authorrickyz <rickyz@chromium.org>2014-09-15 19:28:10 -0700
committerCommit bot <commit-bot@chromium.org>2014-09-16 02:30:50 +0000
commita75e8729dc917c0089a725e67fa2e9feaec0baef (patch)
tree2cf927b09ae4c302b8c25256ae8234570f00b552 /sandbox
parent7bf3d6dcbb9ab6aecd8998cfcdc0b565de4b45e1 (diff)
Linux sandbox: Disallow get_robust_list and set_robust_list.
These are only used for futexes that are shared between processes, which should not be happening in Chromium. BUG=413855 Review URL: https://codereview.chromium.org/569713004 Cr-Commit-Position: refs/heads/master@{#294986}
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc3
-rw-r--r--sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc1
2 files changed, 3 insertions, 1 deletions
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index eb2a307..aa347de 100644
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -153,6 +153,9 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
if (sysno == __NR_futex)
return RestrictFutex();
+ if (sysno == __NR_set_robust_list)
+ return Error(EPERM);
+
if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
return RestrictGetSetpriority(current_pid);
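Review bot: The added `__NR_set_robust_list` branch returns `Error(EPERM)` with no comment saying why this syscall gets an explicit errno while `__NR_get_robust_list`, which the commit title also disallows, gets no branch in this hunk. glibc issues set_robust_list when it sets up a thread, which is presumably why a quiet failure was chosen over the policy's default denial; a comment such as `// glibc calls set_robust_list() during thread setup; fail with EPERM so threads still start.` would record that, if it is the reason. The denial of get_robust_list appears to rest on the syscall_sets.cc hunk, where both cases now fall through to `return false` in IsAllowedFutex, so the action it finally receives is decided by code outside this hunk and is worth pinning with a policy test that covers both syscalls. EvaluateSyscallImpl starts and ends outside the hunk.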
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index de6ba24..640be69 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -402,7 +402,6 @@ bool SyscallSets::IsAllowedFutex(int sysno) {
switch (sysno) {
case __NR_get_robust_list:
case __NR_set_robust_list:
- return true;
case __NR_futex:
default:
return false;