| OLD | NEW |
|---|
| 1 #include "debug.h" | 1 #include "debug.h" |
| 2 #include "sandbox_impl.h" | 2 #include "sandbox_impl.h" |
| 3 | 3 |
| 4 namespace playground { | 4 namespace playground { |
| 5 | 5 |
| 6 int Sandbox::sandbox_access(const char *pathname, int mode) { | 6 int Sandbox::sandbox_access(const char *pathname, int mode) { |
| 7 Debug::syscall(__NR_access, "Executing handler"); | 7 Debug::syscall(__NR_access, "Executing handler"); |
| 8 size_t len = strlen(pathname); | 8 size_t len = strlen(pathname); |
| 9 struct Request { | 9 struct Request { |
| 10 int sysnum; | 10 int sysnum; |
| (...skipping 11 matching lines...) Expand all Loading... |
| 22 | 22 |
| 23 long rc; | 23 long rc; |
| 24 SysCalls sys; | 24 SysCalls sys; |
| 25 if (write(sys, processFdPub(), request, sizeof(data)) != (int)sizeof(data) || | 25 if (write(sys, processFdPub(), request, sizeof(data)) != (int)sizeof(data) || |
| 26 read(sys, threadFdPub(), &rc, sizeof(rc)) != sizeof(rc)) { | 26 read(sys, threadFdPub(), &rc, sizeof(rc)) != sizeof(rc)) { |
| 27 die("Failed to forward access() request [sandbox]"); | 27 die("Failed to forward access() request [sandbox]"); |
| 28 } | 28 } |
| 29 return static_cast<int>(rc); | 29 return static_cast<int>(rc); |
| 30 } | 30 } |
| 31 | 31 |
| 32 bool Sandbox::process_access(int parentProc, int sandboxFd, int threadFdPub, | 32 bool Sandbox::process_access(int parentMapsFd, int sandboxFd, int threadFdPub, |
| 33 int threadFd, SecureMem::Args* mem) { | 33 int threadFd, SecureMem::Args* mem) { |
| 34 // Read request | 34 // Read request |
| 35 SysCalls sys; | 35 SysCalls sys; |
| 36 Access access_req; | 36 Access access_req; |
| 37 if (read(sys, sandboxFd, &access_req, sizeof(access_req)) != | 37 if (read(sys, sandboxFd, &access_req, sizeof(access_req)) != |
| 38 sizeof(access_req)) { | 38 sizeof(access_req)) { |
| 39 read_parm_failed: | 39 read_parm_failed: |
| 40 die("Failed to read parameters for access() [process]"); | 40 die("Failed to read parameters for access() [process]"); |
| 41 } | 41 } |
| 42 int rc = -ENAMETOOLONG; | 42 int rc = -ENAMETOOLONG; |
| 43 if (access_req.path_length >= sizeof(mem->pathname)) { | 43 if (access_req.path_length >= sizeof(mem->pathname)) { |
| 44 char buf[32]; | 44 char buf[32]; |
| 45 while (access_req.path_length > 0) { | 45 while (access_req.path_length > 0) { |
| 46 size_t len = access_req.path_length > sizeof(buf) ? | 46 size_t len = access_req.path_length > sizeof(buf) ? |
| 47 sizeof(buf) : access_req.path_length; | 47 sizeof(buf) : access_req.path_length; |
| 48 ssize_t i = read(sys, sandboxFd, buf, len); | 48 ssize_t i = read(sys, sandboxFd, buf, len); |
| 49 if (i <= 0) { | 49 if (i <= 0) { |
| 50 goto read_parm_failed; | 50 goto read_parm_failed; |
| 51 } | 51 } |
| 52 access_req.path_length -= i; | 52 access_req.path_length -= i; |
| 53 } | 53 } |
| 54 if (write(sys, threadFd, &rc, sizeof(rc)) != sizeof(rc)) { | 54 if (write(sys, threadFd, &rc, sizeof(rc)) != sizeof(rc)) { |
| 55 die("Failed to return data from access() [process]"); | 55 die("Failed to return data from access() [process]"); |
| 56 } | 56 } |
| 57 return false; | 57 return false; |
| 58 } | 58 } |
| 59 SecureMem::lockSystemCall(parentProc, mem); | 59 SecureMem::lockSystemCall(parentMapsFd, mem); |
| 60 if (read(sys, sandboxFd, mem->pathname, access_req.path_length) != | 60 if (read(sys, sandboxFd, mem->pathname, access_req.path_length) != |
| 61 (ssize_t)access_req.path_length) { | 61 (ssize_t)access_req.path_length) { |
| 62 goto read_parm_failed; | 62 goto read_parm_failed; |
| 63 } | 63 } |
| 64 mem->pathname[access_req.path_length] = '\000'; | 64 mem->pathname[access_req.path_length] = '\000'; |
| 65 | 65 |
| 66 // TODO(markus): Implement sandboxing policy | 66 // TODO(markus): Implement sandboxing policy |
| 67 Debug::message(("Allowing access to \"" + std::string(mem->pathname) + | 67 Debug::message(("Allowing access to \"" + std::string(mem->pathname) + |
| 68 "\"").c_str()); | 68 "\"").c_str()); |
| 69 | 69 |
| 70 // Tell trusted thread to access the file. | 70 // Tell trusted thread to access the file. |
| 71 SecureMem::sendSystemCall(threadFdPub, true, parentProc, mem, __NR_access, | 71 SecureMem::sendSystemCall(threadFdPub, true, parentMapsFd, mem, __NR_access, |
| 72 mem->pathname - (char*)mem + (char*)mem->self, | 72 mem->pathname - (char*)mem + (char*)mem->self, |
| 73 access_req.mode); | 73 access_req.mode); |
| 74 return true; | 74 return true; |
| 75 } | 75 } |
| 76 | 76 |
| 77 } // namespace | 77 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 371047:
Allow the seccomp sandbox to be enabled, even if the suid sandbox has... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/