OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <sys/mman.h> | 8 #include <sys/mman.h> |
9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
90 if (sysno == __NR_sigaltstack) { | 90 if (sysno == __NR_sigaltstack) { |
91 // Required for better stack overflow detection in ASan. Disallowed in | 91 // Required for better stack overflow detection in ASan. Disallowed in |
92 // non-ASan builds. | 92 // non-ASan builds. |
93 return ErrorCode(ErrorCode::ERR_ALLOWED); | 93 return ErrorCode(ErrorCode::ERR_ALLOWED); |
94 } | 94 } |
95 #endif | 95 #endif |
96 if (IsBaselinePolicyAllowed(sysno)) { | 96 if (IsBaselinePolicyAllowed(sysno)) { |
97 return ErrorCode(ErrorCode::ERR_ALLOWED); | 97 return ErrorCode(ErrorCode::ERR_ALLOWED); |
98 } | 98 } |
99 | 99 |
| 100 if (sysno == __NR_clone) { |
| 101 return RestrictCloneToThreadsAndEPERMFork(sandbox); |
| 102 } |
| 103 |
100 #if defined(__x86_64__) || defined(__arm__) | 104 #if defined(__x86_64__) || defined(__arm__) |
101 if (sysno == __NR_socketpair) { | 105 if (sysno == __NR_socketpair) { |
102 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. | 106 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
103 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); | 107 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); |
104 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, | 108 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, |
105 ErrorCode(ErrorCode::ERR_ALLOWED), | 109 ErrorCode(ErrorCode::ERR_ALLOWED), |
106 sandbox->Trap(CrashSIGSYS_Handler, NULL)); | 110 sandbox->Trap(CrashSIGSYS_Handler, NULL)); |
107 } | 111 } |
108 #endif | 112 #endif |
109 | 113 |
(...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
190 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, | 194 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, |
191 int sysno) const { | 195 int sysno) const { |
192 // Make sure that this policy is used in the creating process. | 196 // Make sure that this policy is used in the creating process. |
193 if (1 == sysno) { | 197 if (1 == sysno) { |
194 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 198 DCHECK_EQ(syscall(__NR_getpid), current_pid_); |
195 } | 199 } |
196 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno); | 200 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno); |
197 } | 201 } |
198 | 202 |
199 } // namespace sandbox. | 203 } // namespace sandbox. |
OLD | NEW |