OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h" | 5 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h" |
6 | 6 |
7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
8 #include <errno.h> | 8 #include <errno.h> |
9 #include <fcntl.h> | 9 #include <fcntl.h> |
10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
11 #include <sys/stat.h> | 11 #include <sys/stat.h> |
12 #include <sys/types.h> | 12 #include <sys/types.h> |
13 #include <unistd.h> | 13 #include <unistd.h> |
14 | 14 |
15 #include <string> | 15 #include <string> |
16 #include <vector> | 16 #include <vector> |
17 | 17 |
18 #include "base/bind.h" | 18 #include "base/bind.h" |
19 #include "base/compiler_specific.h" | 19 #include "base/compiler_specific.h" |
20 #include "base/logging.h" | 20 #include "base/logging.h" |
21 #include "base/memory/scoped_ptr.h" | 21 #include "base/memory/scoped_ptr.h" |
22 #include "build/build_config.h" | 22 #include "build/build_config.h" |
23 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" | 23 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" |
24 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" | 24 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" |
| 25 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
25 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" | 26 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" |
26 #include "sandbox/linux/services/linux_syscalls.h" | 27 #include "sandbox/linux/services/linux_syscalls.h" |
27 | 28 |
28 using sandbox::SyscallSets; | 29 using sandbox::SyscallSets; |
29 using sandbox::bpf_dsl::Allow; | 30 using sandbox::bpf_dsl::Allow; |
30 using sandbox::bpf_dsl::Arg; | 31 using sandbox::bpf_dsl::Arg; |
31 using sandbox::bpf_dsl::Error; | 32 using sandbox::bpf_dsl::Error; |
32 using sandbox::bpf_dsl::If; | 33 using sandbox::bpf_dsl::If; |
33 using sandbox::bpf_dsl::ResultExpr; | 34 using sandbox::bpf_dsl::ResultExpr; |
34 | 35 |
144 case __NR_sysinfo: | 145 case __NR_sysinfo: |
145 case __NR_uname: | 146 case __NR_uname: |
146 return Allow(); | 147 return Allow(); |
147 // Allow only AF_UNIX for |domain|. | 148 // Allow only AF_UNIX for |domain|. |
148 case __NR_socket: | 149 case __NR_socket: |
149 case __NR_socketpair: { | 150 case __NR_socketpair: { |
150 const Arg<int> domain(0); | 151 const Arg<int> domain(0); |
151 return If(domain == AF_UNIX, Allow()).Else(Error(EPERM)); | 152 return If(domain == AF_UNIX, Allow()).Else(Error(EPERM)); |
152 } | 153 } |
153 #endif // defined(__arm__) | 154 #endif // defined(__arm__) |
| 155 case __NR_ioprio_get: // IO scheduler. |
| 156 case __NR_ioprio_set: |
| 157 return sandbox::RestrictIoPrioGetSet(GetPolicyPid()); |
| 158 case __NR_sched_get_priority_max: |
| 159 case __NR_sched_get_priority_min: |
| 160 return Allow(); |
| 161 case __NR_sched_getaffinity: |
| 162 case __NR_sched_getattr: |
| 163 case __NR_sched_getparam: |
| 164 case __NR_sched_getscheduler: |
| 165 case __NR_sched_rr_get_interval: |
| 166 case __NR_sched_setaffinity: |
| 167 case __NR_sched_setattr: |
| 168 case __NR_sched_setparam: |
| 169 case __NR_sched_setscheduler: |
| 170 return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno); |
154 default: | 171 default: |
155 if (SyscallSets::IsAdvancedScheduler(sysno)) | |
156 return Allow(); | |
157 | |
158 // Default to the generic GPU policy. | 172 // Default to the generic GPU policy. |
159 return GpuProcessPolicy::EvaluateSyscall(sysno); | 173 return GpuProcessPolicy::EvaluateSyscall(sysno); |
160 } | 174 } |
161 } | 175 } |
162 | 176 |
163 bool CrosArmGpuProcessPolicy::PreSandboxHook() { | 177 bool CrosArmGpuProcessPolicy::PreSandboxHook() { |
164 DCHECK(IsChromeOS() && IsArchitectureArm()); | 178 DCHECK(IsChromeOS() && IsArchitectureArm()); |
165 // Create a new broker process. | 179 // Create a new broker process. |
166 DCHECK(!broker_process()); | 180 DCHECK(!broker_process()); |
167 | 181 |
181 // Preload the Tegra V4L2 (video decode acceleration) library. | 195 // Preload the Tegra V4L2 (video decode acceleration) library. |
182 dlopen("/usr/lib/libtegrav4l2.so", dlopen_flag); | 196 dlopen("/usr/lib/libtegrav4l2.so", dlopen_flag); |
183 // Resetting errno since platform-specific libraries will fail on other | 197 // Resetting errno since platform-specific libraries will fail on other |
184 // platforms. | 198 // platforms. |
185 errno = 0; | 199 errno = 0; |
186 | 200 |
187 return true; | 201 return true; |
188 } | 202 } |
189 | 203 |
190 } // namespace content | 204 } // namespace content |
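Review bot: The explicit `__NR_ioprio_*` and `__NR_sched_*` case list added before `default:` has no comment saying what is being restricted, unlike the `// Allow only AF_UNIX for |domain|.` comment on the socket cases just above it. I would add `// Restrict scheduler and I/O priority syscalls to the pid returned by GetPolicyPid().` above `case __NR_ioprio_get:`. Because the list replaces the removed `SyscallSets::IsAdvancedScheduler(sysno)` check, any syscall in that set that is not listed here now falls through to `GpuProcessPolicy::EvaluateSyscall`, so the two have to be kept in sync by hand. The helper bodies are not on this page, so it is worth confirming that `GetPolicyPid()` is evaluated in the process that actually enters the sandbox, and that `__NR_sched_get_priority_max`/`__NR_sched_get_priority_min` are the only calls meant to stay unconditionally allowed. The enclosing `EvaluateSyscall` switch starts in the skipped lines above this hunk.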