1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
" | 5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
" |
6 | 6 |
7 #include <sys/types.h> | 7 #include <sys/types.h> |
8 | 8 |
9 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 9 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
10 | 10 |
11 namespace content { | 11 namespace content { |
12 | 12 |
13 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() | 13 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() |
14 : SandboxBPFBasePolicy() {} | 14 : SandboxBPFBasePolicy() {} |
15 | 15 |
16 SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {} | 16 SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {} |
17 | 17 |
18 sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall( | 18 sandbox::ErrorCode SandboxBPFBasePolicyAndroid::EvaluateSyscall( |
19 sandbox::SandboxBPF* sandbox, | 19 sandbox::SandboxBPF* sandbox, |
20 int sysno) const { | 20 int sysno) const { |
21 bool override_and_allow = false; | 21 bool override_and_allow = false; |
22 | 22 |
23 switch (sysno) { | 23 switch (sysno) { |
| 24 // TODO(rsesek): restrict clone parameters. |
| 25 case __NR_clone: |
24 case __NR_epoll_pwait: | 26 case __NR_epoll_pwait: |
25 case __NR_flock: | 27 case __NR_flock: |
26 case __NR_getpriority: | 28 case __NR_getpriority: |
27 case __NR_ioctl: | 29 case __NR_ioctl: |
28 case __NR_mremap: | 30 case __NR_mremap: |
29 // File system access cannot be restricted with seccomp-bpf on Android, | 31 // File system access cannot be restricted with seccomp-bpf on Android, |
30 // since the JVM classloader and other Framework features require file | 32 // since the JVM classloader and other Framework features require file |
31 // access. It may be possible to restrict the filesystem with SELinux. | 33 // access. It may be possible to restrict the filesystem with SELinux. |
32 // Currently we rely on the app/service UID isolation to create a | 34 // Currently we rely on the app/service UID isolation to create a |
33 // filesystem "sandbox". | 35 // filesystem "sandbox". |
49 break; | 51 break; |
50 } | 52 } |
51 | 53 |
52 if (override_and_allow) | 54 if (override_and_allow) |
53 return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED); | 55 return sandbox::ErrorCode(sandbox::ErrorCode::ERR_ALLOWED); |
54 | 56 |
55 return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); | 57 return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); |
56 } | 58 } |
57 | 59 |
58 } // namespace content | 60 } // namespace content |
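Review bot: The new `case __NR_clone:` (new line 25) joins the override list, so once `override_and_allow` is set the function returns `ERR_ALLOWED` for clone with any flag combination, and the TODO on line 24 does not say what the intended restriction is or why the unrestricted allow is acceptable in the meantime. Since clone's flags also cover namespace creation, not just thread creation, the allow-all widens what a compromised sandboxed process can request well beyond the epoll/flock/ioctl cases it sits next to. If the seccomp-bpf helpers' thread-only clone restriction (`sandbox::RestrictCloneToThreadsAndEPERMFork()`, assuming it is available to this policy's build) is usable on Android, routing clone through it instead of the blanket allow would be a one-line change; otherwise make the TODO concrete, e.g. `// TODO(rsesek): restrict clone parameters to thread-creation flags; currently any flags (incl. namespace flags) are allowed.` The 15 lines elided between the filesystem comment and `break` are not visible here, so I cannot tell whether the other cases in this switch already carry parameter restrictions that clone should mirror.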