| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/public/common/sandbox_init.h" | 5 #include "content/public/common/sandbox_init.h" |
| 6 | 6 |
| 7 #if defined(OS_LINUX) && defined(__x86_64__) | 7 #if defined(OS_LINUX) && defined(__x86_64__) |
| 8 | 8 |
| 9 #include <asm/unistd.h> | 9 #include <asm/unistd.h> |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 180 | 180 |
| 181 static void EmitTrap(std::vector<struct sock_filter>* program) { | 181 static void EmitTrap(std::vector<struct sock_filter>* program) { |
| 182 EmitRet(SECCOMP_RET_TRAP, program); | 182 EmitRet(SECCOMP_RET_TRAP, program); |
| 183 } | 183 } |
| 184 | 184 |
| 185 static void EmitAllowKillSelf(int signal, | 185 static void EmitAllowKillSelf(int signal, |
| 186 std::vector<struct sock_filter>* program) { | 186 std::vector<struct sock_filter>* program) { |
| 187 EmitAllowSyscallArgN(__NR_kill, 2, signal, program); | 187 EmitAllowSyscallArgN(__NR_kill, 2, signal, program); |
| 188 } | 188 } |
| 189 | 189 |
| 190 static void EmitAllowGettime(std::vector<struct sock_filter>* program) { |
| 191 EmitAllowSyscall(__NR_clock_gettime, program); |
| 192 EmitAllowSyscall(__NR_gettimeofday, program); |
| 193 } |
| 194 |
| 190 static void ApplyGPUPolicy(std::vector<struct sock_filter>* program) { | 195 static void ApplyGPUPolicy(std::vector<struct sock_filter>* program) { |
| 191 // "Hot" syscalls go first. | 196 // "Hot" syscalls go first. |
| 192 EmitAllowSyscall(__NR_read, program); | 197 EmitAllowSyscall(__NR_read, program); |
| 193 EmitAllowSyscall(__NR_ioctl, program); | 198 EmitAllowSyscall(__NR_ioctl, program); |
| 194 EmitAllowSyscall(__NR_poll, program); | 199 EmitAllowSyscall(__NR_poll, program); |
| 195 EmitAllowSyscall(__NR_epoll_wait, program); | 200 EmitAllowSyscall(__NR_epoll_wait, program); |
| 196 EmitAllowSyscall(__NR_recvfrom, program); | 201 EmitAllowSyscall(__NR_recvfrom, program); |
| 197 EmitAllowSyscall(__NR_write, program); | 202 EmitAllowSyscall(__NR_write, program); |
| 198 EmitAllowSyscall(__NR_writev, program); | 203 EmitAllowSyscall(__NR_writev, program); |
| 199 EmitAllowSyscall(__NR_gettid, program); | 204 EmitAllowSyscall(__NR_gettid, program); |
| 205 EmitAllowSyscall(__NR_sched_yield, program); // Nvidia binary driver. |
| 206 EmitAllowGettime(program); |
| 200 | 207 |
| 201 // Less hot syscalls. | 208 // Less hot syscalls. |
| 202 EmitAllowSyscall(__NR_clock_gettime, program); | |
| 203 EmitAllowSyscall(__NR_futex, program); | 209 EmitAllowSyscall(__NR_futex, program); |
| 204 EmitAllowSyscall(__NR_madvise, program); | 210 EmitAllowSyscall(__NR_madvise, program); |
| 205 EmitAllowSyscall(__NR_sendmsg, program); | 211 EmitAllowSyscall(__NR_sendmsg, program); |
| 206 EmitAllowSyscall(__NR_recvmsg, program); | 212 EmitAllowSyscall(__NR_recvmsg, program); |
| 207 EmitAllowSyscall(__NR_eventfd2, program); | 213 EmitAllowSyscall(__NR_eventfd2, program); |
| 208 EmitAllowSyscall(__NR_pipe, program); | 214 EmitAllowSyscall(__NR_pipe, program); |
| 209 EmitAllowSyscall(__NR_mmap, program); | 215 EmitAllowSyscall(__NR_mmap, program); |
| 210 EmitAllowSyscall(__NR_mprotect, program); | 216 EmitAllowSyscall(__NR_mprotect, program); |
| 211 EmitAllowSyscall(__NR_clone, program); | 217 EmitAllowSyscall(__NR_clone, program); |
| 212 EmitAllowSyscall(__NR_set_robust_list, program); | 218 EmitAllowSyscall(__NR_set_robust_list, program); |
| 224 EmitAllowSyscall(__NR_restart_syscall, program); | 230 EmitAllowSyscall(__NR_restart_syscall, program); |
| 225 EmitAllowSyscall(__NR_rt_sigreturn, program); | 231 EmitAllowSyscall(__NR_rt_sigreturn, program); |
| 226 EmitAllowSyscall(__NR_brk, program); | 232 EmitAllowSyscall(__NR_brk, program); |
| 227 EmitAllowSyscall(__NR_rt_sigprocmask, program); | 233 EmitAllowSyscall(__NR_rt_sigprocmask, program); |
| 228 EmitAllowSyscall(__NR_munmap, program); | 234 EmitAllowSyscall(__NR_munmap, program); |
| 229 EmitAllowSyscall(__NR_dup, program); | 235 EmitAllowSyscall(__NR_dup, program); |
| 230 EmitAllowSyscall(__NR_mlock, program); | 236 EmitAllowSyscall(__NR_mlock, program); |
| 231 EmitAllowSyscall(__NR_munlock, program); | 237 EmitAllowSyscall(__NR_munlock, program); |
| 232 EmitAllowSyscall(__NR_exit, program); | 238 EmitAllowSyscall(__NR_exit, program); |
| 233 EmitAllowSyscall(__NR_exit_group, program); | 239 EmitAllowSyscall(__NR_exit_group, program); |
| 234 EmitAllowSyscall(__NR_getpid, program); // Seen in Nvidia binary driver. | 240 EmitAllowSyscall(__NR_getpid, program); // Nvidia binary driver. |
| 235 EmitAllowSyscall(__NR_getppid, program); // Seen in ATI binary driver. | 241 EmitAllowSyscall(__NR_getppid, program); // ATI binary driver. |
| 242 EmitAllowSyscall(__NR_lseek, program); // Nvidia binary driver. |
| 236 EmitAllowKillSelf(SIGTERM, program); // GPU watchdog. | 243 EmitAllowKillSelf(SIGTERM, program); // GPU watchdog. |
| 237 | 244 |
| 238 // Generally, filename-based syscalls will fail with ENOENT to behave | 245 // Generally, filename-based syscalls will fail with ENOENT to behave |
| 239 // similarly to a possible future setuid sandbox. | 246 // similarly to a possible future setuid sandbox. |
| 240 EmitFailSyscall(__NR_open, ENOENT, program); | 247 EmitFailSyscall(__NR_open, ENOENT, program); |
| 241 EmitFailSyscall(__NR_access, ENOENT, program); | 248 EmitFailSyscall(__NR_access, ENOENT, program); |
| 242 EmitFailSyscall(__NR_mkdir, ENOENT, program); // Nvidia binary driver. | 249 EmitFailSyscall(__NR_mkdir, ENOENT, program); // Nvidia binary driver. |
| 243 EmitFailSyscall(__NR_readlink, ENOENT, program); // ATI binary driver. | 250 EmitFailSyscall(__NR_readlink, ENOENT, program); // ATI binary driver. |
| 244 } | 251 } |
| 245 | 252 |
| 246 static void ApplyFlashPolicy(std::vector<struct sock_filter>* program) { | 253 static void ApplyFlashPolicy(std::vector<struct sock_filter>* program) { |
| 247 // "Hot" syscalls go first. | 254 // "Hot" syscalls go first. |
| 248 EmitAllowSyscall(__NR_futex, program); | 255 EmitAllowSyscall(__NR_futex, program); |
| 249 EmitAllowSyscall(__NR_write, program); | 256 EmitAllowSyscall(__NR_write, program); |
| 250 EmitAllowSyscall(__NR_epoll_wait, program); | 257 EmitAllowSyscall(__NR_epoll_wait, program); |
| 251 EmitAllowSyscall(__NR_read, program); | 258 EmitAllowSyscall(__NR_read, program); |
| 252 EmitAllowSyscall(__NR_times, program); | 259 EmitAllowSyscall(__NR_times, program); |
| 253 | 260 |
| 254 // Less hot syscalls. | 261 // Less hot syscalls. |
| 255 EmitAllowSyscall(__NR_gettimeofday, program); | 262 EmitAllowGettime(program); |
| 256 EmitAllowSyscall(__NR_clone, program); | 263 EmitAllowSyscall(__NR_clone, program); |
| 257 EmitAllowSyscall(__NR_set_robust_list, program); | 264 EmitAllowSyscall(__NR_set_robust_list, program); |
| 258 EmitAllowSyscall(__NR_getuid, program); | 265 EmitAllowSyscall(__NR_getuid, program); |
| 259 EmitAllowSyscall(__NR_geteuid, program); | 266 EmitAllowSyscall(__NR_geteuid, program); |
| 260 EmitAllowSyscall(__NR_getgid, program); | 267 EmitAllowSyscall(__NR_getgid, program); |
| 261 EmitAllowSyscall(__NR_getegid, program); | 268 EmitAllowSyscall(__NR_getegid, program); |
| 262 EmitAllowSyscall(__NR_epoll_create, program); | 269 EmitAllowSyscall(__NR_epoll_create, program); |
| 263 EmitAllowSyscall(__NR_fcntl, program); | 270 EmitAllowSyscall(__NR_fcntl, program); |
| 264 EmitAllowSyscall(__NR_socketpair, program); | 271 EmitAllowSyscall(__NR_socketpair, program); |
| 265 EmitAllowSyscall(__NR_pipe, program); | 272 EmitAllowSyscall(__NR_pipe, program); |
| 358 | 365 |
| 359 namespace content { | 366 namespace content { |
| 360 | 367 |
| 361 void InitializeSandbox() { | 368 void InitializeSandbox() { |
| 362 } | 369 } |
| 363 | 370 |
| 364 } // namespace content | 371 } // namespace content |
| 365 | 372 |
| 366 #endif | 373 #endif |
| 367 | 374 |
| OLD | NEW |
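Review bot: `EmitAllowGettime` (new lines 190-193) allows `__NR_clock_gettime` for any clock id, and routing both policies through it widens each one without saying so: `ApplyFlashPolicy` (new line 262) gains `clock_gettime`, and `ApplyGPUPolicy` (new line 206) gains `gettimeofday`. A clock id can refer to another process's or thread's CPU-time clock, so an unfiltered allow exposes more than wall or monotonic time to sandboxed code. If `EmitAllowSyscallArgN` can match the first argument the way it matches the signal in `EmitAllowKillSelf`, consider pinning the clock id, e.g. `EmitAllowSyscallArgN(__NR_clock_gettime, 1, CLOCK_MONOTONIC, program);`, with one such line per clock the process needs. The argument numbering there is inferred from the `kill` call, and the helper's definition is in the collapsed lines, so confirm both. Whichever way that goes, a comment on the helper such as `// Time queries: both syscalls are allowed together in every policy that calls this.` would make the widening visible to the next reviewer.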