sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.cc - Issue 180783019: [Android] Define a baseline seccomp-bpf sandbox policy.

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.cc

Issue 180783019: [Android] Define a baseline seccomp-bpf sandbox policy. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h ('k') | sandbox/linux/seccomp-bpf/sandbox_bpf.cc » ('j') | sandbox/linux/seccomp-bpf/sandbox_bpf.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h"

	6

	7 #include <sys/types.h>

	8

	9 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"

	10 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

	11

	12 namespace sandbox {

	13

	14 BaselinePolicyAndroid::BaselinePolicyAndroid()

	15 : BaselinePolicy() {}

	16

	17 BaselinePolicyAndroid::~BaselinePolicyAndroid() {}

	18

	19 ErrorCode BaselinePolicyAndroid::EvaluateSyscall(SandboxBPF* sandbox,

	20 int sysno) const {

	21 bool allowed = false;

	22

	23 switch (sysno) {

	24 case __NR_open:
	jln (very slow on Chromium) 2014/03/07 01:30:30 Very excited if this works! We may want to experi Very excited if this works! We may want to experiment with having a "broker thread" in the browser, or a better broker process model and broker out open afterwards. Robert Sesek 2014/03/25 21:57:17 Yes, this does work! This mostly appears to be rea Show quoted text On 2014/03/07 01:30:30, jln wrote: > Very excited if this works! > > We may want to experiment with having a "broker thread" in the browser, or a > better broker process model and broker out open afterwards. Yes, this does work! This mostly appears to be reading data files in both the apk and the system partition.
	25

	26 case __NR_uname:

	27

	28 case __NR_flock:

	29 case __NR_sigaltstack:

	30 case __NR_rt_sigtimedwait:

	31 case __NR_mremap:

	32 case __NR_ioctl:

	33 case __NR_pread64:

	34 case __NR_getpriority:

	35 case __NR_setpriority:

	36 case __NR_ugetrlimit:

	37 allowed = true;

	38 break;

	39 }

	40

	41 if (allowed)

	42 return ErrorCode(ErrorCode::ERR_ALLOWED);

	43

	44 return BaselinePolicy::EvaluateSyscall(sandbox, sysno);

	45 }

	46

	47 } // namespace sandbox

OLD	NEW