author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-05-15 23:46:27 +0000 |
---|---|---|
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-05-15 23:46:27 +0000 |
commit | bbe5dbb08d3f3fb8e9528bc0dc07a49a62b9d1d5 (patch) | |
tree | a754a33a28f91b848c6d7fb2645306cdae053e7c | |
parent | 6245b3e88a9be81966578579c950c0f45c99bf59 (diff) | |
Apply ioctl() restriction across the board.
R=jln@chromium.org, jorgelo@chromium.org
Review URL: https://codereview.chromium.org/14741015
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@200391 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | content/common/sandbox_seccomp_bpf_linux.cc | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc
index 15ff398..73769e4 100644
--- a/content/common/sandbox_seccomp_bpf_linux.cc
+++ b/content/common/sandbox_seccomp_bpf_linux.cc
@@ -1404,9 +1404,9 @@ ErrorCode RestrictPrctl(Sandbox *sandbox) {
 ErrorCode RestrictIoctl(Sandbox *sandbox) {
 // Allow TCGETS and FIONREAD, trap to ReportIoctlFailure otherwise.
- return sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_EQUAL, TCGETS,
+ return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, TCGETS,
 ErrorCode(ErrorCode::ERR_ALLOWED),
- sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_EQUAL, FIONREAD,
+ sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, FIONREAD,
 ErrorCode(ErrorCode::ERR_ALLOWED),
 sandbox->Trap(ReportIoctlFailure, NULL)));
 }
@@ -1416,12 +1416,7 @@ ErrorCode RendererOrWorkerProcessPolicy(Sandbox *sandbox, int sysno, void *) {
 case __NR_clone:
 return RestrictCloneToThreadsAndEPERMFork(sandbox);
 case __NR_ioctl:
- // Restrict IOCTL on x86_64.
- if (IsArchitectureX86_64()) {
- return RestrictIoctl(sandbox);
- } else {
- return ErrorCode(ErrorCode::ERR_ALLOWED);
- }
+ return RestrictIoctl(sandbox);
 case __NR_prctl:
 return RestrictPrctl(sandbox);
 // Allow the system calls below. |
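Review bot: The switch to `ErrorCode::TP_32BIT` in RestrictIoctl() (first hunk) carries no explanation, although the width of this comparison decides which ioctl requests pass the filter. The kernel takes the ioctl request as an `unsigned int`, so a 32-bit compare matches what the kernel acts on and keeps the rule usable on 32-bit builds; I would add `// The ioctl request is an unsigned int in the kernel: compare 32 bits so the same rule works on every architecture.` above the first `Cond`. How `Cond` treats the upper half of the argument on x86_64 under TP_32BIT is not visible in this hunk and should be confirmed, so that the filter and the kernel agree on which request is being made.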
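Review bot: In the second hunk, `case __NR_ioctl:` in RendererOrWorkerProcessPolicy() now traps every ioctl except TCGETS and FIONREAD on all architectures, and nothing visible here shows that this two-entry allowlist was exercised on non-x86_64 builds, where the previous result was ERR_ALLOWED. A sandbox test that issues one allowed and one disallowed ioctl under this policy on each supported architecture would pin the new behaviour. Since the explanatory comment was removed, I would keep one line such as `// Only TCGETS and FIONREAD are permitted; anything else traps (see RestrictIoctl).`. The commit title says "across the board", but only this policy's switch is visible, and the function body continues outside the hunk.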