GPU Linux sandbox: block clone() and *kill

- Restrict *kill to the current process - EPERM process creation with clone() - Restrict thread creation flags to the standard pthread_create() flags. BUG=367986 R=jorgelo@chromium.org Review URL: https://codereview.chromium.org/273963003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@269174 0039d316-1c4b-4281-b951-d872f2087c98
author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-05-09 07:01:03 +0000
committer: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-05-09 07:01:03 +0000
commit: f20f380420696d076d4af6c5a505e0c00450b449 (patch)
tree: dfff5030e4c5d858909257d3ef2923fb43a415b9 /content
parent: 4eacd67739cffc1a14c5579fb4cc1e5012331899 (diff)
download: chromium_src-f20f380420696d076d4af6c5a505e0c00450b449.zip
chromium_src-f20f380420696d076d4af6c5a505e0c00450b449.tar.gz
chromium_src-f20f380420696d076d4af6c5a505e0c00450b449.tar.bz2
1 files changed, 0 insertions, 6 deletions
diff --git a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
index 2ad07a3..8ea2600 100644
--- a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
@@ -166,8 +166,6 @@ GpuProcessPolicy::~GpuProcessPolicy() {}
 ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                             int sysno) const {
   switch (sysno) {
-    // TODO(jln): restrict clone.
-    case __NR_clone:
     case __NR_ioctl:
 #if defined(__i386__) || defined(__x86_64__)
     // The Nvidia driver uses flags not in the baseline policy
@@ -187,10 +185,6 @@ ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
       DCHECK(broker_process_);
       return sandbox->Trap(GpuSIGSYS_Handler, broker_process_);
     default:
-      // Allow *kill from the GPU process temporarily until fork()
-      // is denied here.
-      if (SyscallSets::IsKill(sysno))
-        return ErrorCode(ErrorCode::ERR_ALLOWED);
       if (SyscallSets::IsEventFd(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
author	jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-05-09 07:01:03 +0000
committer	jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-05-09 07:01:03 +0000
commit	f20f380420696d076d4af6c5a505e0c00450b449 (patch)
tree	dfff5030e4c5d858909257d3ef2923fb43a415b9 /content
parent	4eacd67739cffc1a14c5579fb4cc1e5012331899 (diff)
download	chromium_src-f20f380420696d076d4af6c5a505e0c00450b449.zip chromium_src-f20f380420696d076d4af6c5a505e0c00450b449.tar.gz chromium_src-f20f380420696d076d4af6c5a505e0c00450b449.tar.bz2