sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc - Issue 317373003: Merge 274934 "Linux sandbox: restrict futex operations." - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(844)

My Issues | Starred Open | Closed | All

Unified Diff: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

Issue 317373003: Merge 274934 "Linux sandbox: restrict futex operations." (Closed) Base URL: svn://svn.chromium.org/chrome/branches/1985/src/

Patch Set: Created 6 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « sandbox/linux/sandbox_linux.gypi ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

===================================================================

--- sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc (revision 275489)

+++ sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc (working copy)

@@ -32,13 +32,13 @@

SyscallSets::IsAllowedBasicScheduler(sysno) ||

SyscallSets::IsAllowedEpoll(sysno) ||

SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) ||

+ SyscallSets::IsAllowedFutex(sysno) ||

SyscallSets::IsAllowedGeneralIo(sysno) ||

SyscallSets::IsAllowedGetOrModifySocket(sysno) ||

SyscallSets::IsAllowedGettime(sysno) ||

SyscallSets::IsAllowedPrctl(sysno) ||

SyscallSets::IsAllowedProcessStartOrDeath(sysno) ||

SyscallSets::IsAllowedSignalHandling(sysno) ||

- SyscallSets::IsFutex(sysno) ||

SyscallSets::IsGetSimpleId(sysno) ||

SyscallSets::IsKernelInternalApi(sysno) ||

#if defined(__arm__)

@@ -111,6 +111,9 @@

}

#endif

+ if (sysno == __NR_futex)

+ return RestrictFutex(sandbox);

+

if (sysno == __NR_madvise) {

// Only allow MADV_DONTNEED (aka MADV_FREE).

return sandbox->Cond(2, ErrorCode::TP_32BIT,

« no previous file with comments | « sandbox/linux/sandbox_linux.gypi ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine

This is Rietveld 408576698