Chromium Code Reviews Chromium Code Reviews
Issue 117803002:
Make building seccomp-bpf a GYP condition (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/nacl/loader/nacl_sandbox_linux.h" | 5 #include "components/nacl/loader/nacl_sandbox_linux.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <signal.h> | 8 #include <signal.h> |
| 9 #include <sys/ptrace.h> | 9 #include <sys/ptrace.h> |
| 10 | 10 |
| 11 #include "base/basictypes.h" | 11 #include "base/basictypes.h" |
| 12 #include "base/callback.h" | 12 #include "base/callback.h" |
| 13 #include "base/compiler_specific.h" | 13 #include "base/compiler_specific.h" |
| 14 #include "base/logging.h" | 14 #include "base/logging.h" |
| 15 #include "build/build_config.h" | 15 #include "build/build_config.h" |
| 16 | |
| 17 #if defined(USE_SECCOMP_BPF) | |
| 16 #include "content/public/common/sandbox_init.h" | 18 #include "content/public/common/sandbox_init.h" |
| 17 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 19 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 18 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" | 20 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" |
| 19 #include "sandbox/linux/services/linux_syscalls.h" | 21 #include "sandbox/linux/services/linux_syscalls.h" |
| 20 | 22 |
| 21 using sandbox::ErrorCode; | 23 using sandbox::ErrorCode; |
| 22 using sandbox::SandboxBPF; | 24 using sandbox::SandboxBPF; |
| 23 using sandbox::SandboxBPFPolicy; | 25 using sandbox::SandboxBPFPolicy; |
| 24 | 26 |
| 25 namespace { | 27 namespace { |
| (...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 144 errno = 0; | 146 errno = 0; |
| 145 // Make a ptrace request with an invalid PID. | 147 // Make a ptrace request with an invalid PID. |
| 146 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL); | 148 long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL); |
| 147 CHECK_EQ(-1, ptrace_ret); | 149 CHECK_EQ(-1, ptrace_ret); |
| 148 // Without the sandbox on, this ptrace call would ESRCH instead. | 150 // Without the sandbox on, this ptrace call would ESRCH instead. |
| 149 CHECK_EQ(EPERM, errno); | 151 CHECK_EQ(EPERM, errno); |
| 150 } | 152 } |
| 151 | 153 |
| 152 } // namespace | 154 } // namespace |
| 153 | 155 |
| 156 #else | |
| 157 | |
| 158 #if !defined(ARCH_CPU_MIPS_FAMILY) | |
| 159 #error "Seccomp-bpf disabled on supported architecture!" | |
| 160 #endif // !!defined(ARCH_CPU_MIPS_FAMILY) | |
|
Mark Seaborn
2013/12/18 08:10:21
Nit: Just "!defined" (but a closing comment is rat
jln (very slow on Chromium)
2013/12/19 00:00:19
Done.
| |
| 161 | |
| 162 #endif // defined(USE_SECCOMP_BPF) | |
| 163 | |
| 154 bool InitializeBPFSandbox() { | 164 bool InitializeBPFSandbox() { |
| 165 #if defined(USE_SECCOMP_BPF) | |
| 155 bool sandbox_is_initialized = content::InitializeSandbox( | 166 bool sandbox_is_initialized = content::InitializeSandbox( |
| 156 scoped_ptr<SandboxBPFPolicy>(new NaClBPFSandboxPolicy())); | 167 scoped_ptr<SandboxBPFPolicy>(new NaClBPFSandboxPolicy())); |
| 157 if (sandbox_is_initialized) { | 168 if (sandbox_is_initialized) { |
| 158 RunSandboxSanityChecks(); | 169 RunSandboxSanityChecks(); |
| 159 return true; | 170 return true; |
| 160 } | 171 } |
| 172 #endif // defined(USE_SECCOMP_BPF) | |
| 161 return false; | 173 return false; |
|
Mark Seaborn
2013/12/18 08:10:21
Hmm, as an aside (which does not affect this chang
jln (very slow on Chromium)
2013/12/19 00:00:19
No, and it was a clear TODO (crbug.com/270914), bu
| |
| 162 } | 174 } |
| OLD | NEW |
