content/common/sandbox_linux/bpf_renderer_policy_linux.cc - Issue 299683004: Rewrite all BPF policies to use DSL API

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/sandbox_linux/bpf_renderer_policy_linux.cc

Issue 299683004: Rewrite all BPF policies to use DSL API Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Overhaul of DSL and implementation Created 6 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « content/common/sandbox_linux/bpf_renderer_policy_linux.h ('k') | content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: content/common/sandbox_linux/bpf_renderer_policy_linux.cc

diff --git a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc

index 267977866946bde9f14e1d9c9022d8052f52454c..d8e13dc950156cdc89195baaddd4653f77693988 100644

--- a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc

+++ b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc

@@ -9,11 +9,13 @@

#include "base/basictypes.h"

#include "build/build_config.h"

#include "content/common/sandbox_linux/sandbox_linux.h"

+#include "sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h"

#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"

#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"

#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"

#include "sandbox/linux/services/linux_syscalls.h"

+using namespace sandbox::bpf_dsl;

using sandbox::SyscallSets;

namespace content {

@@ -21,13 +23,12 @@ namespace content {

RendererProcessPolicy::RendererProcessPolicy() {}

RendererProcessPolicy::~RendererProcessPolicy() {}

-ErrorCode RendererProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,

- int sysno) const {

+ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {

switch (sysno) {

case __NR_ioctl:

- return sandbox::RestrictIoctl(sandbox);

+ return sandbox::RestrictIoctl();

case __NR_prctl:

- return sandbox::RestrictPrctl(sandbox);

+ return sandbox::RestrictPrctl();

// Allow the system calls below.

// The baseline policy allows __NR_clock_gettime. Allow

// clock_getres() for V8. crbug.com/329053.

@@ -54,12 +55,12 @@ ErrorCode RendererProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,

case __NR_sysinfo:

case __NR_times:

case __NR_uname:

- return ErrorCode(ErrorCode::ERR_ALLOWED);

+ return Allow();

case __NR_prlimit64:

- return ErrorCode(EPERM); // See crbug.com/160157.

+ return Error(EPERM); // See crbug.com/160157.

default:

// Default on the content baseline policy.

- return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);

+ return SandboxBPFBasePolicy::EvaluateSyscall(sysno);

}