Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(187)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/seccomp-bpf/demo.cc

Issue 293993006: Revert of Remove SandboxBPF's dependency on CompatibilityPolicy (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | sandbox/linux/seccomp-bpf/sandbox_bpf.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <errno.h> 5 #include <errno.h>
6 #include <fcntl.h> 6 #include <fcntl.h>
7 #include <linux/unistd.h> 7 #include <linux/unistd.h>
8 #include <netinet/in.h> 8 #include <netinet/in.h>
9 #include <netinet/tcp.h> 9 #include <netinet/tcp.h>
10 #include <netinet/udp.h> 10 #include <netinet/udp.h>
11 #include <pthread.h> 11 #include <pthread.h>
12 #include <signal.h> 12 #include <signal.h>
13 #include <stdarg.h> 13 #include <stdarg.h>
14 #include <stdio.h> 14 #include <stdio.h>
15 #include <stdlib.h> 15 #include <stdlib.h>
16 #include <string.h> 16 #include <string.h>
17 #include <sys/ioctl.h> 17 #include <sys/ioctl.h>
18 #include <sys/ipc.h> 18 #include <sys/ipc.h>
19 #include <sys/mman.h> 19 #include <sys/mman.h>
20 #include <sys/prctl.h> 20 #include <sys/prctl.h>
21 #include <sys/resource.h> 21 #include <sys/resource.h>
22 #include <sys/shm.h> 22 #include <sys/shm.h>
23 #include <sys/socket.h> 23 #include <sys/socket.h>
24 #include <sys/time.h> 24 #include <sys/time.h>
25 #include <sys/types.h> 25 #include <sys/types.h>
26 #include <time.h> 26 #include <time.h>
27 #include <unistd.h> 27 #include <unistd.h>
28 28
29 #include "base/macros.h"
30 #include "base/posix/eintr_wrapper.h" 29 #include "base/posix/eintr_wrapper.h"
31 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" 30 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
32 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
33 #include "sandbox/linux/services/linux_syscalls.h" 31 #include "sandbox/linux/services/linux_syscalls.h"
34 32
35 using sandbox::ErrorCode; 33 using sandbox::ErrorCode;
36 using sandbox::SandboxBPF; 34 using sandbox::SandboxBPF;
37 using sandbox::SandboxBPFPolicy;
38 using sandbox::arch_seccomp_data; 35 using sandbox::arch_seccomp_data;
39 36
40 #define ERR EPERM 37 #define ERR EPERM
41 38
42 // We don't expect our sandbox to do anything useful yet. So, we will fail 39 // We don't expect our sandbox to do anything useful yet. So, we will fail
43 // almost immediately. For now, force the code to continue running. The 40 // almost immediately. For now, force the code to continue running. The
44 // following line should be removed as soon as the sandbox is starting to 41 // following line should be removed as soon as the sandbox is starting to
45 // actually enforce restrictions in a meaningful way: 42 // actually enforce restrictions in a meaningful way:
46 #define _exit(x) do { } while (0) 43 #define _exit(x) do { } while (0)
47 44
(...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after
233 230
234 ptr = strrchr(ptr, '\000'); 231 ptr = strrchr(ptr, '\000');
235 strncat(ptr, msg1, sizeof(buf) - (ptr - buf)); 232 strncat(ptr, msg1, sizeof(buf) - (ptr - buf));
236 233
237 ptr = strrchr(ptr, '\000'); 234 ptr = strrchr(ptr, '\000');
238 if (HANDLE_EINTR(write(2, buf, ptr - buf))) { } 235 if (HANDLE_EINTR(write(2, buf, ptr - buf))) { }
239 236
240 return -ERR; 237 return -ERR;
241 } 238 }
242 239
243 class DemoPolicy : public SandboxBPFPolicy { 240 ErrorCode Evaluator(SandboxBPF* sandbox, int sysno, void *) {
244 public:
245 DemoPolicy() {}
246 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
247 int sysno) const OVERRIDE;
248
249 private:
250 DISALLOW_COPY_AND_ASSIGN(DemoPolicy);
251 };
252
253 ErrorCode DemoPolicy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const {
254 switch (sysno) { 241 switch (sysno) {
255 #if defined(__NR_accept) 242 #if defined(__NR_accept)
256 case __NR_accept: case __NR_accept4: 243 case __NR_accept: case __NR_accept4:
257 #endif 244 #endif
258 case __NR_alarm: 245 case __NR_alarm:
259 case __NR_brk: 246 case __NR_brk:
260 case __NR_clock_gettime: 247 case __NR_clock_gettime:
261 case __NR_close: 248 case __NR_close:
262 case __NR_dup: case __NR_dup2: 249 case __NR_dup: case __NR_dup2:
263 case __NR_epoll_create: case __NR_epoll_ctl: case __NR_epoll_wait: 250 case __NR_epoll_create: case __NR_epoll_ctl: case __NR_epoll_wait:
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after
426 if (argc) { } 413 if (argc) { }
427 if (argv) { } 414 if (argv) { }
428 int proc_fd = open("/proc", O_RDONLY|O_DIRECTORY); 415 int proc_fd = open("/proc", O_RDONLY|O_DIRECTORY);
429 if (SandboxBPF::SupportsSeccompSandbox(proc_fd) != 416 if (SandboxBPF::SupportsSeccompSandbox(proc_fd) !=
430 SandboxBPF::STATUS_AVAILABLE) { 417 SandboxBPF::STATUS_AVAILABLE) {
431 perror("sandbox"); 418 perror("sandbox");
432 _exit(1); 419 _exit(1);
433 } 420 }
434 SandboxBPF sandbox; 421 SandboxBPF sandbox;
435 sandbox.set_proc_fd(proc_fd); 422 sandbox.set_proc_fd(proc_fd);
436 sandbox.SetSandboxPolicy(new DemoPolicy()); 423 sandbox.SetSandboxPolicyDeprecated(Evaluator, NULL);
437 if (!sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)) { 424 if (!sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)) {
438 fprintf(stderr, "StartSandbox() failed"); 425 fprintf(stderr, "StartSandbox() failed");
439 _exit(1); 426 _exit(1);
440 } 427 }
441 428
442 // Check that we can create threads 429 // Check that we can create threads
443 pthread_t thr; 430 pthread_t thr;
444 if (!pthread_create(&thr, NULL, ThreadFnc, 431 if (!pthread_create(&thr, NULL, ThreadFnc,
445 reinterpret_cast<void *>(0x1234))) { 432 reinterpret_cast<void *>(0x1234))) {
446 void *ret; 433 void *ret;
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after
533 perror("pthread_create"); 520 perror("pthread_create");
534 _exit(1); 521 _exit(1);
535 } 522 }
536 } 523 }
537 for (int i = 0; i < kSendmsgStressNumThreads; ++i) { 524 for (int i = 0; i < kSendmsgStressNumThreads; ++i) {
538 pthread_join(sendmsgStressThreads[i], NULL); 525 pthread_join(sendmsgStressThreads[i], NULL);
539 } 526 }
540 527
541 return 0; 528 return 0;
542 } 529 }
OLDNEW
« no previous file with comments | « no previous file | sandbox/linux/seccomp-bpf/sandbox_bpf.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698