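--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/net.h>
 #include <sys/socket.h>
@@ -80,20 +80,24 @@
 #endif
 #if defined(__x86_64__) || defined(__aarch64__)
 case __NR_newfstatat:
 case __NR_getdents64:
 #elif defined(__i386__) || defined(__arm__) || defined(__mips__)
 case __NR_fstatat64:
 case __NR_getdents:
 #endif
 case __NR_getpriority:
 case __NR_ioctl:
+#if defined(__i386__)
+// While mincore is on multiple arches, it is only used on Android by x86.
+case __NR_mincore: // https://crbug.com/701137
+#endif
 case __NR_mremap:
 #if defined(__i386__)
 // Used on pre-N to initialize threads in ART.
 case __NR_modify_ldt:
 #endif
 case __NR_msync:
 // File system access cannot be restricted with seccomp-bpf on Android,
 // since the JVM classloader and other Framework features require file
 // access. It may be possible to restrict the filesystem with SELinux.
 // Currently we rely on the app/service UID isolation to create a
@@ -173,39 +177,43 @@
 .Else(Error(EPERM));
 }
 
 // https://crbug.com/655300
 if (sysno == __NR_getsockname) {
 // Rather than blocking with SIGSYS, just return an error. This is not
 // documented to be a valid errno, but we will use it anyways.
 return Error(EPERM);
 }
 
-// https://crbug.com/682488
+// https://crbug.com/682488, https://crbug.com/701137
 if (sysno == __NR_setsockopt) {
 // The baseline policy applies other restrictions to setsockopt.
 const Arg<int> level(1);
 const Arg<int> option(2);
-return If(AllOf(level == SOL_SOCKET, option == SO_SNDTIMEO), Allow())
+return If(AllOf(level == SOL_SOCKET,
+AnyOf(option == SO_SNDTIMEO,
+option == SO_RCVTIMEO,
+option == SO_REUSEADDR)),
+Allow())
 .Else(SandboxBPFBasePolicy::EvaluateSyscall(sysno));
 }
 #elif defined(__i386__)
 if (sysno == __NR_socketcall) {
 // The baseline policy allows other socketcall sub-calls.
 const Arg<int> socketcall(0);
 return Switch(socketcall)
 .CASES((SYS_CONNECT,
 SYS_SOCKET,
 SYS_SETSOCKOPT,
 SYS_GETSOCKOPT),
 Allow())
 .Default(SandboxBPFBasePolicy::EvaluateSyscall(sysno));
 }
 #endif
 
 if (override_and_allow)
 return Allow();
 
 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
 }
 
 } // namespace content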
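Review bot: The widened setsockopt allow-list at new lines 192-196 carries no rationale for SO_RCVTIMEO and SO_REUSEADDR beyond the bug id appended on line 187, and since each entry is a deliberate hole in the seccomp policy the comment on line 189 should say why each option is needed, e.g. `// SOL_SOCKET timeouts (SO_SNDTIMEO/SO_RCVTIMEO) and SO_REUSEADDR are needed by <caller not stated on this page>; every other setsockopt falls through to the baseline policy's restrictions.` Note also that on i386 the socketcall branch at lines 200-210 allows SYS_SETSOCKOPT outright, so the per-option filter appears to hold only on architectures with a direct setsockopt syscall; seccomp-bpf cannot inspect the sub-call arguments that socketcall passes through memory, which is worth stating next to the `SYS_SETSOCKOPT` case so the asymmetry is not read as an oversight. The enclosing function that dispatches on `sysno`, and the architecture `#if` block these branches live in, start outside the hunk.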