Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(358)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/syscall_sets.h

Issue 670183003: Update from chromium 62675d9fb31fb8cedc40f68e78e8445a74f362e7 (Closed) Base URL: git@github.com:domokit/mojo.git@master
Patch Set: Created 6 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc ('k') | sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_
6 #define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_
7
8 #include "base/basictypes.h"
9 #include "build/build_config.h"
10 #include "sandbox/sandbox_export.h"
11
12 // These are helpers to build seccomp-bpf policies, i.e. policies for a
13 // sandbox that reduces the Linux kernel's attack surface. Given their
14 // nature, they don't have any clear semantics and are completely
15 // "implementation-defined".
16
17 namespace sandbox {
18
19 class SANDBOX_EXPORT SyscallSets {
20 public:
21 static bool IsKill(int sysno);
22 static bool IsAllowedGettime(int sysno);
23 static bool IsCurrentDirectory(int sysno);
24 static bool IsUmask(int sysno);
25 // System calls that directly access the file system. They might acquire
26 // a new file descriptor or otherwise perform an operation directly
27 // via a path.
28 static bool IsFileSystem(int sysno);
29 static bool IsAllowedFileSystemAccessViaFd(int sysno);
30 static bool IsDeniedFileSystemAccessViaFd(int sysno);
31 static bool IsGetSimpleId(int sysno);
32 static bool IsProcessPrivilegeChange(int sysno);
33 static bool IsProcessGroupOrSession(int sysno);
34 static bool IsAllowedSignalHandling(int sysno);
35 static bool IsAllowedOperationOnFd(int sysno);
36 static bool IsKernelInternalApi(int sysno);
37 // This should be thought through in conjunction with IsFutex().
38 static bool IsAllowedProcessStartOrDeath(int sysno);
39 // It's difficult to restrict those, but there is attack surface here.
40 static bool IsAllowedFutex(int sysno);
41 static bool IsAllowedEpoll(int sysno);
42 static bool IsAllowedGetOrModifySocket(int sysno);
43 static bool IsDeniedGetOrModifySocket(int sysno);
44
45 #if defined(__i386__) || defined(__mips__)
46 // Big multiplexing system call for sockets.
47 static bool IsSocketCall(int sysno);
48 #endif
49
50 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
51 defined(__aarch64__)
52 static bool IsNetworkSocketInformation(int sysno);
53 #endif
54
55 static bool IsAllowedAddressSpaceAccess(int sysno);
56 static bool IsAllowedGeneralIo(int sysno);
57 static bool IsPrctl(int sysno);
58 static bool IsSeccomp(int sysno);
59 static bool IsAllowedBasicScheduler(int sysno);
60 static bool IsAdminOperation(int sysno);
61 static bool IsKernelModule(int sysno);
62 static bool IsGlobalFSViewChange(int sysno);
63 static bool IsFsControl(int sysno);
64 static bool IsNuma(int sysno);
65 static bool IsMessageQueue(int sysno);
66 static bool IsGlobalProcessEnvironment(int sysno);
67 static bool IsDebug(int sysno);
68 static bool IsGlobalSystemStatus(int sysno);
69 static bool IsEventFd(int sysno);
70 // Asynchronous I/O API.
71 static bool IsAsyncIo(int sysno);
72 static bool IsKeyManagement(int sysno);
73 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
74 static bool IsSystemVSemaphores(int sysno);
75 #endif
76 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
77 // These give a lot of ambient authority and bypass the setuid sandbox.
78 static bool IsSystemVSharedMemory(int sysno);
79 #endif
80
81 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
82 static bool IsSystemVMessageQueue(int sysno);
83 #endif
84
85 #if defined(__i386__) || defined(__mips__)
86 // Big system V multiplexing system call.
87 static bool IsSystemVIpc(int sysno);
88 #endif
89
90 static bool IsAnySystemV(int sysno);
91 static bool IsAdvancedScheduler(int sysno);
92 static bool IsInotify(int sysno);
93 static bool IsFaNotify(int sysno);
94 static bool IsTimer(int sysno);
95 static bool IsAdvancedTimer(int sysno);
96 static bool IsExtendedAttributes(int sysno);
97 static bool IsMisc(int sysno);
98 #if defined(__arm__)
99 static bool IsArmPciConfig(int sysno);
100 static bool IsArmPrivate(int sysno);
101 #endif // defined(__arm__)
102 #if defined(__mips__)
103 static bool IsMipsPrivate(int sysno);
104 static bool IsMipsMisc(int sysno);
105 #endif // defined(__mips__)
106 private:
107 DISALLOW_IMPLICIT_CONSTRUCTORS(SyscallSets);
108 };
109
110 } // namespace sandbox.
111
112 #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_
OLDNEW
« no previous file with comments | « sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc ('k') | sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698