Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(403)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc

Issue 775943004: [Android] Get renderers working again under seccomp-bpf. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Address comments Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h " 5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h "
6 6
7 #include <sys/syscall.h> 7 #include <sys/syscall.h>
8 #include <sys/types.h> 8 #include <sys/types.h>
9 9
10 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" 10 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
11 11
12 using sandbox::bpf_dsl::Allow; 12 using sandbox::bpf_dsl::Allow;
13 using sandbox::bpf_dsl::ResultExpr; 13 using sandbox::bpf_dsl::ResultExpr;
14 14
15 namespace content { 15 namespace content {
16 16
17 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() 17 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid()
18 : SandboxBPFBasePolicy() {} 18 : SandboxBPFBasePolicy() {}
19 19
20 SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {} 20 SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {}
21 21
22 ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const { 22 ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const {
23 bool override_and_allow = false; 23 bool override_and_allow = false;
24 24
25 switch (sysno) { 25 switch (sysno) {
26 // TODO(rsesek): restrict clone parameters. 26 // TODO(rsesek): restrict clone parameters.
27 case __NR_clone: 27 case __NR_clone:
28 case __NR_epoll_pwait: 28 case __NR_epoll_pwait:
29 case __NR_flock: 29 case __NR_flock:
30 #if defined(__x86_64__) || defined(__aarch64__)
31 case __NR_newfstatat:
32 #elif defined(__i386__) || defined(__arm__) || defined(__mips__)
33 case __NR_fstatat64:
34 #endif
30 case __NR_getpriority: 35 case __NR_getpriority:
31 case __NR_ioctl: 36 case __NR_ioctl:
32 case __NR_mremap: 37 case __NR_mremap:
33 // File system access cannot be restricted with seccomp-bpf on Android, 38 // File system access cannot be restricted with seccomp-bpf on Android,
34 // since the JVM classloader and other Framework features require file 39 // since the JVM classloader and other Framework features require file
35 // access. It may be possible to restrict the filesystem with SELinux. 40 // access. It may be possible to restrict the filesystem with SELinux.
36 // Currently we rely on the app/service UID isolation to create a 41 // Currently we rely on the app/service UID isolation to create a
37 // filesystem "sandbox". 42 // filesystem "sandbox".
38 #if !ARCH_CPU_ARM64 43 #if !defined(ARCH_CPU_ARM64)
39 case __NR_open: 44 case __NR_open:
40 #endif 45 #endif
41 case __NR_openat: 46 case __NR_openat:
42 case __NR_pread64: 47 case __NR_pread64:
43 case __NR_rt_sigtimedwait: 48 case __NR_rt_sigtimedwait:
44 case __NR_setpriority: 49 case __NR_setpriority:
50 case __NR_set_tid_address:
45 case __NR_sigaltstack: 51 case __NR_sigaltstack:
46 #if defined(__i386__) || defined(__arm__) 52 #if defined(__i386__) || defined(__arm__)
47 case __NR_ugetrlimit: 53 case __NR_ugetrlimit:
48 #else 54 #else
49 case __NR_getrlimit: 55 case __NR_getrlimit:
50 #endif 56 #endif
51 case __NR_uname: 57 case __NR_uname:
52 override_and_allow = true; 58 override_and_allow = true;
53 break; 59 break;
54 } 60 }
55 61
56 if (override_and_allow) 62 if (override_and_allow)
57 return Allow(); 63 return Allow();
58 64
59 return SandboxBPFBasePolicy::EvaluateSyscall(sysno); 65 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
60 } 66 }
61 67
62 } // namespace content 68 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698