| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <sys/mman.h> | 8 #include <sys/mman.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| (...skipping 34 matching lines...) | |
| 45 SyscallSets::IsAllowedProcessStartOrDeath(sysno) || | 45 SyscallSets::IsAllowedProcessStartOrDeath(sysno) || |
| 46 SyscallSets::IsAllowedSignalHandling(sysno) || | 46 SyscallSets::IsAllowedSignalHandling(sysno) || |
| 47 SyscallSets::IsGetSimpleId(sysno) || | 47 SyscallSets::IsGetSimpleId(sysno) || |
| 48 SyscallSets::IsKernelInternalApi(sysno) || | 48 SyscallSets::IsKernelInternalApi(sysno) || |
| 49 #if defined(__arm__) | 49 #if defined(__arm__) |
| 50 SyscallSets::IsArmPrivate(sysno) || | 50 SyscallSets::IsArmPrivate(sysno) || |
| 51 #endif | 51 #endif |
| 52 #if defined(__mips__) | 52 #if defined(__mips__) |
| 53 SyscallSets::IsMipsPrivate(sysno) || | 53 SyscallSets::IsMipsPrivate(sysno) || |
| 54 #endif | 54 #endif |
| 55 SyscallSets::IsAllowedOperationOnFd(sysno); | 55 SyscallSets::IsAllowedOperationOnFd(sysno) || |
| 56 SyscallSets::IsSeccomp(sysno); | |
|
jln (very slow on Chromium)
2014/08/21 23:38:01
We should not allow this system call in general. T
leecam
2014/08/21 23:57:13
Yeah I guess once its set we shouldn't allow it ag
| |
| 56 } | 57 } |
| 57 | 58 |
| 58 // System calls that will trigger the crashing SIGSYS handler. | 59 // System calls that will trigger the crashing SIGSYS handler. |
| 59 bool IsBaselinePolicyWatched(int sysno) { | 60 bool IsBaselinePolicyWatched(int sysno) { |
| 60 return SyscallSets::IsAdminOperation(sysno) || | 61 return SyscallSets::IsAdminOperation(sysno) || |
| 61 SyscallSets::IsAdvancedScheduler(sysno) || | 62 SyscallSets::IsAdvancedScheduler(sysno) || |
| 62 SyscallSets::IsAdvancedTimer(sysno) || | 63 SyscallSets::IsAdvancedTimer(sysno) || |
| 63 SyscallSets::IsAsyncIo(sysno) || | 64 SyscallSets::IsAsyncIo(sysno) || |
| 64 SyscallSets::IsDebug(sysno) || | 65 SyscallSets::IsDebug(sysno) || |
| 65 SyscallSets::IsEventFd(sysno) || | 66 SyscallSets::IsEventFd(sysno) || |
| (...skipping 165 matching lines...) | |
| 231 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 232 DCHECK_EQ(syscall(__NR_getpid), current_pid_); |
| 232 } | 233 } |
| 233 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno); | 234 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno); |
| 234 } | 235 } |
| 235 | 236 |
| 236 ResultExpr BaselinePolicy::InvalidSyscall() const { | 237 ResultExpr BaselinePolicy::InvalidSyscall() const { |
| 237 return CrashSIGSYS(); | 238 return CrashSIGSYS(); |
| 238 } | 239 } |
| 239 | 240 |
| 240 } // namespace sandbox. | 241 } // namespace sandbox. |
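Review bot: The added `SyscallSets::IsSeccomp(sysno)` term (new line 56) has no comment saying which seccomp(2) operation sandboxed code is expected to issue, and nothing visible here restricts its arguments, so the entry reads as a blanket allowance. I would put a comment directly above it, for example `// seccomp(2): needed by <caller>; allowed here with any operation and flags.`, with the caller filled in by the author. The enclosing function begins in the skipped region before line 45, so how its boolean result becomes a policy decision is inferred rather than visible.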