OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <sys/mman.h> | 8 #include <sys/mman.h> |
9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
(...skipping 135 matching lines...)
146 // fork() is never used as a system call (clone() is used instead), but we | 146 // fork() is never used as a system call (clone() is used instead), but we |
147 // have seen it in fallback code on Android. | 147 // have seen it in fallback code on Android. |
148 if (sysno == __NR_fork) { | 148 if (sysno == __NR_fork) { |
149 return Error(EPERM); | 149 return Error(EPERM); |
150 } | 150 } |
151 #endif | 151 #endif |
152 | 152 |
153 if (sysno == __NR_futex) | 153 if (sysno == __NR_futex) |
154 return RestrictFutex(); | 154 return RestrictFutex(); |
155 | 155 |
| 156 if (sysno == __NR_set_robust_list) |
| 157 return Error(EPERM); |
| 158 |
156 if (sysno == __NR_getpriority || sysno ==__NR_setpriority) | 159 if (sysno == __NR_getpriority || sysno ==__NR_setpriority) |
157 return RestrictGetSetpriority(current_pid); | 160 return RestrictGetSetpriority(current_pid); |
158 | 161 |
159 if (sysno == __NR_madvise) { | 162 if (sysno == __NR_madvise) { |
160 // Only allow MADV_DONTNEED (aka MADV_FREE). | 163 // Only allow MADV_DONTNEED (aka MADV_FREE). |
161 const Arg<int> advice(2); | 164 const Arg<int> advice(2); |
162 return If(advice == MADV_DONTNEED, Allow()).Else(Error(EPERM)); | 165 return If(advice == MADV_DONTNEED, Allow()).Else(Error(EPERM)); |
163 } | 166 } |
164 | 167 |
165 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \ | 168 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \ |
(...skipping 85 matching lines...)
251 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 254 DCHECK_EQ(syscall(__NR_getpid), current_pid_); |
252 } | 255 } |
253 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno); | 256 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno); |
254 } | 257 } |
255 | 258 |
256 ResultExpr BaselinePolicy::InvalidSyscall() const { | 259 ResultExpr BaselinePolicy::InvalidSyscall() const { |
257 return CrashSIGSYS(); | 260 return CrashSIGSYS(); |
258 } | 261 } |
259 | 262 |
260 } // namespace sandbox. | 263 } // namespace sandbox. |
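Review bot: The new `__NR_set_robust_list` branch (new lines 156-157) has no comment saying why the call is refused, or why it fails with EPERM instead of falling through to whatever the rest of the function does for unlisted syscalls. The fork and madvise branches next to it each explain themselves. I would add something like `// Deny robust futex lists: the kernel walks this user-supplied list at thread exit. Return EPERM rather than crashing, since libc may issue this call during thread start-up.`; the second sentence is my reading of the intent and should be confirmed by the author. Code in the sandboxed process that relies on robust mutexes would then presumably lose owner-death recovery without any visible error, which is worth stating in the comment or the commit description. The enclosing function begins and ends in the skipped lines, so I cannot see how it treats neighbouring syscalls.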