
Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

Issue 260793003: [MIPS] Add seccomp bpf support (Closed) Base URL: https://git.chromium.org/git/chromium/src.git@master
Patch Set: Update per code review Created 6 years, 5 months ago
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <fcntl.h> 9 #include <fcntl.h>
10 #include <linux/futex.h> 10 #include <linux/futex.h>
(...skipping 19 matching lines...) Expand all
30 #if defined(OS_ANDROID) 30 #if defined(OS_ANDROID)
31 #if !defined(F_DUPFD_CLOEXEC) 31 #if !defined(F_DUPFD_CLOEXEC)
32 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6) 32 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
33 #endif 33 #endif
34 #endif 34 #endif
35 35
36 #if defined(__arm__) && !defined(MAP_STACK) 36 #if defined(__arm__) && !defined(MAP_STACK)
37 #define MAP_STACK 0x20000 // Daisy build environment has old headers. 37 #define MAP_STACK 0x20000 // Daisy build environment has old headers.
38 #endif 38 #endif
39 39
40 #if defined(__mips__) && !defined(MAP_STACK)
41 #define MAP_STACK 0x40000
42 #endif
40 namespace { 43 namespace {
41 44
42 inline bool IsArchitectureX86_64() { 45 inline bool IsArchitectureX86_64() {
43 #if defined(__x86_64__) 46 #if defined(__x86_64__)
44 return true; 47 return true;
45 #else 48 #else
46 return false; 49 return false;
47 #endif 50 #endif
48 } 51 }
49 52
50 inline bool IsArchitectureI386() { 53 inline bool IsArchitectureI386() {
51 #if defined(__i386__) 54 #if defined(__i386__)
52 return true; 55 return true;
53 #else 56 #else
54 return false; 57 return false;
55 #endif 58 #endif
56 } 59 }
57 60
58 inline bool IsAndroid() { 61 inline bool IsAndroid() {
59 #if defined(OS_ANDROID) 62 #if defined(OS_ANDROID)
60 return true; 63 return true;
61 #else 64 #else
62 return false; 65 return false;
63 #endif 66 #endif
64 } 67 }
65 68
69 inline bool IsArchitectureMips() {
70 #if defined(__mips__)
71 return true;
72 #else
73 return false;
74 #endif
75 }
76
66 } // namespace. 77 } // namespace.
67 78
68 namespace sandbox { 79 namespace sandbox {
69 80
70 // Allow Glibc's and Android pthread creation flags, crash on any other 81 // Allow Glibc's and Android pthread creation flags, crash on any other
71 // thread creation attempts and EPERM attempts to use neither 82 // thread creation attempts and EPERM attempts to use neither
72 // CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations. 83 // CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
73 ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) { 84 ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) {
74 if (!IsAndroid()) { 85 if (!IsAndroid()) {
75 const uint64_t kGlibcPthreadFlags = 86 const uint64_t kGlibcPthreadFlags =
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after
151 ErrorCode(ErrorCode::ERR_ALLOWED)); 162 ErrorCode(ErrorCode::ERR_ALLOWED));
152 } 163 }
153 164
154 ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox) { 165 ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox) {
155 // We also restrict the flags in F_SETFL. We don't want to permit flags with 166 // We also restrict the flags in F_SETFL. We don't want to permit flags with
156 // a history of trouble such as O_DIRECT. The flags you see are actually the 167 // a history of trouble such as O_DIRECT. The flags you see are actually the
157 // allowed ones, and the variable is a "denied" mask because of the negation 168 // allowed ones, and the variable is a "denied" mask because of the negation
158 // operator. 169 // operator.
159 // Glibc overrides the kernel's O_LARGEFILE value. Account for this. 170 // Glibc overrides the kernel's O_LARGEFILE value. Account for this.
160 int kOLargeFileFlag = O_LARGEFILE; 171 int kOLargeFileFlag = O_LARGEFILE;
161 if (IsArchitectureX86_64() || IsArchitectureI386()) 172 if (IsArchitectureX86_64() || IsArchitectureI386() || IsArchitectureMips())
162 kOLargeFileFlag = 0100000; 173 kOLargeFileFlag = 0100000;
163 174
164 // TODO(jln): add TP_LONG/TP_SIZET types. 175 // TODO(jln): add TP_LONG/TP_SIZET types.
165 ErrorCode::ArgType mask_long_type; 176 ErrorCode::ArgType mask_long_type;
166 if (sizeof(long) == 8) 177 if (sizeof(long) == 8)
167 mask_long_type = ErrorCode::TP_64BIT; 178 mask_long_type = ErrorCode::TP_64BIT;
168 else if (sizeof(long) == 4) 179 else if (sizeof(long) == 4)
169 mask_long_type = ErrorCode::TP_32BIT; 180 mask_long_type = ErrorCode::TP_32BIT;
170 else 181 else
171 NOTREACHED(); 182 NOTREACHED();
(...skipping 26 matching lines...) Expand all
198 ErrorCode(ErrorCode::ERR_ALLOWED), 209 ErrorCode(ErrorCode::ERR_ALLOWED),
199 sandbox->Cond(1, ErrorCode::TP_32BIT, 210 sandbox->Cond(1, ErrorCode::TP_32BIT,
200 ErrorCode::OP_EQUAL, F_GETLK, 211 ErrorCode::OP_EQUAL, F_GETLK,
201 ErrorCode(ErrorCode::ERR_ALLOWED), 212 ErrorCode(ErrorCode::ERR_ALLOWED),
202 sandbox->Cond(1, ErrorCode::TP_32BIT, 213 sandbox->Cond(1, ErrorCode::TP_32BIT,
203 ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC, 214 ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC,
204 ErrorCode(ErrorCode::ERR_ALLOWED), 215 ErrorCode(ErrorCode::ERR_ALLOWED),
205 sandbox->Trap(CrashSIGSYS_Handler, NULL)))))))))); 216 sandbox->Trap(CrashSIGSYS_Handler, NULL))))))))));
206 } 217 }
207 218
208 #if defined(__i386__) 219 #if defined(__i386__) || defined(__mips__)
209 ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox) { 220 ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox) {
210 // Unfortunately, we are unable to restrict the first parameter to 221 // Unfortunately, we are unable to restrict the first parameter to
211 // socketpair(2). Whilst initially sounding bad, it's noteworthy that very 222 // socketpair(2). Whilst initially sounding bad, it's noteworthy that very
212 // few protocols actually support socketpair(2). The scary call that we're 223 // few protocols actually support socketpair(2). The scary call that we're
213 // worried about, socket(2), remains blocked. 224 // worried about, socket(2), remains blocked.
214 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 225 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
215 SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED), 226 SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED),
216 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 227 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
217 SYS_SEND, ErrorCode(ErrorCode::ERR_ALLOWED), 228 SYS_SEND, ErrorCode(ErrorCode::ERR_ALLOWED),
218 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 229 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after
267 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 278 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
268 FUTEX_CMP_REQUEUE_PI | FUTEX_CLOCK_REALTIME, 279 FUTEX_CMP_REQUEUE_PI | FUTEX_CLOCK_REALTIME,
269 sandbox->Trap(SIGSYSFutexFailure, NULL), 280 sandbox->Trap(SIGSYSFutexFailure, NULL),
270 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 281 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
271 FUTEX_CMP_REQUEUE_PI_PRIVATE | FUTEX_CLOCK_REALTIME, 282 FUTEX_CMP_REQUEUE_PI_PRIVATE | FUTEX_CLOCK_REALTIME,
272 sandbox->Trap(SIGSYSFutexFailure, NULL), 283 sandbox->Trap(SIGSYSFutexFailure, NULL),
273 ErrorCode(ErrorCode::ERR_ALLOWED))))); 284 ErrorCode(ErrorCode::ERR_ALLOWED)))));
274 } 285 }
275 286
276 } // namespace sandbox. 287 } // namespace sandbox.
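Review bot: The new MIPS fallback `#define MAP_STACK 0x40000` (new lines 40-42) carries no comment, unlike the ARM fallback next to it that explains why the define exists; a stale-header fallback for a flag the filter compares against deserves a note on where the value comes from, e.g. `// MIPS headers may lack MAP_STACK; value matches the MIPS <asm/mman.h> definition.` The same applies to new line 172, where `IsArchitectureMips()` is added to the `kOLargeFileFlag = 0100000` override: the preceding comment says only that glibc overrides the kernel value, so extend it to state that the override was confirmed for MIPS, since a wrong bit in this denied mask either admits an unwanted F_SETFL flag or breaks legitimate callers. Enabling `RestrictSocketcallCommand` for `__mips__` at new line 219 presumably assumes the socketcall multiplexer is present on every MIPS ABI this build targets; that is not visible in the hunk, so a comment or build assertion pinning that assumption would help the next maintainer.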