content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
   6
   7 #include <sys/syscall.h>
   8 #include <sys/types.h>
   9
  10 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
  11
  12 using sandbox::bpf_dsl::Allow;
  13 using sandbox::bpf_dsl::ResultExpr;
  14
  15 namespace content {
  16
  17 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid()
  18     : SandboxBPFBasePolicy() {}
  19
  20 SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {}
  21
  22 ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const {
  23   bool override_and_allow = false;
  24
  25   switch (sysno) {
  26     // TODO(rsesek): restrict clone parameters.
  27     case __NR_clone:
  28     case __NR_epoll_pwait:
  29     case __NR_flock:
  30 #if defined(__x86_64__) || defined(__aarch64__)
  31     case __NR_newfstatat:
  32 #elif defined(__i386__) || defined(__arm__) || defined(__mips__)
  33     case __NR_fstatat64:
  34 #endif
  35     case __NR_getpriority:
  36     case __NR_ioctl:
  37     case __NR_mremap:
  38     // File system access cannot be restricted with seccomp-bpf on Android,
  39     // since the JVM classloader and other Framework features require file
  40     // access. It may be possible to restrict the filesystem with SELinux.
  41     // Currently we rely on the app/service UID isolation to create a
  42     // filesystem "sandbox".
  43 #if !defined(ARCH_CPU_ARM64)
  44     case __NR_open:
  45 #endif
  46     case __NR_openat:
  47     case __NR_pread64:
  48     case __NR_rt_sigtimedwait:
  49     case __NR_setpriority:
  50     case __NR_set_tid_address:
  51     case __NR_sigaltstack:
  52 #if defined(__i386__) || defined(__arm__)
  53     case __NR_ugetrlimit:
  54 #else
  55     case __NR_getrlimit:
  56 #endif
  57     case __NR_uname:
  58       override_and_allow = true;
  59       break;
  60   }
  61
  62   if (override_and_allow)
  63     return Allow();
  64
  65   return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
  66 }
  67
  68 }  // namespace content