Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

Issue 270613008: Linux sandbox: always restrict clone() in baseline policy. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Disable on ASAN and TSAN. Created 6 years, 7 months ago
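--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
 
 #include <errno.h>
 #include <sys/mman.h>
 #include <sys/socket.h>
 #include <sys/syscall.h>
@@ -90,20 +90,24 @@
   if (sysno == __NR_sigaltstack) {
     // Required for better stack overflow detection in ASan. Disallowed in
     // non-ASan builds.
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 #endif
   if (IsBaselinePolicyAllowed(sysno)) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 
+  if (sysno == __NR_clone) {
+    return RestrictCloneToThreadsAndEPERMFork(sandbox);
+  }
+
 #if defined(__x86_64__) || defined(__arm__)
   if (sysno == __NR_socketpair) {
     // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
     COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
                          sandbox->Trap(CrashSIGSYS_Handler, NULL));
   }
 #endif
 
@@ -190,10 +194,10 @@
 ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                           int sysno) const {
   // Make sure that this policy is used in the creating process.
   if (1 == sysno) {
     DCHECK_EQ(syscall(__NR_getpid), current_pid_);
   }
   return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno);
 }
 
 } // namespace sandbox.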
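Review bot: The new `__NR_clone` check (new lines 100-102) is only reached if `IsBaselinePolicyAllowed(sysno)` on line 96 has not already returned ERR_ALLOWED for clone, so the restriction silently depends on that helper's allow list, which is outside this hunk; a comment next to the new check would make that ordering invariant explicit, e.g. `// clone() must not be in the IsBaselinePolicyAllowed() set, otherwise this restriction is bypassed.` The patch-set title says the restriction is disabled on ASan and TSan, but no such guard is visible in this hunk, so presumably it lives in `RestrictCloneToThreadsAndEPERMFork` or in the skipped lines above; if it does not, the new code applies unconditionally on those builds. The enclosing function `EvaluateSyscallImpl` begins before line 90 and its end is outside the hunk.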