
Side by Side Diff: content/common/sandbox_seccomp_bpf_linux.cc

Issue 13529027: Switch Linux Auru ports over to POSIX SHM instead of legacy SYSV SHM. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 7 years, 8 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <asm/unistd.h> 5 #include <asm/unistd.h>
6 #include <dlfcn.h> 6 #include <dlfcn.h>
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <linux/audit.h> 9 #include <linux/audit.h>
10 #include <linux/filter.h> 10 #include <linux/filter.h>
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after
81 } 81 }
82 82
83 inline bool IsArchitectureArm() { 83 inline bool IsArchitectureArm() {
84 #if defined(__arm__) 84 #if defined(__arm__)
85 return true; 85 return true;
86 #else 86 #else
87 return false; 87 return false;
88 #endif 88 #endif
89 } 89 }
90 90
91 inline bool IsUsingToolKitGtk() {
92 #if defined(TOOLKIT_GTK)
93 return true;
94 #else
95 return false;
96 #endif
97 }
98
91 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { 99 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
92 int syscall = args.nr; 100 int syscall = args.nr;
93 if (syscall >= 1024) 101 if (syscall >= 1024)
94 syscall = 0; 102 syscall = 0;
95 // Encode 8-bits of the 1st two arguments too, so we can discern which socket 103 // Encode 8-bits of the 1st two arguments too, so we can discern which socket
96 // type, which fcntl, ... etc., without being likely to hit a mapped 104 // type, which fcntl, ... etc., without being likely to hit a mapped
97 // address. 105 // address.
98 // Do not encode more bits here without thinking about increasing the 106 // Do not encode more bits here without thinking about increasing the
99 // likelihood of collision with mapped pages. 107 // likelihood of collision with mapped pages.
100 syscall |= ((args.args[0] & 0xffUL) << 12); 108 syscall |= ((args.args[0] & 0xffUL) << 12);
(...skipping 1278 matching lines...) Expand 10 before | Expand all | Expand 10 after
1379 case __NR_sched_getscheduler: 1387 case __NR_sched_getscheduler:
1380 case __NR_sched_setscheduler: 1388 case __NR_sched_setscheduler:
1381 case __NR_setpriority: 1389 case __NR_setpriority:
1382 case __NR_sysinfo: 1390 case __NR_sysinfo:
1383 case __NR_times: 1391 case __NR_times:
1384 case __NR_uname: 1392 case __NR_uname:
1385 return ErrorCode(ErrorCode::ERR_ALLOWED); 1393 return ErrorCode(ErrorCode::ERR_ALLOWED);
1386 case __NR_prlimit64: 1394 case __NR_prlimit64:
1387 return ErrorCode(EPERM); // See crbug.com/160157. 1395 return ErrorCode(EPERM); // See crbug.com/160157.
1388 default: 1396 default:
1389 // These need further tightening. 1397 if (IsUsingToolKitGtk()) {
1390 #if defined(__x86_64__) || defined(__arm__) 1398 #if defined(__x86_64__) || defined(__arm__)
1391 if (IsSystemVSharedMemory(sysno)) 1399 if (IsSystemVSharedMemory(sysno))
1392 return ErrorCode(ErrorCode::ERR_ALLOWED); 1400 return ErrorCode(ErrorCode::ERR_ALLOWED);
1393 #endif 1401 #endif
1394 #if defined(__i386__) 1402 #if defined(__i386__)
1395 if (IsSystemVIpc(sysno)) 1403 if (IsSystemVIpc(sysno))
1396 return ErrorCode(ErrorCode::ERR_ALLOWED); 1404 return ErrorCode(ErrorCode::ERR_ALLOWED);
1397 #endif 1405 #endif
1406 }
1398 1407
1399 // Default on the baseline policy. 1408 // Default on the baseline policy.
1400 return BaselinePolicy(sandbox, sysno); 1409 return BaselinePolicy(sandbox, sysno);
1401 } 1410 }
1402 } 1411 }
1403 1412
1404 ErrorCode FlashProcessPolicy(Sandbox *sandbox, int sysno, void *) { 1413 ErrorCode FlashProcessPolicy(Sandbox *sandbox, int sysno, void *) {
1405 switch (sysno) { 1414 switch (sysno) {
1406 case __NR_sched_get_priority_max: 1415 case __NR_sched_get_priority_max:
1407 case __NR_sched_get_priority_min: 1416 case __NR_sched_get_priority_min:
1408 case __NR_sched_getaffinity: 1417 case __NR_sched_getaffinity:
1409 case __NR_sched_getparam: 1418 case __NR_sched_getparam:
1410 case __NR_sched_getscheduler: 1419 case __NR_sched_getscheduler:
1411 case __NR_sched_setscheduler: 1420 case __NR_sched_setscheduler:
1412 case __NR_times: 1421 case __NR_times:
1413 return ErrorCode(ErrorCode::ERR_ALLOWED); 1422 return ErrorCode(ErrorCode::ERR_ALLOWED);
1414 case __NR_ioctl: 1423 case __NR_ioctl:
1415 return ErrorCode(ENOTTY); // Flash Access. 1424 return ErrorCode(ENOTTY); // Flash Access.
1416 default: 1425 default:
1417 // These need further tightening. 1426 if (IsUsingToolKitGtk()) {
1418 #if defined(__x86_64__) || defined(__arm__) 1427 #if defined(__x86_64__) || defined(__arm__)
1419 if (IsSystemVSharedMemory(sysno)) 1428 if (IsSystemVSharedMemory(sysno))
1420 return ErrorCode(ErrorCode::ERR_ALLOWED); 1429 return ErrorCode(ErrorCode::ERR_ALLOWED);
1421 #endif 1430 #endif
1422 #if defined(__i386__) 1431 #if defined(__i386__)
1423 if (IsSystemVIpc(sysno)) 1432 if (IsSystemVIpc(sysno))
1424 return ErrorCode(ErrorCode::ERR_ALLOWED); 1433 return ErrorCode(ErrorCode::ERR_ALLOWED);
1425 #endif 1434 #endif
1435 }
1426 1436
1427 // Default on the baseline policy. 1437 // Default on the baseline policy.
1428 return BaselinePolicy(sandbox, sysno); 1438 return BaselinePolicy(sandbox, sysno);
1429 } 1439 }
1430 } 1440 }
1431 1441
1432 ErrorCode BlacklistDebugAndNumaPolicy(Sandbox *sandbox, int sysno, void *) { 1442 ErrorCode BlacklistDebugAndNumaPolicy(Sandbox *sandbox, int sysno, void *) {
1433 if (!Sandbox::IsValidSyscallNumber(sysno)) { 1443 if (!Sandbox::IsValidSyscallNumber(sysno)) {
1434 // TODO(jln) we should not have to do that in a trivial policy. 1444 // TODO(jln) we should not have to do that in a trivial policy.
1435 return ErrorCode(ENOSYS); 1445 return ErrorCode(ENOSYS);
(...skipping 187 matching lines...) Expand 10 before | Expand all | Expand 10 after
1623 // should enable it, enable it or die. 1633 // should enable it, enable it or die.
1624 bool started_sandbox = StartBpfSandbox(command_line, process_type); 1634 bool started_sandbox = StartBpfSandbox(command_line, process_type);
1625 CHECK(started_sandbox); 1635 CHECK(started_sandbox);
1626 return true; 1636 return true;
1627 } 1637 }
1628 #endif 1638 #endif
1629 return false; 1639 return false;
1630 } 1640 }
1631 1641
1632 } // namespace content 1642 } // namespace content
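Review bot: In both `default:` branches (new lines 1397-1406 and, in FlashProcessPolicy, 1426-1435) the added `if (IsUsingToolKitGtk()) {` takes the place of the `// These need further tightening.` comment, so the hardening reminder is lost even though GTK builds keep the same System V allowance, which on i386 goes through `IsSystemVIpc(sysno)` and is presumably wider than shared memory alone. I would keep a comment above the guard, e.g. `// Only the GTK port still needs SysV SHM. These need further tightening.`, so the reason for the toolkit dependency and the open item stay visible. For FlashProcessPolicy it is worth confirming that the plugin itself makes no System V calls on non-GTK builds, since those now fall through to `BaselinePolicy(sandbox, sysno)`, whose handling of them is not shown here. The two guarded blocks are identical and could share one helper; the function containing the first one starts outside the visible lines.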