diff options
| author | mseaborn@chromium.org <mseaborn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-27 19:55:33 +0000 |
|---|---|---|
| committer | mseaborn@chromium.org <mseaborn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-27 19:55:33 +0000 |
| commit | 94609b06fbc45c75bfca8fcafc8866ff0fa135bb (patch) | |
| tree | 6af080648957a0211d9d5719a4ac66085e31b614 /sandbox/linux/seccomp/open.cc | |
| parent | dbdd535d60e77e926e005770b3f7406f73b161c9 (diff) | |
| download | chromium_src-94609b06fbc45c75bfca8fcafc8866ff0fa135bb.zip chromium_src-94609b06fbc45c75bfca8fcafc8866ff0fa135bb.tar.gz chromium_src-94609b06fbc45c75bfca8fcafc8866ff0fa135bb.tar.bz2 | |
Seccomp sandbox: Add a policy flag to allow file namespace access to be disabled
This allows file namespace access to be turned on for the purpose of
testing, and we use this in some of the tests, but it is disabled by
default.
This synchronises the Chromium copy with r88 in the non-Chromium copy of
seccomp-sandbox.
BUG=none
TEST=make test
Review URL: http://codereview.chromium.org/3248002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57722 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/linux/seccomp/open.cc')
| -rw-r--r-- | sandbox/linux/seccomp/open.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sandbox/linux/seccomp/open.cc b/sandbox/linux/seccomp/open.cc index 73263d1..8a9093c 100644 --- a/sandbox/linux/seccomp/open.cc +++ b/sandbox/linux/seccomp/open.cc @@ -63,7 +63,8 @@ bool Sandbox::process_open(int parentMapsFd, int sandboxFd, int threadFdPub, return false; } - if ((open_req.flags & O_ACCMODE) != O_RDONLY) { + if ((open_req.flags & O_ACCMODE) != O_RDONLY || + !g_policy.allow_file_namespace) { // After locking the mutex, we can no longer abandon the system call. So, // perform checks before clobbering the securely shared memory. char tmp[open_req.path_length]; |