| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
" | 5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
" |
| 6 | 6 |
| 7 #include <sys/types.h> | 7 #include <sys/types.h> |
| 8 | 8 |
| 9 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 9 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 10 | 10 |
| 11 namespace content { | 11 namespace content { |
| 12 | 12 |
| 13 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() | 13 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() |
| 14 : SandboxBPFBasePolicy() {} | 14 : SandboxBPFBasePolicy() {} |
| 15 | 15 |
| 16 SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {} | 16 SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {} |
| 17 | 17 |
| 18 sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall( | 18 sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall( |
| 19 sandbox::SandboxBPF* sandbox, | 19 sandbox::SandboxBPF* sandbox, |
| 20 int sysno) const { | 20 int sysno) const { |
| 21 bool override_and_allow = false; | 21 bool override_and_allow = false; |
| 22 | 22 |
| 23 switch (sysno) { | 23 switch (sysno) { |
| 24 // TODO(rsesek): restrict clone parameters. |
| 25 case __NR_clone: |
| 24 case __NR_epoll_pwait: | 26 case __NR_epoll_pwait: |
| 25 case __NR_flock: | 27 case __NR_flock: |
| 26 case __NR_getpriority: | 28 case __NR_getpriority: |
| 27 case __NR_ioctl: | 29 case __NR_ioctl: |
| 28 case __NR_mremap: | 30 case __NR_mremap: |
| 29 // File system access cannot be restricted with seccomp-bpf on Android, | 31 // File system access cannot be restricted with seccomp-bpf on Android, |
| 30 // since the JVM classloader and other Framework features require file | 32 // since the JVM classloader and other Framework features require file |
| 31 // access. It may be possible to restrict the filesystem with SELinux. | 33 // access. It may be possible to restrict the filesystem with SELinux. |
| 32 // Currently we rely on the app/service UID isolation to create a | 34 // Currently we rely on the app/service UID isolation to create a |
| 33 // filesystem "sandbox". | 35 // filesystem "sandbox". |
| 49 break; | 51 break; |
| 50 } | 52 } |
| 51 | 53 |
| 52 if (override_and_allow) | 54 if (override_and_allow) |
| 53 return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED); | 55 return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED); |
| 54 | 56 |
| 55 return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); | 57 return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); |
| 56 } | 58 } |
| 57 | 59 |
| 58 } // namespace content | 60 } // namespace content |
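Review bot: The new `case __NR_clone:` (new-side line 25) falls into the `override_and_allow` group, so clone is allowed with any flags argument — fork-style and namespace-creating clones included, not just thread creation — and whatever narrower handling the base policy applies to clone is bypassed for Android. The TODO records that parameters should be restricted but not why a blanket allow is acceptable in the meantime, which is the part a later reader needs when deciding whether it can stay. If unrestricted clone is needed because the Android runtime forks, say so in the comment, e.g. `// TODO(rsesek): restrict clone parameters. Allowed unrestricted for now because the Android runtime needs fork-style clone; any flags, including namespace creation, are currently permitted.`; if only thread creation is needed, filtering the flags argument (as the sandbox's existing clone-restriction helper does, allowing thread flags and EPERM-ing fork) would be the safer default. EvaluateSyscall's body is complete on the page, but the page elides old lines 34–48 / new lines 36–50 inside the switch, so the rest of the allow list is not visible here.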