sandbox/linux/seccomp-bpf/demo.cc - Issue 12223109: SECCOMP-BPF: Refactor the BPF sandbox API to use fewer "static" fields and methods.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: sandbox/linux/seccomp-bpf/demo.cc

Issue 12223109: SECCOMP-BPF: Refactor the BPF sandbox API to use fewer "static" fields and methods. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Make sure unnamed namespaces are always top-level Created 7 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sandbox/linux/seccomp-bpf/demo.cc

diff --git a/sandbox/linux/seccomp-bpf/demo.cc b/sandbox/linux/seccomp-bpf/demo.cc

index fcae39936284d81d7669ee04c91a77c80fa74494..5634896deeb61c924648dd4e7b5484ba8e44ab1c 100644

--- a/sandbox/linux/seccomp-bpf/demo.cc

+++ b/sandbox/linux/seccomp-bpf/demo.cc

@@ -137,7 +137,7 @@ static intptr_t defaultHandler(const struct arch_seccomp_data& data,

return -ERR;

}

-static ErrorCode evaluator(int sysno, void *) {

+static ErrorCode evaluator(Sandbox *sandbox, int sysno, void *) {

switch (sysno) {

#if defined(__NR_accept)

case __NR_accept: case __NR_accept4:

@@ -226,13 +226,13 @@ static ErrorCode evaluator(int sysno, void *) {

case __NR_prctl:

// Allow PR_SET_DUMPABLE and PR_GET_DUMPABLE. Do not allow anything else.

- return Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

+ return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

PR_SET_DUMPABLE,

ErrorCode(ErrorCode::ERR_ALLOWED),

- Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

+ sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,

PR_GET_DUMPABLE,

ErrorCode(ErrorCode::ERR_ALLOWED),

- Sandbox::Trap(defaultHandler, NULL)));

+ sandbox->Trap(defaultHandler, NULL)));

// The following system calls are temporarily permitted. This must be

// tightened later. But we currently don't implement enough of the sandboxing

@@ -267,7 +267,7 @@ static ErrorCode evaluator(int sysno, void *) {

// Everything that isn't explicitly allowed is denied.

default:

- return Sandbox::Trap(defaultHandler, NULL);

+ return sandbox->Trap(defaultHandler, NULL);

}

@@ -316,9 +316,10 @@ int main(int argc, char *argv[]) {

perror("sandbox");

_exit(1);

}

- Sandbox::set_proc_fd(proc_fd);

- Sandbox::SetSandboxPolicy(evaluator, NULL);

- Sandbox::StartSandbox();

+ Sandbox sandbox;

+ sandbox.set_proc_fd(proc_fd);

+ sandbox.SetSandboxPolicy(evaluator, NULL);

+ sandbox.StartSandbox();

// Check that we can create threads

pthread_t thr;

« content/common/sandbox_seccomp_bpf_linux.cc ('K') | « sandbox/linux/seccomp-bpf/codegen.cc ('k') | sandbox/linux/seccomp-bpf/die.h » ('j') | sandbox/linux/seccomp-bpf/sandbox_bpf.h » ('J')