sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h - Issue 2536103002: Linux Sandbox: Whitelist prlimit64 when used as getrlimit

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h

Issue 2536103002: Linux Sandbox: Whitelist prlimit64 when used as getrlimit (Closed)

Patch Set: Created 4 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « content/common/sandbox_linux/bpf_renderer_policy_linux.cc ('k') | sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_	5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_

6 #define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_	6 #define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_

7	7

8 #include <unistd.h>	8 #include <unistd.h>

9	9

10 #include "build/build_config.h"	10 #include "build/build_config.h"

(...skipping 80 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
91 // CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID. In particular, this disallows	91 // CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID. In particular, this disallows

92 // access to arbitrary per-{process,thread} CPU-time clock IDs (such as those	92 // access to arbitrary per-{process,thread} CPU-time clock IDs (such as those

93 // returned by {clock,pthread}_getcpuclockid), which can leak information	93 // returned by {clock,pthread}_getcpuclockid), which can leak information

94 // about the state of the host OS.	94 // about the state of the host OS.

95 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictClockID();	95 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictClockID();

96	96

97 // Restrict the flags argument to getrandom() to allow only no flags, or	97 // Restrict the flags argument to getrandom() to allow only no flags, or

98 // GRND_NONBLOCK.	98 // GRND_NONBLOCK.

99 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetRandom();	99 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetRandom();

100	100

	101 // Restrict \|new_limit\| to NULL, and \|pid\| to the calling process (or 0) for

	102 // prlimit64(). This allows only getting rlimits on the current process.

	103 // Otherwise, fail gracefully; see crbug.com/160157.

	104 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid);

	105

101 } // namespace sandbox.	106 } // namespace sandbox.

102	107

103 #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_	108 #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_

OLD	NEW