| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <errno.h> | 5 #include <errno.h> |
| 6 #include <fcntl.h> | 6 #include <fcntl.h> |
| 7 #include <linux/unistd.h> | 7 #include <linux/unistd.h> |
| 8 #include <netinet/in.h> | 8 #include <netinet/in.h> |
| 9 #include <netinet/tcp.h> | 9 #include <netinet/tcp.h> |
| 10 #include <netinet/udp.h> | 10 #include <netinet/udp.h> |
| (...skipping 10 matching lines...) Expand all Loading... |
| 21 #include <sys/resource.h> | 21 #include <sys/resource.h> |
| 22 #include <sys/shm.h> | 22 #include <sys/shm.h> |
| 23 #include <sys/socket.h> | 23 #include <sys/socket.h> |
| 24 #include <sys/time.h> | 24 #include <sys/time.h> |
| 25 #include <sys/types.h> | 25 #include <sys/types.h> |
| 26 #include <time.h> | 26 #include <time.h> |
| 27 #include <unistd.h> | 27 #include <unistd.h> |
| 28 | 28 |
| 29 #include "base/posix/eintr_wrapper.h" | 29 #include "base/posix/eintr_wrapper.h" |
| 30 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 30 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 31 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" |
| 31 #include "sandbox/linux/services/linux_syscalls.h" | 32 #include "sandbox/linux/services/linux_syscalls.h" |
| 32 | 33 |
| 33 using sandbox::ErrorCode; | 34 using sandbox::ErrorCode; |
| 34 using sandbox::SandboxBPF; | 35 using sandbox::SandboxBPF; |
| 36 using sandbox::SandboxBPFPolicy; |
| 35 using sandbox::arch_seccomp_data; | 37 using sandbox::arch_seccomp_data; |
| 36 | 38 |
| 37 #define ERR EPERM | 39 #define ERR EPERM |
| 38 | 40 |
| 39 // We don't expect our sandbox to do anything useful yet. So, we will fail | 41 // We don't expect our sandbox to do anything useful yet. So, we will fail |
| 40 // almost immediately. For now, force the code to continue running. The | 42 // almost immediately. For now, force the code to continue running. The |
| 41 // following line should be removed as soon as the sandbox is starting to | 43 // following line should be removed as soon as the sandbox is starting to |
| 42 // actually enforce restrictions in a meaningful way: | 44 // actually enforce restrictions in a meaningful way: |
| 43 #define _exit(x) do { } while (0) | 45 #define _exit(x) do { } while (0) |
| 44 | 46 |
| (...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 230 | 232 |
| 231 ptr = strrchr(ptr, '\000'); | 233 ptr = strrchr(ptr, '\000'); |
| 232 strncat(ptr, msg1, sizeof(buf) - (ptr - buf)); | 234 strncat(ptr, msg1, sizeof(buf) - (ptr - buf)); |
| 233 | 235 |
| 234 ptr = strrchr(ptr, '\000'); | 236 ptr = strrchr(ptr, '\000'); |
| 235 if (HANDLE_EINTR(write(2, buf, ptr - buf))) { } | 237 if (HANDLE_EINTR(write(2, buf, ptr - buf))) { } |
| 236 | 238 |
| 237 return -ERR; | 239 return -ERR; |
| 238 } | 240 } |
| 239 | 241 |
| 240 ErrorCode Evaluator(SandboxBPF* sandbox, int sysno, void *) { | 242 class Policy : public SandboxBPFPolicy { |
| 243 public: |
| 244 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, |
| 245 int sysno) const OVERRIDE; |
| 246 }; |
| 247 |
| 248 ErrorCode Policy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const { |
| 241 switch (sysno) { | 249 switch (sysno) { |
| 242 #if defined(__NR_accept) | 250 #if defined(__NR_accept) |
| 243 case __NR_accept: case __NR_accept4: | 251 case __NR_accept: case __NR_accept4: |
| 244 #endif | 252 #endif |
| 245 case __NR_alarm: | 253 case __NR_alarm: |
| 246 case __NR_brk: | 254 case __NR_brk: |
| 247 case __NR_clock_gettime: | 255 case __NR_clock_gettime: |
| 248 case __NR_close: | 256 case __NR_close: |
| 249 case __NR_dup: case __NR_dup2: | 257 case __NR_dup: case __NR_dup2: |
| 250 case __NR_epoll_create: case __NR_epoll_ctl: case __NR_epoll_wait: | 258 case __NR_epoll_create: case __NR_epoll_ctl: case __NR_epoll_wait: |
| (...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 413 if (argc) { } | 421 if (argc) { } |
| 414 if (argv) { } | 422 if (argv) { } |
| 415 int proc_fd = open("/proc", O_RDONLY|O_DIRECTORY); | 423 int proc_fd = open("/proc", O_RDONLY|O_DIRECTORY); |
| 416 if (SandboxBPF::SupportsSeccompSandbox(proc_fd) != | 424 if (SandboxBPF::SupportsSeccompSandbox(proc_fd) != |
| 417 SandboxBPF::STATUS_AVAILABLE) { | 425 SandboxBPF::STATUS_AVAILABLE) { |
| 418 perror("sandbox"); | 426 perror("sandbox"); |
| 419 _exit(1); | 427 _exit(1); |
| 420 } | 428 } |
| 421 SandboxBPF sandbox; | 429 SandboxBPF sandbox; |
| 422 sandbox.set_proc_fd(proc_fd); | 430 sandbox.set_proc_fd(proc_fd); |
| 423 sandbox.SetSandboxPolicyDeprecated(Evaluator, NULL); | 431 sandbox.SetSandboxPolicy(new Policy()); |
| 424 if (!sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)) { | 432 if (!sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)) { |
| 425 fprintf(stderr, "StartSandbox() failed"); | 433 fprintf(stderr, "StartSandbox() failed"); |
| 426 _exit(1); | 434 _exit(1); |
| 427 } | 435 } |
| 428 | 436 |
| 429 // Check that we can create threads | 437 // Check that we can create threads |
| 430 pthread_t thr; | 438 pthread_t thr; |
| 431 if (!pthread_create(&thr, NULL, ThreadFnc, | 439 if (!pthread_create(&thr, NULL, ThreadFnc, |
| 432 reinterpret_cast<void *>(0x1234))) { | 440 reinterpret_cast<void *>(0x1234))) { |
| 433 void *ret; | 441 void *ret; |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 520 perror("pthread_create"); | 528 perror("pthread_create"); |
| 521 _exit(1); | 529 _exit(1); |
| 522 } | 530 } |
| 523 } | 531 } |
| 524 for (int i = 0; i < kSendmsgStressNumThreads; ++i) { | 532 for (int i = 0; i < kSendmsgStressNumThreads; ++i) { |
| 525 pthread_join(sendmsgStressThreads[i], NULL); | 533 pthread_join(sendmsgStressThreads[i], NULL); |
| 526 } | 534 } |
| 527 | 535 |
| 528 return 0; | 536 return 0; |
| 529 } | 537 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 290223002:
Remove SandboxBPF's dependency on CompatibilityPolicy (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src