diff options
Diffstat (limited to 'chromium/content/common/sandbox_linux/bpf_renderer_policy_linux.cc')
-rw-r--r-- | chromium/content/common/sandbox_linux/bpf_renderer_policy_linux.cc | 30 |
1 files changed, 3 insertions, 27 deletions
diff --git a/chromium/content/common/sandbox_linux/bpf_renderer_policy_linux.cc b/chromium/content/common/sandbox_linux/bpf_renderer_policy_linux.cc index ce7dffbef0f..db520101807 100644 --- a/chromium/content/common/sandbox_linux/bpf_renderer_policy_linux.cc +++ b/chromium/content/common/sandbox_linux/bpf_renderer_policy_linux.cc @@ -18,31 +18,18 @@ using sandbox::SyscallSets; namespace content { -namespace { - -inline bool IsUsingToolKitGtk() { -#if defined(TOOLKIT_GTK) - return true; -#else - return false; -#endif -} - -} // namespace - RendererProcessPolicy::RendererProcessPolicy() {} RendererProcessPolicy::~RendererProcessPolicy() {} ErrorCode RendererProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const { switch (sysno) { - case __NR_clone: - return sandbox::RestrictCloneToThreadsAndEPERMFork(sandbox); case __NR_ioctl: return sandbox::RestrictIoctl(sandbox); - case __NR_prctl: - return sandbox::RestrictPrctl(sandbox); // Allow the system calls below. + // The baseline policy allows __NR_clock_gettime. Allow + // clock_getres() for V8. crbug.com/329053. + case __NR_clock_getres: case __NR_fdatasync: case __NR_fsync: case __NR_getpriority: @@ -69,17 +56,6 @@ ErrorCode RendererProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, case __NR_prlimit64: return ErrorCode(EPERM); // See crbug.com/160157. default: - if (IsUsingToolKitGtk()) { -#if defined(__x86_64__) || defined(__arm__) - if (SyscallSets::IsSystemVSharedMemory(sysno)) - return ErrorCode(ErrorCode::ERR_ALLOWED); -#endif -#if defined(__i386__) - if (SyscallSets::IsSystemVIpc(sysno)) - return ErrorCode(ErrorCode::ERR_ALLOWED); -#endif - } - // Default on the content baseline policy. return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); } |