| Index: sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
|
| diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
|
| index 792807ac72f4c1ee9d7d575e25247ac6cd1ab2b5..5f8785ea376d076abcb153a6a71e863ce4c74def 100644
|
| --- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
|
| +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
|
| @@ -350,7 +350,6 @@ bool SyscallSets::IsKernelInternalApi(int sysno) {
|
| // This should be thought through in conjunction with IsFutex().
|
| bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
|
| switch (sysno) {
|
| - case __NR_clone: // TODO(jln): restrict flags.
|
| case __NR_exit:
|
| case __NR_exit_group:
|
| case __NR_wait4:
|
| @@ -359,6 +358,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
|
| case __NR_waitpid:
|
| #endif
|
| return true;
|
| + case __NR_clone: // Should be parameter-restricted.
|
| case __NR_setns: // Privileged.
|
| case __NR_fork:
|
| #if defined(__i386__) || defined(__x86_64__)
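Review bot: The comment on the moved `case __NR_clone:` says it "should be parameter-restricted" but not where that restriction lives, so a reader of IsAllowedProcessStartOrDeath() cannot tell whether clone is now filtered or simply denied. The return statement for the group clone joins (next to `__NR_setns` and `__NR_fork`) is outside the hunk; presumably it is `return false`. If so, every policy that relied on this set to permit thread creation needs its own argument-filtered clone rule, or clone will hit that policy's default action. I would spell this out in the comment, e.g. `case __NR_clone:  // Not allowed here; each policy must add a rule that filters the clone flags.`. It is also worth confirming that each policy calling this helper has such a rule and a test that thread creation still works while other flag combinations are rejected.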
|
|
|