Index: content/common/android/sandbox_bpf_base_policy_android.cc |
diff --git a/content/common/android/sandbox_bpf_base_policy_android.cc b/content/common/android/sandbox_bpf_base_policy_android.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..3294e687c54687f4c174e323879a58119d5d1004 |
--- /dev/null |
+++ b/content/common/android/sandbox_bpf_base_policy_android.cc |
@@ -0,0 +1,48 @@ |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "content/common/android/sandbox_bpf_base_policy_android.h" |
+ |
+#include <sys/types.h> |
+ |
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" |
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
+ |
+namespace content { |
+ |
+SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() |
+ : SandboxBPFBasePolicy() {} |
+ |
+SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {} |
+ |
+sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall( |
+ sandbox::SandboxBPF* sandbox, |
+ int sysno) const { |
+ bool allowed = false; |
+ |
+ switch (sysno) { |
+ case __NR_open: |
jln (very slow on Chromium)
2014/03/31 22:57:43
libc have tended in the past to deprecate open in
Robert Sesek
2014/04/08 20:33:45
Added __NR_openat and put __NR_open behind __aarch
|
+ |
jln (very slow on Chromium)
2014/03/31 22:57:43
Why the extra space?
Robert Sesek
2014/04/08 20:33:45
Done.
|
+ case __NR_uname: |
+ |
+ case __NR_flock: |
jln (very slow on Chromium)
2014/03/31 22:57:43
Please, sort these in alphabetical order
Robert Sesek
2014/04/08 20:33:45
Done.
|
+ case __NR_sigaltstack: |
+ case __NR_rt_sigtimedwait: |
+ case __NR_mremap: |
+ case __NR_ioctl: |
+ case __NR_pread64: |
+ case __NR_getpriority: |
+ case __NR_setpriority: |
+ case __NR_ugetrlimit: |
+ allowed = true; |
+ break; |
+ } |
+ |
+ if (allowed) |
jln (very slow on Chromium)
2014/03/31 22:57:43
Nit: I find the construct a bit misleading, becaus
Robert Sesek
2014/04/08 20:33:45
Done.
|
+ return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED); |
+ |
+ return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); |
+} |
+ |
+} // namespace content |