Linux sandbox: Restrict sched_* calls in the renderer policy.

BUG=413855 Review URL: https://codereview.chromium.org/639183003 Cr-Commit-Position: refs/heads/master@{#299193}

Linux sandbox: Restrict sched_* calls in the renderer policy.
BUG=413855 Review URL: https://codereview.chromium.org/639183003 Cr-Commit-Position: refs/heads/master@{#299193}
9c2d6867 · rickyz · Commit bot · 1056c8a4 · 9c2d6867
Commit 9c2d6867 authored Oct 10, 2014 by rickyz Committed by Commit bot Oct 10, 2014
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 4 deletions

content/common/sandbox_linux/bpf_renderer_policy_linux.cc content/common/sandbox_linux/bpf_renderer_policy_linux.cc +5 -4

No files found.
--- a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
@@ -43,16 +43,17 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
    case __NR_mremap:  // See crbug.com/149834.
    case __NR_pread64:
    case __NR_pwrite64:
-    case __NR_sched_getaffinity:
    case __NR_sched_get_priority_max:
    case __NR_sched_get_priority_min:
-    case __NR_sched_getparam:
-    case __NR_sched_getscheduler:
-    case __NR_sched_setscheduler:
    case __NR_sysinfo:
    case __NR_times:
    case __NR_uname:
      return Allow();
+    case __NR_sched_getaffinity:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_setscheduler:
+      return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
    case __NR_prlimit64:
      return Error(EPERM);  // See crbug.com/160157.
    default: