| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" |
| 6 | 6 |
| 7 #include "build/build_config.h" | 7 #include "build/build_config.h" |
| 8 #include "sandbox/linux/services/linux_syscalls.h" | 8 #include "sandbox/linux/services/linux_syscalls.h" |
| 9 | 9 |
| 10 namespace sandbox { | 10 namespace sandbox { |
| (...skipping 11 matching lines...) Expand all Loading... |
| 22 return true; | 22 return true; |
| 23 default: | 23 default: |
| 24 return false; | 24 return false; |
| 25 } | 25 } |
| 26 } | 26 } |
| 27 | 27 |
| 28 bool SyscallSets::IsAllowedGettime(int sysno) { | 28 bool SyscallSets::IsAllowedGettime(int sysno) { |
| 29 switch (sysno) { | 29 switch (sysno) { |
| 30 case __NR_clock_gettime: | 30 case __NR_clock_gettime: |
| 31 case __NR_gettimeofday: | 31 case __NR_gettimeofday: |
| 32 #if defined(__i386__) || defined(__x86_64__) | 32 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 33 case __NR_time: | 33 case __NR_time: |
| 34 #endif | 34 #endif |
| 35 return true; | 35 return true; |
| 36 case __NR_adjtimex: // Privileged. | 36 case __NR_adjtimex: // Privileged. |
| 37 case __NR_clock_adjtime: // Privileged. | 37 case __NR_clock_adjtime: // Privileged. |
| 38 case __NR_clock_getres: // Could be allowed. | 38 case __NR_clock_getres: // Could be allowed. |
| 39 case __NR_clock_nanosleep: // Could be allowed. | 39 case __NR_clock_nanosleep: // Could be allowed. |
| 40 case __NR_clock_settime: // Privileged. | 40 case __NR_clock_settime: // Privileged. |
| 41 #if defined(__i386__) | 41 #if defined(__i386__) || defined(__mips__) |
| 42 case __NR_ftime: // Obsolete. | 42 case __NR_ftime: // Obsolete. |
| 43 #endif | 43 #endif |
| 44 case __NR_settimeofday: // Privileged. | 44 case __NR_settimeofday: // Privileged. |
| 45 #if defined(__i386__) | 45 #if defined(__i386__) || defined(__mips__) |
| 46 case __NR_stime: | 46 case __NR_stime: |
| 47 #endif | 47 #endif |
| 48 default: | 48 default: |
| 49 return false; | 49 return false; |
| 50 } | 50 } |
| 51 } | 51 } |
| 52 | 52 |
| 53 bool SyscallSets::IsCurrentDirectory(int sysno) { | 53 bool SyscallSets::IsCurrentDirectory(int sysno) { |
| 54 switch (sysno) { | 54 switch (sysno) { |
| 55 case __NR_getcwd: | 55 case __NR_getcwd: |
| (...skipping 26 matching lines...) Expand all Loading... |
| 82 #if defined(__i386__) || defined(__arm__) | 82 #if defined(__i386__) || defined(__arm__) |
| 83 case __NR_chown32: | 83 case __NR_chown32: |
| 84 #endif | 84 #endif |
| 85 case __NR_creat: | 85 case __NR_creat: |
| 86 case __NR_execve: | 86 case __NR_execve: |
| 87 case __NR_faccessat: // EPERM not a valid errno. | 87 case __NR_faccessat: // EPERM not a valid errno. |
| 88 case __NR_fchmodat: | 88 case __NR_fchmodat: |
| 89 case __NR_fchownat: // Should be called chownat ? | 89 case __NR_fchownat: // Should be called chownat ? |
| 90 #if defined(__x86_64__) | 90 #if defined(__x86_64__) |
| 91 case __NR_newfstatat: // fstatat(). EPERM not a valid errno. | 91 case __NR_newfstatat: // fstatat(). EPERM not a valid errno. |
| 92 #elif defined(__i386__) || defined(__arm__) | 92 #elif defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 93 case __NR_fstatat64: | 93 case __NR_fstatat64: |
| 94 #endif | 94 #endif |
| 95 case __NR_futimesat: // Should be called utimesat ? | 95 case __NR_futimesat: // Should be called utimesat ? |
| 96 case __NR_lchown: | 96 case __NR_lchown: |
| 97 #if defined(__i386__) || defined(__arm__) | 97 #if defined(__i386__) || defined(__arm__) |
| 98 case __NR_lchown32: | 98 case __NR_lchown32: |
| 99 #endif | 99 #endif |
| 100 case __NR_link: | 100 case __NR_link: |
| 101 case __NR_linkat: | 101 case __NR_linkat: |
| 102 case __NR_lookup_dcookie: // ENOENT not a valid errno. | 102 case __NR_lookup_dcookie: // ENOENT not a valid errno. |
| 103 case __NR_lstat: // EPERM not a valid errno. | 103 case __NR_lstat: // EPERM not a valid errno. |
| 104 #if defined(__i386__) | 104 #if defined(__i386__) |
| 105 case __NR_oldlstat: | 105 case __NR_oldlstat: |
| 106 #endif | 106 #endif |
| 107 #if defined(__i386__) || defined(__arm__) | 107 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 108 case __NR_lstat64: | 108 case __NR_lstat64: |
| 109 #endif | 109 #endif |
| 110 case __NR_mkdir: | 110 case __NR_mkdir: |
| 111 case __NR_mkdirat: | 111 case __NR_mkdirat: |
| 112 case __NR_mknod: | 112 case __NR_mknod: |
| 113 case __NR_mknodat: | 113 case __NR_mknodat: |
| 114 case __NR_open: | 114 case __NR_open: |
| 115 case __NR_openat: | 115 case __NR_openat: |
| 116 case __NR_readlink: // EPERM not a valid errno. | 116 case __NR_readlink: // EPERM not a valid errno. |
| 117 case __NR_readlinkat: | 117 case __NR_readlinkat: |
| 118 case __NR_rename: | 118 case __NR_rename: |
| 119 case __NR_renameat: | 119 case __NR_renameat: |
| 120 case __NR_rmdir: | 120 case __NR_rmdir: |
| 121 case __NR_stat: // EPERM not a valid errno. | 121 case __NR_stat: // EPERM not a valid errno. |
| 122 #if defined(__i386__) | 122 #if defined(__i386__) |
| 123 case __NR_oldstat: | 123 case __NR_oldstat: |
| 124 #endif | 124 #endif |
| 125 #if defined(__i386__) || defined(__arm__) | 125 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 126 case __NR_stat64: | 126 case __NR_stat64: |
| 127 #endif | 127 #endif |
| 128 case __NR_statfs: // EPERM not a valid errno. | 128 case __NR_statfs: // EPERM not a valid errno. |
| 129 #if defined(__i386__) || defined(__arm__) | 129 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 130 case __NR_statfs64: | 130 case __NR_statfs64: |
| 131 #endif | 131 #endif |
| 132 case __NR_symlink: | 132 case __NR_symlink: |
| 133 case __NR_symlinkat: | 133 case __NR_symlinkat: |
| 134 case __NR_truncate: | 134 case __NR_truncate: |
| 135 #if defined(__i386__) || defined(__arm__) | 135 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 136 case __NR_truncate64: | 136 case __NR_truncate64: |
| 137 #endif | 137 #endif |
| 138 case __NR_unlink: | 138 case __NR_unlink: |
| 139 case __NR_unlinkat: | 139 case __NR_unlinkat: |
| 140 case __NR_uselib: // Neither EPERM, nor ENOENT are valid errno. | 140 case __NR_uselib: // Neither EPERM, nor ENOENT are valid errno. |
| 141 case __NR_ustat: // Same as above. Deprecated. | 141 case __NR_ustat: // Same as above. Deprecated. |
| 142 #if defined(__i386__) || defined(__x86_64__) | 142 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 143 case __NR_utime: | 143 case __NR_utime: |
| 144 #endif | 144 #endif |
| 145 case __NR_utimensat: // New. | 145 case __NR_utimensat: // New. |
| 146 case __NR_utimes: | 146 case __NR_utimes: |
| 147 return true; | 147 return true; |
| 148 default: | 148 default: |
| 149 return false; | 149 return false; |
| 150 } | 150 } |
| 151 } | 151 } |
| 152 | 152 |
| 153 bool SyscallSets::IsAllowedFileSystemAccessViaFd(int sysno) { | 153 bool SyscallSets::IsAllowedFileSystemAccessViaFd(int sysno) { |
| 154 switch (sysno) { | 154 switch (sysno) { |
| 155 case __NR_fstat: | 155 case __NR_fstat: |
| 156 #if defined(__i386__) || defined(__arm__) | 156 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 157 case __NR_fstat64: | 157 case __NR_fstat64: |
| 158 #endif | 158 #endif |
| 159 return true; | 159 return true; |
| 160 // TODO(jln): these should be denied gracefully as well (moved below). | 160 // TODO(jln): these should be denied gracefully as well (moved below). |
| 161 #if defined(__i386__) || defined(__x86_64__) | 161 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 162 case __NR_fadvise64: // EPERM not a valid errno. | 162 case __NR_fadvise64: // EPERM not a valid errno. |
| 163 #endif | 163 #endif |
| 164 #if defined(__i386__) | 164 #if defined(__i386__) |
| 165 case __NR_fadvise64_64: | 165 case __NR_fadvise64_64: |
| 166 #endif | 166 #endif |
| 167 #if defined(__arm__) | 167 #if defined(__arm__) |
| 168 case __NR_arm_fadvise64_64: | 168 case __NR_arm_fadvise64_64: |
| 169 #endif | 169 #endif |
| 170 case __NR_fdatasync: // EPERM not a valid errno. | 170 case __NR_fdatasync: // EPERM not a valid errno. |
| 171 case __NR_flock: // EPERM not a valid errno. | 171 case __NR_flock: // EPERM not a valid errno. |
| 172 case __NR_fstatfs: // Give information about the whole filesystem. | 172 case __NR_fstatfs: // Give information about the whole filesystem. |
| 173 #if defined(__i386__) || defined(__arm__) | 173 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 174 case __NR_fstatfs64: | 174 case __NR_fstatfs64: |
| 175 #endif | 175 #endif |
| 176 case __NR_fsync: // EPERM not a valid errno. | 176 case __NR_fsync: // EPERM not a valid errno. |
| 177 #if defined(__i386__) | 177 #if defined(__i386__) |
| 178 case __NR_oldfstat: | 178 case __NR_oldfstat: |
| 179 #endif | 179 #endif |
| 180 #if defined(__i386__) || defined(__x86_64__) | 180 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 181 case __NR_sync_file_range: // EPERM not a valid errno. | 181 case __NR_sync_file_range: // EPERM not a valid errno. |
| 182 #elif defined(__arm__) | 182 #elif defined(__arm__) |
| 183 case __NR_arm_sync_file_range: // EPERM not a valid errno. | 183 case __NR_arm_sync_file_range: // EPERM not a valid errno. |
| 184 #endif | 184 #endif |
| 185 default: | 185 default: |
| 186 return false; | 186 return false; |
| 187 } | 187 } |
| 188 } | 188 } |
| 189 | 189 |
| 190 // EPERM is a good errno for any of these. | 190 // EPERM is a good errno for any of these. |
| 191 bool SyscallSets::IsDeniedFileSystemAccessViaFd(int sysno) { | 191 bool SyscallSets::IsDeniedFileSystemAccessViaFd(int sysno) { |
| 192 switch (sysno) { | 192 switch (sysno) { |
| 193 case __NR_fallocate: | 193 case __NR_fallocate: |
| 194 case __NR_fchmod: | 194 case __NR_fchmod: |
| 195 case __NR_fchown: | 195 case __NR_fchown: |
| 196 case __NR_ftruncate: | 196 case __NR_ftruncate: |
| 197 #if defined(__i386__) || defined(__arm__) | 197 #if defined(__i386__) || defined(__arm__) |
| 198 case __NR_fchown32: | 198 case __NR_fchown32: |
| 199 #endif |
| 200 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 199 case __NR_ftruncate64: | 201 case __NR_ftruncate64: |
| 200 #endif | 202 #endif |
| 201 case __NR_getdents: // EPERM not a valid errno. | 203 case __NR_getdents: // EPERM not a valid errno. |
| 202 case __NR_getdents64: // EPERM not a valid errno. | 204 case __NR_getdents64: // EPERM not a valid errno. |
| 203 #if defined(__i386__) | 205 #if defined(__i386__) || defined(__mips__) |
| 204 case __NR_readdir: | 206 case __NR_readdir: |
| 205 #endif | 207 #endif |
| 206 return true; | 208 return true; |
| 207 default: | 209 default: |
| 208 return false; | 210 return false; |
| 209 } | 211 } |
| 210 } | 212 } |
| 211 | 213 |
| 212 bool SyscallSets::IsGetSimpleId(int sysno) { | 214 bool SyscallSets::IsGetSimpleId(int sysno) { |
| 213 switch (sysno) { | 215 switch (sysno) { |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 281 default: | 283 default: |
| 282 return false; | 284 return false; |
| 283 } | 285 } |
| 284 } | 286 } |
| 285 | 287 |
| 286 bool SyscallSets::IsAllowedSignalHandling(int sysno) { | 288 bool SyscallSets::IsAllowedSignalHandling(int sysno) { |
| 287 switch (sysno) { | 289 switch (sysno) { |
| 288 case __NR_rt_sigaction: | 290 case __NR_rt_sigaction: |
| 289 case __NR_rt_sigprocmask: | 291 case __NR_rt_sigprocmask: |
| 290 case __NR_rt_sigreturn: | 292 case __NR_rt_sigreturn: |
| 291 #if defined(__i386__) || defined(__arm__) | 293 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 292 case __NR_sigaction: | 294 case __NR_sigaction: |
| 293 case __NR_sigprocmask: | 295 case __NR_sigprocmask: |
| 294 case __NR_sigreturn: | 296 case __NR_sigreturn: |
| 295 #endif | 297 #endif |
| 296 return true; | 298 return true; |
| 297 case __NR_rt_sigpending: | 299 case __NR_rt_sigpending: |
| 298 case __NR_rt_sigqueueinfo: | 300 case __NR_rt_sigqueueinfo: |
| 299 case __NR_rt_sigsuspend: | 301 case __NR_rt_sigsuspend: |
| 300 case __NR_rt_sigtimedwait: | 302 case __NR_rt_sigtimedwait: |
| 301 case __NR_rt_tgsigqueueinfo: | 303 case __NR_rt_tgsigqueueinfo: |
| 302 case __NR_sigaltstack: | 304 case __NR_sigaltstack: |
| 303 case __NR_signalfd: | 305 case __NR_signalfd: |
| 304 case __NR_signalfd4: | 306 case __NR_signalfd4: |
| 305 #if defined(__i386__) || defined(__arm__) | 307 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 306 case __NR_sigpending: | 308 case __NR_sigpending: |
| 307 case __NR_sigsuspend: | 309 case __NR_sigsuspend: |
| 308 #endif | 310 #endif |
| 309 #if defined(__i386__) | 311 #if defined(__i386__) || defined(__mips__) |
| 310 case __NR_signal: | 312 case __NR_signal: |
| 311 case __NR_sgetmask: // Obsolete. | 313 case __NR_sgetmask: // Obsolete. |
| 312 case __NR_ssetmask: | 314 case __NR_ssetmask: |
| 313 #endif | 315 #endif |
| 314 default: | 316 default: |
| 315 return false; | 317 return false; |
| 316 } | 318 } |
| 317 } | 319 } |
| 318 | 320 |
| 319 bool SyscallSets::IsAllowedOperationOnFd(int sysno) { | 321 bool SyscallSets::IsAllowedOperationOnFd(int sysno) { |
| 320 switch (sysno) { | 322 switch (sysno) { |
| 321 case __NR_close: | 323 case __NR_close: |
| 322 case __NR_dup: | 324 case __NR_dup: |
| 323 case __NR_dup2: | 325 case __NR_dup2: |
| 324 case __NR_dup3: | 326 case __NR_dup3: |
| 325 #if defined(__x86_64__) || defined(__arm__) | 327 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) |
| 326 case __NR_shutdown: | 328 case __NR_shutdown: |
| 327 #endif | 329 #endif |
| 328 return true; | 330 return true; |
| 329 case __NR_fcntl: | 331 case __NR_fcntl: |
| 330 #if defined(__i386__) || defined(__arm__) | 332 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 331 case __NR_fcntl64: | 333 case __NR_fcntl64: |
| 332 #endif | 334 #endif |
| 333 default: | 335 default: |
| 334 return false; | 336 return false; |
| 335 } | 337 } |
| 336 } | 338 } |
| 337 | 339 |
| 338 bool SyscallSets::IsKernelInternalApi(int sysno) { | 340 bool SyscallSets::IsKernelInternalApi(int sysno) { |
| 339 switch (sysno) { | 341 switch (sysno) { |
| 340 case __NR_restart_syscall: | 342 case __NR_restart_syscall: |
| (...skipping 15 matching lines...) Expand all Loading... |
| 356 case __NR_waitid: | 358 case __NR_waitid: |
| 357 #if defined(__i386__) | 359 #if defined(__i386__) |
| 358 case __NR_waitpid: | 360 case __NR_waitpid: |
| 359 #endif | 361 #endif |
| 360 return true; | 362 return true; |
| 361 case __NR_clone: // Should be parameter-restricted. | 363 case __NR_clone: // Should be parameter-restricted. |
| 362 case __NR_setns: // Privileged. | 364 case __NR_setns: // Privileged. |
| 363 case __NR_fork: | 365 case __NR_fork: |
| 364 #if defined(__i386__) || defined(__x86_64__) | 366 #if defined(__i386__) || defined(__x86_64__) |
| 365 case __NR_get_thread_area: | 367 case __NR_get_thread_area: |
| 368 #endif |
| 369 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 366 case __NR_set_thread_area: | 370 case __NR_set_thread_area: |
| 367 #endif | 371 #endif |
| 368 case __NR_set_tid_address: | 372 case __NR_set_tid_address: |
| 369 case __NR_unshare: | 373 case __NR_unshare: |
| 374 #if !defined(__mips__) |
| 370 case __NR_vfork: | 375 case __NR_vfork: |
| 376 #endif |
| 371 default: | 377 default: |
| 372 return false; | 378 return false; |
| 373 } | 379 } |
| 374 } | 380 } |
| 375 | 381 |
| 376 // It's difficult to restrict those, but there is attack surface here. | 382 // It's difficult to restrict those, but there is attack surface here. |
| 377 bool SyscallSets::IsAllowedFutex(int sysno) { | 383 bool SyscallSets::IsAllowedFutex(int sysno) { |
| 378 switch (sysno) { | 384 switch (sysno) { |
| 379 case __NR_get_robust_list: | 385 case __NR_get_robust_list: |
| 380 case __NR_set_robust_list: | 386 case __NR_set_robust_list: |
| (...skipping 22 matching lines...) Expand all Loading... |
| 403 return false; | 409 return false; |
| 404 } | 410 } |
| 405 } | 411 } |
| 406 | 412 |
| 407 bool SyscallSets::IsAllowedGetOrModifySocket(int sysno) { | 413 bool SyscallSets::IsAllowedGetOrModifySocket(int sysno) { |
| 408 switch (sysno) { | 414 switch (sysno) { |
| 409 case __NR_pipe: | 415 case __NR_pipe: |
| 410 case __NR_pipe2: | 416 case __NR_pipe2: |
| 411 return true; | 417 return true; |
| 412 default: | 418 default: |
| 413 #if defined(__x86_64__) || defined(__arm__) | 419 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) |
| 414 case __NR_socketpair: // We will want to inspect its argument. | 420 case __NR_socketpair: // We will want to inspect its argument. |
| 415 #endif | 421 #endif |
| 416 return false; | 422 return false; |
| 417 } | 423 } |
| 418 } | 424 } |
| 419 | 425 |
| 420 bool SyscallSets::IsDeniedGetOrModifySocket(int sysno) { | 426 bool SyscallSets::IsDeniedGetOrModifySocket(int sysno) { |
| 421 switch (sysno) { | 427 switch (sysno) { |
| 422 #if defined(__x86_64__) || defined(__arm__) | 428 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) |
| 423 case __NR_accept: | 429 case __NR_accept: |
| 424 case __NR_accept4: | 430 case __NR_accept4: |
| 425 case __NR_bind: | 431 case __NR_bind: |
| 426 case __NR_connect: | 432 case __NR_connect: |
| 427 case __NR_socket: | 433 case __NR_socket: |
| 428 case __NR_listen: | 434 case __NR_listen: |
| 429 return true; | 435 return true; |
| 430 #endif | 436 #endif |
| 431 default: | 437 default: |
| 432 return false; | 438 return false; |
| 433 } | 439 } |
| 434 } | 440 } |
| 435 | 441 |
| 436 #if defined(__i386__) | 442 #if defined(__i386__) || defined(__mips__) |
| 437 // Big multiplexing system call for sockets. | 443 // Big multiplexing system call for sockets. |
| 438 bool SyscallSets::IsSocketCall(int sysno) { | 444 bool SyscallSets::IsSocketCall(int sysno) { |
| 439 switch (sysno) { | 445 switch (sysno) { |
| 440 case __NR_socketcall: | 446 case __NR_socketcall: |
| 441 return true; | 447 return true; |
| 442 default: | 448 default: |
| 443 return false; | 449 return false; |
| 444 } | 450 } |
| 445 } | 451 } |
| 446 #endif | 452 #endif |
| 447 | 453 |
| 448 #if defined(__x86_64__) || defined(__arm__) | 454 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) |
| 449 bool SyscallSets::IsNetworkSocketInformation(int sysno) { | 455 bool SyscallSets::IsNetworkSocketInformation(int sysno) { |
| 450 switch (sysno) { | 456 switch (sysno) { |
| 451 case __NR_getpeername: | 457 case __NR_getpeername: |
| 452 case __NR_getsockname: | 458 case __NR_getsockname: |
| 453 case __NR_getsockopt: | 459 case __NR_getsockopt: |
| 454 case __NR_setsockopt: | 460 case __NR_setsockopt: |
| 455 return true; | 461 return true; |
| 456 default: | 462 default: |
| 457 return false; | 463 return false; |
| 458 } | 464 } |
| 459 } | 465 } |
| 460 #endif | 466 #endif |
| 461 | 467 |
| 462 bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) { | 468 bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) { |
| 463 switch (sysno) { | 469 switch (sysno) { |
| 464 case __NR_brk: | 470 case __NR_brk: |
| 465 case __NR_mlock: | 471 case __NR_mlock: |
| 466 case __NR_munlock: | 472 case __NR_munlock: |
| 467 case __NR_munmap: | 473 case __NR_munmap: |
| 468 return true; | 474 return true; |
| 469 case __NR_madvise: | 475 case __NR_madvise: |
| 470 case __NR_mincore: | 476 case __NR_mincore: |
| 471 case __NR_mlockall: | 477 case __NR_mlockall: |
| 472 #if defined(__i386__) || defined(__x86_64__) | 478 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 473 case __NR_mmap: | 479 case __NR_mmap: |
| 474 #endif | 480 #endif |
| 475 #if defined(__i386__) || defined(__arm__) | 481 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 476 case __NR_mmap2: | 482 case __NR_mmap2: |
| 477 #endif | 483 #endif |
| 478 #if defined(__i386__) || defined(__x86_64__) | 484 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 479 case __NR_modify_ldt: | 485 case __NR_modify_ldt: |
| 480 #endif | 486 #endif |
| 481 case __NR_mprotect: | 487 case __NR_mprotect: |
| 482 case __NR_mremap: | 488 case __NR_mremap: |
| 483 case __NR_msync: | 489 case __NR_msync: |
| 484 case __NR_munlockall: | 490 case __NR_munlockall: |
| 485 case __NR_readahead: | 491 case __NR_readahead: |
| 486 case __NR_remap_file_pages: | 492 case __NR_remap_file_pages: |
| 487 #if defined(__i386__) | 493 #if defined(__i386__) |
| 488 case __NR_vm86: | 494 case __NR_vm86: |
| 489 case __NR_vm86old: | 495 case __NR_vm86old: |
| 490 #endif | 496 #endif |
| 491 default: | 497 default: |
| 492 return false; | 498 return false; |
| 493 } | 499 } |
| 494 } | 500 } |
| 495 | 501 |
| 496 bool SyscallSets::IsAllowedGeneralIo(int sysno) { | 502 bool SyscallSets::IsAllowedGeneralIo(int sysno) { |
| 497 switch (sysno) { | 503 switch (sysno) { |
| 498 case __NR_lseek: | 504 case __NR_lseek: |
| 499 #if defined(__i386__) || defined(__arm__) | 505 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 500 case __NR__llseek: | 506 case __NR__llseek: |
| 501 #endif | 507 #endif |
| 502 case __NR_poll: | 508 case __NR_poll: |
| 503 case __NR_ppoll: | 509 case __NR_ppoll: |
| 504 case __NR_pselect6: | 510 case __NR_pselect6: |
| 505 case __NR_read: | 511 case __NR_read: |
| 506 case __NR_readv: | 512 case __NR_readv: |
| 507 #if defined(__arm__) | 513 #if defined(__arm__) || defined(__mips__) |
| 508 case __NR_recv: | 514 case __NR_recv: |
| 509 #endif | 515 #endif |
| 510 #if defined(__x86_64__) || defined(__arm__) | 516 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) |
| 511 case __NR_recvfrom: // Could specify source. | 517 case __NR_recvfrom: // Could specify source. |
| 512 case __NR_recvmsg: // Could specify source. | 518 case __NR_recvmsg: // Could specify source. |
| 513 #endif | 519 #endif |
| 514 #if defined(__i386__) || defined(__x86_64__) | 520 #if defined(__i386__) || defined(__x86_64__) |
| 515 case __NR_select: | 521 case __NR_select: |
| 516 #endif | 522 #endif |
| 517 #if defined(__i386__) || defined(__arm__) | 523 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 518 case __NR__newselect: | 524 case __NR__newselect: |
| 519 #endif | 525 #endif |
| 520 #if defined(__arm__) | 526 #if defined(__arm__) |
| 521 case __NR_send: | 527 case __NR_send: |
| 522 #endif | 528 #endif |
| 523 #if defined(__x86_64__) || defined(__arm__) | 529 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) |
| 524 case __NR_sendmsg: // Could specify destination. | 530 case __NR_sendmsg: // Could specify destination. |
| 525 case __NR_sendto: // Could specify destination. | 531 case __NR_sendto: // Could specify destination. |
| 526 #endif | 532 #endif |
| 527 case __NR_write: | 533 case __NR_write: |
| 528 case __NR_writev: | 534 case __NR_writev: |
| 529 return true; | 535 return true; |
| 530 case __NR_ioctl: // Can be very powerful. | 536 case __NR_ioctl: // Can be very powerful. |
| 531 case __NR_pread64: | 537 case __NR_pread64: |
| 532 case __NR_preadv: | 538 case __NR_preadv: |
| 533 case __NR_pwrite64: | 539 case __NR_pwrite64: |
| 534 case __NR_pwritev: | 540 case __NR_pwritev: |
| 535 case __NR_recvmmsg: // Could specify source. | 541 case __NR_recvmmsg: // Could specify source. |
| 536 case __NR_sendfile: | 542 case __NR_sendfile: |
| 537 #if defined(__i386__) || defined(__arm__) | 543 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 538 case __NR_sendfile64: | 544 case __NR_sendfile64: |
| 539 #endif | 545 #endif |
| 540 case __NR_sendmmsg: // Could specify destination. | 546 case __NR_sendmmsg: // Could specify destination. |
| 541 case __NR_splice: | 547 case __NR_splice: |
| 542 case __NR_tee: | 548 case __NR_tee: |
| 543 case __NR_vmsplice: | 549 case __NR_vmsplice: |
| 544 default: | 550 default: |
| 545 return false; | 551 return false; |
| 546 } | 552 } |
| 547 } | 553 } |
| (...skipping 10 matching lines...) Expand all Loading... |
| 558 } | 564 } |
| 559 } | 565 } |
| 560 | 566 |
| 561 bool SyscallSets::IsAllowedBasicScheduler(int sysno) { | 567 bool SyscallSets::IsAllowedBasicScheduler(int sysno) { |
| 562 switch (sysno) { | 568 switch (sysno) { |
| 563 case __NR_sched_yield: | 569 case __NR_sched_yield: |
| 564 case __NR_pause: | 570 case __NR_pause: |
| 565 case __NR_nanosleep: | 571 case __NR_nanosleep: |
| 566 return true; | 572 return true; |
| 567 case __NR_getpriority: | 573 case __NR_getpriority: |
| 568 #if defined(__i386__) || defined(__arm__) | 574 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 569 case __NR_nice: | 575 case __NR_nice: |
| 570 #endif | 576 #endif |
| 571 case __NR_setpriority: | 577 case __NR_setpriority: |
| 572 default: | 578 default: |
| 573 return false; | 579 return false; |
| 574 } | 580 } |
| 575 } | 581 } |
| 576 | 582 |
| 577 bool SyscallSets::IsAdminOperation(int sysno) { | 583 bool SyscallSets::IsAdminOperation(int sysno) { |
| 578 switch (sysno) { | 584 switch (sysno) { |
| 579 #if defined(__i386__) || defined(__arm__) | 585 #if defined(__i386__) || defined(__arm__) || defined(__mips__) |
| 580 case __NR_bdflush: | 586 case __NR_bdflush: |
| 581 #endif | 587 #endif |
| 582 case __NR_kexec_load: | 588 case __NR_kexec_load: |
| 583 case __NR_reboot: | 589 case __NR_reboot: |
| 584 case __NR_setdomainname: | 590 case __NR_setdomainname: |
| 585 case __NR_sethostname: | 591 case __NR_sethostname: |
| 586 case __NR_syslog: | 592 case __NR_syslog: |
| 587 return true; | 593 return true; |
| 588 default: | 594 default: |
| 589 return false; | 595 return false; |
| 590 } | 596 } |
| 591 } | 597 } |
| 592 | 598 |
| 593 bool SyscallSets::IsKernelModule(int sysno) { | 599 bool SyscallSets::IsKernelModule(int sysno) { |
| 594 switch (sysno) { | 600 switch (sysno) { |
| 595 #if defined(__i386__) || defined(__x86_64__) | 601 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 596 case __NR_create_module: | 602 case __NR_create_module: |
| 597 case __NR_get_kernel_syms: // Should ENOSYS. | 603 case __NR_get_kernel_syms: // Should ENOSYS. |
| 598 case __NR_query_module: | 604 case __NR_query_module: |
| 599 #endif | 605 #endif |
| 600 case __NR_delete_module: | 606 case __NR_delete_module: |
| 601 case __NR_init_module: | 607 case __NR_init_module: |
| 602 return true; | 608 return true; |
| 603 default: | 609 default: |
| 604 return false; | 610 return false; |
| 605 } | 611 } |
| (...skipping 10 matching lines...) Expand all Loading... |
| 616 } | 622 } |
| 617 } | 623 } |
| 618 | 624 |
| 619 bool SyscallSets::IsFsControl(int sysno) { | 625 bool SyscallSets::IsFsControl(int sysno) { |
| 620 switch (sysno) { | 626 switch (sysno) { |
| 621 case __NR_mount: | 627 case __NR_mount: |
| 622 case __NR_nfsservctl: | 628 case __NR_nfsservctl: |
| 623 case __NR_quotactl: | 629 case __NR_quotactl: |
| 624 case __NR_swapoff: | 630 case __NR_swapoff: |
| 625 case __NR_swapon: | 631 case __NR_swapon: |
| 626 #if defined(__i386__) | 632 #if defined(__i386__) || defined(__mips__) |
| 627 case __NR_umount: | 633 case __NR_umount: |
| 628 #endif | 634 #endif |
| 629 case __NR_umount2: | 635 case __NR_umount2: |
| 630 return true; | 636 return true; |
| 631 default: | 637 default: |
| 632 return false; | 638 return false; |
| 633 } | 639 } |
| 634 } | 640 } |
| 635 | 641 |
| 636 bool SyscallSets::IsNuma(int sysno) { | 642 bool SyscallSets::IsNuma(int sysno) { |
| 637 switch (sysno) { | 643 switch (sysno) { |
| 638 case __NR_get_mempolicy: | 644 case __NR_get_mempolicy: |
| 639 case __NR_getcpu: | 645 case __NR_getcpu: |
| 640 case __NR_mbind: | 646 case __NR_mbind: |
| 641 #if defined(__i386__) || defined(__x86_64__) | 647 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 642 case __NR_migrate_pages: | 648 case __NR_migrate_pages: |
| 643 #endif | 649 #endif |
| 644 case __NR_move_pages: | 650 case __NR_move_pages: |
| 645 case __NR_set_mempolicy: | 651 case __NR_set_mempolicy: |
| 646 return true; | 652 return true; |
| 647 default: | 653 default: |
| 648 return false; | 654 return false; |
| 649 } | 655 } |
| 650 } | 656 } |
| 651 | 657 |
| 652 bool SyscallSets::IsMessageQueue(int sysno) { | 658 bool SyscallSets::IsMessageQueue(int sysno) { |
| 653 switch (sysno) { | 659 switch (sysno) { |
| 654 case __NR_mq_getsetattr: | 660 case __NR_mq_getsetattr: |
| 655 case __NR_mq_notify: | 661 case __NR_mq_notify: |
| 656 case __NR_mq_open: | 662 case __NR_mq_open: |
| 657 case __NR_mq_timedreceive: | 663 case __NR_mq_timedreceive: |
| 658 case __NR_mq_timedsend: | 664 case __NR_mq_timedsend: |
| 659 case __NR_mq_unlink: | 665 case __NR_mq_unlink: |
| 660 return true; | 666 return true; |
| 661 default: | 667 default: |
| 662 return false; | 668 return false; |
| 663 } | 669 } |
| 664 } | 670 } |
| 665 | 671 |
| 666 bool SyscallSets::IsGlobalProcessEnvironment(int sysno) { | 672 bool SyscallSets::IsGlobalProcessEnvironment(int sysno) { |
| 667 switch (sysno) { | 673 switch (sysno) { |
| 668 case __NR_acct: // Privileged. | 674 case __NR_acct: // Privileged. |
| 669 #if defined(__i386__) || defined(__x86_64__) | 675 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 670 case __NR_getrlimit: | 676 case __NR_getrlimit: |
| 671 #endif | 677 #endif |
| 672 #if defined(__i386__) || defined(__arm__) | 678 #if defined(__i386__) || defined(__arm__) |
| 673 case __NR_ugetrlimit: | 679 case __NR_ugetrlimit: |
| 674 #endif | 680 #endif |
| 675 #if defined(__i386__) | 681 #if defined(__i386__) || defined(__mips__) |
| 676 case __NR_ulimit: | 682 case __NR_ulimit: |
| 677 #endif | 683 #endif |
| 678 case __NR_getrusage: | 684 case __NR_getrusage: |
| 679 case __NR_personality: // Can change its personality as well. | 685 case __NR_personality: // Can change its personality as well. |
| 680 case __NR_prlimit64: // Like setrlimit / getrlimit. | 686 case __NR_prlimit64: // Like setrlimit / getrlimit. |
| 681 case __NR_setrlimit: | 687 case __NR_setrlimit: |
| 682 case __NR_times: | 688 case __NR_times: |
| 683 return true; | 689 return true; |
| 684 default: | 690 default: |
| 685 return false; | 691 return false; |
| 686 } | 692 } |
| 687 } | 693 } |
| 688 | 694 |
| 689 bool SyscallSets::IsDebug(int sysno) { | 695 bool SyscallSets::IsDebug(int sysno) { |
| 690 switch (sysno) { | 696 switch (sysno) { |
| 691 case __NR_ptrace: | 697 case __NR_ptrace: |
| 692 case __NR_process_vm_readv: | 698 case __NR_process_vm_readv: |
| 693 case __NR_process_vm_writev: | 699 case __NR_process_vm_writev: |
| 694 #if defined(__i386__) || defined(__x86_64__) | 700 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 695 case __NR_kcmp: | 701 case __NR_kcmp: |
| 696 #endif | 702 #endif |
| 697 return true; | 703 return true; |
| 698 default: | 704 default: |
| 699 return false; | 705 return false; |
| 700 } | 706 } |
| 701 } | 707 } |
| 702 | 708 |
| 703 bool SyscallSets::IsGlobalSystemStatus(int sysno) { | 709 bool SyscallSets::IsGlobalSystemStatus(int sysno) { |
| 704 switch (sysno) { | 710 switch (sysno) { |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 787 case __NR_msgget: | 793 case __NR_msgget: |
| 788 case __NR_msgrcv: | 794 case __NR_msgrcv: |
| 789 case __NR_msgsnd: | 795 case __NR_msgsnd: |
| 790 return true; | 796 return true; |
| 791 default: | 797 default: |
| 792 return false; | 798 return false; |
| 793 } | 799 } |
| 794 } | 800 } |
| 795 #endif | 801 #endif |
| 796 | 802 |
| 797 #if defined(__i386__) | 803 #if defined(__i386__) || defined(__mips__) |
| 798 // Big system V multiplexing system call. | 804 // Big system V multiplexing system call. |
| 799 bool SyscallSets::IsSystemVIpc(int sysno) { | 805 bool SyscallSets::IsSystemVIpc(int sysno) { |
| 800 switch (sysno) { | 806 switch (sysno) { |
| 801 case __NR_ipc: | 807 case __NR_ipc: |
| 802 return true; | 808 return true; |
| 803 default: | 809 default: |
| 804 return false; | 810 return false; |
| 805 } | 811 } |
| 806 } | 812 } |
| 807 #endif | 813 #endif |
| 808 | 814 |
| 809 bool SyscallSets::IsAnySystemV(int sysno) { | 815 bool SyscallSets::IsAnySystemV(int sysno) { |
| 810 #if defined(__x86_64__) || defined(__arm__) | 816 #if defined(__x86_64__) || defined(__arm__) |
| 811 return IsSystemVMessageQueue(sysno) || IsSystemVSemaphores(sysno) || | 817 return IsSystemVMessageQueue(sysno) || IsSystemVSemaphores(sysno) || |
| 812 IsSystemVSharedMemory(sysno); | 818 IsSystemVSharedMemory(sysno); |
| 813 #elif defined(__i386__) | 819 #elif defined(__i386__) || defined(__mips__) |
| 814 return IsSystemVIpc(sysno); | 820 return IsSystemVIpc(sysno); |
| 815 #endif | 821 #endif |
| 816 } | 822 } |
| 817 | 823 |
| 818 bool SyscallSets::IsAdvancedScheduler(int sysno) { | 824 bool SyscallSets::IsAdvancedScheduler(int sysno) { |
| 819 switch (sysno) { | 825 switch (sysno) { |
| 820 case __NR_ioprio_get: // IO scheduler. | 826 case __NR_ioprio_get: // IO scheduler. |
| 821 case __NR_ioprio_set: | 827 case __NR_ioprio_set: |
| 822 case __NR_sched_get_priority_max: | 828 case __NR_sched_get_priority_max: |
| 823 case __NR_sched_get_priority_min: | 829 case __NR_sched_get_priority_min: |
| (...skipping 28 matching lines...) Expand all Loading... |
| 852 case __NR_fanotify_mark: | 858 case __NR_fanotify_mark: |
| 853 return true; | 859 return true; |
| 854 default: | 860 default: |
| 855 return false; | 861 return false; |
| 856 } | 862 } |
| 857 } | 863 } |
| 858 | 864 |
| 859 bool SyscallSets::IsTimer(int sysno) { | 865 bool SyscallSets::IsTimer(int sysno) { |
| 860 switch (sysno) { | 866 switch (sysno) { |
| 861 case __NR_getitimer: | 867 case __NR_getitimer: |
| 862 #if defined(__i386__) || defined(__x86_64__) | 868 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 863 case __NR_alarm: | 869 case __NR_alarm: |
| 864 #endif | 870 #endif |
| 865 case __NR_setitimer: | 871 case __NR_setitimer: |
| 866 return true; | 872 return true; |
| 867 default: | 873 default: |
| 868 return false; | 874 return false; |
| 869 } | 875 } |
| 870 } | 876 } |
| 871 | 877 |
| 872 bool SyscallSets::IsAdvancedTimer(int sysno) { | 878 bool SyscallSets::IsAdvancedTimer(int sysno) { |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 908 // Various system calls that need to be researched. | 914 // Various system calls that need to be researched. |
| 909 // TODO(jln): classify this better. | 915 // TODO(jln): classify this better. |
| 910 bool SyscallSets::IsMisc(int sysno) { | 916 bool SyscallSets::IsMisc(int sysno) { |
| 911 switch (sysno) { | 917 switch (sysno) { |
| 912 case __NR_name_to_handle_at: | 918 case __NR_name_to_handle_at: |
| 913 case __NR_open_by_handle_at: | 919 case __NR_open_by_handle_at: |
| 914 case __NR_perf_event_open: | 920 case __NR_perf_event_open: |
| 915 case __NR_syncfs: | 921 case __NR_syncfs: |
| 916 case __NR_vhangup: | 922 case __NR_vhangup: |
| 917 // The system calls below are not implemented. | 923 // The system calls below are not implemented. |
| 918 #if defined(__i386__) || defined(__x86_64__) | 924 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 919 case __NR_afs_syscall: | 925 case __NR_afs_syscall: |
| 920 #endif | 926 #endif |
| 921 #if defined(__i386__) | 927 #if defined(__i386__) || defined(__mips__) |
| 922 case __NR_break: | 928 case __NR_break: |
| 923 #endif | 929 #endif |
| 924 #if defined(__i386__) || defined(__x86_64__) | 930 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 925 case __NR_getpmsg: | 931 case __NR_getpmsg: |
| 926 #endif | 932 #endif |
| 927 #if defined(__i386__) | 933 #if defined(__i386__) || defined(__mips__) |
| 928 case __NR_gtty: | 934 case __NR_gtty: |
| 929 case __NR_idle: | 935 case __NR_idle: |
| 930 case __NR_lock: | 936 case __NR_lock: |
| 931 case __NR_mpx: | 937 case __NR_mpx: |
| 932 case __NR_prof: | 938 case __NR_prof: |
| 933 case __NR_profil: | 939 case __NR_profil: |
| 934 #endif | 940 #endif |
| 935 #if defined(__i386__) || defined(__x86_64__) | 941 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
| 936 case __NR_putpmsg: | 942 case __NR_putpmsg: |
| 937 #endif | 943 #endif |
| 938 #if defined(__x86_64__) | 944 #if defined(__x86_64__) |
| 939 case __NR_security: | 945 case __NR_security: |
| 940 #endif | 946 #endif |
| 941 #if defined(__i386__) | 947 #if defined(__i386__) || defined(__mips__) |
| 942 case __NR_stty: | 948 case __NR_stty: |
| 943 #endif | 949 #endif |
| 944 #if defined(__x86_64__) | 950 #if defined(__x86_64__) |
| 945 case __NR_tuxcall: | 951 case __NR_tuxcall: |
| 946 #endif | 952 #endif |
| 947 case __NR_vserver: | 953 case __NR_vserver: |
| 948 return true; | 954 return true; |
| 949 default: | 955 default: |
| 950 return false; | 956 return false; |
| 951 } | 957 } |
| (...skipping 18 matching lines...) Expand all Loading... |
| 970 case __ARM_NR_set_tls: | 976 case __ARM_NR_set_tls: |
| 971 case __ARM_NR_usr26: | 977 case __ARM_NR_usr26: |
| 972 case __ARM_NR_usr32: | 978 case __ARM_NR_usr32: |
| 973 return true; | 979 return true; |
| 974 default: | 980 default: |
| 975 return false; | 981 return false; |
| 976 } | 982 } |
| 977 } | 983 } |
| 978 #endif // defined(__arm__) | 984 #endif // defined(__arm__) |
| 979 | 985 |
| 986 #if defined(__mips__) |
| 987 bool SyscallSets::IsMipsPrivate(int sysno) { |
| 988 switch (sysno) { |
| 989 case __NR_cacheflush: |
| 990 case __NR_cachectl: |
| 991 return true; |
| 992 default: |
| 993 return false; |
| 994 } |
| 995 } |
| 996 |
| 997 bool SyscallSets::IsMipsMisc(int sysno) { |
| 998 switch (sysno) { |
| 999 case __NR_sysmips: |
| 1000 case __NR_unused150: |
| 1001 return true; |
| 1002 default: |
| 1003 return false; |
| 1004 } |
| 1005 } |
| 1006 #endif // defined(__mips__) |
| 980 } // namespace sandbox. | 1007 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 260793003:
[MIPS] Add seccomp bpf support (Closed)
Base URL: https://git.chromium.org/git/chromium/src.git@master