content/common/sandbox_seccomp_bpf_linux.cc - Issue 16266014: Linux Sandbox: EPERM any system V IPC in the baseline

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/sandbox_seccomp_bpf_linux.cc

Issue 16266014: Linux Sandbox: EPERM any system V IPC in the baseline (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/common/sandbox_seccomp_bpf_linux.cc

diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc

index 9412d9ee17a6d44fea9ca538059735a980fdc106..10913a2db0405a5dc3336675f91faf5e875041e3 100644

--- a/content/common/sandbox_seccomp_bpf_linux.cc

+++ b/content/common/sandbox_seccomp_bpf_linux.cc

@@ -1014,6 +1014,16 @@ bool IsSystemVIpc(int sysno) {

}

#endif

+bool IsAnySystemV(int sysno) {

+#if defined(__x86_64__) || defined(__arm__)

+ return IsSystemVMessageQueue(sysno) ||

+ IsSystemVSemaphores(sysno) ||

+ IsSystemVSharedMemory(sysno);

+#elif defined(__i386__)

+ return IsSystemVIpc(sysno);

+#endif

bool IsAdvancedScheduler(int sysno) {

switch (sysno) {

case __NR_ioprio_get: // IO scheduler.

@@ -1232,13 +1242,6 @@ bool IsBaselinePolicyWatched(int sysno) {

IsSocketCall(sysno) || // We'll need to handle this properly to build

// a x86_32 policy.

#endif

-#if defined(__x86_64__) || defined(__arm__)

- IsSystemVMessageQueue(sysno) ||

- IsSystemVSemaphores(sysno) ||

- IsSystemVSharedMemory(sysno) ||

-#elif defined(__i386__)

- IsSystemVIpc(sysno) ||

-#endif

#if defined(__arm__)

IsArmPciConfig(sysno) ||

#endif

@@ -1414,6 +1417,10 @@ ErrorCode BaselinePolicy(Sandbox* sandbox, int sysno) {

return ErrorCode(ENOENT);

}

+ if (IsAnySystemV(sysno)) {

+ return ErrorCode(EPERM);

+ }

if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) ||

IsDeniedGetOrModifySocket(sysno)) {

return ErrorCode(EPERM);

@@ -1455,10 +1462,6 @@ ErrorCode GpuProcessPolicy(Sandbox* sandbox, int sysno,

case __NR_openat:

return sandbox->Trap(GpuSIGSYS_Handler, broker_process);

default:

-#if defined(__x86_64__) || defined(__arm__)

- if (IsSystemVSharedMemory(sysno))

- return ErrorCode(EACCES);

-#endif

if (IsEventFd(sysno))

return ErrorCode(ErrorCode::ERR_ALLOWED);

« no previous file with comments | « no previous file | no next file » | no next file with comments »