diff --git a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
index c3b1605f..dd7d1c5 100644
--- a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
+++ b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
@@ -4,17 +4,51 @@
 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/net.h>
+#include <sys/socket.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include "build/build_config.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+using sandbox::bpf_dsl::AllOf;
 using sandbox::bpf_dsl::Allow;
+using sandbox::bpf_dsl::AnyOf;
+using sandbox::bpf_dsl::Arg;
+using sandbox::bpf_dsl::BoolExpr;
+using sandbox::bpf_dsl::If;
+using sandbox::bpf_dsl::Error;
 using sandbox::bpf_dsl::ResultExpr;
 namespace content {
+#ifndef SOCK_CLOEXEC
+#define SOCK_CLOEXEC O_CLOEXEC
+#endif
+
+#ifndef SOCK_NONBLOCK
+#define SOCK_NONBLOCK O_NONBLOCK
+#endif
+
+namespace {
+
+// Restricts the arguments to sys_socket() to AF_UNIX. Returns a BoolExpr that
+// evaluates to true if the syscall should be allowed.
+BoolExpr RestrictSocketArguments(const Arg<int>& domain,
+ const Arg<int>& type,
+ const Arg<int>& protocol) {
+ const int kSockFlags = SOCK_CLOEXEC | SOCK_NONBLOCK;
+ return AllOf(domain == AF_UNIX,
+ AnyOf((type & ~kSockFlags) == SOCK_DGRAM,
+ (type & ~kSockFlags) == SOCK_STREAM),
+ protocol == 0);
+}
+
+} // namespace
+
 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() : SandboxBPFBasePolicy() {}
@@ -30,8 +64,10 @@
 case __NR_flock:
 #if defined(__x86_64__) || defined(__aarch64__)
 case __NR_newfstatat:
+ case __NR_getdents64:
 #elif defined(__i386__) || defined(__arm__) || defined(__mips__)
 case __NR_fstatat64:
+ case __NR_getdents:
 #endif
 case __NR_getpriority:
 case __NR_ioctl:
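Review bot: The header comment on `RestrictSocketArguments` says it restricts sys_socket() "to AF_UNIX", but the predicate it builds is narrower — AF_UNIX, SOCK_STREAM or SOCK_DGRAM with only SOCK_CLOEXEC/SOCK_NONBLOCK tolerated in |type|, and protocol fixed to 0 — and since this helper is the only argument-level check the policy applies to the newly allowed socket family, the comment should state the full contract. Suggested wording: `// Restricts sys_socket() to AF_UNIX SOCK_STREAM or SOCK_DGRAM sockets with protocol 0; SOCK_CLOEXEC and SOCK_NONBLOCK may be set in |type|. Returns a BoolExpr that evaluates to true if the syscall should be allowed.` The `SOCK_CLOEXEC`/`SOCK_NONBLOCK` fallbacks to `O_CLOEXEC`/`O_NONBLOCK` presumably exist because older Android headers lack the SOCK_* names; a one-line comment saying so (`// Older Android headers lack these; the kernel defines them as the O_* flags.`) would keep a future reader from "fixing" them, and is worth a check against the MIPS headers since that arch is in the build list below.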
@@ -56,10 +92,47 @@
 case __NR_getrlimit:
 #endif
 case __NR_uname:
+
+ // Permit socket operations so that renderers can connect to logd and
+ // debuggerd. The arguments to socket() are further restricted below.
+ // Note that on i386, both of these calls map to __NR_socketcall, which
+ // is demultiplexed below.
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || \
+ defined(__mips__)
+ case __NR_socket:
+ case __NR_connect:
+#endif
+
+ // Ptrace is allowed so the Breakpad Microdumper can fork in a renderer
+ // and then ptrace the parent.
+ case __NR_ptrace:
 override_and_allow = true;
 break;
 }
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || \
+ defined(__mips__)
+ if (sysno == __NR_socket) {
+ const Arg<int> domain(0);
+ const Arg<int> type(1);
+ const Arg<int> protocol(2);
+ return If(RestrictSocketArguments(domain, type, protocol), Allow())
+ .Else(Error(EPERM));
+ }
+#elif defined(__i386__)
+ if (sysno == __NR_socketcall) {
+ const Arg<int> socketcall(0);
+ const Arg<int> domain(1);
+ const Arg<int> type(2);
+ const Arg<int> protocol(3);
+ return If(socketcall == SYS_CONNECT, Allow())
+ .ElseIf(AllOf(socketcall == SYS_SOCKET,
+ RestrictSocketArguments(domain, type, protocol)),
+ Allow())
+ .Else(Error(EPERM));
+ }
+#endif
+
 if (override_and_allow)
 return Allow();
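Review bot: The i386 `__NR_socketcall` branch ends in `.Else(Error(EPERM))` and returns unconditionally, so on x86 Android every socketcall sub-call other than SYS_CONNECT and SYS_SOCKET — sendmsg/recvmsg/socketpair/shutdown, whatever the base policy grants for the IPC channel — is now refused before the base policy is ever consulted, while on the other architectures those are separate syscall numbers and still fall through. Unless the base policy's socketcall handling (outside this hunk) is reached some other way, the fallback should delegate rather than deny: `.Else(SandboxBPFBasePolicy::EvaluateSyscall(sysno))`. Separately, `__NR_ptrace` joins the unconditional allow list with no filter on the request argument, which hands a compromised renderer PTRACE_ATTACH/POKE* against any process Yama lets it reach; consider restricting `Arg<int>(0)` to the requests the microdumper actually issues (taken from the Breakpad dumper, not guessable from here), or at minimum extend the comment to say that Yama's ptrace_scope is what bounds the exposure. The enclosing EvaluateSyscall starts and ends outside the hunk.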
diff --git a/content/renderer/render_thread_impl.cc b/content/renderer/render_thread_impl.cc
index 963cc42..473d5a0 100644
--- a/content/renderer/render_thread_impl.cc
+++ b/content/renderer/render_thread_impl.cc
@@ -538,6 +538,8 @@
 return ".plus";
 if (host == "inbox.google.com")
 return ".inbox";
+ if (host == "calendar.google.com")
+ return ".calendar";
 if (host == "www.youtube.com")
 return ".youtube";
 if (IsAlexaTop10NonGoogleSite(host))
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index 4b98366..57bffc0 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -52,6 +52,10 @@
 #define PR_SET_TIMERSLACK_PID 41
 #endif
+#ifndef PR_SET_PTRACER
+#define PR_SET_PTRACER 0x59616d61
+#endif
+
 #endif // defined(OS_ANDROID)
 #if defined(__arm__) && !defined(MAP_STACK)
@@ -143,7 +147,7 @@
 .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE
 #if defined(OS_ANDROID)
 ,
- PR_SET_VMA, PR_SET_TIMERSLACK_PID
+ PR_SET_VMA, PR_SET_TIMERSLACK_PID, PR_SET_PTRACER
 #endif
 ),
 Allow())
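Review bot: The bare constant in `#define PR_SET_PTRACER 0x59616d61` needs a comment: it is the value the kernel assigns to Yama's PR_SET_PTRACER (the ASCII bytes of "Yama"), and the `#ifndef` is presumably there because older Android/NDK `<sys/prctl.h>` headers omit it. A one-liner such as `// Yama's PR_SET_PTRACER ("Yama" in ASCII); absent from older Android headers.` saves the next reader a trip to the kernel source and makes a mismatch with a system header that does define it obvious at review time.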
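Review bot: Adding `PR_SET_PTRACER` to the `.CASES(...)` allow list admits every value of the pid argument, including `PR_SET_PTRACER_ANY`, which tells Yama that any process (still subject to the usual uid/dumpable checks) may attach to the renderer, whereas the microdumper flow described in the sandbox change only needs to name its own forked child. A tighter rule would drop PR_SET_PTRACER from the CASES list and give it its own case that rejects the wildcard; whether `If`/`Error` from bpf_dsl are already in scope in this file, and which result the rest of the function uses for its denial path, cannot be seen from the hunk, so adjust the `.Else` accordingly. The enclosing prctl restriction function starts and ends outside the hunk.
```cpp
// … unchanged: PR_SET_TIMERSLACK_PID / PR_SET_PTRACER fallback defines …
#ifndef PR_SET_PTRACER_ANY
#define PR_SET_PTRACER_ANY ((unsigned long)-1)
#endif
// … unchanged: Switch(option) and the existing CASES, with PR_SET_PTRACER removed …
      .Case(PR_SET_PTRACER,
            If(Arg<unsigned long>(1) != PR_SET_PTRACER_ANY, Allow())
                .Else(Error(EPERM)))
```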
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
index 284a319..36a873f 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -87359,13 +87359,14 @@
 </histogram_suffixes>
 <histogram_suffixes name="V8SpecialApps" separator=".">
+ <suffix name="calendar" label="Custom histogram for Calendar"/>
 <suffix name="docs" label="Custom histogram for Google Docs and Drive"/>
 <suffix name="gmail" label="Custom histogram for GMail"/>
 <suffix name="inbox" label="Custom histogram for Inbox"/>
 <suffix name="plus" label="Custom histogram for Google+"/>
- <suffix name="youtube" label="Custom histogram for Youtube"/>
 <suffix name="top10" label="Custom histogram for Alexa's Top10 non-Google sites"/>
+ <suffix name="youtube" label="Custom histogram for Youtube"/>
 <affected-histogram name="V8.MemoryExternalFragmentationTotal"/>
 <affected-histogram name="V8.MemoryHeapCommitted"/>
 <affected-histogram name="V8.MemoryHeapSampleTotalCommitted"/>