| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <sys/mman.h> | 8 #include <sys/mman.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| (...skipping 216 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 227 } | 227 } |
| 228 | 228 |
| 229 // In any other case crash the program with our SIGSYS handler. | 229 // In any other case crash the program with our SIGSYS handler. |
| 230 return CrashSIGSYS(); | 230 return CrashSIGSYS(); |
| 231 } | 231 } |
| 232 | 232 |
| 233 } // namespace. | 233 } // namespace. |
| 234 | 234 |
| 235 // Unfortunately C++03 doesn't allow delegated constructors. | 235 // Unfortunately C++03 doesn't allow delegated constructors. |
| 236 // Call other constructor when C++11 lands. | 236 // Call other constructor when C++11 lands. |
| 237 BaselinePolicy::BaselinePolicy() | 237 BaselinePolicy::BaselinePolicy() : BaselinePolicy(EPERM) {} |
| 238 : fs_denied_errno_(EPERM), current_pid_(syscall(__NR_getpid)) {} | |
| 239 | 238 |
| 240 BaselinePolicy::BaselinePolicy(int fs_denied_errno) | 239 BaselinePolicy::BaselinePolicy(int fs_denied_errno) |
| 241 : fs_denied_errno_(fs_denied_errno), current_pid_(syscall(__NR_getpid)) {} | 240 : fs_denied_errno_(fs_denied_errno), policy_pid_(syscall(__NR_getpid)) {} |
| 242 | 241 |
| 243 BaselinePolicy::~BaselinePolicy() { | 242 BaselinePolicy::~BaselinePolicy() { |
| 244 // Make sure that this policy is created, used and destroyed by a single | 243 // Make sure that this policy is created, used and destroyed by a single |
| 245 // process. | 244 // process. |
| 246 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 245 DCHECK_EQ(syscall(__NR_getpid), policy_pid_); |
| 247 } | 246 } |
| 248 | 247 |
| 249 ResultExpr BaselinePolicy::EvaluateSyscall(int sysno) const { | 248 ResultExpr BaselinePolicy::EvaluateSyscall(int sysno) const { |
| 250 // Sanity check that we're only called with valid syscall numbers. | 249 // Sanity check that we're only called with valid syscall numbers. |
| 251 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); | 250 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); |
| 252 // Make sure that this policy is used in the creating process. | 251 // Make sure that this policy is used in the creating process. |
| 253 if (1 == sysno) { | 252 if (1 == sysno) { |
| 254 DCHECK_EQ(syscall(__NR_getpid), current_pid_); | 253 DCHECK_EQ(syscall(__NR_getpid), policy_pid_); |
| 255 } | 254 } |
| 256 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno); | 255 return EvaluateSyscallImpl(fs_denied_errno_, policy_pid_, sysno); |
| 257 } | 256 } |
| 258 | 257 |
| 259 ResultExpr BaselinePolicy::InvalidSyscall() const { | 258 ResultExpr BaselinePolicy::InvalidSyscall() const { |
| 260 return CrashSIGSYS(); | 259 return CrashSIGSYS(); |
| 261 } | 260 } |
| 262 | 261 |
| 263 } // namespace sandbox. | 262 } // namespace sandbox. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 598203004:
Linux sandbox: Restrict sched_* syscalls on the GPU and ppapi processes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master