
Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

Issue 493603003: sandbox: Update known syscalls to kernel 3.17 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: disallow seccomp Created 6 years, 4 months ago
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <sys/mman.h> 8 #include <sys/mman.h>
9 #include <sys/socket.h> 9 #include <sys/socket.h>
10 #include <sys/syscall.h> 10 #include <sys/syscall.h>
(...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after
156 if (sysno == __NR_mmap2) 156 if (sysno == __NR_mmap2)
157 return RestrictMmapFlags(); 157 return RestrictMmapFlags();
158 #endif 158 #endif
159 159
160 if (sysno == __NR_mprotect) 160 if (sysno == __NR_mprotect)
161 return RestrictMprotectFlags(); 161 return RestrictMprotectFlags();
162 162
163 if (sysno == __NR_prctl) 163 if (sysno == __NR_prctl)
164 return sandbox::RestrictPrctl(); 164 return sandbox::RestrictPrctl();
165 165
166 if (SyscallSets::IsSeccomp(sysno))
167 return Error(EPERM);
jln (very slow on Chromium) 2014/08/22 00:05:17 I know that this function is getting quite messy,
168
166 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) 169 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
167 if (sysno == __NR_socketpair) { 170 if (sysno == __NR_socketpair) {
168 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. 171 // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
169 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); 172 COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
170 const Arg<int> domain(0); 173 const Arg<int> domain(0);
171 return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS()); 174 return If(domain == AF_UNIX, Allow()).Else(CrashSIGSYS());
172 } 175 }
173 #endif 176 #endif
174 177
175 if (SyscallSets::IsKill(sysno)) { 178 if (SyscallSets::IsKill(sysno)) {
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after
231 DCHECK_EQ(syscall(__NR_getpid), current_pid_); 234 DCHECK_EQ(syscall(__NR_getpid), current_pid_);
232 } 235 }
233 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno); 236 return EvaluateSyscallImpl(fs_denied_errno_, current_pid_, sysno);
234 } 237 }
235 238
236 ResultExpr BaselinePolicy::InvalidSyscall() const { 239 ResultExpr BaselinePolicy::InvalidSyscall() const {
237 return CrashSIGSYS(); 240 return CrashSIGSYS();
238 } 241 }
239 242
240 } // namespace sandbox. 243 } // namespace sandbox.
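Review bot: The new `IsSeccomp` branch (new lines 166-167) returns `Error(EPERM)` with no comment saying why seccomp(2) fails softly, while the socketpair branch just below answers disallowed use with `CrashSIGSYS()`. The errno is visible to callers: code that probes seccomp(2) may treat ENOSYS as a cue to fall back to prctl(PR_SET_SECCOMP) and treat EPERM as a hard failure, so the choice should be deliberate and written down. I would add a comment above the check, for example `// seccomp(2) is denied for sandboxed processes; EPERM rather than CrashSIGSYS() so that probing callers fail without killing the process.` What `RestrictPrctl()` permits for PR_SET_SECCOMP is not visible in this section, so it is worth confirming that the two entry points apply the same decision. The enclosing function begins and ends in the skipped lines.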