1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/common/sandbox_linux/bpf_utility_policy_linux.h"
9 #include "base/basictypes.h"
10 #include "build/build_config.h"
11 #include "content/common/sandbox_linux/sandbox_linux.h"
12 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
13 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
14 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
15 #include "sandbox/linux/system_headers/linux_syscalls.h"
17 using sandbox::SyscallSets
;
18 using sandbox::bpf_dsl::Allow
;
19 using sandbox::bpf_dsl::Error
;
20 using sandbox::bpf_dsl::ResultExpr
;
24 UtilityProcessPolicy::UtilityProcessPolicy() {
26 UtilityProcessPolicy::~UtilityProcessPolicy() {
29 ResultExpr
UtilityProcessPolicy::EvaluateSyscall(int sysno
) const {
30 // TODO(mdempsky): For now, this is just a copy of the renderer
31 // policy, which happens to work well for utility processes too. It
32 // should be possible to limit further though. In particular, the
33 // entries below annotated with bug references are most likely
38 return sandbox::RestrictIoctl();
39 // Allow the system calls below.
42 #if defined(__i386__) || defined(__x86_64__)
45 #if defined(__i386__) || defined(__arm__)
55 // Default on the content baseline policy.
56 return SandboxBPFBasePolicy::EvaluateSyscall(sysno
);
60 } // namespace content