| OLD | NEW |
| 1 #include "debug.h" | 1 #include "debug.h" |
| 2 #include "sandbox_impl.h" | 2 #include "sandbox_impl.h" |
| 3 #include "syscall_table.h" | 3 #include "syscall_table.h" |
| 4 | 4 |
| 5 namespace playground { | 5 namespace playground { |
| 6 | 6 |
| 7 // TODO(markus): change this into a function that returns the address of the ass
embly code. If that isn't possible for sandbox_clone, then move that function in
to a *.S file | 7 // TODO(markus): change this into a function that returns the address of the ass
embly code. If that isn't possible for sandbox_clone, then move that function in
to a *.S file |
| 8 asm( | 8 asm( |
| 9 ".pushsection .text, \"ax\", @progbits\n" | 9 ".pushsection .text, \"ax\", @progbits\n" |
| 10 | 10 |
| (...skipping 185 matching lines...) |
| 196 void* Sandbox::defaultSystemCallHandler(int syscallNum, void* arg0, void* arg1, | 196 void* Sandbox::defaultSystemCallHandler(int syscallNum, void* arg0, void* arg1, |
| 197 void* arg2, void* arg3, void* arg4, | 197 void* arg2, void* arg3, void* arg4, |
| 198 void* arg5) { | 198 void* arg5) { |
| 199 // TODO(markus): The following comment is currently not true, we do intercept
these system calls. Try to fix that. | 199 // TODO(markus): The following comment is currently not true, we do intercept
these system calls. Try to fix that. |
| 200 | 200 |
| 201 // We try to avoid intercepting read(), write(), and sigreturn(), as | 201 // We try to avoid intercepting read(), write(), and sigreturn(), as |
| 202 // these system calls are not restricted in Seccomp mode. But depending on | 202 // these system calls are not restricted in Seccomp mode. But depending on |
| 203 // the exact instruction sequence in libc, we might not be able to reliably | 203 // the exact instruction sequence in libc, we might not be able to reliably |
| 204 // filter out these system calls at the time when we instrument the code. | 204 // filter out these system calls at the time when we instrument the code. |
| 205 SysCalls sys; | 205 SysCalls sys; |
| 206 unsigned long rc; | 206 long rc; |
| 207 switch (syscallNum) { | 207 switch (syscallNum) { |
| 208 case __NR_read: | 208 case __NR_read: |
| 209 Debug::syscall(syscallNum, "Allowing unrestricted system call"); | 209 Debug::syscall(syscallNum, "Allowing unrestricted system call"); |
| 210 rc = sys.read((long)arg0, arg1, (size_t)arg2); | 210 rc = sys.read((long)arg0, arg1, (size_t)arg2); |
| 211 break; | 211 break; |
| 212 case __NR_write: | 212 case __NR_write: |
| 213 Debug::syscall(syscallNum, "Allowing unrestricted system call"); | 213 Debug::syscall(syscallNum, "Allowing unrestricted system call"); |
| 214 rc = sys.write((long)arg0, arg1, (size_t)arg2); | 214 rc = sys.write((long)arg0, arg1, (size_t)arg2); |
| 215 break; | 215 break; |
| 216 case __NR_rt_sigreturn: | 216 case __NR_rt_sigreturn: |
| (...skipping 32 matching lines...) |
| 249 return (void *)-ENOSYS; | 249 return (void *)-ENOSYS; |
| 250 } | 250 } |
| 251 } | 251 } |
| 252 if (rc < 0) { | 252 if (rc < 0) { |
| 253 rc = -sys.my_errno; | 253 rc = -sys.my_errno; |
| 254 } | 254 } |
| 255 return (void *)rc; | 255 return (void *)rc; |
| 256 } | 256 } |
| 257 | 257 |
| 258 } // namespace | 258 } // namespace |
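Review bot: The `if (rc < 0)` check on new line 252 treats any negative return as a failure and overwrites it with `-sys.my_errno`, which is only correct if every `SysCalls` wrapper reached from the switch returns -1 on error and sets `my_errno`. The wrapper and 32 lines of the switch in `defaultSystemCallHandler` are not shown, so this needs confirming against those cases. A narrower test such as `if (rc == -1) {` would avoid misreading a legitimately large return value (an address, for instance) as an error and returning a stale `my_errno` to the sandboxed caller. Separately, the TODO on line 199 says the comment on lines 201-204 is not true; because this function is part of the sandbox policy, that comment should be rewritten to state that read(), write() and sigreturn() are currently intercepted and forwarded here.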