
Side by Side Diff: content/common/sandbox_init_linux.cc

Issue 10260024: Policy tweaks to address syscall failures seen in 20.0.115.1 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 7 months ago
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/public/common/sandbox_init.h" 5 #include "content/public/common/sandbox_init.h"
6 6
7 #if defined(OS_LINUX) && defined(__x86_64__) 7 #if defined(OS_LINUX) && defined(__x86_64__)
8 8
9 #include <asm/unistd.h> 9 #include <asm/unistd.h>
10 #include <errno.h> 10 #include <errno.h>
(...skipping 181 matching lines...) Expand 10 before | Expand all | Expand 10 after
192 EmitAllowSyscall(__NR_read, program); 192 EmitAllowSyscall(__NR_read, program);
193 EmitAllowSyscall(__NR_ioctl, program); 193 EmitAllowSyscall(__NR_ioctl, program);
194 EmitAllowSyscall(__NR_poll, program); 194 EmitAllowSyscall(__NR_poll, program);
195 EmitAllowSyscall(__NR_epoll_wait, program); 195 EmitAllowSyscall(__NR_epoll_wait, program);
196 EmitAllowSyscall(__NR_recvfrom, program); 196 EmitAllowSyscall(__NR_recvfrom, program);
197 EmitAllowSyscall(__NR_write, program); 197 EmitAllowSyscall(__NR_write, program);
198 EmitAllowSyscall(__NR_writev, program); 198 EmitAllowSyscall(__NR_writev, program);
199 EmitAllowSyscall(__NR_gettid, program); 199 EmitAllowSyscall(__NR_gettid, program);
200 200
201 // Less hot syscalls. 201 // Less hot syscalls.
202 EmitAllowSyscall(__NR_clock_gettime, program);
202 EmitAllowSyscall(__NR_futex, program); 203 EmitAllowSyscall(__NR_futex, program);
203 EmitAllowSyscall(__NR_madvise, program); 204 EmitAllowSyscall(__NR_madvise, program);
204 EmitAllowSyscall(__NR_sendmsg, program); 205 EmitAllowSyscall(__NR_sendmsg, program);
205 EmitAllowSyscall(__NR_recvmsg, program); 206 EmitAllowSyscall(__NR_recvmsg, program);
206 EmitAllowSyscall(__NR_eventfd2, program); 207 EmitAllowSyscall(__NR_eventfd2, program);
207 EmitAllowSyscall(__NR_pipe, program); 208 EmitAllowSyscall(__NR_pipe, program);
208 EmitAllowSyscall(__NR_mmap, program); 209 EmitAllowSyscall(__NR_mmap, program);
209 EmitAllowSyscall(__NR_mprotect, program); 210 EmitAllowSyscall(__NR_mprotect, program);
210 EmitAllowSyscall(__NR_clone, program); 211 EmitAllowSyscall(__NR_clone, program);
211 EmitAllowSyscall(__NR_set_robust_list, program); 212 EmitAllowSyscall(__NR_set_robust_list, program);
(...skipping 15 matching lines...) Expand all
227 EmitAllowSyscall(__NR_munmap, program); 228 EmitAllowSyscall(__NR_munmap, program);
228 EmitAllowSyscall(__NR_dup, program); 229 EmitAllowSyscall(__NR_dup, program);
229 EmitAllowSyscall(__NR_mlock, program); 230 EmitAllowSyscall(__NR_mlock, program);
230 EmitAllowSyscall(__NR_munlock, program); 231 EmitAllowSyscall(__NR_munlock, program);
231 EmitAllowSyscall(__NR_exit, program); 232 EmitAllowSyscall(__NR_exit, program);
232 EmitAllowSyscall(__NR_exit_group, program); 233 EmitAllowSyscall(__NR_exit_group, program);
233 EmitAllowSyscall(__NR_getpid, program); // Seen in Nvidia binary driver. 234 EmitAllowSyscall(__NR_getpid, program); // Seen in Nvidia binary driver.
234 EmitAllowSyscall(__NR_getppid, program); // Seen in ATI binary driver. 235 EmitAllowSyscall(__NR_getppid, program); // Seen in ATI binary driver.
235 EmitAllowKillSelf(SIGTERM, program); // GPU watchdog. 236 EmitAllowKillSelf(SIGTERM, program); // GPU watchdog.
236 237
238 // Generally, filename-based syscalls will fail with ENOENT to behave
239 // similarly to a possible future setuid sandbox.
237 EmitFailSyscall(__NR_open, ENOENT, program); 240 EmitFailSyscall(__NR_open, ENOENT, program);
238 EmitFailSyscall(__NR_access, ENOENT, program); 241 EmitFailSyscall(__NR_access, ENOENT, program);
242 EmitFailSyscall(__NR_mkdir, ENOENT, program); // Nvidia binary driver.
243 EmitFailSyscall(__NR_readlink, ENOENT, program); // ATI binary driver.
239 } 244 }
240 245
241 static void ApplyFlashPolicy(std::vector<struct sock_filter>* program) { 246 static void ApplyFlashPolicy(std::vector<struct sock_filter>* program) {
242 // "Hot" syscalls go first. 247 // "Hot" syscalls go first.
243 EmitAllowSyscall(__NR_futex, program); 248 EmitAllowSyscall(__NR_futex, program);
244 EmitAllowSyscall(__NR_write, program); 249 EmitAllowSyscall(__NR_write, program);
245 EmitAllowSyscall(__NR_epoll_wait, program); 250 EmitAllowSyscall(__NR_epoll_wait, program);
246 EmitAllowSyscall(__NR_read, program); 251 EmitAllowSyscall(__NR_read, program);
247 EmitAllowSyscall(__NR_times, program); 252 EmitAllowSyscall(__NR_times, program);
248 253
249 // Less hot syscalls. 254 // Less hot syscalls.
255 EmitAllowSyscall(__NR_gettimeofday, program);
jln (very slow on Chromium) 2012/04/30 23:44:29 This still misses sigreturn and restart_syscall
250 EmitAllowSyscall(__NR_clone, program); 256 EmitAllowSyscall(__NR_clone, program);
251 EmitAllowSyscall(__NR_set_robust_list, program); 257 EmitAllowSyscall(__NR_set_robust_list, program);
252 EmitAllowSyscall(__NR_getuid, program); 258 EmitAllowSyscall(__NR_getuid, program);
253 EmitAllowSyscall(__NR_geteuid, program); 259 EmitAllowSyscall(__NR_geteuid, program);
254 EmitAllowSyscall(__NR_getgid, program); 260 EmitAllowSyscall(__NR_getgid, program);
255 EmitAllowSyscall(__NR_getegid, program); 261 EmitAllowSyscall(__NR_getegid, program);
256 EmitAllowSyscall(__NR_epoll_create, program); 262 EmitAllowSyscall(__NR_epoll_create, program);
257 EmitAllowSyscall(__NR_fcntl, program); 263 EmitAllowSyscall(__NR_fcntl, program);
258 EmitAllowSyscall(__NR_socketpair, program); 264 EmitAllowSyscall(__NR_socketpair, program);
259 EmitAllowSyscall(__NR_pipe, program); 265 EmitAllowSyscall(__NR_pipe, program);
(...skipping 92 matching lines...) Expand 10 before | Expand all | Expand 10 after
352 358
353 namespace content { 359 namespace content {
354 360
355 void InitializeSandbox() { 361 void InitializeSandbox() {
356 } 362 }
357 363
358 } // namespace content 364 } // namespace content
359 365
360 #endif 366 #endif
361 367
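Review bot: The ENOENT block at new lines 238–243 covers only the legacy path-based syscall numbers (`open`, `access`, and now `mkdir` and `readlink`), so the descriptor-relative forms of the same operations get no matching treatment in the visible lines. A driver or libc build that issues `mkdirat` or `readlinkat` instead would reach whatever the filter's default action is, which is defined outside the lines shown, rather than the quiet ENOENT the new comment describes. If the skipped lines do not already handle them, I would add `EmitFailSyscall(__NR_mkdirat, ENOENT, program);` and `EmitFailSyscall(__NR_readlinkat, ENOENT, program);` next to the new entries, and likewise `__NR_openat` and `__NR_faccessat` beside the existing two. The enclosing policy function starts in the skipped region, so its name and the default action should be checked before applying this.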