| Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
|
| diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
|
| index 2b002b4d235c96481178b56cbf8969cf8045c07e..2f4640130b9335f444360df0e167bf7a2b28043d 100644
|
| --- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
|
| +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
|
| @@ -35,14 +35,6 @@
|
|
|
| namespace {
|
|
|
| -inline bool RunningOnASAN() {
|
| -#if defined(ADDRESS_SANITIZER)
|
| - return true;
|
| -#else
|
| - return false;
|
| -#endif
|
| -}
|
| -
|
| inline bool IsArchitectureX86_64() {
|
| #if defined(__x86_64__)
|
| return true;
|
| @@ -65,24 +57,19 @@ namespace sandbox {
|
|
|
| ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) {
|
| // Glibc's pthread.
|
| - // TODO(jln): fix this on ASAN.
|
| - if (!RunningOnASAN()) {
|
| - return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
|
| - CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
|
| - CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
|
| - CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,
|
| - ErrorCode(ErrorCode::ERR_ALLOWED),
|
| - sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
|
| - CLONE_PARENT_SETTID | SIGCHLD,
|
| - ErrorCode(EPERM),
|
| - // ARM
|
| - sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
|
| - CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD,
|
| - ErrorCode(EPERM),
|
| - sandbox->Trap(SIGSYSCloneFailure, NULL))));
|
| - } else {
|
| - return ErrorCode(ErrorCode::ERR_ALLOWED);
|
| - }
|
| + return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
|
| + CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
|
| + CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
|
| + CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,
|
| + ErrorCode(ErrorCode::ERR_ALLOWED),
|
| + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
|
| + CLONE_PARENT_SETTID | SIGCHLD,
|
| + ErrorCode(EPERM),
|
| + // ARM
|
| + sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
|
| + CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD,
|
| + ErrorCode(EPERM),
|
| + sandbox->Trap(SIGSYSCloneFailure, NULL))));
|
| }
|
|
|
| ErrorCode RestrictPrctl(SandboxBPF* sandbox) {
|
| @@ -213,35 +200,20 @@ ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox) {
|
| #endif
|
|
|
| ErrorCode RestrictKillTarget(pid_t target_pid, SandboxBPF* sandbox, int sysno) {
|
| - if (!RunningOnASAN()) {
|
| - switch (sysno) {
|
| - case __NR_kill:
|
| - case __NR_tgkill:
|
| - return sandbox->Cond(0,
|
| - ErrorCode::TP_32BIT,
|
| - ErrorCode::OP_EQUAL,
|
| - target_pid,
|
| - ErrorCode(ErrorCode::ERR_ALLOWED),
|
| - sandbox->Trap(SIGSYSKillFailure, NULL));
|
| - case __NR_tkill:
|
| - return sandbox->Trap(SIGSYSKillFailure, NULL);
|
| - default:
|
| - NOTREACHED();
|
| - return sandbox->Trap(CrashSIGSYS_Handler, NULL);
|
| - }
|
| - } else {
|
| - switch (sysno) {
|
| - case __NR_kill:
|
| - case __NR_tgkill:
|
| - case __NR_tkill:
|
| - // On ASAN, fork() is not properly denied. This could lead to the
|
| - // strange failures we're observing with this policy on ASAN.
|
| - // TODO(jln): fix this.
|
| - return ErrorCode(ErrorCode::ERR_ALLOWED);
|
| - default:
|
| - NOTREACHED();
|
| - return sandbox->Trap(CrashSIGSYS_Handler, NULL);
|
| - }
|
| + switch (sysno) {
|
| + case __NR_kill:
|
| + case __NR_tgkill:
|
| + return sandbox->Cond(0,
|
| + ErrorCode::TP_32BIT,
|
| + ErrorCode::OP_EQUAL,
|
| + target_pid,
|
| + ErrorCode(ErrorCode::ERR_ALLOWED),
|
| + sandbox->Trap(SIGSYSKillFailure, NULL));
|
| + case __NR_tkill:
|
| + return sandbox->Trap(SIGSYSKillFailure, NULL);
|
| + default:
|
| + NOTREACHED();
|
| + return sandbox->Trap(CrashSIGSYS_Handler, NULL);
|
| }
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 263563004:
Linux sandbox: disallow fork() and *kill for ASAN (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src