<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[187455] trunk/Source/WebKit2</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/187455">187455</a></dd>
<dt>Author</dt> <dd>mcatanzaro@igalia.com</dd>
<dt>Date</dt> <dd>2015-07-27 15:18:58 -0700 (Mon, 27 Jul 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>[Seccomp] Set appropriate filters when trapping syscalls by default
https://bugs.webkit.org/show_bug.cgi?id=142983
If we trap syscalls by default, we must not set separate filters to trap
anything here, since it will fail causing us to crash.
But also, there are some things we must allow unconditionally even when
trapping by default. sigreturn, obviously. Also, let's whitelist brk
here instead of in platform-specific code.
Reviewed by Žan Doberšek.
* Shared/linux/SeccompFilters/SeccompBroker.cpp:
(WebKit::SeccompBroker::launchProcess): Don't trap sigprocmask or sigaction unless allow is
the default action. Also, allow sigreturn and brk is allow is not the default.
* Shared/linux/SeccompFilters/SeccompFilters.cpp: Added
(WebKit::SeccompFilters::defaultAction):
* Shared/linux/SeccompFilters/SeccompFilters.h: Added defaultAction</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2SharedlinuxSeccompFiltersSeccompBrokercpp">trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompBroker.cpp</a></li>
<li><a href="#trunkSourceWebKit2SharedlinuxSeccompFiltersSeccompFilterscpp">trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp</a></li>
<li><a href="#trunkSourceWebKit2SharedlinuxSeccompFiltersSeccompFiltersh">trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (187454 => 187455)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog 2015-07-27 22:10:55 UTC (rev 187454)
+++ trunk/Source/WebKit2/ChangeLog 2015-07-27 22:18:58 UTC (rev 187455)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2015-07-27 Michael Catanzaro <mcatanzaro@igalia.com>
+
+ [Seccomp] Set appropriate filters when trapping syscalls by default
+ https://bugs.webkit.org/show_bug.cgi?id=142983
+
+ If we trap syscalls by default, we must not set separate filters to trap
+ anything here, since it will fail causing us to crash.
+
+ But also, there are some things we must allow unconditionally even when
+ trapping by default. sigreturn, obviously. Also, let's whitelist brk
+ here instead of in platform-specific code.
+
+ Reviewed by Žan Doberšek.
+
+ * Shared/linux/SeccompFilters/SeccompBroker.cpp:
+ (WebKit::SeccompBroker::launchProcess): Don't trap sigprocmask or sigaction unless allow is
+ the default action. Also, allow sigreturn and brk is allow is not the default.
+ * Shared/linux/SeccompFilters/SeccompFilters.cpp: Added
+ (WebKit::SeccompFilters::defaultAction):
+ * Shared/linux/SeccompFilters/SeccompFilters.h: Added defaultAction
+
</ins><span class="cx"> 2015-07-27 Matthew Daiter <mdaiter@apple.com>
</span><span class="cx">
</span><span class="cx"> Renamed duplicate vectors inside UserMediaPermissionRequestProxy
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedlinuxSeccompFiltersSeccompBrokercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompBroker.cpp (187454 => 187455)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompBroker.cpp 2015-07-27 22:10:55 UTC (rev 187454)
+++ trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompBroker.cpp 2015-07-27 22:18:58 UTC (rev 187455)
</span><span class="lines">@@ -268,28 +268,40 @@
</span><span class="cx"> if (initialized)
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- // The sigprocmask filters bellow are needed to trap sigprocmask()
- // so we can prevent the running processes from blocking SIGSYS.
- filters->addRule("sigprocmask", SeccompFilters::Trap,
- 0, SeccompFilters::Equal, SIG_BLOCK,
- 1, SeccompFilters::NotEqual, 0);
- filters->addRule("sigprocmask", SeccompFilters::Trap,
- 0, SeccompFilters::Equal, SIG_SETMASK,
- 1, SeccompFilters::NotEqual, 0);
- filters->addRule("rt_sigprocmask", SeccompFilters::Trap,
- 0, SeccompFilters::Equal, SIG_BLOCK,
- 1, SeccompFilters::NotEqual, 0);
- filters->addRule("rt_sigprocmask", SeccompFilters::Trap,
- 0, SeccompFilters::Equal, SIG_SETMASK,
- 1, SeccompFilters::NotEqual, 0);
</del><ins>+ if (filters->defaultAction() == SeccompFilters::Allow) {
+ // The sigprocmask filters bellow are needed to trap sigprocmask()
+ // so we can prevent the running processes from blocking SIGSYS.
+ filters->addRule("sigprocmask", SeccompFilters::Trap,
+ 0, SeccompFilters::Equal, SIG_BLOCK,
+ 1, SeccompFilters::NotEqual, 0);
+ filters->addRule("sigprocmask", SeccompFilters::Trap,
+ 0, SeccompFilters::Equal, SIG_SETMASK,
+ 1, SeccompFilters::NotEqual, 0);
+ filters->addRule("rt_sigprocmask", SeccompFilters::Trap,
+ 0, SeccompFilters::Equal, SIG_BLOCK,
+ 1, SeccompFilters::NotEqual, 0);
+ filters->addRule("rt_sigprocmask", SeccompFilters::Trap,
+ 0, SeccompFilters::Equal, SIG_SETMASK,
+ 1, SeccompFilters::NotEqual, 0);
</ins><span class="cx">
</span><del>- // The sigaction filters bellow are needed to trap sigaction()
- // so we can prevent the running processes from handling SIGSYS.
- filters->addRule("sigaction", SeccompFilters::Trap,
- 0, SeccompFilters::Equal, SIGSYS);
- filters->addRule("rt_sigaction", SeccompFilters::Trap,
- 0, SeccompFilters::Equal, SIGSYS);
</del><ins>+ // The sigaction filters bellow are needed to trap sigaction()
+ // so we can prevent the running processes from handling SIGSYS.
+ filters->addRule("sigaction", SeccompFilters::Trap,
+ 0, SeccompFilters::Equal, SIGSYS);
+ filters->addRule("rt_sigaction", SeccompFilters::Trap,
+ 0, SeccompFilters::Equal, SIGSYS);
+ }
</ins><span class="cx">
</span><ins>+ if (filters->defaultAction() != SeccompFilters::Allow) {
+ // Needed for the SIGSYS handler to work.
+ filters->addRule("sigreturn", SeccompFilters::Allow);
+ filters->addRule("rt_sigreturn", SeccompFilters::Allow);
+
+ // Needed by malloc and free. We must never trap a syscall inside either
+ // because we need them in our SIGSYS handler and they are nonreentrant.
+ filters->addRule("brk", SeccompFilters::Allow);
+ }
+
</ins><span class="cx"> SeccompBroker seccompBroker;
</span><span class="cx"> seccompBroker.setSyscallPolicy(policy);
</span><span class="cx"> seccompBroker.initialize();
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedlinuxSeccompFiltersSeccompFilterscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp (187454 => 187455)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp 2015-07-27 22:10:55 UTC (rev 187454)
+++ trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.cpp 2015-07-27 22:18:58 UTC (rev 187455)
</span><span class="lines">@@ -96,6 +96,23 @@
</span><span class="cx"> m_initialized = true;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+SeccompFilters::Action SeccompFilters::defaultAction() const
+{
+ uint32_t value;
+ if (seccomp_attr_get(m_context, SCMP_FLTATR_ACT_DEFAULT, &value) == -1)
+ CRASH();
+
+ Action result = static_cast<Action>(value);
+ switch (result) {
+ case Allow:
+ case Kill:
+ case Trap:
+ return result;
+ }
+
+ CRASH();
+}
+
</ins><span class="cx"> } // namespace WebKit
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(SECCOMP_FILTERS)
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedlinuxSeccompFiltersSeccompFiltersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.h (187454 => 187455)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.h 2015-07-27 22:10:55 UTC (rev 187454)
+++ trunk/Source/WebKit2/Shared/linux/SeccompFilters/SeccompFilters.h 2015-07-27 22:18:58 UTC (rev 187455)
</span><span class="lines">@@ -59,6 +59,8 @@
</span><span class="cx">
</span><span class="cx"> void initialize();
</span><span class="cx">
</span><ins>+ Action defaultAction() const;
+
</ins><span class="cx"> private:
</span><span class="cx"> virtual void platformInitialize() { }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>