Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2487)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_seccomp_bpf_linux.cc

Issue 10907035: Linux Sandbox: sandbox workers (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <asm/unistd.h> 5 #include <asm/unistd.h>
6 #include <dlfcn.h> 6 #include <dlfcn.h>
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <linux/audit.h> 9 #include <linux/audit.h>
10 #include <linux/filter.h> 10 #include <linux/filter.h>
(...skipping 1223 matching lines...) Expand 10 before | Expand all | Expand 10 after
1234 } 1234 }
1235 default: 1235 default:
1236 if (IsEventFd(sysno)) 1236 if (IsEventFd(sysno))
1237 return ErrorCode(ErrorCode::ERR_ALLOWED); 1237 return ErrorCode(ErrorCode::ERR_ALLOWED);
1238 1238
1239 // Default on the baseline policy. 1239 // Default on the baseline policy.
1240 return BaselinePolicy_x86_64(sysno); 1240 return BaselinePolicy_x86_64(sysno);
1241 } 1241 }
1242 } 1242 }
1243 1243
1244 ErrorCode RendererProcessPolicy_x86_64(int sysno) { 1244 ErrorCode RendererOrWorkerProcessPolicy_x86_64(int sysno) {
1245 switch (sysno) { 1245 switch (sysno) {
1246 case __NR_ioctl: // TODO(jln) investigate legitimate use in the renderer 1246 case __NR_ioctl: // TODO(jln) investigate legitimate use in the renderer
1247 // and see if alternatives can be used. 1247 // and see if alternatives can be used.
1248 case __NR_fdatasync: 1248 case __NR_fdatasync:
1249 case __NR_fsync: 1249 case __NR_fsync:
1250 #if defined(__i386__) || defined(__x86_64__) 1250 #if defined(__i386__) || defined(__x86_64__)
1251 case __NR_getrlimit: 1251 case __NR_getrlimit:
1252 #endif 1252 #endif
1253 case __NR_pread64: 1253 case __NR_pread64:
1254 case __NR_pwrite64: 1254 case __NR_pwrite64:
(...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after
1353 else 1353 else
1354 return GpuProcessPolicy_x86_64; 1354 return GpuProcessPolicy_x86_64;
1355 } 1355 }
1356 1356
1357 if (process_type == switches::kPpapiPluginProcess) { 1357 if (process_type == switches::kPpapiPluginProcess) {
1358 // TODO(jln): figure out what to do with non-Flash PPAPI 1358 // TODO(jln): figure out what to do with non-Flash PPAPI
1359 // out-of-process plug-ins. 1359 // out-of-process plug-ins.
1360 return FlashProcessPolicy_x86_64; 1360 return FlashProcessPolicy_x86_64;
1361 } 1361 }
1362 1362
1363 if (process_type == switches::kRendererProcess) { 1363 if (process_type == switches::kRendererProcess ||
1364 return RendererProcessPolicy_x86_64; 1364 process_type == switches::kWorkerProcess) {
1365 return RendererOrWorkerProcessPolicy_x86_64;
1365 } 1366 }
1366 1367
1367 if (process_type == switches::kWorkerProcess) {
1368 return BlacklistDebugAndNumaPolicy;
1369 }
1370 NOTREACHED(); 1368 NOTREACHED();
1371 // This will be our default if we need one. 1369 // This will be our default if we need one.
1372 return AllowAllPolicy; 1370 return AllowAllPolicy;
1373 #else 1371 #else
1374 // On other architectures (currently IA32 or ARM), 1372 // On other architectures (currently IA32 or ARM),
1375 // we only have a small blacklist at the moment. 1373 // we only have a small blacklist at the moment.
1376 (void) process_type; 1374 (void) process_type;
1377 return BlacklistDebugAndNumaPolicy; 1375 return BlacklistDebugAndNumaPolicy;
1378 #endif // __x86_64__ 1376 #endif // __x86_64__
1379 } 1377 }
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after
1442 // Process-specific policy. 1440 // Process-specific policy.
1443 ShouldEnableSeccompBpf(process_type) && 1441 ShouldEnableSeccompBpf(process_type) &&
1444 SupportsSandbox()) { 1442 SupportsSandbox()) {
1445 return StartBpfSandbox(command_line, process_type); 1443 return StartBpfSandbox(command_line, process_type);
1446 } 1444 }
1447 #endif 1445 #endif
1448 return false; 1446 return false;
1449 } 1447 }
1450 1448
1451 } // namespace content 1449 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698