docs/seccomp_sandbox_crash_dumping.md - chromium/src - Git at Google

 # seccomp Sandbox Crash Dumping

 Currently, Breakpad relies on facilities that are disallowed inside the Linux
 seccomp sandbox.  Specifically, it sets a signal handler to catch faults
 (currently disallowed), forks a new process, and uses ptrace() (also disallowed)
 to read the memory of the faulted process.

 ## Options

 There are three ways we could do crash dumping of seccomp-sandboxed processes:

 *   Find a way to permit signal handling safely inside the sandbox (see below).
 *   Allow the kernel's core dumper to kick in and write a core file.
     *   This seems risky because this code tends not to be well-tested.
     *   This will not work if the process is chrooted, so it would not work if
         the seccomp sandbox is stacked with the SUID sandbox.
 *   Have an unsandboxed helper process which `ptrace()`s the sandboxed process
     to catch faults.

 ## Signal handling in the seccomp sandbox

 In case a trusted thread faults with a SIGSEGV, we must make sure that an
 untrusted thread cannot register a signal handler that will run in the context
 of the trusted thread.

 Here are some mechanisms that could make this safe:

 *   `sigaltstack()` is per-thread. If we opt not to set a signal stack for
     trusted threads, and set %esp/%rsp to an invalid address, trusted threads
     will die safely if they fault.
     *   This means the trusted thread cannot set a signal stack on behalf of the
         untrusted thread once the latter has switched to seccomp mode. The
         signal stack would have to be set up when the thread is created and not
         subsequently changed.
 *   `clone()` has a `CLONE_SIGHAND` flag. By omitting this flag, trusted and
     untrusted threads can have different sets of signal handlers. This means we
     can opt not to set signal handlers for trusted threads.
     *   Again, per-thread signal handler sets would mean the trusted thread
         cannot change signal handlers on behalf of untrusted threads.
 *   `sigprocmask()/pthread_sigmask()`: These can be used to block signal
     handling in trusted threads.

 ## See also

 *   [LinuxCrashDumping](linux/crash_dumping.md)
 *   [Issue 37728](https://crbug.com/37728)
	# seccomp Sandbox Crash Dumping

	Currently, Breakpad relies on facilities that are disallowed inside the Linux
	seccomp sandbox. Specifically, it sets a signal handler to catch faults
	(currently disallowed), forks a new process, and uses ptrace() (also disallowed)
	to read the memory of the faulted process.

	## Options

	There are three ways we could do crash dumping of seccomp-sandboxed processes:

	* Find a way to permit signal handling safely inside the sandbox (see below).
	* Allow the kernel's core dumper to kick in and write a core file.
	* This seems risky because this code tends not to be well-tested.
	* This will not work if the process is chrooted, so it would not work if
	the seccomp sandbox is stacked with the SUID sandbox.
	* Have an unsandboxed helper process which `ptrace()`s the sandboxed process
	to catch faults.

	## Signal handling in the seccomp sandbox

	In case a trusted thread faults with a SIGSEGV, we must make sure that an
	untrusted thread cannot register a signal handler that will run in the context
	of the trusted thread.

	Here are some mechanisms that could make this safe:

	* `sigaltstack()` is per-thread. If we opt not to set a signal stack for
	trusted threads, and set %esp/%rsp to an invalid address, trusted threads
	will die safely if they fault.
	* This means the trusted thread cannot set a signal stack on behalf of the
	untrusted thread once the latter has switched to seccomp mode. The
	signal stack would have to be set up when the thread is created and not
	subsequently changed.
	* `clone()` has a `CLONE_SIGHAND` flag. By omitting this flag, trusted and
	untrusted threads can have different sets of signal handlers. This means we
	can opt not to set signal handlers for trusted threads.
	* Again, per-thread signal handler sets would mean the trusted thread
	cannot change signal handlers on behalf of untrusted threads.
	* `sigprocmask()/pthread_sigmask()`: These can be used to block signal
	handling in trusted threads.

	## See also

	* [LinuxCrashDumping](linux/crash_dumping.md)
	* [Issue 37728](https://crbug.com/37728)