OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ | 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ |
6 #define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ | 6 #define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ |
7 | 7 |
| 8 #include <unistd.h> |
| 9 |
8 #include "build/build_config.h" | 10 #include "build/build_config.h" |
9 #include "sandbox/linux/sandbox_export.h" | 11 #include "sandbox/linux/sandbox_export.h" |
10 | 12 |
11 // These are helpers to build seccomp-bpf policies, i.e. policies for a | 13 // These are helpers to build seccomp-bpf policies, i.e. policies for a |
12 // sandbox that reduces the Linux kernel's attack surface. They return an | 14 // sandbox that reduces the Linux kernel's attack surface. They return an |
13 // SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters. | 15 // SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters. |
14 | 16 |
15 namespace sandbox { | 17 namespace sandbox { |
16 | 18 |
17 class ErrorCode; | 19 class ErrorCode; |
(...skipping 30 matching lines...) Expand all Loading... |
48 // Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND | | 50 // Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND | |
49 // O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME. | 51 // O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME. |
50 SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox); | 52 SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox); |
51 | 53 |
52 #if defined(__i386__) | 54 #if defined(__i386__) |
53 // Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2), | 55 // Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2), |
54 // sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2). | 56 // sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2). |
55 SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox); | 57 SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox); |
56 #endif | 58 #endif |
57 | 59 |
| 60 // Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or |
| 61 // kill iff the first parameter is |target_pid|, crashing otherwise or if |
| 62 // |sysno| is tkill. |
| 63 ErrorCode RestrictKillTarget(pid_t target_pid, SandboxBPF* sandbox, int sysno); |
| 64 |
58 } // namespace sandbox. | 65 } // namespace sandbox. |
59 | 66 |
60 #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ | 67 #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ |
OLD | NEW |