Side by Side Diff: components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc

Issue 270613008: Linux sandbox: always restrict clone() in baseline policy. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Disable on ASAN and TSAN. Created 6 years, 7 months ago
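--- a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
@@ -1,10 +1,10 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
 
 #include <errno.h>
 #include <signal.h>
 #include <sys/ptrace.h>
 
@@ -67,20 +67,21 @@
 
  private:
   scoped_ptr<SandboxBPFPolicy> baseline_policy_;
   DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy);
 };
 
 ErrorCode NaClBPFSandboxPolicy::EvaluateSyscall(
     sandbox::SandboxBPF* sb, int sysno) const {
   DCHECK(baseline_policy_);
   switch (sysno) {
+    case __NR_clone:  // TODO(jln): restrict parameters.
     // TODO(jln): NaCl's GDB debug stub uses the following socket system calls,
     // see if it can be restricted a bit.
 #if defined(__x86_64__) || defined(__arm__)
     // transport_common.cc needs this.
     case __NR_accept:
     case __NR_setsockopt:
 #elif defined(__i386__)
     case __NR_socketcall:
 #endif
     // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is
@@ -169,10 +170,10 @@
       scoped_ptr<SandboxBPFPolicy>(new NaClBPFSandboxPolicy()));
   if (sandbox_is_initialized) {
     RunSandboxSanityChecks();
     return true;
   }
 #endif  // defined(USE_SECCOMP_BPF)
   return false;
 }
 
 }  // namespace nacl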
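Review bot: The new `case __NR_clone:` at new line 77 joins the fall-through chain shared with `__NR_accept`, `__NR_setsockopt` and `__NR_socketcall`, whose common handler lies beyond the visible lines; if that handler is an unconditional allow, this change hands the NaCl loader an unfiltered clone() at the very moment the baseline policy starts restricting it, and the one-word TODO does not record which clone flags NaCl actually needs or why the baseline restriction is insufficient for it. That reasoning is what a later engineer needs in order to close the TODO with a flag filter, so I would expand the comment, for example `// TODO(jln): restrict parameters. NaCl's untrusted thread creation needs clone() flags the baseline policy rejects (document which); until filtered, clone() is allowed unrestricted here.`, with the flag list filled in from NaCl's thread-creation path. Chromium style also puts two spaces before a trailing comment, so `case __NR_clone:  // TODO(jln): ...`. EvaluateSyscall continues outside the hunk, so the actual fall-through target should be checked when landing.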