| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <sys/mman.h> | 8 #include <sys/mman.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 79 SyscallSets::IsArmPciConfig(sysno) || | 79 SyscallSets::IsArmPciConfig(sysno) || |
| 80 #endif | 80 #endif |
| 81 SyscallSets::IsTimer(sysno); | 81 SyscallSets::IsTimer(sysno); |
| 82 } | 82 } |
| 83 | 83 |
| 84 // |fs_denied_errno| is the errno return for denied filesystem access. | 84 // |fs_denied_errno| is the errno return for denied filesystem access. |
| 85 ErrorCode EvaluateSyscallImpl(int fs_denied_errno, | 85 ErrorCode EvaluateSyscallImpl(int fs_denied_errno, |
| 86 pid_t current_pid, | 86 pid_t current_pid, |
| 87 SandboxBPF* sandbox, | 87 SandboxBPF* sandbox, |
| 88 int sysno) { | 88 int sysno) { |
| 89 #if defined(ADDRESS_SANITIZER) |
| 90 if (sysno == __NR_sigaltstack) { |
| 91 // Required for better stack overflow detection in ASan. Disallowed in |
| 92 // non-ASan builds. |
| 93 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 94 } |
| 95 #endif |
| 89 if (IsBaselinePolicyAllowed(sysno)) { | 96 if (IsBaselinePolicyAllowed(sysno)) { |
| 90 return ErrorCode(ErrorCode::ERR_ALLOWED); | 97 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 91 } | 98 } |
| 92 | 99 |
| 93 #if defined(__x86_64__) || defined(__arm__) | 100 #if defined(__x86_64__) || defined(__arm__) |
| 94 if (sysno == __NR_socketpair) { | 101 if (sysno == __NR_socketpair) { |
| 95 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. | 102 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
| 96 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); | 103 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); |
| 97 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, | 104 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, |
| 98 ErrorCode(ErrorCode::ERR_ALLOWED), | 105 ErrorCode(ErrorCode::ERR_ALLOWED), |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 183 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, | 190 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, |
| 184 int sysno) const { | 191 int sysno) const { |
| 185 // Make sure that this policy is used in the creating process. | 192 // Make sure that this policy is used in the creating process. |
| 186 if (1 == sysno) { | 193 if (1 == sysno) { |
| 187 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 194 DCHECK_EQ(syscall(__NR_getpid), current_pid_); |
| 188 } | 195 } |
| 189 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno); | 196 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno); |
| 190 } | 197 } |
| 191 | 198 |
| 192 } // namespace sandbox. | 199 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 253753003:
Enable use_sigaltstack=1 for ASan builds. This will ease the stack overflow detection. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src