1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
7 #include <sys/syscall.h>
8 #include <sys/types.h>
10 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
12 using sandbox::bpf_dsl::Allow;
13 using sandbox::bpf_dsl::ResultExpr;
15 namespace content {
// There is no Android-specific state to initialize; the base policy's
// default constructor is invoked implicitly and does all the work.
SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() {}
// Defined out of line, in this translation unit, with no cleanup of its own.
SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() = default;
// Decides the seccomp-bpf action for |sysno| on Android.
//
// Every syscall listed in the switch below is unconditionally allowed, with
// no argument filtering. Any other syscall is delegated to
// SandboxBPFBasePolicy::EvaluateSyscall, i.e. the platform-independent base
// policy makes the decision.
//
// Returns the ResultExpr the BPF program should apply to |sysno|.
ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const {
  switch (sysno) {
    // TODO(rsesek): restrict clone parameters.
    case __NR_clone:
    case __NR_epoll_pwait:
    case __NR_flock:
#if defined(__x86_64__) || defined(__aarch64__)
    case __NR_newfstatat:
#elif defined(__i386__) || defined(__arm__) || defined(__mips__)
    case __NR_fstatat64:
#endif
    case __NR_getpriority:
    // NOTE(review): ioctl is allowed here without any argument filtering. It
    // is an extremely broad kernel interface (every driver's request codes
    // are reachable through it), so it is the widest piece of kernel attack
    // surface this policy leaves open; restricting the permitted request
    // codes would reduce that surface directly.
    case __NR_ioctl:
    case __NR_mremap:
    // File system access cannot be restricted with seccomp-bpf on Android,
    // since the JVM classloader and other Framework features require file
    // access. It may be possible to restrict the filesystem with SELinux.
    // Currently we rely on the app/service UID isolation to create a
    // filesystem "sandbox".
    //
    // NOTE(review): this guard uses the build-config macro ARCH_CPU_ARM64,
    // while the other architecture checks in this switch use compiler-defined
    // macros (__aarch64__ etc.). None of the headers included in this file
    // visibly defines ARCH_CPU_ARM64, so it must arrive via the policy header;
    // confirm, since an undefined macro here would make __NR_open appear on
    // arm64, where it does not exist.
#if !defined(ARCH_CPU_ARM64)
    case __NR_open:
#endif
    case __NR_openat:
    case __NR_pread64:
    case __NR_rt_sigtimedwait:
    case __NR_setpriority:
    case __NR_set_tid_address:
    case __NR_sigaltstack:
#if defined(__i386__) || defined(__arm__)
    case __NR_ugetrlimit:
#else
    case __NR_getrlimit:
#endif
    case __NR_uname:
      return Allow();
    default:
      break;
  }

  // Anything not listed above gets the base policy's verdict.
  return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
}
68 } // namespace content