| Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 | 
| diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 | 
| index c72b53adcb2607f9443ed3321abfab02b096ec50..508ae3ebf91176592073a27cb5883c455ec053a1 100644
 | 
| --- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 | 
| +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 | 
| @@ -6,8 +6,10 @@
 | 
|  
 | 
|  #include <errno.h>
 | 
|  #include <sys/mman.h>
 | 
| -#include <sys/types.h>
 | 
|  #include <sys/socket.h>
 | 
| +#include <sys/syscall.h>
 | 
| +#include <sys/types.h>
 | 
| +#include <unistd.h>
 | 
|  
 | 
|  #include "base/logging.h"
 | 
|  #include "build/build_config.h"
 | 
| @@ -42,7 +44,6 @@ bool IsBaselinePolicyAllowed(int sysno) {
 | 
|  #if defined(__arm__)
 | 
|           SyscallSets::IsArmPrivate(sysno) ||
 | 
|  #endif
 | 
| -         SyscallSets::IsKill(sysno) ||
 | 
|           SyscallSets::IsAllowedOperationOnFd(sysno);
 | 
|  }
 | 
|  
 | 
| @@ -63,6 +64,7 @@ bool IsBaselinePolicyWatched(int sysno) {
 | 
|           SyscallSets::IsInotify(sysno) ||
 | 
|           SyscallSets::IsKernelModule(sysno) ||
 | 
|           SyscallSets::IsKeyManagement(sysno) ||
 | 
| +         SyscallSets::IsKill(sysno) ||
 | 
|           SyscallSets::IsMessageQueue(sysno) ||
 | 
|           SyscallSets::IsMisc(sysno) ||
 | 
|  #if defined(__x86_64__)
 | 
| @@ -80,7 +82,9 @@ bool IsBaselinePolicyWatched(int sysno) {
 | 
|  }
 | 
|  
 | 
|  // |fs_denied_errno| is the errno return for denied filesystem access.
 | 
| -ErrorCode EvaluateSyscallImpl(int fs_denied_errno, SandboxBPF* sandbox,
 | 
| +ErrorCode EvaluateSyscallImpl(int fs_denied_errno,
 | 
| +                              pid_t current_pid,
 | 
| +                              SandboxBPF* sandbox,
 | 
|                                int sysno) {
 | 
|    if (IsBaselinePolicyAllowed(sysno)) {
 | 
|      return ErrorCode(ErrorCode::ERR_ALLOWED);
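Review bot: The comment above EvaluateSyscallImpl still documents only |fs_denied_errno|, while the signature now takes a second parameter, |current_pid|, whose meaning is left to the reader even though it is presumably compiled into the generated filter as a constant. I would extend the header comment with one line, e.g. `// |current_pid| is the pid of the process this policy is compiled for; signal-sending syscalls are only allowed to target it (see RestrictKillTarget).` The body of EvaluateSyscallImpl continues past the end of this hunk.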
 | 
| @@ -125,6 +129,10 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno, SandboxBPF* sandbox,
 | 
|      return RestrictFcntlCommands(sandbox);
 | 
|  #endif
 | 
|  
 | 
| +  if (SyscallSets::IsKill(sysno)) {
 | 
| +    return RestrictKillTarget(current_pid, sandbox, sysno);
 | 
| +  }
 | 
| +
 | 
|    if (SyscallSets::IsFileSystem(sysno) ||
 | 
|        SyscallSets::IsCurrentDirectory(sysno)) {
 | 
|      return ErrorCode(fs_denied_errno);
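Review bot: The new IsKill branch gives no hint of what RestrictKillTarget enforces, unlike the neighbouring branches whose errno or trap outcome is spelled out, and the name alone does not say that the pid captured at construction is the only permitted target. A one-line comment above the branch would make the security intent explicit, e.g. `// kill-family syscalls may only target this process; see RestrictKillTarget.` (I am inferring the semantics from the argument list, since RestrictKillTarget is not in this diff.) This branch sits inside EvaluateSyscallImpl, which starts and ends outside the hunk.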
 | 
| @@ -151,6 +159,7 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno, SandboxBPF* sandbox,
 | 
|      // be denied gracefully right away.
 | 
|      return sandbox->Trap(CrashSIGSYS_Handler, NULL);
 | 
|    }
 | 
| +
 | 
|    // In any other case crash the program with our SIGSYS handler.
 | 
|    return sandbox->Trap(CrashSIGSYS_Handler, NULL);
 | 
|  }
 | 
| @@ -160,16 +169,24 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno, SandboxBPF* sandbox,
 | 
|  // Unfortunately C++03 doesn't allow delegated constructors.
 | 
|  // Call other constructor when C++11 lands.
 | 
|  BaselinePolicy::BaselinePolicy()
 | 
| -    : fs_denied_errno_(EPERM) {}
 | 
| +    : fs_denied_errno_(EPERM), current_pid_(syscall(__NR_getpid)) {}
 | 
|  
 | 
|  BaselinePolicy::BaselinePolicy(int fs_denied_errno)
 | 
| -    : fs_denied_errno_(fs_denied_errno) {}
 | 
| +    : fs_denied_errno_(fs_denied_errno), current_pid_(syscall(__NR_getpid)) {}
 | 
|  
 | 
| -BaselinePolicy::~BaselinePolicy() {}
 | 
| +BaselinePolicy::~BaselinePolicy() {
 | 
| +  // Make sure that this policy is created, used and destroyed by a single
 | 
| +  // process.
 | 
| +  DCHECK_EQ(syscall(__NR_getpid), current_pid_);
 | 
| +}
 | 
|  
 | 
|  ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox,
 | 
|                                            int sysno) const {
 | 
| -  return EvaluateSyscallImpl(fs_denied_errno_, sandbox, sysno);
 | 
| +  // Make sure that this policy is used in the creating process.
 | 
| +  if (1 == sysno) {
 | 
| +    DCHECK_EQ(syscall(__NR_getpid), current_pid_);
 | 
| +  }
 | 
| +  return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno);
 | 
|  }
 | 
|  
 | 
|  }  // namespace sandbox.
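Review bot: The same-process invariant that the kill restriction depends on is enforced only with DCHECK_EQ in the destructor and in EvaluateSyscall, so in a release build a policy constructed before a fork and compiled in the child would bake the parent's pid into the filter and, assuming RestrictKillTarget compares against current_pid_, let the sandboxed child signal its parent without any diagnostic. The check in EvaluateSyscall runs once per policy compilation and is cheap, so I would make that one `CHECK_EQ(syscall(__NR_getpid), current_pid_);` and leave the destructor check as a DCHECK. The `1 == sysno` guard reads as a magic number; a comment such as `// EvaluateSyscall is called once per syscall number; sysno 1 is just an arbitrary one, used so this check runs exactly once.` would help. Finally, the reason for `syscall(__NR_getpid)` instead of getpid() is not stated; if it is to bypass the C library's cached pid, which can be stale after a raw clone, that deserves a comment next to the member initializer.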
 | 
| 
 |