1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h " | |
6 | |
7 #include <sys/types.h> | |
8 | |
9 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | |
10 | |
11 namespace content { | |
12 | |
13 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() | |
14 : SandboxBPFBasePolicy() {} | |
15 | |
16 SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {} | |
17 | |
18 sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall( | |
19 sandbox::SandboxBPF* sandbox, | |
20 int sysno) const { | |
21 bool override_and_allow = false; | |
22 | |
23 switch (sysno) { | |
24 case __NR_epoll_pwait: | |
25 case __NR_flock: | |
26 case __NR_getpriority: | |
27 case __NR_ioctl: | |
28 case __NR_mremap: | |
29 // File system access cannot be restricted with seccomp-bpf on Android, | |
30 // since the JVM classloader and other Framework features require file | |
31 // access. It may be possible to restrict the filesystem with SELinux. | |
32 // Currently we rely on the app/service UID isolation to create a | |
33 // filesystem "sandbox". | |
34 #if !defined(__aarch64__) | |
jochen (gone - plz use gerrit)
2014/04/10 07:37:42
should be ARCH_CPU_ARM64
Robert Sesek
2014/04/10 14:36:24
Done.
35 case __NR_open: | |
36 #endif | |
37 case __NR_openat: | |
38 case __NR_pread64: | |
39 case __NR_rt_sigtimedwait: | |
40 case __NR_setpriority: | |
41 case __NR_sigaltstack: | |
42 case __NR_ugetrlimit: | |
43 case __NR_uname: | |
44 override_and_allow = true; | |
45 break; | |
46 } | |
47 | |
48 if (override_and_allow) | |
49 return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED); | |
50 | |
51 return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); | |
52 } | |
53 | |
54 } // namespace content | |
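Review bot: The override list in EvaluateSyscall returns ERR_ALLOWED before delegating, so for every syscall in the switch (including `__NR_ioctl` and `__NR_mremap`) any argument-level filtering that SandboxBPFBasePolicy::EvaluateSyscall might apply is skipped entirely, and nothing in the file says this is intended or why each entry is needed; a comment above the switch such as `// Syscalls listed here are allowed unconditionally and never reach the base policy, so any argument filtering it applies to them does not take effect on Android.` would make the widened surface explicit for future reviewers. The only rationale comment (file system access) sits between `__NR_mremap` and the `#if`, where it reads as covering the five cases above it rather than the open/openat entries it describes; moving it directly above the `#if !defined(__aarch64__)` block, or to the top of the switch, would avoid that misreading. The `__NR_*` constants are used without a visible syscall-number header, so presumably one arrives transitively via sandbox_bpf.h; an explicit include would make that dependency clear.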