
Side by Side Diff: sandbox/linux/seccomp-bpf/sandbox_bpf.cc

Issue 604123002: Linux sandbox: fill all parameters when detecting seccomp syscall. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Nit Created 6 years, 2 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
6 6
7 // Some headers on Android are missing cdefs: crbug.com/172337. 7 // Some headers on Android are missing cdefs: crbug.com/172337.
8 // (We can't use OS_ANDROID here since build_config.h is not included). 8 // (We can't use OS_ANDROID here since build_config.h is not included).
9 #if defined(ANDROID) 9 #if defined(ANDROID)
10 #include <sys/cdefs.h> 10 #include <sys/cdefs.h>
(...skipping 474 matching lines...) Expand 10 before | Expand all | Expand 10 after
485 } 485 }
486 } 486 }
487 return status_; 487 return status_;
488 } 488 }
489 489
490 // static 490 // static
491 SandboxBPF::SandboxStatus 491 SandboxBPF::SandboxStatus
492 SandboxBPF::SupportsSeccompThreadFilterSynchronization() { 492 SandboxBPF::SupportsSeccompThreadFilterSynchronization() {
493 // Applying NO_NEW_PRIVS, a BPF filter, and synchronizing the filter across 493 // Applying NO_NEW_PRIVS, a BPF filter, and synchronizing the filter across
494 // the thread group are all handled atomically by this syscall. 494 // the thread group are all handled atomically by this syscall.
495 int rv = syscall(__NR_seccomp); 495 const int rv = syscall(
496 __NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, NULL);
496 497
497 // The system call should have failed with EINVAL. 498 if (rv == -1 && errno == EFAULT) {
498 if (rv != -1) { 499 return STATUS_AVAILABLE;
499 NOTREACHED(); 500 } else {
500 return STATUS_UNKNOWN; 501 // TODO(jln): turn these into DCHECK after 417888 is considered fixed.
502 CHECK_EQ(-1, rv);
503 CHECK(ENOSYS == errno || EINVAL == errno);
504 return STATUS_UNSUPPORTED;
501 } 505 }
502
503 if (errno == EINVAL || errno == EFAULT)
504 return STATUS_AVAILABLE;
505
506 // errno is probably ENOSYS, indicating the system call is not available.
507 DCHECK_EQ(errno, ENOSYS);
508 return STATUS_UNSUPPORTED;
509 } 506 }
510 507
511 void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; } 508 void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
512 509
513 bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) { 510 bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) {
514 CHECK(thread_state == PROCESS_SINGLE_THREADED || 511 CHECK(thread_state == PROCESS_SINGLE_THREADED ||
515 thread_state == PROCESS_MULTI_THREADED); 512 thread_state == PROCESS_MULTI_THREADED);
516 513
517 if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) { 514 if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
518 SANDBOX_DIE( 515 SANDBOX_DIE(
(...skipping 617 matching lines...) Expand 10 before | Expand all | Expand 10 after
1136 } 1133 }
1137 } 1134 }
1138 1135
1139 ErrorCode SandboxBPF::Kill(const char* msg) { 1136 ErrorCode SandboxBPF::Kill(const char* msg) {
1140 return Trap(BPFFailure, const_cast<char*>(msg)); 1137 return Trap(BPFFailure, const_cast<char*>(msg));
1141 } 1138 }
1142 1139
1143 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN; 1140 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
1144 1141
1145 } // namespace sandbox 1142 } // namespace sandbox
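Review bot: In SupportsSeccompThreadFilterSynchronization() (new lines 501-504), the `else` branch uses release-mode `CHECK`s on the probe's errno, so any result other than ENOSYS or EINVAL aborts the process during feature detection instead of reporting the feature as unsupported. An environment that intercepts the call, for example an outer seccomp policy returning EPERM, would presumably hit this; the TODO suggests the crash is deliberate while bug 417888 is investigated, so the follow-up should degrade to a plain `return STATUS_UNSUPPORTED;` rather than only downgrading to `DCHECK`. Independently, errno is read after `CHECK_EQ(-1, rv)` has already run; capturing it right after the syscall with `const int err = errno;` keeps the comparison tied to the seccomp call. The probe also deserves a comment such as `// NULL filter: a kernel that accepts SECCOMP_FILTER_FLAG_TSYNC gets as far as copying the filter and fails with EFAULT.`, since the old explanatory comment was removed and nothing now says why EFAULT means available.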