Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
index 7f4d5590cf86616b006ccc4b04571710deb9c939..47a52d13a494c315d34a5a623cc0d988a128aef6 100644 |
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
@@ -52,7 +52,8 @@ bool IsBaselinePolicyAllowed(int sysno) { |
#if defined(__mips__) |
SyscallSets::IsMipsPrivate(sysno) || |
#endif |
- SyscallSets::IsAllowedOperationOnFd(sysno); |
+ SyscallSets::IsAllowedOperationOnFd(sysno) || |
+ SyscallSets::IsSeccomp(sysno); |
} |
// System calls that will trigger the crashing SIGSYS handler. |
@@ -124,6 +125,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, |
return RestrictCloneToThreadsAndEPERMFork(); |
} |
+#if defined(__aarch64__) |
+ // These are needed for thread creation. |
+ // TODO(leecam): Check jln's fix for this and remove these 'allows'. |
+ if (sysno == __NR_sigaltstack || sysno == __NR_setpriority) |
+ return Allow(); |
+#endif |
+ |
if (sysno == __NR_fcntl) |
return RestrictFcntlCommands(); |
@@ -132,11 +140,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, |
return RestrictFcntlCommands(); |
#endif |
+#if !defined(__aarch64__) |
// fork() is never used as a system call (clone() is used instead), but we |
// have seen it in fallback code on Android. |
if (sysno == __NR_fork) { |
return Error(EPERM); |
} |
+#endif |
if (sysno == __NR_futex) |
return RestrictFutex(); |
@@ -147,7 +157,8 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, |
return If(advice == MADV_DONTNEED, Allow()).Else(Error(EPERM)); |
} |
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) |
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \ |
+ defined(__aarch64__) |
if (sysno == __NR_mmap) |
return RestrictMmapFlags(); |
#endif |
@@ -163,7 +174,8 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, |
if (sysno == __NR_prctl) |
return sandbox::RestrictPrctl(); |
-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) |
+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \ |
+ defined(__aarch64__) |
if (sysno == __NR_socketpair) { |
// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); |