Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(67)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc

Issue 299683004: Rewrite all BPF policies to use DSL API Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Overhaul of DSL and implementation Created 6 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « content/common/sandbox_linux/sandbox_bpf_base_policy_linux.cc ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc
diff --git a/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc
index 8a6fa7204f7c599a3b8e880af1b6e8a2db9b0bf9..fe3ee3ce14562deece0314ade921fa7bee613063 100644
--- a/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc
+++ b/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc
@@ -35,6 +35,7 @@
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/services/linux_syscalls.h"
+using namespace sandbox::bpf_dsl;
using sandbox::BaselinePolicy;
using sandbox::SyscallSets;
@@ -76,23 +77,17 @@ class BlacklistDebugAndNumaPolicy : public SandboxBPFBasePolicy {
BlacklistDebugAndNumaPolicy() {}
virtual ~BlacklistDebugAndNumaPolicy() {}
- virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
- int system_call_number) const OVERRIDE;
+ virtual ResultExpr EvaluateSyscall(int system_call_number) const OVERRIDE;
private:
DISALLOW_COPY_AND_ASSIGN(BlacklistDebugAndNumaPolicy);
};
-ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(SandboxBPF* sandbox,
- int sysno) const {
- if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
- // TODO(jln) we should not have to do that in a trivial policy.
- return ErrorCode(ENOSYS);
- }
+ResultExpr BlacklistDebugAndNumaPolicy::EvaluateSyscall(int sysno) const {
if (SyscallSets::IsDebug(sysno) || SyscallSets::IsNuma(sysno))
- return sandbox->Trap(sandbox::CrashSIGSYS_Handler, NULL);
+ return Trap(sandbox::CrashSIGSYS_Handler, NULL);
- return ErrorCode(ErrorCode::ERR_ALLOWED);
+ return Allow();
}
class AllowAllPolicy : public SandboxBPFBasePolicy {
@@ -100,8 +95,7 @@ class AllowAllPolicy : public SandboxBPFBasePolicy {
AllowAllPolicy() {}
virtual ~AllowAllPolicy() {}
- virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
- int system_call_number) const OVERRIDE;
+ virtual ResultExpr EvaluateSyscall(int system_call_number) const OVERRIDE;
private:
DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy);
@@ -110,13 +104,8 @@ class AllowAllPolicy : public SandboxBPFBasePolicy {
// Allow all syscalls.
// This will still deny x32 or IA32 calls in 64 bits mode or
// 64 bits system calls in compatibility mode.
-ErrorCode AllowAllPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const {
- if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
- // TODO(jln) we should not have to do that in a trivial policy.
- return ErrorCode(ENOSYS);
- } else {
- return ErrorCode(ErrorCode::ERR_ALLOWED);
- }
+ResultExpr AllowAllPolicy::EvaluateSyscall(int sysno) const {
+ return Allow();
}
// If a BPF policy is engaged for |process_type|, run a few sanity checks.
« no previous file with comments | « content/common/sandbox_linux/sandbox_bpf_base_policy_linux.cc ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698