sandbox/policy/linux/bpf_ppapi_policy_linux.cc b/sandbox/policy/linux/bpf_ppapi_policy_linux.cc
--- a/sandbox/policy/linux/bpf_ppapi_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_ppapi_policy_linux.cc
@@ -40,6 +40,18 @@ ResultExpr PpapiProcessPolicy::EvaluateSyscall(int sysno) const {
return RestrictSchedTarget(GetPolicyPid(), sysno);
case __NR_ioctl:
return Error(ENOTTY); // Flash Access.
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
// Default on the baseline policy.
return BPFBasePolicy::EvaluateSyscall(sysno);
diff --git a/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc b/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
--- a/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
@@ -45,6 +45,18 @@ ResultExpr PrintCompositorProcessPolicy::EvaluateSyscall(int sysno) const {
case __NR_times:
case __NR_uname:
return Allow();
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
// Default on the content baseline policy.
return BPFBasePolicy::EvaluateSyscall(sysno);
diff --git a/sandbox/policy/linux/bpf_renderer_policy_linux.cc b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
@@ -48,10 +48,29 @@ ResultExpr RestrictIoctl() {
} // namespace
-RendererProcessPolicy::RendererProcessPolicy() {}
+RendererProcessPolicy::RendererProcessPolicy(bool is_jit_disabled)
+ : is_jit_disabled_(is_jit_disabled) {}
RendererProcessPolicy::~RendererProcessPolicy() {}
ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
+
+ if (is_jit_disabled_) {
+ switch (sysno) {
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
+ }
+ }
+
switch (sysno) {
// The baseline policy allows __NR_clock_gettime. Allow
// clock_getres() for V8. crbug.com/329053.
diff --git a/sandbox/policy/linux/bpf_renderer_policy_linux.h b/sandbox/policy/linux/bpf_renderer_policy_linux.h
--- a/sandbox/policy/linux/bpf_renderer_policy_linux.h
+++ b/sandbox/policy/linux/bpf_renderer_policy_linux.h
@@ -13,7 +13,7 @@ namespace policy {
// This policy can be used by both renderer and worker processes.
class RendererProcessPolicy : public BPFBasePolicy {
public:
- RendererProcessPolicy();
+ explicit RendererProcessPolicy(bool is_jit_disabled);
RendererProcessPolicy(const RendererProcessPolicy&) = delete;
RendererProcessPolicy& operator=(const RendererProcessPolicy&) = delete;
@@ -21,6 +21,9 @@ class RendererProcessPolicy : public BPFBasePolicy {
~RendererProcessPolicy() override;
bpf_dsl::ResultExpr EvaluateSyscall(int system_call_number) const override;
+
+ private:
+ const bool is_jit_disabled_; // Disable dynamic code generation if jitless
};
} // namespace policy
diff --git a/sandbox/policy/linux/bpf_service_policy_linux.cc b/sandbox/policy/linux/bpf_service_policy_linux.cc
--- a/sandbox/policy/linux/bpf_service_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_service_policy_linux.cc
@@ -20,7 +20,28 @@ using sandbox::bpf_dsl::ResultExpr;
namespace sandbox {
namespace policy {
+ServiceProcessPolicy::ServiceProcessPolicy(bool is_jit_disabled)
+ : is_jit_disabled_(is_jit_disabled) {}
+
ResultExpr ServiceProcessPolicy::EvaluateSyscall(int sysno) const {
+
+ if (is_jit_disabled_) {
+ switch (sysno) {
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
+ }
+ }
+
switch (sysno) {
case __NR_ioctl:
return RestrictIoctl();
diff --git a/sandbox/policy/linux/bpf_service_policy_linux.h b/sandbox/policy/linux/bpf_service_policy_linux.h
--- a/sandbox/policy/linux/bpf_service_policy_linux.h
+++ b/sandbox/policy/linux/bpf_service_policy_linux.h
@@ -16,13 +16,16 @@ namespace policy {
// Consider UtilityProcessPolicy if this is too restrictive.
class ServiceProcessPolicy : public BPFBasePolicy {
public:
- ServiceProcessPolicy() = default;
+ explicit ServiceProcessPolicy(bool is_jit_disabled);
~ServiceProcessPolicy() override = default;
bpf_dsl::ResultExpr EvaluateSyscall(int system_call_number) const override;
ServiceProcessPolicy(const ServiceProcessPolicy&) = delete;
ServiceProcessPolicy& operator=(const ServiceProcessPolicy&) = delete;
+
+ private:
+ const bool is_jit_disabled_; // Disable dynamic code generation if jitless
};
} // namespace policy
diff --git a/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc b/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc
--- a/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc
@@ -37,6 +37,18 @@ ResultExpr SpeechRecognitionProcessPolicy::EvaluateSyscall(
case __NR_sched_setscheduler:
// Used for starting an AudioStream when recognizing microphone data.
return RestrictSchedTarget(GetPolicyPid(), system_call_number);
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
auto* sandbox_linux = SandboxLinux::GetInstance();
if (sandbox_linux->ShouldBrokerHandleSyscall(system_call_number))
diff --git a/sandbox/policy/linux/bpf_utility_policy_linux.cc b/sandbox/policy/linux/bpf_utility_policy_linux.cc
--- a/sandbox/policy/linux/bpf_utility_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_utility_policy_linux.cc
@@ -46,6 +46,18 @@ ResultExpr UtilityProcessPolicy::EvaluateSyscall(int sysno) const {
case __NR_times:
case __NR_uname:
return Allow();
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
// Default on the content baseline policy.
return BPFBasePolicy::EvaluateSyscall(sysno);
diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
--- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
+++ b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
@@ -30,6 +30,8 @@
#include "base/files/scoped_file.h"
#include "base/posix/eintr_wrapper.h"
+#include "base/strings/string_split.h"
+#include "gin/gin_features.h"
#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
@@ -51,6 +53,7 @@
#include "sandbox/policy/linux/bpf_service_policy_linux.h"
#include "sandbox/policy/linux/bpf_speech_recognition_policy_linux.h"
#include "sandbox/policy/linux/bpf_utility_policy_linux.h"
+#include "third_party/blink/public/common/switches.h"
#if BUILDFLAG(IS_CHROMEOS_ASH)
#include "sandbox/policy/features.h"
@@ -164,8 +167,29 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
switch (sandbox_type) {
case sandbox::mojom::Sandbox::kGpu:
return GetGpuProcessSandbox(options.use_amd_specific_policies);
- case sandbox::mojom::Sandbox::kRenderer:
- return std::make_unique<RendererProcessPolicy>();
+ case sandbox::mojom::Sandbox::kRenderer: {
+ const base::CommandLine& command_line =
+ *base::CommandLine::ForCurrentProcess();
+ bool dynamic_code_can_be_disabled = false;
+ if (base::FeatureList::IsEnabled(features::kV8NoJIT)) {
+ dynamic_code_can_be_disabled = true;
+ }
+ else if (command_line.HasSwitch(blink::switches::kJavaScriptFlags)) {
+ std::string js_flags =
+ command_line.GetSwitchValueASCII(blink::switches::kJavaScriptFlags);
+ std::vector<base::StringPiece> js_flag_list = base::SplitStringPiece(
+ js_flags, ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+ for (const auto& js_flag : js_flag_list) {
+ if (js_flag == "--jitless") {
+ // If v8 is running jitless then there is no need for the ability to
+ // mark writable pages as executable to be available to the process.
+ dynamic_code_can_be_disabled = true;
+ break;
+ }
+ }
+ }
+ return std::make_unique<RendererProcessPolicy>(dynamic_code_can_be_disabled);
+ }
#if BUILDFLAG(ENABLE_PLUGINS)
case sandbox::mojom::Sandbox::kPpapi:
return std::make_unique<PpapiProcessPolicy>();
@@ -185,9 +209,9 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
case sandbox::mojom::Sandbox::kAudio:
return std::make_unique<AudioProcessPolicy>();
case sandbox::mojom::Sandbox::kService:
- return std::make_unique<ServiceProcessPolicy>();
+ return std::make_unique<ServiceProcessPolicy>(true);
case sandbox::mojom::Sandbox::kServiceWithJit:
- return std::make_unique<ServiceProcessPolicy>();
+ return std::make_unique<ServiceProcessPolicy>(false);
case sandbox::mojom::Sandbox::kSpeechRecognition:
return std::make_unique<SpeechRecognitionProcessPolicy>();
#if BUILDFLAG(IS_CHROMEOS_ASH)
--
2.25.1


@ -1,70 +0,0 @@
From: qua3k <cliffmaceyak@gmail.com>
Date: Fri, 19 Nov 2021 00:00:00 +0000
Subject: Remove mremap from system call whitelist
It's not used in PartitionAlloc and should be removed.
---
sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc | 1 -
sandbox/policy/linux/bpf_cdm_policy_linux.cc | 1 -
sandbox/policy/linux/bpf_print_compositor_policy_linux.cc | 1 -
sandbox/policy/linux/bpf_service_policy_linux.cc | 1 -
sandbox/policy/linux/bpf_utility_policy_linux.cc | 1 -
5 files changed, 5 deletions(-)
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -566,7 +566,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
case __NR_modify_ldt:
#endif
case __NR_mprotect:
- case __NR_mremap:
case __NR_msync:
case __NR_munlockall:
case __NR_readahead:
diff --git a/sandbox/policy/linux/bpf_cdm_policy_linux.cc b/sandbox/policy/linux/bpf_cdm_policy_linux.cc
--- a/sandbox/policy/linux/bpf_cdm_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_cdm_policy_linux.cc
@@ -39,7 +39,6 @@ ResultExpr CdmProcessPolicy::EvaluateSyscall(int sysno) const {
#if defined(__i386__) || defined(__arm__)
case __NR_ugetrlimit:
#endif
- case __NR_mremap: // https://crbug.com/546204
case __NR_pwrite64:
case __NR_sysinfo:
case __NR_times:
diff --git a/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc b/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
--- a/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
@@ -39,7 +39,6 @@ ResultExpr PrintCompositorProcessPolicy::EvaluateSyscall(int sysno) const {
#if defined(__i386__) || defined(__arm__)
case __NR_ugetrlimit:
#endif
- case __NR_mremap: // https://crbug.com/546204
case __NR_pwrite64:
case __NR_sysinfo:
case __NR_times:
diff --git a/sandbox/policy/linux/bpf_service_policy_linux.cc b/sandbox/policy/linux/bpf_service_policy_linux.cc
--- a/sandbox/policy/linux/bpf_service_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_service_policy_linux.cc
@@ -53,7 +53,6 @@ ResultExpr ServiceProcessPolicy::EvaluateSyscall(int sysno) const {
#if defined(__i386__) || defined(__arm__)
case __NR_ugetrlimit:
#endif
- case __NR_mremap: // https://crbug.com/546204
case __NR_pwrite64:
case __NR_times:
return Allow();
diff --git a/sandbox/policy/linux/bpf_utility_policy_linux.cc b/sandbox/policy/linux/bpf_utility_policy_linux.cc
--- a/sandbox/policy/linux/bpf_utility_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_utility_policy_linux.cc
@@ -40,7 +40,6 @@ ResultExpr UtilityProcessPolicy::EvaluateSyscall(int sysno) const {
#if defined(__i386__) || defined(__arm__)
case __NR_ugetrlimit:
#endif
- case __NR_mremap: // https://crbug.com/546204
case __NR_pwrite64:
case __NR_sysinfo:
case __NR_times:
--
2.25.1


@ -1,144 +0,0 @@
From: qua3k <cliffmaceyak@gmail.com>
Date: Thu, 4 Nov 2021 00:00:00 +0000
Subject: Restrict creation of dynamic code
This commit has three parts, utilizing seccomp-bpf to prevent:
1. the creation of executable anonymous mappings
2. the creation of writable and executable file mappings
3. making a non-executable mapping executable
It's inspired by PaX MPROTECT restrictions.
---
.../syscall_parameters_restrictions.cc | 55 +++++++++++++++++++
.../syscall_parameters_restrictions.h | 18 ++++++
2 files changed, 73 insertions(+)
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -15,6 +15,7 @@
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/resource.h>
+#include <sys/shm.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
@@ -227,6 +228,31 @@ ResultExpr RestrictMmapFlags() {
return If((flags & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
}
+ResultExpr RestrictMmapFlagsNoWX() {
+ // The flags you see are actually the allowed ones, and the variable is a
+ // "denied" mask because of the negation operator.
+ // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
+ // MAP_POPULATE.
+ // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries.
+
+ const Arg<int> prot(2);
+ const Arg<int> flags(3);
+
+ const BoolExpr is_mapping_w_x = (prot & (PROT_WRITE | PROT_EXEC)) != (PROT_WRITE | PROT_EXEC);
+
+ const BoolExpr is_anon_mapping_nx =
+ AllOf((prot & PROT_EXEC) == 0,
+ (flags & MAP_ANONYMOUS) == MAP_ANONYMOUS);
+
+ const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_STACK |
+ MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE |
+ MAP_LOCKED;
+
+ return If(is_anon_mapping_nx, Allow())
+ .ElseIf(AllOf(is_mapping_w_x, (flags & ~kAllowedMask) == 0), Allow())
+ .Else(CrashSIGSYS());
+}
+
ResultExpr RestrictMprotectFlags() {
// The flags you see are actually the allowed ones, and the variable is a
// "denied" mask because of the negation operator.
@@ -245,6 +271,24 @@ ResultExpr RestrictMprotectFlags() {
return If((prot & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
}
+ResultExpr RestrictMprotectFlagsNoWX() {
+ // The flags you see are actually the allowed ones, and the variable is a
+ // "denied" mask because of the negation operator.
+ // Significantly, we don't permit making non-executable pages executable,
+ // as well as weird undocumented flags such as PROT_GROWSDOWN.
+#if defined(ARCH_CPU_ARM64)
+ // Allows PROT_MTE and PROT_BTI (as explained higher up) on only Arm
+ // platforms.
+ const uint64_t kArchSpecificFlags = PROT_MTE | PROT_BTI;
+#else
+ const uint64_t kArchSpecificFlags = 0;
+#endif
+ const uint64_t kAllowedMask =
+ PROT_READ | PROT_WRITE | kArchSpecificFlags;
+ const Arg<int> prot(2);
+ return If((prot & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
+}
+
ResultExpr RestrictFcntlCommands() {
// We also restrict the flags in F_SETFL. We don't want to permit flags with
// a history of trouble such as O_DIRECT. The flags you see are actually the
@@ -281,6 +325,17 @@ ResultExpr RestrictFcntlCommands() {
// clang-format on
}
+ResultExpr RestrictShmatFlags() {
+ // The flags you see are actually the allowed ones, and the variable is a
+ // "denied" mask because of the negation operator.
+ // Significantly, we don't permit flags that allow for dynamic code
+ // generation such as SHM_EXEC.
+ const uint64_t kAllowedMask =
+ 0 | SHM_RND | SHM_RDONLY | SHM_REMAP;
+ const Arg<int> shmflg(2);
+ return If((shmflg & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
+}
+
#if defined(__i386__) || defined(__mips__)
ResultExpr RestrictSocketcallCommand() {
// Unfortunately, we are unable to restrict the first parameter to
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -37,11 +37,25 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictIoctl();
// Crash if any other flag is used.
SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMmapFlags();
+// Restrict mmap(2) arguments to:
+// Allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
+// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
+// Crash if any other flag is used.
+// Also, in prots, restrict the allowed protections to:
+// PROT_READ | PROT_WRITE ^ PROT_EXEC.
+// PROT_BTI | PROT_MTE is additionally allowed on 64-bit Arm.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMmapFlagsNoWX();
+
// Restrict the prot argument in mprotect(2).
// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
// PROT_BTI | PROT_MTE is additionally allowed on 64-bit Arm.
SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlags();
+// Restrict the prot argument in mprotect(2).
+// Only allow: PROT_READ | PROT_WRITE.
+// PROT_BTI | PROT_MTE is additionally allowed on 64-bit Arm.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlagsNoWX();
+
// Restrict fcntl(2) cmd argument to:
// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
// F_SETLK, F_SETLKW and F_GETLK.
@@ -49,6 +63,10 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlags();
// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFcntlCommands();
+// Restrict the shmflg argument in shmat(2).
+// Only allow: SHM_RND | SHM_RDONLY | SHM_REMAP.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictShmatFlags();
+
#if defined(__i386__) || defined(__mips__)
// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
--
2.25.1