| Index: sandbox/linux/seccomp-bpf/sandbox_bpf.cc
|
| diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
|
| index e7b1da65299c7557cc28e893c9f9e19cf6f2171d..8fbd3f27058885bf15a06bbc4bcda94eab95e03e 100644
|
| --- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
|
| +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
|
| @@ -3,6 +3,7 @@
|
| // found in the LICENSE file.
|
|
|
| #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
|
| +#include "sandbox/linux/seccomp-bpf/verifier.h"
|
|
|
| // The kernel gives us a sandbox, we turn it into a playground :-)
|
| // This is version 2 of the playground; version 1 was built on top of
|
| @@ -269,6 +270,10 @@ void Sandbox::installFilter() {
|
| program.push_back((struct sock_filter)
|
| BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO + SECCOMP_DENY_ERRNO));
|
|
|
| + // Make sure compilation resulted in BPF program that executes
|
| + // correctly.
|
| + Verifier::verifyBPF(program, evaluators_);
|
| +
|
| // Install BPF filter program
|
| const struct sock_fprog prog = { program.size(), &program[0] };
|
| if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
|
| @@ -313,7 +318,6 @@ void Sandbox::sigSys(int nr, siginfo_t *info, void *void_context) {
|
| bool Sandbox::suppressLogging_ = false;
|
| Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
|
| int Sandbox::proc_fd_ = -1;
|
| -std::vector<std::pair<Sandbox::EvaluateSyscall,
|
| - Sandbox::EvaluateArguments> > Sandbox::evaluators_;
|
| +Sandbox::Evaluators Sandbox::evaluators_;
|
|
|
| } // namespace
|
|
|
Chromium Code Reviews
Issue 10546041:
Added a new Verifier class to the BPF compiler. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src