Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(106)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc

Issue 569713004: Linux sandbox: Disallow get_robust_list and set_robust_list. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Make set_robust_list return EPERM. Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
6 6
7 #include "build/build_config.h" 7 #include "build/build_config.h"
8 #include "sandbox/linux/services/linux_syscalls.h" 8 #include "sandbox/linux/services/linux_syscalls.h"
9 9
10 namespace sandbox { 10 namespace sandbox {
(...skipping 382 matching lines...) Expand 10 before | Expand all | Expand 10 after
393 case __NR_vfork: 393 case __NR_vfork:
394 #endif 394 #endif
395 default: 395 default:
396 return false; 396 return false;
397 } 397 }
398 } 398 }
399 399
400 // It's difficult to restrict those, but there is attack surface here. 400 // It's difficult to restrict those, but there is attack surface here.
401 bool SyscallSets::IsAllowedFutex(int sysno) { 401 bool SyscallSets::IsAllowedFutex(int sysno) {
402 switch (sysno) { 402 switch (sysno) {
403 case __NR_get_robust_list:
404 case __NR_set_robust_list: 403 case __NR_set_robust_list:
405 return true;
406 case __NR_futex: 404 case __NR_futex:
407 default: 405 default:
408 return false; 406 return false;
jln (very slow on Chromium) 2014/09/15 23:37:46 Can you put __NR_get_robust_list here (before defa
409 } 407 }
410 } 408 }
411 409
412 bool SyscallSets::IsAllowedEpoll(int sysno) { 410 bool SyscallSets::IsAllowedEpoll(int sysno) {
413 switch (sysno) { 411 switch (sysno) {
414 #if !defined(__aarch64__) 412 #if !defined(__aarch64__)
415 case __NR_epoll_create: 413 case __NR_epoll_create:
416 case __NR_epoll_wait: 414 case __NR_epoll_wait:
417 #endif 415 #endif
418 case __NR_epoll_create1: 416 case __NR_epoll_create1:
(...skipping 633 matching lines...) Expand 10 before | Expand all | Expand 10 after
1052 switch (sysno) { 1050 switch (sysno) {
1053 case __NR_sysmips: 1051 case __NR_sysmips:
1054 case __NR_unused150: 1052 case __NR_unused150:
1055 return true; 1053 return true;
1056 default: 1054 default:
1057 return false; 1055 return false;
1058 } 1056 }
1059 } 1057 }
1060 #endif // defined(__mips__) 1058 #endif // defined(__mips__)
1061 } // namespace sandbox. 1059 } // namespace sandbox.
OLDNEW
« no previous file with comments | « sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698