Google's Chromium sandbox
Posted Aug 20, 2009 8:59 UTC (Thu) by mingo
In reply to: Google's Chromium sandbox
Parent article: Google's Chromium sandbox
Btw., (and i raised this on lkml too in the past - at that time the code i referred to was not upstream yet), there's a way you could further increase the restrictions (and hence, the security) of the untrusted seccomp thread: by the use of the C expressions filter engine that is included in the upstream kernel. (right now used by ftrace and will also be used by perfcounters)
The engine accepts an ASCII C-ish expression runtime, such as:
"fd <= 2 && addr == 0x1234000 && len == 4096"
... and turns/parses that into a cached list of safe predicaments that the kernel will execute atomically on syscall arguments. Once parsed (by the kernel), the execution of the filter expression is very fast.
Despite it being used for tracing currently, the filter engine is generic and can be reused not just to limit trace entries of syscalls, but also to restrict execution on syscalls.
This is real, working code very close to what you need. With latest -tip you can use the filter engine on a per syscall basis, and the kernel knows about the parameter names of system calls. So on a testbox i can do this:
# cd /debug/tracing/events/syscalls/sys_enter_read
# echo "fd <= 2 && buf == 0x120000 && count == 1024" > filter
# cat filter
fd <= 2 && buf == 0x120000 && count == 1024
... and from that point on the kernel can execute that filter expression to limit trace entries that match the expression.
All you need is a small extension to seccomp to allow the installation of such expressions from user-space, by passing in the ASCII string. The filter engine can be used by unprivileged user-space as well. (but obviously the untrusted sandboxed thread should not be allowed to modify it.)
The filter engine has no deep dependence on tracing (other than being used by it currently) - it is a safe parser and atomic script execution engine that can be utilized by unprivileged tasks too and so it could be reused in seccomp and could be reused by other Linux security frameworks as well, such as selinux or netfilter.
to post comments)