1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <sys/mman.h> | 8 #include <sys/mman.h> |
9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
10 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
180 if (sysno == __NR_mprotect) | 180 if (sysno == __NR_mprotect) |
181 return RestrictMprotectFlags(); | 181 return RestrictMprotectFlags(); |
182 | 182 |
183 if (sysno == __NR_prctl) | 183 if (sysno == __NR_prctl) |
184 return RestrictPrctl(); | 184 return RestrictPrctl(); |
185 | 185 |
186 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \ | 186 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \ |
187 defined(__aarch64__) | 187 defined(__aarch64__) |
188 if (sysno == __NR_socketpair) { | 188 if (sysno == __NR_socketpair) { |
189 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. | 189 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
190 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); | 190 static_assert(AF_UNIX == PF_UNIX, |
| 191 "af_unix and pf_unix should not be different"); |
191 const Arg<int> domain(0); | 192 const Arg<int> domain(0); |
192 return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS()); | 193 return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS()); |
193 } | 194 } |
194 #endif | 195 #endif |
195 | 196 |
196 if (SyscallSets::IsKill(sysno)) { | 197 if (SyscallSets::IsKill(sysno)) { |
197 return RestrictKillTarget(current_pid, sysno); | 198 return RestrictKillTarget(current_pid, sysno); |
198 } | 199 } |
199 | 200 |
200 if (SyscallSets::IsFileSystem(sysno) || | 201 if (SyscallSets::IsFileSystem(sysno) || |
255 DCHECK_EQ(sys_getpid(), policy_pid_); | 256 DCHECK_EQ(sys_getpid(), policy_pid_); |
256 } | 257 } |
257 return EvaluateSyscallImpl(fs_denied_errno_, policy_pid_, sysno); | 258 return EvaluateSyscallImpl(fs_denied_errno_, policy_pid_, sysno); |
258 } | 259 } |
259 | 260 |
260 ResultExpr BaselinePolicy::InvalidSyscall() const { | 261 ResultExpr BaselinePolicy::InvalidSyscall() const { |
261 return CrashSIGSYS(); | 262 return CrashSIGSYS(); |
262 } | 263 } |
263 | 264 |
264 } // namespace sandbox. | 265 } // namespace sandbox. |
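Review bot: The new `static_assert(AF_UNIX == PF_UNIX, ...)` at new lines 190-191 is placed inside the `#if defined(__x86_64__) || defined(__arm__) || ...` block, so the invariant is only compiled on the architectures that take the socketpair branch, although it does not depend on the syscall or the architecture. Hoisting it to namespace scope next to the includes, `static_assert(AF_UNIX == PF_UNIX, "AF_UNIX and PF_UNIX must be equal");`, would make every build check it and keep the function body to policy logic only. The message also reads better as the invariant being asserted than as a prohibition ("should not be different"). The enclosing function (presumably the EvaluateSyscallImpl called at new line 258) starts before this hunk.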