Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2004)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc

Issue 180783019: [Android] Define a baseline seccomp-bpf sandbox policy. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fun With Flags! Created 6 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h ('k') | content/content_common.gypi » ('j') | content/renderer/renderer_main_platform_delegate_android.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
diff --git a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
new file mode 100644
index 0000000000000000000000000000000000000000..5dac7b4517e0b6741fa1bdfdb2448bb401e3f7e8
--- /dev/null
+++ b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
@@ -0,0 +1,54 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
+
+#include <sys/types.h>
+
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+namespace content {
+
+SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid()
+ : SandboxBPFBasePolicy() {}
+
+SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {}
+
+sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall(
+ sandbox::SandboxBPF* sandbox,
+ int sysno) const {
+ bool override_and_allow = false;
+
+ switch (sysno) {
+ case __NR_epoll_pwait:
+ case __NR_flock:
+ case __NR_getpriority:
+ case __NR_ioctl:
+ case __NR_mremap:
+ // File system access cannot be restricted with seccomp-bpf on Android,
+ // since the JVM classloader and other Framework features require file
+ // access. It may be possible to restrict the filesystem with SELinux.
+ // Currently we rely on the app/service UID isolation to create a
+ // filesystem "sandbox".
+#if !defined(__aarch64__)
jochen (gone - plz use gerrit) 2014/04/10 07:37:42 should be ARCH_CPU_ARM64
Robert Sesek 2014/04/10 14:36:24 Done.
+ case __NR_open:
+#endif
+ case __NR_openat:
+ case __NR_pread64:
+ case __NR_rt_sigtimedwait:
+ case __NR_setpriority:
+ case __NR_sigaltstack:
+ case __NR_ugetrlimit:
+ case __NR_uname:
+ override_and_allow = true;
+ break;
+ }
+
+ if (override_and_allow)
+ return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED);
+
+ return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
+}
+
+} // namespace content
« no previous file with comments | « content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h ('k') | content/content_common.gypi » ('j') | content/renderer/renderer_main_platform_delegate_android.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698