sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h - Issue 226083005: Linux sandbox: componentize almost everything.

Unified Diff: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h

Issue 226083005: Linux sandbox: componentize almost everything. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Update dependencies. Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h

diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h

index 65b7c4721987000e56afb399169b29d111d1a6f5..aa1e0d101053488ea6277413c0582082c88770b7 100644

--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h

+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h

@@ -6,10 +6,11 @@

#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_

#include "build/build_config.h"

+#include "sandbox/linux/sandbox_export.h"

// These are helpers to build seccomp-bpf policies, i.e. policies for a

// sandbox that reduces the Linux kernel's attack surface. They return an

-// ErrorCode suitable to restrict certain system call parameters.

+// SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters.

namespace sandbox {

@@ -20,37 +21,38 @@ class SandboxBPF;

// Reject fork(2) attempts with EPERM.

// Don't restrict on ASAN.

// Crash if anything else is attempted.

-ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);

+SANDBOX_EXPORT ErrorCode

+ RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);

// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.

// Crash if anything else is attempted.

-ErrorCode RestrictPrctl(SandboxBPF* sandbox);

+SANDBOX_EXPORT ErrorCode RestrictPrctl(SandboxBPF* sandbox);

// Allow TCGETS and FIONREAD.

// Crash if anything else is attempted.

-ErrorCode RestrictIoctl(SandboxBPF* sandbox);

+SANDBOX_EXPORT ErrorCode RestrictIoctl(SandboxBPF* sandbox);

// Restrict the flags argument in mmap(2).

// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |

// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.

// Crash if any other flag is used.

-ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);

+SANDBOX_EXPORT ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);

// Restrict the prot argument in mprotect(2).

// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.

-ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);

+SANDBOX_EXPORT ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);

// Restrict fcntl(2) cmd argument to:

// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,

// F_SETLK, F_SETLKW and F_GETLK.

// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |

// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.

-ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);

+SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);

#if defined(__i386__)

// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),

// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).

-ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);

+SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);

#endif

} // namespace sandbox.

« no previous file with comments | « sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h ('k') | sandbox/linux/seccomp-bpf-helpers/syscall_sets.h » ('j') | no next file with comments »