    Linux sandbox: make policy use ShouldBrokerHandleSyscall() · 55e1bdbf
    Matthew Denton authored
    BPF sandbox policies normally use this code sequence if they are using a
    broker:
      auto* broker_process = SandboxLinux::GetInstance()->broker_process();
      if (broker_process->IsSyscallAllowed(sysno)) {
        return Trap(BrokerProcess::SIGSYS_Handler, broker_process);
      }
    
    Switch this to:
      auto* sandbox_linux = SandboxLinux::GetInstance();
      if (sandbox_linux->ShouldBrokerHandleSyscall(sysno))
        return sandbox_linux->HandleViaBroker();
    
    ...which has the advantage of being clearer.
    
    This also makes it easier to land SECCOMP_RET_USER_NOTIF support, as
    if USER_NOTIF is supported we will use bpf_dsl::UserNotif instead of
    bpf_dsl::Trap, and users of the sandbox shouldn't have to care which
    one is used.
    
    Bug: 1117351
    Change-Id: I809fdb4118fef39d8b142fdd571743c49e0812a2
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2377422
    Commit-Queue: Matthew Denton <mpdenton@chromium.org>
    Reviewed-by: Robert Sesek <rsesek@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#808573}