sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc - Issue 487143003: sandbox: Add Arm64 support for seccomp-BPF

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

Issue 487143003: sandbox: Add Arm64 support for seccomp-BPF (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Remove IsArchitectureArm64 Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « sandbox/linux/sandbox_linux.gypi ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('j') | sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

index 7f4d5590cf86616b006ccc4b04571710deb9c939..47a52d13a494c315d34a5a623cc0d988a128aef6 100644

--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

@@ -52,7 +52,8 @@ bool IsBaselinePolicyAllowed(int sysno) {

#if defined(__mips__)

SyscallSets::IsMipsPrivate(sysno) ||

#endif

- SyscallSets::IsAllowedOperationOnFd(sysno);

+ SyscallSets::IsAllowedOperationOnFd(sysno) ||

+ SyscallSets::IsSeccomp(sysno);

}

// System calls that will trigger the crashing SIGSYS handler.

@@ -124,6 +125,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,

return RestrictCloneToThreadsAndEPERMFork();

}

+#if defined(__aarch64__)

+ // These are needed for thread creation.

+ // TODO(leecam): Check jln's fix for this and remove these 'allows'.

+ if (sysno == __NR_sigaltstack || sysno == __NR_setpriority)

+ return Allow();

+#endif

if (sysno == __NR_fcntl)

return RestrictFcntlCommands();

@@ -132,11 +140,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,

return RestrictFcntlCommands();

#endif

+#if !defined(__aarch64__)

// fork() is never used as a system call (clone() is used instead), but we

// have seen it in fallback code on Android.

if (sysno == __NR_fork) {

return Error(EPERM);

}

+#endif

if (sysno == __NR_futex)

return RestrictFutex();

@@ -147,7 +157,8 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,

return If(advice == MADV_DONTNEED, Allow()).Else(Error(EPERM));

}

-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)

+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \

+ defined(__aarch64__)

if (sysno == __NR_mmap)

return RestrictMmapFlags();

#endif

@@ -163,7 +174,8 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,

if (sysno == __NR_prctl)

return sandbox::RestrictPrctl();

-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)

+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \

+ defined(__aarch64__)

if (sysno == __NR_socketpair) {

// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.

COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);