content/common/sandbox_seccomp_bpf_linux.cc - Issue 10836243: Add basic ARM policy to seccomp-bpf sandbox.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/sandbox_seccomp_bpf_linux.cc

Issue 10836243: Add basic ARM policy to seccomp-bpf sandbox. (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: Addressed more comments. Created 8 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/common/sandbox_seccomp_bpf_linux.cc

diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc

index 226bad780d956b9996052efd54f50aa90125053c..a033138f965c51f51a5d63b1a4dcfce46b830eca 100644

--- a/content/common/sandbox_seccomp_bpf_linux.cc

+++ b/content/common/sandbox_seccomp_bpf_linux.cc

@@ -25,13 +25,19 @@

#include "content/public/common/content_switches.h"

// These are the only architectures supported for now.

-#if defined(__i386__) || defined(__x86_64__)

+#if defined(__i386__) || defined(__x86_64__) || defined(__arm__)

#define SECCOMP_BPF_SANDBOX

#endif

#if defined(SECCOMP_BPF_SANDBOX)

#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

+#if defined(__i386__) || defined(__x86_64__)

#include "sandbox/linux/services/x86_linux_syscalls.h"

+#elif defined(__arm__)

+// This file doesn't yet list all syscalls.

+#include "sandbox/linux/services/arm_linux_syscalls.h"

+#endif

namespace {

@@ -1192,7 +1198,9 @@ playground2::Sandbox::ErrorCode BlacklistPtracePolicy(int sysno) {

return ENOSYS;

}

switch (sysno) {

+#if defined(__x86_64__) || defined(__i386__)

jln (very slow on Chromium) 2012/08/14 22:51:46 The rest of this file does i386 || x86_64, would b

case __NR_migrate_pages:

+#endif

case __NR_move_pages:

case __NR_process_vm_readv:

case __NR_process_vm_writev:

@@ -1259,15 +1267,16 @@ playground2::Sandbox::EvaluateSyscall GetProcessSyscallPolicy(

// This will be our default if we need one.

return AllowAllPolicy;

#else

- // On IA32, we only have a small blacklist at the moment.

+ // On other architectures (currently IA32 or ARM),

+ // we only have a small blacklist at the moment.

(void) process_type;

return BlacklistPtracePolicy;

#endif // __x86_64__

}

// Initialize the seccomp-bpf sandbox.

-bool StartBpfSandbox_x86(const CommandLine& command_line,

- const std::string& process_type) {

+bool StartBpfSandbox(const CommandLine& command_line,

+ const std::string& process_type) {

playground2::Sandbox::EvaluateSyscall SyscallPolicy =

GetProcessSyscallPolicy(command_line, process_type);

@@ -1329,7 +1338,7 @@ bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) {

// Process-specific policy.

ShouldEnableSeccompBpf(process_type) &&

SupportsSandbox()) {

- return StartBpfSandbox_x86(command_line, process_type);

+ return StartBpfSandbox(command_line, process_type);

}

#endif

return false;

« no previous file with comments | « no previous file | sandbox/linux/services/arm_linux_syscalls.h » ('j') | no next file with comments »