sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc - Issue 314903002: Linux sandbox: restrict futex operations. - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(205)

My Issues | Starred Open | Closed | All

Unified Diff: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

Issue 314903002: Linux sandbox: restrict futex operations. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Address nit Created 6 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « sandbox/linux/sandbox_linux.gypi ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

index 3380cc851e09052da1236eae00422f710918d180..5b8badf8300d7fb9744bc4c12698181db9749805 100644

--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

@@ -32,13 +32,13 @@ bool IsBaselinePolicyAllowed(int sysno) {

SyscallSets::IsAllowedBasicScheduler(sysno) ||

SyscallSets::IsAllowedEpoll(sysno) ||

SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) ||

+ SyscallSets::IsAllowedFutex(sysno) ||

SyscallSets::IsAllowedGeneralIo(sysno) ||

SyscallSets::IsAllowedGetOrModifySocket(sysno) ||

SyscallSets::IsAllowedGettime(sysno) ||

SyscallSets::IsAllowedPrctl(sysno) ||

SyscallSets::IsAllowedProcessStartOrDeath(sysno) ||

SyscallSets::IsAllowedSignalHandling(sysno) ||

- SyscallSets::IsFutex(sysno) ||

SyscallSets::IsGetSimpleId(sysno) ||

SyscallSets::IsKernelInternalApi(sysno) ||

#if defined(__arm__)

@@ -121,6 +121,9 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno,

return RestrictFcntlCommands(sandbox);

#endif

+ if (sysno == __NR_futex)

+ return RestrictFutex(sandbox);

+

if (sysno == __NR_madvise) {

// Only allow MADV_DONTNEED (aka MADV_FREE).

return sandbox->Cond(2, ErrorCode::TP_32BIT,

« no previous file with comments | « sandbox/linux/sandbox_linux.gypi ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine

This is Rietveld 408576698