OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 #include <utility> | 8 #include <utility> |
9 | 9 |
10 #include "base/macros.h" | 10 #include "base/macros.h" |
11 #include "build/build_config.h" | 11 #include "build/build_config.h" |
| 12 #include "sandbox/sandbox_features.h" |
12 | 13 |
13 #if defined(USE_SECCOMP_BPF) | 14 #if BUILDFLAG(USE_SECCOMP_BPF) |
14 | 15 |
15 #include <errno.h> | 16 #include <errno.h> |
16 #include <signal.h> | 17 #include <signal.h> |
17 #include <sys/ptrace.h> | 18 #include <sys/ptrace.h> |
18 #include <sys/types.h> | 19 #include <sys/types.h> |
19 #include <unistd.h> | 20 #include <unistd.h> |
20 | 21 |
21 #include "base/callback.h" | 22 #include "base/callback.h" |
22 #include "base/command_line.h" | 23 #include "base/command_line.h" |
23 #include "base/compiler_specific.h" | 24 #include "base/compiler_specific.h" |
24 #include "base/files/scoped_file.h" | 25 #include "base/files/scoped_file.h" |
25 #include "base/logging.h" | 26 #include "base/logging.h" |
26 #include "components/nacl/common/nacl_switches.h" | 27 #include "components/nacl/common/nacl_switches.h" |
27 #include "content/public/common/sandbox_init.h" | 28 #include "content/public/common/sandbox_init.h" |
28 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 29 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
29 #include "sandbox/linux/bpf_dsl/policy.h" | 30 #include "sandbox/linux/bpf_dsl/policy.h" |
30 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | 31 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
31 #include "sandbox/linux/system_headers/linux_syscalls.h" | 32 #include "sandbox/linux/system_headers/linux_syscalls.h" |
32 | 33 |
33 #endif // defined(USE_SECCOMP_BPF) | 34 #endif // BUILDFLAG(USE_SECCOMP_BPF) |
34 | 35 |
35 namespace nacl { | 36 namespace nacl { |
36 | 37 |
37 #if defined(USE_SECCOMP_BPF) | 38 #if BUILDFLAG(USE_SECCOMP_BPF) |
38 | 39 |
39 namespace { | 40 namespace { |
40 | 41 |
41 using sandbox::bpf_dsl::Allow; | 42 using sandbox::bpf_dsl::Allow; |
42 using sandbox::bpf_dsl::Error; | 43 using sandbox::bpf_dsl::Error; |
43 using sandbox::bpf_dsl::ResultExpr; | 44 using sandbox::bpf_dsl::ResultExpr; |
44 | 45 |
45 class NaClBPFSandboxPolicy : public sandbox::bpf_dsl::Policy { | 46 class NaClBPFSandboxPolicy : public sandbox::bpf_dsl::Policy { |
46 public: | 47 public: |
47 NaClBPFSandboxPolicy() | 48 NaClBPFSandboxPolicy() |
(...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
156 // Without the sandbox on, this ptrace call would ESRCH instead. | 157 // Without the sandbox on, this ptrace call would ESRCH instead. |
157 CHECK_EQ(EPERM, errno); | 158 CHECK_EQ(EPERM, errno); |
158 } | 159 } |
159 | 160 |
160 } // namespace | 161 } // namespace |
161 | 162 |
162 #else | 163 #else |
163 | 164 |
164 #error "Seccomp-bpf disabled on supported architecture!" | 165 #error "Seccomp-bpf disabled on supported architecture!" |
165 | 166 |
166 #endif // defined(USE_SECCOMP_BPF) | 167 #endif // BUILDFLAG(USE_SECCOMP_BPF) |
167 | 168 |
168 bool InitializeBPFSandbox(base::ScopedFD proc_fd) { | 169 bool InitializeBPFSandbox(base::ScopedFD proc_fd) { |
169 #if defined(USE_SECCOMP_BPF) | 170 #if BUILDFLAG(USE_SECCOMP_BPF) |
170 bool sandbox_is_initialized = content::InitializeSandbox( | 171 bool sandbox_is_initialized = content::InitializeSandbox( |
171 std::unique_ptr<sandbox::bpf_dsl::Policy>(new NaClBPFSandboxPolicy), | 172 std::unique_ptr<sandbox::bpf_dsl::Policy>(new NaClBPFSandboxPolicy), |
172 std::move(proc_fd)); | 173 std::move(proc_fd)); |
173 if (sandbox_is_initialized) { | 174 if (sandbox_is_initialized) { |
174 RunSandboxSanityChecks(); | 175 RunSandboxSanityChecks(); |
175 return true; | 176 return true; |
176 } | 177 } |
177 #endif // defined(USE_SECCOMP_BPF) | 178 #endif // BUILDFLAG(USE_SECCOMP_BPF) |
178 return false; | 179 return false; |
179 } | 180 } |
180 | 181 |
181 } // namespace nacl | 182 } // namespace nacl |
OLD | NEW |