Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(225)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

Issue 2536103002: Linux Sandbox: Whitelist prlimit64 when used as getrlimit (Closed)
Patch Set: Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index 43f633ed78e398654441e2c182b1614ce0176360..061bfb480322ce27c95a844436c8a0775d02c37d 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -361,4 +361,12 @@ ResultExpr RestrictGetRandom() {
return If((flags & ~kGoodFlags) == 0, Allow()).Else(CrashSIGSYS());
}
+ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid) {
+ const Arg<pid_t> pid(0);
+ const Arg<uintptr_t> new_limit(2);
+ // Only allow 'get' operations, and only for the current process.
+ return If(AllOf(new_limit == 0, AnyOf(pid == 0, pid == target_pid)), Allow())
+ .Else(Error(EPERM));
+}
+
} // namespace sandbox.
« no previous file with comments | « sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698