sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc - Issue 430363003: Linux sandbox: restrict setpriority() in baseline policy. - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(772)

My Issues | Starred Open | Closed | All

Unified Diff: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

Issue 430363003: Linux sandbox: restrict setpriority() in baseline policy. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Better comment and rename. Created 6 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « no previous file | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('j') | sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

index 05cef744720f95d33e3cad8da7a40117dde53688..913d4f691b8e5a290ffacef9ba48d198c6ac265a 100644

--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

@@ -150,6 +150,9 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,

if (sysno == __NR_futex)

return RestrictFutex();

+ if (sysno == __NR_getpriority || sysno ==__NR_setpriority)

+ return RestrictGetSetpriority(current_pid);

+

if (sysno == __NR_madvise) {

// Only allow MADV_DONTNEED (aka MADV_FREE).

const Arg<int> advice(2);

@@ -171,7 +174,7 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,

return RestrictMprotectFlags();

if (sysno == __NR_prctl)

- return sandbox::RestrictPrctl();

+ return RestrictPrctl();

#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \

defined(__aarch64__)

« no previous file with comments | « no previous file | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('j') | sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc » ('J')

Powered by Google App Engine

This is Rietveld 408576698