sandbox: Update known syscalls to kernel 3.17

Updated Arm, Mips, x86_32 and x86_64 syscall defines to match the latest kernel 3.17 at the time of this commit. BUG=406123 TEST=sandbox_linux_unittests Review URL: https://codereview.chromium.org/493603003 Cr-Commit-Position: refs/heads/master@{#291315} git-svn-id: svn://svn.chromium.org/chrome/trunk/src@291315 0039d316-1c4b-4281-b951-d872f2087c98

sandbox: Update known syscalls to kernel 3.17
Updated Arm, Mips, x86_32 and x86_64 syscall defines to match the latest kernel 3.17 at the time of this commit. BUG=406123 TEST=sandbox_linux_unittests Review URL: https://codereview.chromium.org/493603003 Cr-Commit-Position: refs/heads/master@{#291315} git-svn-id: svn://svn.chromium.org/chrome/trunk/src@291315 0039d316-1c4b-4281-b951-d872f2087c98
7ae1ce21 · leecam@chromium.org · 6d51582e · 7ae1ce21 · 7ae1ce21 · 7ae1ce21
Commit 7ae1ce21 authored Aug 22, 2014 by leecam@chromium.org
7 changed files
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -181,6 +181,9 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
    return Error(fs_denied_errno);
  }
+  if (SyscallSets::IsSeccomp(sysno))
+    return Error(EPERM);
  if (SyscallSets::IsAnySystemV(sysno)) {
    return Error(EPERM);
  }

--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -106,6 +106,9 @@ bool SyscallSets::IsFileSystem(int sysno) {
 #endif
 #if defined(__i386__) || defined(__arm__) || defined(__mips__)
    case __NR_lstat64:
+#endif
+#if !defined(__mips__)
+    case __NR_memfd_create:
 #endif
    case __NR_mkdir:
    case __NR_mkdirat:
@@ -117,6 +120,7 @@ bool SyscallSets::IsFileSystem(int sysno) {
    case __NR_readlinkat:
    case __NR_rename:
    case __NR_renameat:
+    case __NR_renameat2:
    case __NR_rmdir:
    case __NR_stat:  // EPERM not a valid errno.
 #if defined(__i386__)
@@ -564,6 +568,15 @@ bool SyscallSets::IsPrctl(int sysno) {
  }
 }
+bool SyscallSets::IsSeccomp(int sysno) {
+  switch (sysno) {
+    case __NR_seccomp:
+      return true;
+    default:
+      return false;
+  }
+}
 bool SyscallSets::IsAllowedBasicScheduler(int sysno) {
  switch (sysno) {
    case __NR_sched_yield:
@@ -605,6 +618,7 @@ bool SyscallSets::IsKernelModule(int sysno) {
 #endif
    case __NR_delete_module:
    case __NR_init_module:
+    case __NR_finit_module:
      return true;
    default:
      return false;
@@ -697,9 +711,7 @@ bool SyscallSets::IsDebug(int sysno) {
    case __NR_ptrace:
    case __NR_process_vm_readv:
    case __NR_process_vm_writev:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
    case __NR_kcmp:
-#endif
      return true;
    default:
      return false;
@@ -828,10 +840,12 @@ bool SyscallSets::IsAdvancedScheduler(int sysno) {
    case __NR_sched_get_priority_max:
    case __NR_sched_get_priority_min:
    case __NR_sched_getaffinity:
+    case __NR_sched_getattr:
    case __NR_sched_getparam:
    case __NR_sched_getscheduler:
    case __NR_sched_rr_get_interval:
    case __NR_sched_setaffinity:
+    case __NR_sched_setattr:
    case __NR_sched_setparam:
    case __NR_sched_setscheduler:
      return true;
@@ -915,6 +929,9 @@ bool SyscallSets::IsExtendedAttributes(int sysno) {
 // TODO(jln): classify this better.
 bool SyscallSets::IsMisc(int sysno) {
  switch (sysno) {
+#if !defined(_mips_)
+    case __NR_getrandom:
+#endif
    case __NR_name_to_handle_at:
    case __NR_open_by_handle_at:
    case __NR_perf_event_open:

--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
@@ -54,6 +54,7 @@ class SANDBOX_EXPORT SyscallSets {
  static bool IsAllowedAddressSpaceAccess(int sysno);
  static bool IsAllowedGeneralIo(int sysno);
  static bool IsPrctl(int sysno);
+  static bool IsSeccomp(int sysno);
  static bool IsAllowedBasicScheduler(int sysno);
  static bool IsAdminOperation(int sysno);
  static bool IsKernelModule(int sysno);

--- a/sandbox/linux/services/arm_linux_syscalls.h
+++ b/sandbox/linux/services/arm_linux_syscalls.h
@@ -1347,6 +1347,38 @@
 #define __NR_process_vm_writev (__NR_SYSCALL_BASE+377)
 #endif
+#if !defined(__NR_kcmp)
+#define __NR_kcmp (__NR_SYSCALL_BASE+378)
+#endif
+#if !defined(__NR_finit_module)
+#define __NR_finit_module (__NR_SYSCALL_BASE+379)
+#endif
+#if !defined(__NR_sched_setattr)
+#define __NR_sched_setattr (__NR_SYSCALL_BASE+380)
+#endif
+#if !defined(__NR_sched_getattr)
+#define __NR_sched_getattr (__NR_SYSCALL_BASE+381)
+#endif
+#if !defined(__NR_renameat2)
+#define __NR_renameat2 (__NR_SYSCALL_BASE+382)
+#endif
+#if !defined(__NR_seccomp)
+#define __NR_seccomp (__NR_SYSCALL_BASE+383)
+#endif
+#if !defined(__NR_getrandom)
+#define __NR_getrandom (__NR_SYSCALL_BASE+384)
+#endif
+#if !defined(__NR_memfd_create)
+#define __NR_memfd_create (__NR_SYSCALL_BASE+385)
+#endif
 // ARM private syscalls.
 #if !defined(__ARM_NR_breakpoint)
 #define __ARM_NR_breakpoint (__ARM_NR_BASE+1)

--- a/sandbox/linux/services/mips_linux_syscalls.h
+++ b/sandbox/linux/services/mips_linux_syscalls.h
@@ -1409,4 +1409,20 @@
 #define __NR_finit_module (__NR_Linux + 348)
 #endif
+#if !defined(__NR_sched_setattr)
+#define __NR_sched_setattr (__NR_Linux + 349)
+#endif
+#if !defined(__NR_sched_getattr)
+#define __NR_sched_getattr (__NR_Linux + 350)
+#endif
+#if !defined(__NR_renameat2)
+#define __NR_renameat2 (__NR_Linux + 351)
+#endif
+#if !defined(__NR_seccomp)
+#define __NR_seccomp (__NR_Linux + 352)
+#endif
 #endif  // SANDBOX_LINUX_SERVICES_MIPS_LINUX_SYSCALLS_H_
--- a/sandbox/linux/services/x86_32_linux_syscalls.h
+++ b/sandbox/linux/services/x86_32_linux_syscalls.h
@@ -1394,5 +1394,33 @@
 #define __NR_kcmp 349
 #endif
+#if !defined(__NR_finit_module)
+#define __NR_finit_module 350
+#endif
+#if !defined(__NR_sched_setattr)
+#define __NR_sched_setattr 351
+#endif
+#if !defined(__NR_sched_getattr)
+#define __NR_sched_getattr 352
+#endif
+#if !defined(__NR_renameat2)
+#define __NR_renameat2 353
+#endif
+#if !defined(__NR_seccomp)
+#define __NR_seccomp 354
+#endif
+#if !defined(__NR_getrandom)
+#define __NR_getrandom 355
+#endif
+#if !defined(__NR_memfd_create)
+#define __NR_memfd_create 356
+#endif
 #endif  // SANDBOX_LINUX_SERVICES_X86_32_LINUX_SYSCALLS_H_
--- a/sandbox/linux/services/x86_64_linux_syscalls.h
+++ b/sandbox/linux/services/x86_64_linux_syscalls.h
@@ -1262,5 +1262,33 @@
 #define __NR_kcmp 312
 #endif
+#if !defined(__NR_finit_module)
+#define __NR_finit_module 313
+#endif
+#if !defined(__NR_sched_setattr)
+#define __NR_sched_setattr 314
+#endif
+#if !defined(__NR_sched_getattr)
+#define __NR_sched_getattr 315
+#endif
+#if !defined(__NR_renameat2)
+#define __NR_renameat2 316
+#endif
+#if !defined(__NR_seccomp)
+#define __NR_seccomp 317
+#endif
+#if !defined(__NR_getrandom)
+#define __NR_getrandom 318
+#endif
+#if !defined(__NR_memfd_create)
+#define __NR_memfd_create 319
+#endif
 #endif  // SANDBOX_LINUX_SERVICES_X86_64_LINUX_SYSCALLS_H_