Index: content/common/sandbox_init_linux.cc |
=================================================================== |
--- content/common/sandbox_init_linux.cc (revision 139969) |
+++ content/common/sandbox_init_linux.cc (working copy) |
@@ -48,6 +48,14 @@ |
#define __NR_eventfd2 290 |
#endif |
+#ifndef __NR_process_vm_readv |
+ #define __NR_process_vm_readv 310 |
+#endif |
+ |
+#ifndef __NR_process_vm_writev |
+ #define __NR_process_vm_writev 311 |
+#endif |
+ |
// Constants from very new header files that we can't yet include. |
#ifndef SECCOMP_MODE_FILTER |
#define SECCOMP_MODE_FILTER 2 |
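Review bot: The fallback values 310 and 311 added for __NR_process_vm_readv and __NR_process_vm_writev are the x86_64 syscall numbers, and nothing in the hunk records that. On a target whose headers lack these macros but which is not x86_64, the later EmitDenySyscall calls would compare against the wrong number and the intended block would silently not apply; the existing `#define __NR_eventfd2 290` above has the same property, so this may already be covered by an architecture guard outside the hunk. Worth a comment either way, e.g. `// x86_64 numbers: fallbacks for toolchains whose headers predate these syscalls.` If no such guard exists, the fallbacks should sit under `#if defined(__x86_64__)` with an `#error` for other targets rather than defaulting to these values.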
@@ -165,11 +173,24 @@ |
EmitLoad(0, program); |
} |
+static void EmitTrap(std::vector<struct sock_filter>* program) { |
+ EmitRet(SECCOMP_RET_TRAP, program); |
+} |
+ |
+static void EmitAllow(std::vector<struct sock_filter>* program) { |
+ EmitRet(SECCOMP_RET_ALLOW, program); |
+} |
+ |
static void EmitAllowSyscall(int nr, std::vector<struct sock_filter>* program) { |
EmitJEQJF(nr, 1, program); |
- EmitRet(SECCOMP_RET_ALLOW, program); |
+ EmitAllow(program); |
} |
+static void EmitDenySyscall(int nr, std::vector<struct sock_filter>* program) { |
+ EmitJEQJF(nr, 1, program); |
+ EmitTrap(program); |
+} |
+ |
static void EmitAllowSyscallArgN(int nr, |
int arg_nr, |
int arg_val, |
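Review bot: EmitDenySyscall denies via EmitTrap, i.e. SECCOMP_RET_TRAP, which delivers SIGSYS to the calling thread, whereas the neighbouring EmitFailSyscall (visible in the following hunk) denies by returning an errno; the name alone does not tell a caller which of the two it gets, and the new helper carries no comment. Suggest above it: `// Deny with a SIGSYS trap (handled by InstallSIGSYSHandler); use EmitFailSyscall when the caller should observe an errno instead.` As a style point, the helper is inserted between EmitAllowSyscall and EmitAllowSyscallArgN rather than beside EmitFailSyscall, which separates the allow/fail/deny trio that a reader will want to compare side by side. EmitAllowSyscallArgN's definition continues past the end of this hunk.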
@@ -179,7 +200,7 @@ |
EmitJEQJF(nr, 4, program); |
EmitLoadArg(arg_nr, program); |
EmitJEQJF(arg_val, 1, program); |
- EmitRet(SECCOMP_RET_ALLOW, program); |
+ EmitAllow(program); |
// We trashed syscall_nr so put it back in the accumulator. |
EmitLoad(0, program); |
} |
@@ -190,10 +211,6 @@ |
EmitRet(SECCOMP_RET_ERRNO | err, program); |
} |
-static void EmitTrap(std::vector<struct sock_filter>* program) { |
- EmitRet(SECCOMP_RET_TRAP, program); |
-} |
- |
// TODO(cevans) -- only really works as advertised once we restrict clone() |
// to CLONE_THREAD. |
static void EmitAllowSignalSelf(std::vector<struct sock_filter>* program) { |
@@ -333,6 +350,12 @@ |
EmitSetupEmptyFileSystem(program); |
} |
+static void ApplyNoPtracePolicy(std::vector<struct sock_filter>* program) { |
+ EmitDenySyscall(__NR_ptrace, program); |
+ EmitDenySyscall(__NR_process_vm_readv, program); |
+ EmitDenySyscall(__NR_process_vm_writev, program); |
jln (very slow on Chromium)
2012/06/01 18:34:37
Not a huge deal, but maybe add move_pages and migr
|
+} |
+ |
static bool CanUseSeccompFilters() { |
int ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 0, 0, 0); |
if (ret != 0 && errno == EFAULT) |
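Review bot: ApplyNoPtracePolicy has no comment stating its scope, and that matters here because, unlike the GPU and Flash policies, the renderer/worker filter built from it is terminated with EmitAllow later in this change, so these three EmitDenySyscall lines are the entire restriction and every unlisted syscall remains permitted. Suggest above the function: `// Renderer/worker policy: a denylist, not an allowlist. Blocks the syscalls that read or write another process's memory (ptrace, process_vm_readv, process_vm_writev) with a SIGSYS trap; the caller appends a default ALLOW.` A further sentence noting that a renderer which legitimately reaches one of these takes a SIGSYS trap rather than receiving an errno would help whoever next chooses between EmitDenySyscall and EmitFailSyscall here.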
@@ -380,11 +403,19 @@ |
ApplyGPUPolicy(&program); |
} else if (process_type == switches::kPpapiPluginProcess) { |
ApplyFlashPolicy(&program); |
+ } else if (process_type == switches::kRendererProcess || |
+ process_type == switches::kWorkerProcess) { |
+ ApplyNoPtracePolicy(&program); |
} else { |
jln (very slow on Chromium)
2012/06/01 18:34:37
This whole section (up to line 418) is becoming di
|
NOTREACHED(); |
} |
- EmitTrap(&program); |
+ if (process_type == switches::kRendererProcess || |
+ process_type == switches::kWorkerProcess) { |
+ EmitAllow(&program); |
+ } else { |
+ EmitTrap(&program); |
+ } |
InstallSIGSYSHandler(); |
InstallFilter(program); |