| Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
|
| diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
|
| index 217bdac679391d8829fe9bce1f6a85921c1e8c41..4c4467014017cf92e47826c0f20756875aba8a4c 100644
|
| --- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
|
| +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
|
| @@ -13,6 +13,7 @@
|
|
|
| #include "base/logging.h"
|
| #include "build/build_config.h"
|
| +#include "sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h"
|
| #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
|
| #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
|
| #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
|
| @@ -23,6 +24,8 @@
|
| // Changing this implementation will have an effect on *all* policies.
|
| // Currently this means: Renderer/Worker, GPU, Flash and NaCl.
|
|
|
| +using namespace sandbox::bpf_dsl;
|
| +
|
| namespace sandbox {
|
|
|
| namespace {
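Review bot: The `using namespace sandbox::bpf_dsl;` directive is introduced at global scope, ahead of `namespace sandbox {`, yet the function body in the next hunk still has to write `bpf_dsl::Trap(...)` while `Allow()`, `Error()` and `If()` stay unqualified, which reads as an accident rather than a convention. Presumably the qualification is needed because an unqualified `Trap` looked up from inside `namespace sandbox` resolves to a different `sandbox::Trap` before the directive is consulted; that is worth stating next to the directive, e.g. `// bpf_dsl::Trap must stay qualified: sandbox::Trap shadows it inside this namespace.`. Replacing the directive with using-declarations for the names this file actually uses, `using bpf_dsl::Allow; using bpf_dsl::Arg; using bpf_dsl::Error; using bpf_dsl::If; using bpf_dsl::ResultExpr;` placed inside the `sandbox` namespace, would make the dependence explicit and keep `Trap` qualified on purpose rather than by necessity.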
|
| @@ -82,97 +85,101 @@ bool IsBaselinePolicyWatched(int sysno) {
|
| }
|
|
|
| // |fs_denied_errno| is the errno return for denied filesystem access.
|
| -ErrorCode EvaluateSyscallImpl(int fs_denied_errno,
|
| - pid_t current_pid,
|
| - SandboxBPF* sandbox,
|
| - int sysno) {
|
| +ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
|
| + pid_t current_pid,
|
| + int sysno) {
|
| #if defined(ADDRESS_SANITIZER)
|
| if (sysno == __NR_sigaltstack) {
|
| // Required for better stack overflow detection in ASan. Disallowed in
|
| // non-ASan builds.
|
| - return ErrorCode(ErrorCode::ERR_ALLOWED);
|
| + return Allow();
|
| }
|
| #endif
|
| if (IsBaselinePolicyAllowed(sysno)) {
|
| - return ErrorCode(ErrorCode::ERR_ALLOWED);
|
| + return Allow();
|
| }
|
|
|
| if (sysno == __NR_clone) {
|
| - return RestrictCloneToThreadsAndEPERMFork(sandbox);
|
| + return RestrictCloneToThreadsAndEPERMFork();
|
| }
|
|
|
| #if defined(__x86_64__) || defined(__arm__)
|
| if (sysno == __NR_socketpair) {
|
| // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
|
| COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
|
| - return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
|
| - ErrorCode(ErrorCode::ERR_ALLOWED),
|
| - sandbox->Trap(CrashSIGSYS_Handler, NULL));
|
| + const Arg<int> domain_arg(0);
|
| + return If(domain_arg == AF_UNIX).Then(
|
| + Allow()
|
| + ).Else(
|
| + bpf_dsl::Trap(CrashSIGSYS_Handler, NULL)
|
| + );
|
| }
|
| #endif
|
|
|
| if (sysno == __NR_madvise) {
|
| // Only allow MADV_DONTNEED (aka MADV_FREE).
|
| - return sandbox->Cond(2, ErrorCode::TP_32BIT,
|
| - ErrorCode::OP_EQUAL, MADV_DONTNEED,
|
| - ErrorCode(ErrorCode::ERR_ALLOWED),
|
| - ErrorCode(EPERM));
|
| + const Arg<int> advice_arg(2);
|
| + return If(advice_arg == MADV_DONTNEED).Then(
|
| + Allow()
|
| + ).Else(
|
| + Error(EPERM)
|
| + );
|
| }
|
|
|
| #if defined(__i386__) || defined(__x86_64__)
|
| if (sysno == __NR_mmap)
|
| - return RestrictMmapFlags(sandbox);
|
| + return RestrictMmapFlags();
|
| #endif
|
|
|
| #if defined(__i386__) || defined(__arm__)
|
| if (sysno == __NR_mmap2)
|
| - return RestrictMmapFlags(sandbox);
|
| + return RestrictMmapFlags();
|
| #endif
|
|
|
| if (sysno == __NR_mprotect)
|
| - return RestrictMprotectFlags(sandbox);
|
| + return RestrictMprotectFlags();
|
|
|
| if (sysno == __NR_fcntl)
|
| - return RestrictFcntlCommands(sandbox);
|
| + return RestrictFcntlCommands();
|
|
|
| #if defined(__i386__) || defined(__arm__)
|
| if (sysno == __NR_fcntl64)
|
| - return RestrictFcntlCommands(sandbox);
|
| + return RestrictFcntlCommands();
|
| #endif
|
|
|
| if (SyscallSets::IsKill(sysno)) {
|
| - return RestrictKillTarget(current_pid, sandbox, sysno);
|
| + return RestrictKillTarget(current_pid, sysno);
|
| }
|
|
|
| if (SyscallSets::IsFileSystem(sysno) ||
|
| SyscallSets::IsCurrentDirectory(sysno)) {
|
| - return ErrorCode(fs_denied_errno);
|
| + return Error(fs_denied_errno);
|
| }
|
|
|
| if (SyscallSets::IsAnySystemV(sysno)) {
|
| - return ErrorCode(EPERM);
|
| + return Error(EPERM);
|
| }
|
|
|
| if (SyscallSets::IsUmask(sysno) ||
|
| SyscallSets::IsDeniedFileSystemAccessViaFd(sysno) ||
|
| SyscallSets::IsDeniedGetOrModifySocket(sysno) ||
|
| SyscallSets::IsProcessPrivilegeChange(sysno)) {
|
| - return ErrorCode(EPERM);
|
| + return Error(EPERM);
|
| }
|
|
|
| #if defined(__i386__)
|
| if (SyscallSets::IsSocketCall(sysno))
|
| - return RestrictSocketcallCommand(sandbox);
|
| + return RestrictSocketcallCommand();
|
| #endif
|
|
|
| if (IsBaselinePolicyWatched(sysno)) {
|
| // Previously unseen syscalls. TODO(jln): some of these should
|
| // be denied gracefully right away.
|
| - return sandbox->Trap(CrashSIGSYS_Handler, NULL);
|
| + return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
|
| }
|
|
|
| // In any other case crash the program with our SIGSYS handler.
|
| - return sandbox->Trap(CrashSIGSYS_Handler, NULL);
|
| + return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
|
| }
|
|
|
| } // namespace.
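Review bot: The header comment above `EvaluateSyscallImpl` still documents only `fs_denied_errno`, while the signature now drops the `SandboxBPF*` parameter and returns a `ResultExpr`, leaving `current_pid` and the return value undocumented. Suggest replacing that one-line comment with `// Builds the baseline decision for |sysno| as a bpf_dsl ResultExpr.`, `// |fs_denied_errno| is the errno returned for denied filesystem access;`, `// |current_pid| is forwarded to RestrictKillTarget for the kill family.`. The three `bpf_dsl::Trap(CrashSIGSYS_Handler, NULL)` calls could pass `nullptr` if the project's C++11 subset permits it, since the rest of the rewrite already leans on the newer DSL style.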
|
| @@ -191,13 +198,12 @@ BaselinePolicy::~BaselinePolicy() {
|
| DCHECK_EQ(syscall(__NR_getpid), current_pid_);
|
| }
|
|
|
| -ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox,
|
| - int sysno) const {
|
| +ResultExpr BaselinePolicy::EvaluateSyscall(int sysno) const {
|
| // Make sure that this policy is used in the creating process.
|
| if (1 == sysno) {
|
| DCHECK_EQ(syscall(__NR_getpid), current_pid_);
|
| }
|
| - return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sandbox, sysno);
|
| + return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno);
|
| }
|
|
|
| } // namespace sandbox.
|
|
|