Index: components/nacl/loader/nonsfi/nonsfi_sandbox.cc |
diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc |
index 7ffb20e68b16160997ee7190b612eaaad7b08a6f..f22f4a467bc8cb951f159bc3120f44c414692edf 100644 |
--- a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc |
+++ b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc |
@@ -80,19 +80,26 @@ ErrorCode RestrictClockID(SandboxBPF* sb) { |
// returned by {clock,pthread}_getcpuclockid), which can leak information |
// about the state of the host OS. |
COMPILE_ASSERT(4 == sizeof(clockid_t), clockid_is_not_32bit); |
- return sb->Cond(0, ErrorCode::TP_32BIT, |
- ErrorCode::OP_EQUAL, CLOCK_MONOTONIC, |
- ErrorCode(ErrorCode::ERR_ALLOWED), |
- sb->Cond(0, ErrorCode::TP_32BIT, |
- ErrorCode::OP_EQUAL, CLOCK_PROCESS_CPUTIME_ID, |
- ErrorCode(ErrorCode::ERR_ALLOWED), |
- sb->Cond(0, ErrorCode::TP_32BIT, |
- ErrorCode::OP_EQUAL, CLOCK_REALTIME, |
- ErrorCode(ErrorCode::ERR_ALLOWED), |
- sb->Cond(0, ErrorCode::TP_32BIT, |
- ErrorCode::OP_EQUAL, CLOCK_THREAD_CPUTIME_ID, |
- ErrorCode(ErrorCode::ERR_ALLOWED), |
- sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))))); |
+ ErrorCode result = sb->Cond(0, ErrorCode::TP_32BIT, |
+ ErrorCode::OP_EQUAL, CLOCK_MONOTONIC, |
+ ErrorCode(ErrorCode::ERR_ALLOWED), |
+ sb->Cond(0, ErrorCode::TP_32BIT, |
+ ErrorCode::OP_EQUAL, CLOCK_PROCESS_CPUTIME_ID, |
+ ErrorCode(ErrorCode::ERR_ALLOWED), |
+ sb->Cond(0, ErrorCode::TP_32BIT, |
+ ErrorCode::OP_EQUAL, CLOCK_REALTIME, |
+ ErrorCode(ErrorCode::ERR_ALLOWED), |
+ sb->Cond(0, ErrorCode::TP_32BIT, |
+ ErrorCode::OP_EQUAL, CLOCK_THREAD_CPUTIME_ID, |
+ ErrorCode(ErrorCode::ERR_ALLOWED), |
+ sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))))); |
+#if defined(OS_CHROMEOS) |
+ // Allow the special clock for Chrome OS used by Chrome tracing. |
+ result = sb->Cond(0, ErrorCode::TP_32BIT, |
+ ErrorCode::OP_EQUAL, CLOCK_SYSTEM_TRACE, |
+ ErrorCode(ErrorCode::ERR_ALLOWED), result); |
+#endif |
+ return result; |
} |
ErrorCode RestrictClone(SandboxBPF* sb) { |