| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
| 6 #include <dlfcn.h> | 6 #include <dlfcn.h> |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <linux/audit.h> | 9 #include <linux/audit.h> |
| 10 #include <linux/filter.h> | 10 #include <linux/filter.h> |
| (...skipping 492 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 503 bool SandboxSeccompBpf::IsSeccompBpfDesired() { | 503 bool SandboxSeccompBpf::IsSeccompBpfDesired() { |
| 504 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 504 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 505 if (!command_line.HasSwitch(switches::kNoSandbox) && | 505 if (!command_line.HasSwitch(switches::kNoSandbox) && |
| 506 !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { | 506 !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { |
| 507 return true; | 507 return true; |
| 508 } else { | 508 } else { |
| 509 return false; | 509 return false; |
| 510 } | 510 } |
| 511 } | 511 } |
| 512 | 512 |
| 513 bool SandboxSeccompBpf::ShouldEnableSeccompBpf( |
| 514 const std::string& process_type) { |
| 515 #if defined(SECCOMP_BPF_SANDBOX) |
| 516 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 517 return !ShouldDisableBpfSandbox(command_line, process_type); |
| 518 #endif |
| 519 return false; |
| 520 } |
| 521 |
| 513 bool SandboxSeccompBpf::SupportsSandbox() { | 522 bool SandboxSeccompBpf::SupportsSandbox() { |
| 514 #if defined(SECCOMP_BPF_SANDBOX) | 523 #if defined(SECCOMP_BPF_SANDBOX) |
| 515 // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton | 524 // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton |
| 516 // here. | 525 // here. |
| 517 if (playground2::Sandbox::supportsSeccompSandbox(-1) == | 526 if (playground2::Sandbox::supportsSeccompSandbox(-1) == |
| 518 playground2::Sandbox::STATUS_AVAILABLE) { | 527 playground2::Sandbox::STATUS_AVAILABLE) { |
| 519 return true; | 528 return true; |
| 520 } | 529 } |
| 521 #endif | 530 #endif |
| 522 return false; | 531 return false; |
| 523 } | 532 } |
| 524 | 533 |
| 525 bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { | 534 bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { |
| 526 #if defined(SECCOMP_BPF_SANDBOX) | 535 #if defined(SECCOMP_BPF_SANDBOX) |
| 527 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 536 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 528 | 537 |
| 529 if (IsSeccompBpfDesired() && // Global switches policy. | 538 if (IsSeccompBpfDesired() && // Global switches policy. |
| 530 // Process-specific policy. | 539 // Process-specific policy. |
| 531 !ShouldDisableBpfSandbox(command_line, process_type) && | 540 ShouldEnableSeccompBpf(process_type) && |
| 532 SupportsSandbox()) { | 541 SupportsSandbox()) { |
| 533 return StartBpfSandbox_x86(command_line, process_type); | 542 return StartBpfSandbox_x86(command_line, process_type); |
| 534 } | 543 } |
| 535 #endif | 544 #endif |
| 536 return false; | 545 return false; |
| 537 } | 546 } |
| 538 | 547 |
| 539 } // namespace content | 548 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10829156:
Linux: add BPF sandbox status in about:sandbox (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src