
Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc

Issue 270613008: Linux sandbox: always restrict clone() in baseline policy. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Disable on ASAN and TSAN. Created 6 years, 7 months ago
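--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 
 #include "build/build_config.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
 namespace sandbox {
@@ -343,29 +343,29 @@
 #endif
 return true;
 default:
 return false;
 }
 }
 
 // This should be thought through in conjunction with IsFutex().
 bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
 switch (sysno) {
-case __NR_clone: // TODO(jln): restrict flags.
 case __NR_exit:
 case __NR_exit_group:
 case __NR_wait4:
 case __NR_waitid:
 #if defined(__i386__)
 case __NR_waitpid:
 #endif
 return true;
+case __NR_clone: // Should be parameter-restricted.
 case __NR_setns: // Privileged.
 case __NR_fork:
 #if defined(__i386__) || defined(__x86_64__)
 case __NR_get_thread_area:
 case __NR_set_thread_area:
 #endif
 case __NR_set_tid_address:
 case __NR_unshare:
 case __NR_vfork:
 default:
@@ -971,10 +971,10 @@
 case __ARM_NR_usr26:
 case __ARM_NR_usr32:
 return true;
 default:
 return false;
 }
 }
 #endif // defined(__arm__)
 
 } // namespace sandbox.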
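Review bot: The new comment on `__NR_clone` at new line 361 of IsAllowedProcessStartOrDeath reads like an open TODO, whereas the change moves clone() out of the unconditionally-allowed group so that a parameter-restricting rule elsewhere in the baseline policy (presumably the sibling syscall_parameters_restrictions.cc listed in this change) decides it. A reader auditing the sets in isolation cannot tell that clone is now meant to be flag-filtered rather than simply blocked, and any policy that consults only this set will reject every clone(), including plain thread creation, with whatever action its default branch applies. I would state the contract explicitly: `case __NR_clone:  // Not allowed here; the baseline policy must install a flag-restricted clone() rule before consulting this set.` The body of IsAllowedProcessStartOrDeath continues past the hunk, so the return value for the `default:` branch is inferred, not visible; the `// This should be thought through in conjunction with IsFutex().` header could likewise mention the clone rule now that thread creation depends on both.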