Diffstat (limited to 'chromium/services/service_manager/sandbox/linux')
-rw-r--r--chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.cc34
-rw-r--r--chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.h27
-rw-r--r--chromium/services/service_manager/sandbox/linux/sandbox_linux.h2
-rw-r--r--chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc4
4 files changed, 66 insertions, 1 deletions
diff --git a/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.cc b/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.cc
new file mode 100644
index 00000000000..812072395ec
--- /dev/null
+++ b/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.cc
@@ -0,0 +1,34 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "services/service_manager/sandbox/linux/bpf_tts_policy_linux.h"
+
+#include <sys/socket.h>
+
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
+#include "sandbox/linux/syscall_broker/broker_process.h"
+#include "sandbox/linux/system_headers/linux_syscalls.h"
+#include "services/service_manager/sandbox/linux/sandbox_linux.h"
+
+using sandbox::bpf_dsl::Allow;
+using sandbox::bpf_dsl::ResultExpr;
+using sandbox::bpf_dsl::Trap;
+using sandbox::syscall_broker::BrokerProcess;
+
+namespace service_manager {
+
+TtsProcessPolicy::TtsProcessPolicy() {}
+
+TtsProcessPolicy::~TtsProcessPolicy() {}
+
+ResultExpr TtsProcessPolicy::EvaluateSyscall(int sysno) const {
+ auto* broker_process = SandboxLinux::GetInstance()->broker_process();
+ if (broker_process->IsSyscallAllowed(sysno))
+ return Trap(BrokerProcess::SIGSYS_Handler, broker_process);
+
+ return BPFBasePolicy::EvaluateSyscall(sysno);
+}
+
+} // namespace service_manager
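Review bot: `EvaluateSyscall` dereferences the pointer returned by `SandboxLinux::GetInstance()->broker_process()` without checking it, so the policy is only well-defined if the broker has been started before the policy is evaluated for the TTS process; the code that starts it is not part of this change. Stating that precondition with `CHECK(broker_process);` before the `IsSyscallAllowed` call would turn a missing broker into a deterministic crash instead of undefined behaviour. Separately, `<sys/socket.h>`, `syscall_parameters_restrictions.h` and `using sandbox::bpf_dsl::Allow;` appear unused in this file and could be dropped, and the empty constructor and destructor bodies could be `= default`.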
diff --git a/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.h b/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.h
new file mode 100644
index 00000000000..a562a68cfce
--- /dev/null
+++ b/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.h
@@ -0,0 +1,27 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_TTS_POLICY_LINUX_H_
+#define SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_TTS_POLICY_LINUX_H_
+
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "services/service_manager/sandbox/export.h"
+#include "services/service_manager/sandbox/linux/bpf_base_policy_linux.h"
+
+namespace service_manager {
+
+class SERVICE_MANAGER_SANDBOX_EXPORT TtsProcessPolicy : public BPFBasePolicy {
+ public:
+ TtsProcessPolicy();
+ ~TtsProcessPolicy() override;
+
+ sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override;
+
+ private:
+ DISALLOW_COPY_AND_ASSIGN(TtsProcessPolicy);
+};
+
+} // namespace service_manager
+
+#endif // SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_TTS_POLICY_LINUX_H_
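Review bot: `TtsProcessPolicy` is declared without a class comment, so a reader of the header cannot tell what this sandbox permits beyond `BPFBasePolicy`. A short comment above the class would help, for example `// Seccomp-BPF policy for the text-to-speech process: syscalls the broker accepts are trapped to BrokerProcess::SIGSYS_Handler, everything else follows BPFBasePolicy.` The comment should also point to where the broker's allowed commands and file permissions for this process are configured, because that list presumably determines what the process can reach on the filesystem and it is not visible in this change.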
diff --git a/chromium/services/service_manager/sandbox/linux/sandbox_linux.h b/chromium/services/service_manager/sandbox/linux/sandbox_linux.h
index 9f67272c5e2..6a17f9edb63 100644
--- a/chromium/services/service_manager/sandbox/linux/sandbox_linux.h
+++ b/chromium/services/service_manager/sandbox/linux/sandbox_linux.h
@@ -9,7 +9,7 @@
#include <string>
#include <vector>
-#include "base/logging.h"
+#include "base/check_op.h"
#include "base/macros.h"
#include "base/posix/global_descriptors.h"
#include "sandbox/linux/syscall_broker/broker_command.h"
diff --git a/chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc b/chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
index e2f22540a5a..1c16d68df91 100644
--- a/chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
+++ b/chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
@@ -54,6 +54,7 @@
#if defined(OS_CHROMEOS)
#include "services/service_manager/sandbox/linux/bpf_ime_policy_linux.h"
+#include "services/service_manager/sandbox/linux/bpf_tts_policy_linux.h"
#endif // defined(OS_CHROMEOS)
using sandbox::BaselinePolicy;
@@ -185,6 +186,8 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
#if defined(OS_CHROMEOS)
case SandboxType::kIme:
return std::make_unique<ImeProcessPolicy>();
+ case SandboxType::kTts:
+ return std::make_unique<TtsProcessPolicy>();
#endif // defined(OS_CHROMEOS)
case SandboxType::kZygoteIntermediateSandbox:
case SandboxType::kNoSandbox:
@@ -228,6 +231,7 @@ void SandboxSeccompBPF::RunSandboxSanityChecks(
} break;
#if defined(OS_CHROMEOS)
case SandboxType::kIme:
+ case SandboxType::kTts:
#endif // defined(OS_CHROMEOS)
case SandboxType::kAudio:
case SandboxType::kSharingService: