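--- /dev/null
+++ b/PATH_PLACEHOLDER
@@ -0,0 +1,54 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
+
+#include <sys/types.h>
+
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+namespace content {
+
+SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid()
+    : SandboxBPFBasePolicy() {}
+
+SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {}
+
+sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall(
+    sandbox::SandboxBPF* sandbox,
+    int sysno) const {
+  bool override_and_allow = false;
+
+  switch (sysno) {
+    case __NR_epoll_pwait:
+    case __NR_flock:
+    case __NR_getpriority:
+    case __NR_ioctl:
+    case __NR_mremap:
+    // File system access cannot be restricted with seccomp-bpf on Android,
+    // since the JVM classloader and other Framework features require file
+    // access. It may be possible to restrict the filesystem with SELinux.
+    // Currently we rely on the app/service UID isolation to create a
+    // filesystem "sandbox".
+#if !ARCH_CPU_ARM64
+    case __NR_open:
+#endif
+    case __NR_openat:
+    case __NR_pread64:
+    case __NR_rt_sigtimedwait:
+    case __NR_setpriority:
+    case __NR_sigaltstack:
+    case __NR_ugetrlimit:
+    case __NR_uname:
+      override_and_allow = true;
+      break;
+  }
+
+  if (override_and_allow)
+    return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED);
+
+  return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
+}
+
+}  // namespace content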
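Review bot: The first five cases of the switch (`__NR_epoll_pwait`, `__NR_flock`, `__NR_getpriority`, `__NR_ioctl`, `__NR_mremap`) are allowed unconditionally, but the only rationale comment in the hunk (the "File system access cannot be restricted" block) justifies the open/openat-style cases that follow it, so the reason for unlocking `ioctl` in particular — the widest of these, since any request number on any descriptor now passes the filter — is not recorded anywhere in the new file. Each non-filesystem syscall that overrides the base policy should carry its own justification next to its case label, e.g. `// ioctl(): required by <Android component — TODO record> ; note this bypasses any ioctl argument restriction the base policy applies.`, and if the base policy or the seccomp-bpf helpers already filter `ioctl` by request number, returning that restricted ErrorCode for `__NR_ioctl` instead of ERR_ALLOWED would keep the Android policy from being strictly weaker than the baseline for no documented reason. A comment on `EvaluateSyscall` itself stating that this class only ever widens the base policy (every branch here returns ERR_ALLOWED or delegates) would also help the next maintainer. As a matter of style, the `override_and_allow` flag can be dropped by returning `sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED)` directly from the shared case body, which also makes the "allow" path visible at the case labels.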