OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <signal.h> | 8 #include <signal.h> |
9 #include <sys/ptrace.h> | 9 #include <sys/ptrace.h> |
10 | 10 |
67 | 67 |
68 private: | 68 private: |
69 scoped_ptr<SandboxBPFPolicy> baseline_policy_; | 69 scoped_ptr<SandboxBPFPolicy> baseline_policy_; |
70 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy); | 70 DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy); |
71 }; | 71 }; |
72 | 72 |
73 ErrorCode NaClBPFSandboxPolicy::EvaluateSyscall( | 73 ErrorCode NaClBPFSandboxPolicy::EvaluateSyscall( |
74 sandbox::SandboxBPF* sb, int sysno) const { | 74 sandbox::SandboxBPF* sb, int sysno) const { |
75 DCHECK(baseline_policy_); | 75 DCHECK(baseline_policy_); |
76 switch (sysno) { | 76 switch (sysno) { |
| 77 case __NR_clone: // TODO(jln): restrict parameters. |
77 // TODO(jln): NaCl's GDB debug stub uses the following socket system calls, | 78 // TODO(jln): NaCl's GDB debug stub uses the following socket system calls, |
78 // see if it can be restricted a bit. | 79 // see if it can be restricted a bit. |
79 #if defined(__x86_64__) || defined(__arm__) | 80 #if defined(__x86_64__) || defined(__arm__) |
80 // transport_common.cc needs this. | 81 // transport_common.cc needs this. |
81 case __NR_accept: | 82 case __NR_accept: |
82 case __NR_setsockopt: | 83 case __NR_setsockopt: |
83 #elif defined(__i386__) | 84 #elif defined(__i386__) |
84 case __NR_socketcall: | 85 case __NR_socketcall: |
85 #endif | 86 #endif |
86 // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is | 87 // trusted/service_runtime/linux/thread_suspension.c needs sigwait() and is |
169 scoped_ptr<SandboxBPFPolicy>(new NaClBPFSandboxPolicy())); | 170 scoped_ptr<SandboxBPFPolicy>(new NaClBPFSandboxPolicy())); |
170 if (sandbox_is_initialized) { | 171 if (sandbox_is_initialized) { |
171 RunSandboxSanityChecks(); | 172 RunSandboxSanityChecks(); |
172 return true; | 173 return true; |
173 } | 174 } |
174 #endif // defined(USE_SECCOMP_BPF) | 175 #endif // defined(USE_SECCOMP_BPF) |
175 return false; | 176 return false; |
176 } | 177 } |
177 | 178 |
178 } // namespace nacl | 179 } // namespace nacl |
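Review bot: The added `case __NR_clone:` at new line 77 joins the case group below it with no argument filtering, so if that group resolves to an allow (the return is in the collapsed part of EvaluateSyscall, not visible here), every clone() flag combination is permitted: fork-style process creation and the CLONE_NEW* namespace flags, not only thread creation. The TODO acknowledges this, but it should say what the restriction is and be tracked, e.g. `case __NR_clone:  // TODO(jln): allow only thread-creation flags (CLONE_VM | CLONE_THREAD | ...), fail everything else with EPERM.` Until the parameters are checked, this case is presumably more permissive than whatever `baseline_policy_` decides for clone, which is worth stating in the comment. The new case also sits directly above the comment about the GDB debug stub's socket calls, so it reads as part of that group; a blank line or its own comment explaining why NaCl needs clone would avoid that.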