Index: content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc |
diff --git a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..a3ef17f88c07e093e0d94cca0629c0b82b7df4e1 |
--- /dev/null |
+++ b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc |
@@ -0,0 +1,54 @@ |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h" |
+ |
+#include <sys/types.h> |
+ |
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
+ |
+namespace content { |
+ |
+SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() |
+ : SandboxBPFBasePolicy() {} |
+ |
+SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {} |
+ |
+sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall( |
+ sandbox::SandboxBPF* sandbox, |
+ int sysno) const { |
+ bool override_and_allow = false; |
+ |
+ switch (sysno) { |
+ case __NR_epoll_pwait: |
+ case __NR_flock: |
+ case __NR_getpriority: |
+ case __NR_ioctl: |
+ case __NR_mremap: |
+ // File system access cannot be restricted with seccomp-bpf on Android, |
+ // since the JVM classloader and other Framework features require file |
+ // access. It may be possible to restrict the filesystem with SELinux. |
+ // Currently we rely on the app/service UID isolation to create a |
+ // filesystem "sandbox". |
+#if !ARCH_CPU_ARM64 |
+ case __NR_open: |
+#endif |
+ case __NR_openat: |
+ case __NR_pread64: |
+ case __NR_rt_sigtimedwait: |
+ case __NR_setpriority: |
+ case __NR_sigaltstack: |
+ case __NR_ugetrlimit: |
+ case __NR_uname: |
+ override_and_allow = true; |
+ break; |
+ } |
+ |
+ if (override_and_allow) |
+ return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED); |
+ |
+ return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); |
+} |
+ |
+} // namespace content |
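Review bot: `__NR_ioctl` and `__NR_mremap` are allowed for every argument value, while the `sandbox` parameter that would permit argument-based filtering is only forwarded to the base policy, and nothing in the hunk records why those two broad syscalls must be opened on Android. The comment above `__NR_open` explains the file-system cases but physically follows `case __NR_mremap:`, so it reads as covering the whole list; a per-case note such as `// ioctl: every request code is allowed; TODO(review) narrow by request number once callers are catalogued.` would keep the rationale auditable. `#if !ARCH_CPU_ARM64` depends on the undefined macro evaluating to 0; the Chromium build_config.h convention is `#if !defined(ARCH_CPU_ARM64)`. The file includes only <sys/types.h> and sandbox_bpf.h, so the `__NR_*` and `ARCH_CPU_*` names presumably arrive transitively through the policy header — confirm, or include the syscall header and build_config.h directly.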