
Side by Side Diff: content/common/sandbox_seccomp_bpf_linux.cc

Issue 13529027: Switch Linux Auru ports over to POSIX SHM instead of legacy SYSV SHM. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 7 years, 7 months ago
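--- a/content/common/sandbox_seccomp_bpf_linux.cc
+++ b/content/common/sandbox_seccomp_bpf_linux.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ -86,20 +86,28 @@
 }
 
 inline bool IsArchitectureArm() {
 #if defined(__arm__)
 return true;
 #else
 return false;
 #endif
 }
 
+inline bool IsUsingToolKitGtk() {
+#if defined(TOOLKIT_GTK)
+return true;
+#else
+return false;
+#endif
+}
+
 intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
 int syscall = args.nr;
 if (syscall >= 1024)
 syscall = 0;
 // Encode 8-bits of the 1st two arguments too, so we can discern which socket
 // type, which fcntl, ... etc., without being likely to hit a mapped
 // address.
 // Do not encode more bits here without thinking about increasing the
 // likelihood of collision with mapped pages.
 syscall |= ((args.args[0] & 0xffUL) << 12);
@@ -1440,59 +1448,61 @@
 case __NR_sched_getscheduler:
 case __NR_sched_setscheduler:
 case __NR_setpriority:
 case __NR_sysinfo:
 case __NR_times:
 case __NR_uname:
 return ErrorCode(ErrorCode::ERR_ALLOWED);
 case __NR_prlimit64:
 return ErrorCode(EPERM); // See crbug.com/160157.
 default:
-// These need further tightening.
+if (IsUsingToolKitGtk()) {
 #if defined(__x86_64__) || defined(__arm__)
 if (IsSystemVSharedMemory(sysno))
 return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
 #if defined(__i386__)
 if (IsSystemVIpc(sysno))
 return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
+}
 
 // Default on the baseline policy.
 return BaselinePolicy(sandbox, sysno);
 }
 }
 
 ErrorCode FlashProcessPolicy(Sandbox *sandbox, int sysno, void *) {
 switch (sysno) {
 case __NR_clone:
 return RestrictCloneToThreadsAndEPERMFork(sandbox);
 case __NR_sched_get_priority_max:
 case __NR_sched_get_priority_min:
 case __NR_sched_getaffinity:
 case __NR_sched_getparam:
 case __NR_sched_getscheduler:
 case __NR_sched_setscheduler:
 case __NR_times:
 return ErrorCode(ErrorCode::ERR_ALLOWED);
 case __NR_ioctl:
 return ErrorCode(ENOTTY); // Flash Access.
 default:
-// These need further tightening.
+if (IsUsingToolKitGtk()) {
 #if defined(__x86_64__) || defined(__arm__)
 if (IsSystemVSharedMemory(sysno))
 return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
 #if defined(__i386__)
 if (IsSystemVIpc(sysno))
 return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
+}
 
 // Default on the baseline policy.
 return BaselinePolicy(sandbox, sysno);
 }
 }
 
 ErrorCode BlacklistDebugAndNumaPolicy(Sandbox *sandbox, int sysno, void *) {
 if (!Sandbox::IsValidSyscallNumber(sysno)) {
 // TODO(jln) we should not have to do that in a trivial policy.
 return ErrorCode(ENOSYS);
@@ -1737,10 +1747,10 @@
 // should enable it, enable it or die.
 bool started_sandbox = StartBpfSandbox(command_line, process_type);
 CHECK(started_sandbox);
 return true;
 }
 #endif
 return false;
 }
 
 } // namespace content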
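Review bot: The GTK-only branch in the `default:` case (new lines 1458-1467) still returns `ERR_ALLOWED` for the SysV calls with no argument filtering, but the old `// These need further tightening.` marker is dropped, so the remaining exposure is no longer recorded in the code. I would keep a comment on the new guard, for example `// GTK builds still use legacy SysV SHM; these calls need further tightening.` On i386 the check is `IsSystemVIpc(sysno)`, which by its name presumably admits more than shared memory (its definition is not visible here), so that arm deserves the same note. The identical block is repeated in `FlashProcessPolicy` (new lines 1489-1498), and the first copy sits in a policy function whose start lies in the skipped region.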