| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 6 | 6 |
| 7 // Some headers on Android are missing cdefs: crbug.com/172337. | 7 // Some headers on Android are missing cdefs: crbug.com/172337. |
| 8 // (We can't use OS_ANDROID here since build_config.h is not included). | 8 // (We can't use OS_ANDROID here since build_config.h is not included). |
| 9 #if defined(ANDROID) | 9 #if defined(ANDROID) |
| 10 #include <sys/cdefs.h> | 10 #include <sys/cdefs.h> |
| (...skipping 23 matching lines...) |
| 34 #include "sandbox/linux/bpf_dsl/policy_compiler.h" | 34 #include "sandbox/linux/bpf_dsl/policy_compiler.h" |
| 35 #include "sandbox/linux/seccomp-bpf/codegen.h" | 35 #include "sandbox/linux/seccomp-bpf/codegen.h" |
| 36 #include "sandbox/linux/seccomp-bpf/die.h" | 36 #include "sandbox/linux/seccomp-bpf/die.h" |
| 37 #include "sandbox/linux/seccomp-bpf/errorcode.h" | 37 #include "sandbox/linux/seccomp-bpf/errorcode.h" |
| 38 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" | 38 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" |
| 39 #include "sandbox/linux/seccomp-bpf/syscall.h" | 39 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 40 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" | 40 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" |
| 41 #include "sandbox/linux/seccomp-bpf/trap.h" | 41 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 42 #include "sandbox/linux/seccomp-bpf/verifier.h" | 42 #include "sandbox/linux/seccomp-bpf/verifier.h" |
| 43 #include "sandbox/linux/services/linux_syscalls.h" | 43 #include "sandbox/linux/services/linux_syscalls.h" |
| 44 #include "sandbox/linux/services/syscall_wrappers.h" |
| 44 | 45 |
| 45 using sandbox::bpf_dsl::Allow; | 46 using sandbox::bpf_dsl::Allow; |
| 46 using sandbox::bpf_dsl::Error; | 47 using sandbox::bpf_dsl::Error; |
| 47 using sandbox::bpf_dsl::ResultExpr; | 48 using sandbox::bpf_dsl::ResultExpr; |
| 48 | 49 |
| 49 namespace sandbox { | 50 namespace sandbox { |
| 50 | 51 |
| 51 namespace { | 52 namespace { |
| 52 | 53 |
| 53 const int kExpectedExitCode = 100; | 54 const int kExpectedExitCode = 100; |
| (...skipping 31 matching lines...) |
| 85 // Make everything else fail in an easily recognizable way. | 86 // Make everything else fail in an easily recognizable way. |
| 86 return Error(EINVAL); | 87 return Error(EINVAL); |
| 87 } | 88 } |
| 88 } | 89 } |
| 89 | 90 |
| 90 private: | 91 private: |
| 91 DISALLOW_COPY_AND_ASSIGN(ProbePolicy); | 92 DISALLOW_COPY_AND_ASSIGN(ProbePolicy); |
| 92 }; | 93 }; |
| 93 | 94 |
| 94 void ProbeProcess(void) { | 95 void ProbeProcess(void) { |
| 95 if (syscall(__NR_getpid) < 0 && errno == EPERM) { | 96 if (sys_getpid() < 0 && errno == EPERM) { |
| 96 syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode)); | 97 sys_exit_group(kExpectedExitCode); |
| 97 } | 98 } |
| 98 } | 99 } |
| 99 | 100 |
| 100 class AllowAllPolicy : public bpf_dsl::Policy { | 101 class AllowAllPolicy : public bpf_dsl::Policy { |
| 101 public: | 102 public: |
| 102 AllowAllPolicy() {} | 103 AllowAllPolicy() {} |
| 103 virtual ~AllowAllPolicy() {} | 104 virtual ~AllowAllPolicy() {} |
| 104 | 105 |
| 105 virtual ResultExpr EvaluateSyscall(int sysnum) const override { | 106 virtual ResultExpr EvaluateSyscall(int sysnum) const override { |
| 106 DCHECK(SandboxBPF::IsValidSyscallNumber(sysnum)); | 107 DCHECK(SandboxBPF::IsValidSyscallNumber(sysnum)); |
| 107 return Allow(); | 108 return Allow(); |
| 108 } | 109 } |
| 109 | 110 |
| 110 private: | 111 private: |
| 111 DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy); | 112 DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy); |
| 112 }; | 113 }; |
| 113 | 114 |
| 114 void TryVsyscallProcess(void) { | 115 void TryVsyscallProcess(void) { |
| 115 time_t current_time; | 116 time_t current_time; |
| 116 // time() is implemented as a vsyscall. With an older glibc, with | 117 // time() is implemented as a vsyscall. With an older glibc, with |
| 117 // vsyscall=emulate and some versions of the seccomp BPF patch | 118 // vsyscall=emulate and some versions of the seccomp BPF patch |
| 118 // we may get SIGKILL-ed. Detect this! | 119 // we may get SIGKILL-ed. Detect this! |
| 119 if (time(¤t_time) != static_cast<time_t>(-1)) { | 120 if (time(¤t_time) != static_cast<time_t>(-1)) { |
| 120 syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode)); | 121 sys_exit_group(kExpectedExitCode); |
| 121 } | 122 } |
| 122 } | 123 } |
| 123 | 124 |
| 124 bool IsSingleThreaded(int proc_fd) { | 125 bool IsSingleThreaded(int proc_fd) { |
| 125 if (proc_fd < 0) { | 126 if (proc_fd < 0) { |
| 126 // Cannot determine whether program is single-threaded. Hope for | 127 // Cannot determine whether program is single-threaded. Hope for |
| 127 // the best... | 128 // the best... |
| 128 return true; | 129 return true; |
| 129 } | 130 } |
| 130 | 131 |
| (...skipping 383 matching lines...) |
| 514 static_cast<intptr_t>(args.args[1]), | 515 static_cast<intptr_t>(args.args[1]), |
| 515 static_cast<intptr_t>(args.args[2]), | 516 static_cast<intptr_t>(args.args[2]), |
| 516 static_cast<intptr_t>(args.args[3]), | 517 static_cast<intptr_t>(args.args[3]), |
| 517 static_cast<intptr_t>(args.args[4]), | 518 static_cast<intptr_t>(args.args[4]), |
| 518 static_cast<intptr_t>(args.args[5])); | 519 static_cast<intptr_t>(args.args[5])); |
| 519 } | 520 } |
| 520 | 521 |
| 521 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN; | 522 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN; |
| 522 | 523 |
| 523 } // namespace sandbox | 524 } // namespace sandbox |
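Review bot: In ProbeProcess (new line 96) the availability probe now depends on `sys_getpid()` entering the kernel and reporting failure as -1 with errno set, a contract the old `syscall(__NR_getpid)` spelled out and the wrapper hides; its definition in syscall_wrappers.h is not shown on this page. If the wrapper ever returned a cached pid the way a libc getpid() can, the call would never reach the seccomp filter and the `errno == EPERM` check would presumably never fire, so the probe would misreport whether the sandbox is usable. I would document that reliance above the check, e.g. `// sys_getpid() must issue the raw syscall (no pid caching) so the probe policy's errno is observed.` The same applies to `sys_exit_group(kExpectedExitCode)` at new lines 97 and 121, which drops the explicit `static_cast<intptr_t>` and relies on the wrapper for the argument conversion.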