| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <pthread.h> | 9 #include <pthread.h> |
| 10 #include <sched.h> | 10 #include <sched.h> |
| (...skipping 24 matching lines...) Expand all Loading... |
| 35 #include "sandbox/linux/bpf_dsl/policy.h" | 35 #include "sandbox/linux/bpf_dsl/policy.h" |
| 36 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" | 36 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
| 37 #include "sandbox/linux/seccomp-bpf/die.h" | 37 #include "sandbox/linux/seccomp-bpf/die.h" |
| 38 #include "sandbox/linux/seccomp-bpf/errorcode.h" | 38 #include "sandbox/linux/seccomp-bpf/errorcode.h" |
| 39 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" | 39 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" |
| 40 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 40 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 41 #include "sandbox/linux/seccomp-bpf/syscall.h" | 41 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 42 #include "sandbox/linux/seccomp-bpf/trap.h" | 42 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 43 #include "sandbox/linux/services/linux_syscalls.h" | 43 #include "sandbox/linux/services/linux_syscalls.h" |
| 44 #include "sandbox/linux/services/syscall_wrappers.h" | 44 #include "sandbox/linux/services/syscall_wrappers.h" |
| 45 #include "sandbox/linux/syscall_broker/broker_file_permission.h" |
| 45 #include "sandbox/linux/syscall_broker/broker_process.h" | 46 #include "sandbox/linux/syscall_broker/broker_process.h" |
| 46 #include "sandbox/linux/tests/scoped_temporary_file.h" | 47 #include "sandbox/linux/tests/scoped_temporary_file.h" |
| 47 #include "sandbox/linux/tests/unit_tests.h" | 48 #include "sandbox/linux/tests/unit_tests.h" |
| 48 #include "testing/gtest/include/gtest/gtest.h" | 49 #include "testing/gtest/include/gtest/gtest.h" |
| 49 | 50 |
| 50 // Workaround for Android's prctl.h file. | 51 // Workaround for Android's prctl.h file. |
| 51 #ifndef PR_GET_ENDIAN | 52 #ifndef PR_GET_ENDIAN |
| 52 #define PR_GET_ENDIAN 19 | 53 #define PR_GET_ENDIAN 19 |
| 53 #endif | 54 #endif |
| 54 #ifndef PR_CAPBSET_READ | 55 #ifndef PR_CAPBSET_READ |
| (...skipping 694 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 749 | 750 |
| 750 bool NoOpCallback() { | 751 bool NoOpCallback() { |
| 751 return true; | 752 return true; |
| 752 } | 753 } |
| 753 | 754 |
| 754 // Test a trap handler that makes use of a broker process to open(). | 755 // Test a trap handler that makes use of a broker process to open(). |
| 755 | 756 |
| 756 class InitializedOpenBroker { | 757 class InitializedOpenBroker { |
| 757 public: | 758 public: |
| 758 InitializedOpenBroker() : initialized_(false) { | 759 InitializedOpenBroker() : initialized_(false) { |
| 759 std::vector<std::string> allowed_files; | 760 std::vector<syscall_broker::BrokerFilePermission> permissions; |
| 760 allowed_files.push_back("/proc/allowed"); | 761 permissions.push_back( |
| 761 allowed_files.push_back("/proc/cpuinfo"); | 762 syscall_broker::BrokerFilePermission::ReadOnly("/proc/allowed")); |
| 763 permissions.push_back( |
| 764 syscall_broker::BrokerFilePermission::ReadOnly("/proc/cpuinfo")); |
| 762 | 765 |
| 763 broker_process_.reset(new syscall_broker::BrokerProcess( | 766 broker_process_.reset( |
| 764 EPERM, allowed_files, std::vector<std::string>())); | 767 new syscall_broker::BrokerProcess(EPERM, permissions)); |
| 765 BPF_ASSERT(broker_process() != NULL); | 768 BPF_ASSERT(broker_process() != NULL); |
| 766 BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback))); | 769 BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback))); |
| 767 | 770 |
| 768 initialized_ = true; | 771 initialized_ = true; |
| 769 } | 772 } |
| 770 bool initialized() { return initialized_; } | 773 bool initialized() { return initialized_; } |
| 771 class syscall_broker::BrokerProcess* broker_process() { | 774 class syscall_broker::BrokerProcess* broker_process() { |
| 772 return broker_process_.get(); | 775 return broker_process_.get(); |
| 773 } | 776 } |
| 774 | 777 |
| (...skipping 1619 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2394 BPF_ASSERT_EQ(ENOSYS, errno); | 2397 BPF_ASSERT_EQ(ENOSYS, errno); |
| 2395 | 2398 |
| 2396 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300)); | 2399 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300)); |
| 2397 BPF_ASSERT_EQ(EPERM, errno); | 2400 BPF_ASSERT_EQ(EPERM, errno); |
| 2398 } | 2401 } |
| 2399 | 2402 |
| 2400 } // namespace | 2403 } // namespace |
| 2401 | 2404 |
| 2402 } // namespace bpf_dsl | 2405 } // namespace bpf_dsl |
| 2403 } // namespace sandbox | 2406 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 721553002:
sandbox: Extend BrokerPolicy to support file creation (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master