Chromium Code Reviews
Description

[Android] Block __NR_getsockname via EPERM rather than SIGSYS.

While EPERM is not a documented errno return value for getsockname, some systems
issue this syscall and we do not want to permit it. Use EPERM to block it
instead of the baseline-policy SIGSYS so that the process does not crash. (Note
that SELinux would return EACCES for a neverallow getattr on socket files, so
EPERM is a useful differentiator).

This also fixes a bug in the i386 policy that attempts to restrict the
__NR_socketcall arguments. But since those reside in a userspace struct, they
are not safe to consult.

BUG=655300
R=rickyz@chromium.org

Committed: https://crrev.com/1f6acfe7dd08165baad36302b4388248e2854936
Cr-Commit-Position: refs/heads/master@{#430422}
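
The difference between the two blocking actions named in the description, as an added example written against the raw Linux seccomp-bpf interface in C (it is not Chromium's policy code and not part of this change). The helper name `probe_getsockname` and its return-code scheme are hypothetical; the filter omits the architecture check a production policy performs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run getsockname in a child whose seccomp filter applies
 * `action` to that syscall. Returns the child's errno (0 on success), the
 * negated signal number if it was killed, or 200+ if setup failed. */
int probe_getsockname(unsigned int action) {
    struct sock_filter prog[] = {
        /* A = seccomp_data.nr; a production policy validates .arch first. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* getsockname: fall through to `action`; anything else: skip to ALLOW. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getsockname, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };

    pid_t pid = fork();
    if (pid < 0) return 200;
    if (pid == 0) {
        int fd = socket(AF_UNIX, SOCK_STREAM, 0);  /* created before the filter */
        if (fd < 0) _exit(201);
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(202);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0) _exit(203);
        struct sockaddr_storage addr;
        socklen_t len = sizeof(addr);
        /* Raw syscall so the filter sees __NR_getsockname, not socketcall. */
        long rc = syscall(__NR_getsockname, fd, &addr, &len);
        _exit(rc == -1 ? errno : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return 204;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void) {
    /* EPERM: the call fails and the process keeps running. */
    int soft = probe_getsockname(SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    /* TRAP with no handler installed: the process dies from SIGSYS. */
    int hard = probe_getsockname(SECCOMP_RET_TRAP);
    return (soft == EPERM && hard == -SIGSYS) ? 0 : 1;
}
```

The filter only ever sees the syscall number and the raw argument registers, which is why the i386 `__NR_socketcall` arguments (a pointer into a userspace struct) cannot be inspected from it.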