Linux sandbox: Disallow get_robust_list and set_robust_list.

These are only used for futexes that are shared between processes, which should not be happening in Chromium. BUG=413855 Review URL: https://codereview.chromium.org/569713004 Cr-Commit-Position: refs/heads/master@{#294986}

Linux sandbox: Disallow get_robust_list and set_robust_list.
These are only used for futexes that are shared between processes, which should not be happening in Chromium. BUG=413855 Review URL: https://codereview.chromium.org/569713004 Cr-Commit-Position: refs/heads/master@{#294986}
a75e8729 · rickyz · Commit bot · 7bf3d6dc · a75e8729 · a75e8729
Commit a75e8729 authored Sep 15, 2014 by rickyz Committed by Commit bot Sep 16, 2014
Showing with 3 additions and 1 deletion

sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +3 -0

sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +0 -1

No files found.
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -153,6 +153,9 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
  if (sysno == __NR_futex)
    return RestrictFutex();
+  if (sysno == __NR_set_robust_list)
+    return Error(EPERM);
  if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
    return RestrictGetSetpriority(current_pid);

--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -402,7 +402,6 @@ bool SyscallSets::IsAllowedFutex(int sysno) {
  switch (sysno) {
    case __NR_get_robust_list:
    case __NR_set_robust_list:
-      return true;
    case __NR_futex:
    default:
      return false;