content/common/android/sandbox_bpf_base_policy_android.cc - Issue 180783019: [Android] Define a baseline seccomp-bpf sandbox policy.

Side by Side Diff: content/common/android/sandbox_bpf_base_policy_android.cc

Issue 180783019: [Android] Define a baseline seccomp-bpf sandbox policy. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Move to //content Created 6 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2014 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "content/common/android/sandbox_bpf_base_policy_android.h"

	6

	7 #include <sys/types.h>

	8

	9 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"

	10 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

	11

	12 namespace content {

	13

	14 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid()

	15 : SandboxBPFBasePolicy() {}

	16

	17 SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {}

	18

	19 sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall(

	20 sandbox::SandboxBPF* sandbox,

	21 int sysno) const {

	22 bool allowed = false;

	23

	24 switch (sysno) {

	25 case __NR_open:
	jln (very slow on Chromium) 2014/03/31 22:57:43 libc have tended in the past to deprecate open in libc have tended in the past to deprecate open in favor of openat. You could add openat already, for future compatibility. Also FYI, ARM64 doesn't have open() anymore. Could you also add a comment to NR_open specifically. It breaks our traditional model, so explain that we expect uid separation to restrict file access and that this policy can only retrict the kernel's attack surface. Maybe even put it in a "section" of its own to make this extra clear. Also I'm a bit surprised that stat() / access() are not required, but that's not bad news :) Robert Sesek 2014/04/08 20:33:45 Added __NR_openat and put __NR_open behind __aarch Show quoted text On 2014/03/31 22:57:43, jln wrote: > libc have tended in the past to deprecate open in favor of openat. You could add > openat already, for future compatibility. Also FYI, ARM64 doesn't have open() > anymore. Added __NR_openat and put __NR_open behind __aarch64__. Show quoted text > Could you also add a comment to NR_open specifically. It breaks our traditional > model, so explain that we expect uid separation to restrict file access and that > this policy can only retrict the kernel's attack surface. Done. Show quoted text > Maybe even put it in a "section" of its own to make this extra clear. I initially had it in sections (c.f. "Why the extra space?"), but I've collapsed it all. Show quoted text > Also I'm a bit surprised that stat() / access() are not required, but that's not > bad news :) Me too shrug.
	26
	jln (very slow on Chromium) 2014/03/31 22:57:43 Why the extra space? Why the extra space? Robert Sesek 2014/04/08 20:33:45 Done. Show quoted text On 2014/03/31 22:57:43, jln wrote: > Why the extra space? Done.
	27 case __NR_uname:

	28

	29 case __NR_flock:
	jln (very slow on Chromium) 2014/03/31 22:57:43 Please, sort these in alphabetical order Please, sort these in alphabetical order Robert Sesek 2014/04/08 20:33:45 Done. Show quoted text On 2014/03/31 22:57:43, jln wrote: > Please, sort these in alphabetical order Done.
	30 case __NR_sigaltstack:

	31 case __NR_rt_sigtimedwait:

	32 case __NR_mremap:

	33 case __NR_ioctl:

	34 case __NR_pread64:

	35 case __NR_getpriority:

	36 case __NR_setpriority:

	37 case __NR_ugetrlimit:

	38 allowed = true;

	39 break;

	40 }

	41

	42 if (allowed)
	jln (very slow on Chromium) 2014/03/31 22:57:43 Nit: I find the construct a bit misleading, becaus Nit: I find the construct a bit misleading, because one could be tempted to disallow a system call by setting allow = false. Maybe rename "allowed" with "override_and_allow"? Robert Sesek 2014/04/08 20:33:45 Done. Show quoted text On 2014/03/31 22:57:43, jln wrote: > Nit: I find the construct a bit misleading, because one could be tempted to > disallow a system call by setting allow = false. > > Maybe rename "allowed" with "override_and_allow"? Done.
	43 return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED);

	44

	45 return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);

	46 }

	47

	48 } // namespace content

OLD	NEW

« no previous file with comments | « content/common/android/sandbox_bpf_base_policy_android.h ('k') | content/content_common.gypi » ('j') | content/content_common.gypi » ('J')