Chromium Code Reviews Chromium Code Reviews
Issue 1705243002:
[Android] Permit sched_getparam(), pwrite64(), and getsockopt() under Seccomp. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc |
| diff --git a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc |
| index dd7d1c58c6d8174c455dfcded219de3954fe97ae..a24b6862617b30d0dcf30c39169814c0583bbbf0 100644 |
| --- a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc |
| +++ b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc |
| @@ -82,7 +82,9 @@ ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const { |
| #endif |
| case __NR_openat: |
| case __NR_pread64: |
| + case __NR_pwrite64: |
| case __NR_rt_sigtimedwait: |
| + case __NR_sched_getparam: |
|
mdempsky
2016/02/17 21:54:52
It is possible/reasonable to restrict which pids c
Robert Sesek
2016/02/17 22:50:11
No, because Bionic passes a TID to this in its pth
|
| case __NR_setpriority: |
| case __NR_set_tid_address: |
| case __NR_sigaltstack: |
| @@ -99,8 +101,9 @@ ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const { |
| // is demultiplexed below. |
| #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || \ |
| defined(__mips__) |
| - case __NR_socket: |
| + case __NR_getsockopt: |
| case __NR_connect: |
| + case __NR_socket: |
| #endif |
| // Ptrace is allowed so the Breakpad Microdumper can fork in a renderer |
| @@ -129,6 +132,7 @@ ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const { |
| .ElseIf(AllOf(socketcall == SYS_SOCKET, |
| RestrictSocketArguments(domain, type, protocol)), |
| Allow()) |
| + .ElseIf(socketcall == SYS_GETSOCKOPT, Allow()) |
| .Else(Error(EPERM)); |
| } |
| #endif |
