1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
7 #include <sys/syscall.h>
10 using sandbox::bpf_dsl::Allow;
11 using sandbox::bpf_dsl::ResultExpr;
// The Android policy adds no state of its own at construction time; the base
// policy's default constructor (invoked implicitly here) does all the setup.
SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid() {}
// Nothing to release: this class owns no resources beyond what the base policy
// manages, so the destructor is intentionally empty.
SandboxBPFBasePolicyAndroid::~SandboxBPFBasePolicyAndroid() {
}
// Android-specific seccomp-bpf policy: decides what the filter does with
// syscall number |sysno|. A fixed set of syscalls that the Android runtime
// needs is allowed outright; every other syscall is delegated to the generic
// SandboxBPFBasePolicy::EvaluateSyscall.
//
// NOTE(review): each syscall listed below is allowed for *all* argument
// values. A seccomp-bpf filter only sees the syscall number and its register
// arguments, never pointed-to memory, so paths and buffers cannot be checked
// here at all and flag-style arguments are only checked where a case does so
// explicitly (none of the visible cases do). Adding a syscall to this list
// therefore widens the attack surface of the sandboxed process for every use
// of that syscall, not just the intended one.
//
// NOTE(review): the switch body is only partially visible in this listing
// (the `switch` header, some case labels, the allow branch and the function's
// closing brace are not shown), so the cases below are not necessarily the
// complete allow list.
ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const {
  // Set when |sysno| is on the Android allow list and must therefore bypass
  // whatever (possibly more restrictive) decision the base policy would make.
  bool override_and_allow = false;
  // TODO(rsesek): restrict clone parameters.
  // NOTE(review): until that TODO is addressed, clone() presumably reaches
  // the kernel with whatever flag combination the caller passes (the
  // `case __NR_clone:` itself is not visible here). Restricting the flags
  // argument is the usual hardening for clone in a seccomp-bpf policy;
  // confirm whether the base policy already does this before relying on it.
    case __NR_epoll_pwait:
    case __NR_getpriority:
    // File system access cannot be restricted with seccomp-bpf on Android,
    // since the JVM classloader and other Framework features require file
    // access. It may be possible to restrict the filesystem with SELinux.
    // Currently we rely on the app/service UID isolation to create a
    // filesystem "sandbox".
    // NOTE(review): the file-system syscalls this comment refers to are not
    // visible in this listing; the UID isolation it relies on is enforced by
    // the Android platform, not by this policy.
    case __NR_rt_sigtimedwait:
    case __NR_setpriority:
    case __NR_sigaltstack:
#if defined(__i386__) || defined(__arm__)
    // Some syscalls have different numbers/names on the 32-bit i386 and ARM
    // ABIs than on 64-bit ones; the architecture-specific case label(s) under
    // this guard (and the matching #endif) are not visible in this listing.
      // Every case label above falls through to this one assignment.
      override_and_allow = true;
  // The allow branch body is not visible here; given the
  // `using sandbox::bpf_dsl::Allow;` at the top of the file it presumably
  // returns Allow() -- confirm against the full source.
  if (override_and_allow)
  // Anything not on the Android allow list gets the base policy's verdict.
  return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
60 } // namespace content