Chromium Code Reviews
Unified Diff: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

Issue 314903002: Linux sandbox: restrict futex operations. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 7 months ago
Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index 29c591035972264ed4765f6dde198591c4efb881..121babebe7f48f11a9fc242e5450f30da58bb748 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -7,6 +7,7 @@
#include <errno.h>
#include <fcntl.h>
#include <fcntl.h>
+#include <linux/futex.h>
#include <linux/net.h>
#include <sched.h>
#include <signal.h>
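Review bot: `#include <fcntl.h>` appears twice in the context lines directly above the new `#include <linux/futex.h>`; if that duplicate is really in the file (and not an artifact of the diff view), this change is a good opportunity to drop the second copy, since the new include sits in the same alphabetised block. The placement of `<linux/futex.h>` between `<fcntl.h>` and `<linux/net.h>` is otherwise correct.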
@@ -246,4 +247,26 @@ ErrorCode RestrictKillTarget(pid_t target_pid, SandboxBPF* sandbox, int sysno) {
}
}
+ErrorCode RestrictFutex(SandboxBPF* sandbox) {
+ const int banned_futex_bits =
mdempsky 2014/06/04 04:55:34 kBannedFutexBits? Also, I don't think this does w
jln (very slow on Chromium) 2014/06/04 19:30:23 I think it's correct, but you're right that this s
+ ~(FUTEX_CMD_MASK | FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME);
+
+ return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+ banned_futex_bits,
+ sandbox->Trap(CrashSIGSYS_Handler, NULL),
+ sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
mdempsky 2014/06/04 04:55:34 Nit: Indent one more space.
jln (very slow on Chromium) 2014/06/04 19:30:23 Done.
+ FUTEX_CMP_REQUEUE_PI,
+ sandbox->Trap(CrashSIGSYS_Handler, NULL),
+ sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ FUTEX_CMP_REQUEUE_PI_PRIVATE,
+ sandbox->Trap(CrashSIGSYS_Handler, NULL),
+ sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ FUTEX_CMP_REQUEUE_PI | FUTEX_CLOCK_REALTIME,
+ sandbox->Trap(CrashSIGSYS_Handler, NULL),
+ sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ FUTEX_CMP_REQUEUE_PI_PRIVATE | FUTEX_CLOCK_REALTIME,
+ sandbox->Trap(CrashSIGSYS_Handler, NULL),
+ ErrorCode(ErrorCode::ERR_ALLOWED))))));
+}
+
} // namespace sandbox.
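Review bot: the `OP_HAS_ANY_BITS` check is a no-op as written: `banned_futex_bits` is `~(FUTEX_CMD_MASK | FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME)`, and if `FUTEX_CMD_MASK` is defined (as it is in `<linux/futex.h>`) as the complement of exactly those two flag bits, the OR covers every bit and the complement is 0, so the first `Cond` never traps and enforcement rests entirely on the four `OP_EQUAL` cases below. That is fine only if the flag set cannot grow, so please either state the intent in a comment (every way of reaching `FUTEX_CMP_REQUEUE_PI` after the kernel masks `op & FUTEX_CMD_MASK` must be covered by an explicit case) and pin it with a compile-time assertion such as `COMPILE_ASSERT(0 == kBannedFutexBits, ...)`, or derive the banned mask from the flag bits directly so that an unknown flag trips the trap. Separately, `banned_futex_bits` is a constant and should use the `kConstant` naming convention, and the nested `sandbox->Cond(...)` chain is hard to read; a short comment above it saying that the four trapped values are `FUTEX_CMP_REQUEUE_PI` with and without `FUTEX_PRIVATE_FLAG` and `FUTEX_CLOCK_REALTIME` would help the next reader.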