| Index: sandbox/linux/seccomp-bpf/sandbox_bpf.cc
|
| diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
|
| index c5c6f61c904fe31523f1802cc2a3d9d5fc87e772..18bd30fb910134b8f601c116fe65e2bef399db89 100644
|
| --- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
|
| +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
|
| @@ -22,10 +22,10 @@
|
|
|
| #include "base/compiler_specific.h"
|
| #include "base/logging.h"
|
| -#include "base/macros.h"
|
| #include "base/memory/scoped_ptr.h"
|
| #include "base/posix/eintr_wrapper.h"
|
| #include "sandbox/linux/seccomp-bpf/codegen.h"
|
| +#include "sandbox/linux/seccomp-bpf/sandbox_bpf_compatibility_policy.h"
|
| #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
|
| #include "sandbox/linux/seccomp-bpf/syscall.h"
|
| #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
|
| @@ -57,26 +57,20 @@
|
|
|
| // We define a really simple sandbox policy. It is just good enough for us
|
| // to tell that the sandbox has actually been activated.
|
| -class ProbePolicy : public SandboxBPFPolicy {
|
| - public:
|
| - ProbePolicy() {}
|
| - virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysnum) const OVERRIDE {
|
| - switch (sysnum) {
|
| - case __NR_getpid:
|
| - // Return EPERM so that we can check that the filter actually ran.
|
| - return ErrorCode(EPERM);
|
| - case __NR_exit_group:
|
| - // Allow exit() with a non-default return code.
|
| - return ErrorCode(ErrorCode::ERR_ALLOWED);
|
| - default:
|
| - // Make everything else fail in an easily recognizable way.
|
| - return ErrorCode(EINVAL);
|
| - }
|
| - }
|
| -
|
| - private:
|
| - DISALLOW_COPY_AND_ASSIGN(ProbePolicy);
|
| -};
|
| +ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) __attribute__((const));
|
| +ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) {
|
| + switch (sysnum) {
|
| + case __NR_getpid:
|
| + // Return EPERM so that we can check that the filter actually ran.
|
| + return ErrorCode(EPERM);
|
| + case __NR_exit_group:
|
| + // Allow exit() with a non-default return code.
|
| + return ErrorCode(ErrorCode::ERR_ALLOWED);
|
| + default:
|
| + // Make everything else fail in an easily recognizable way.
|
| + return ErrorCode(EINVAL);
|
| + }
|
| +}
|
|
|
| void ProbeProcess(void) {
|
| if (syscall(__NR_getpid) < 0 && errno == EPERM) {
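Review bot: The `__attribute__((const))` on the ProbeEvaluator declaration is a strong promise to the compiler (no side effects, result depends only on the argument values, no reads of global memory) that the definition must honour; it holds here only if every ErrorCode constructor used in the switch is side-effect free, which the hunk does not show, and it lets the optimizer fold repeated calls with the same arguments. The attribute is also GCC/Clang-specific, and the sibling AllowAllEvaluator in the next hunk is declared without it, so a one-line comment on the declaration would help the next reader: `// Pure function of |sysnum|: ErrorCode construction here must stay side-effect free.`. If the intent is not to rely on the promise at all, dropping the attribute is the simpler choice.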
|
| @@ -84,17 +78,10 @@
|
| }
|
| }
|
|
|
| -class AllowAllPolicy : public SandboxBPFPolicy {
|
| - public:
|
| - AllowAllPolicy() {}
|
| - virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysnum) const OVERRIDE {
|
| - DCHECK(SandboxBPF::IsValidSyscallNumber(sysnum));
|
| - return ErrorCode(ErrorCode::ERR_ALLOWED);
|
| - }
|
| -
|
| - private:
|
| - DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy);
|
| -};
|
| +ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) {
|
| + DCHECK(SandboxBPF::IsValidSyscallNumber(sysnum));
|
| + return ErrorCode(ErrorCode::ERR_ALLOWED);
|
| +}
|
|
|
| void TryVsyscallProcess(void) {
|
| time_t current_time;
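Review bot: AllowAllEvaluator permits every system call with only a DCHECK on the number, and unlike ProbeEvaluator it has no comment saying why an allow-everything policy is acceptable; the only caller visible in this diff installs it for the TryVsyscallProcess probe, and in release builds the DCHECK is compiled out so nothing rejects an invalid |sysnum|. A header comment would keep it from being picked up as a general-purpose policy: `// Permissive evaluator for the vsyscall probe child only; not a real sandbox policy.`. TryVsyscallProcess itself starts at the end of this hunk and continues outside it.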
|
| @@ -252,7 +239,8 @@
|
| }
|
|
|
| bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
|
| - scoped_ptr<SandboxBPFPolicy> policy) {
|
| + EvaluateSyscall syscall_evaluator,
|
| + void* aux) {
|
| // Block all signals before forking a child process. This prevents an
|
| // attacker from manipulating our test by sending us an unexpected signal.
|
| sigset_t old_mask, new_mask;
|
| @@ -322,7 +310,7 @@
|
| #endif
|
| }
|
|
|
| - SetSandboxPolicy(policy.release());
|
| + SetSandboxPolicyDeprecated(syscall_evaluator, aux);
|
| if (!StartSandbox(PROCESS_SINGLE_THREADED)) {
|
| SANDBOX_DIE(NULL);
|
| }
|
| @@ -371,11 +359,8 @@
|
| }
|
|
|
| bool SandboxBPF::KernelSupportSeccompBPF() {
|
| - return RunFunctionInPolicy(ProbeProcess,
|
| - scoped_ptr<SandboxBPFPolicy>(new ProbePolicy())) &&
|
| - RunFunctionInPolicy(
|
| - TryVsyscallProcess,
|
| - scoped_ptr<SandboxBPFPolicy>(new AllowAllPolicy()));
|
| + return RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) &&
|
| + RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0);
|
| }
|
|
|
| SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
|
| @@ -488,6 +473,15 @@
|
| SANDBOX_DIE("Policies should deny invalid system calls.");
|
| }
|
| return;
|
| +}
|
| +
|
| +// Deprecated API, supported with a wrapper to the new API.
|
| +void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
|
| + void* aux) {
|
| + if (sandbox_has_started_ || !conds_) {
|
| + SANDBOX_DIE("Cannot change policy after sandbox has started");
|
| + }
|
| + SetSandboxPolicy(new CompatibilityPolicy<void>(syscall_evaluator, aux));
|
| }
|
|
|
| // Don't take a scoped_ptr here, polymorphism make their use awkward.
|
|
|