Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(117)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

Issue 315383003: Linux sandbox: restrict prctl in the baseline. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Android header workaround. Created 6 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « content/common/sandbox_linux/bpf_renderer_policy_linux.cc ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index 5b8badf8300d7fb9744bc4c12698181db9749805..a9fb1044778dd8ab28424bbc8afe1b2191b9f921 100644
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -36,7 +36,6 @@ bool IsBaselinePolicyAllowed(int sysno) {
SyscallSets::IsAllowedGeneralIo(sysno) ||
SyscallSets::IsAllowedGetOrModifySocket(sysno) ||
SyscallSets::IsAllowedGettime(sysno) ||
- SyscallSets::IsAllowedPrctl(sysno) ||
SyscallSets::IsAllowedProcessStartOrDeath(sysno) ||
SyscallSets::IsAllowedSignalHandling(sysno) ||
SyscallSets::IsGetSimpleId(sysno) ||
@@ -71,6 +70,7 @@ bool IsBaselinePolicyWatched(int sysno) {
SyscallSets::IsNetworkSocketInformation(sysno) ||
#endif
SyscallSets::IsNuma(sysno) ||
+ SyscallSets::IsPrctl(sysno) ||
SyscallSets::IsProcessGroupOrSession(sysno) ||
#if defined(__i386__)
SyscallSets::IsSocketCall(sysno) ||
@@ -145,6 +145,9 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno,
if (sysno == __NR_mprotect)
return RestrictMprotectFlags(sandbox);
+ if (sysno == __NR_prctl)
+ return sandbox::RestrictPrctl(sandbox);
+
#if defined(__x86_64__) || defined(__arm__)
if (sysno == __NR_socketpair) {
// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
« no previous file with comments | « content/common/sandbox_linux/bpf_renderer_policy_linux.cc ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698