#include "base/files/scoped_file.h"
#include "base/macros.h"
#include "build/build_config.h"
+#include "sandbox/linux/bpf_dsl/policy.h"
#include "sandbox/linux/seccomp-bpf/bpf_tests.h"
#include "sandbox/linux/seccomp-bpf/errorcode.h"
#include "sandbox/linux/seccomp-bpf/syscall.h"
#endif
};
-class BasicPolicy : public SandboxBPFDSLPolicy {
+class BasicPolicy : public Policy {
public:
BasicPolicy() {}
- virtual ~BasicPolicy() {}
- virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+ ~BasicPolicy() override {}
+ ResultExpr EvaluateSyscall(int sysno) const override {
if (sysno == __NR_getpgid) {
const Arg<pid_t> pid(0);
return If(pid == 0, Error(EPERM)).Else(Error(EINVAL));
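Review bot: The empty-bodied `~BasicPolicy() override {}` is a user-provided destructor that does nothing, and the same pattern repeats in BooleanLogicPolicy, MoreBooleanLogicPolicy, ArgSizePolicy, TrappingPolicy, MaskingPolicy, ElseIfPolicy and SwitchPolicy. If the toolchain permits defaulted functions, `~BasicPolicy() override = default;` states the intent more directly. The declaration could also be dropped altogether, provided `Policy` already declares a virtual destructor; its header is not shown here. The body of EvaluateSyscall continues past the end of this hunk.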
/* On IA-32, socketpair() is implemented via socketcall(). :-( */
#if !defined(ARCH_CPU_X86)
-class BooleanLogicPolicy : public SandboxBPFDSLPolicy {
+class BooleanLogicPolicy : public Policy {
public:
BooleanLogicPolicy() {}
- virtual ~BooleanLogicPolicy() {}
- virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+ ~BooleanLogicPolicy() override {}
+ ResultExpr EvaluateSyscall(int sysno) const override {
if (sysno == __NR_socketpair) {
const Arg<int> domain(0), type(1), protocol(2);
return If(domain == AF_UNIX &&
}
#endif // !ARCH_CPU_X86
-class MoreBooleanLogicPolicy : public SandboxBPFDSLPolicy {
+class MoreBooleanLogicPolicy : public Policy {
public:
MoreBooleanLogicPolicy() {}
- virtual ~MoreBooleanLogicPolicy() {}
- virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+ ~MoreBooleanLogicPolicy() override {}
+ ResultExpr EvaluateSyscall(int sysno) const override {
if (sysno == __NR_setresuid) {
const Arg<uid_t> ruid(0), euid(1), suid(2);
return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM))
static const uintptr_t kDeadBeefAddr =
static_cast<uintptr_t>(0xdeadbeefdeadbeefULL);
-class ArgSizePolicy : public SandboxBPFDSLPolicy {
+class ArgSizePolicy : public Policy {
public:
ArgSizePolicy() {}
- virtual ~ArgSizePolicy() {}
- virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+ ~ArgSizePolicy() override {}
+ ResultExpr EvaluateSyscall(int sysno) const override {
if (sysno == __NR_uname) {
const Arg<uintptr_t> addr(0);
return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow());
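Review bot: The constant that `ArgSizePolicy::EvaluateSyscall` compares against has no comment saying that its value depends on pointer width. `static_cast<uintptr_t>(0xdeadbeefdeadbeefULL)` keeps all 64 bits only where `uintptr_t` is 64-bit and truncates to `0xdeadbeef` on 32-bit targets. The class name suggests the test is about `Arg<uintptr_t>` matching the full argument, so I would add above `kDeadBeefAddr`: `// Truncates to 0xdeadbeef on 32-bit targets; on 64-bit the filter must match all 64 bits.` The body of EvaluateSyscall continues past the end of this hunk.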
-EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr));
}
-class TrappingPolicy : public SandboxBPFDSLPolicy {
+class TrappingPolicy : public Policy {
public:
TrappingPolicy() {}
- virtual ~TrappingPolicy() {}
- virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+ ~TrappingPolicy() override {}
+ ResultExpr EvaluateSyscall(int sysno) const override {
if (sysno == __NR_uname) {
return Trap(UnameTrap, &count_);
}
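Review bot: `Trap(UnameTrap, &count_)` hands the trap handler a raw pointer to `count_`, and nothing visible here says how long that storage lives. The declaration of `count_` is outside the hunk; if it were a non-static member, the pointer would refer into the policy object, which may not live as long as the installed filter. I would confirm that `count_` has static storage and document the requirement at the call, e.g. `// count_ must outlive the installed filter; UnameTrap receives this pointer as aux.` The rest of EvaluateSyscall, including the fall-through result, is outside this hunk.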
ASSERT_SYSCALL_RESULT(3, uname, NULL);
}
-class MaskingPolicy : public SandboxBPFDSLPolicy {
+class MaskingPolicy : public Policy {
public:
MaskingPolicy() {}
- virtual ~MaskingPolicy() {}
- virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+ ~MaskingPolicy() override {}
+ ResultExpr EvaluateSyscall(int sysno) const override {
if (sysno == __NR_setuid) {
const Arg<uid_t> uid(0);
return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES));
}
}
-class ElseIfPolicy : public SandboxBPFDSLPolicy {
+class ElseIfPolicy : public Policy {
public:
ElseIfPolicy() {}
- virtual ~ElseIfPolicy() {}
- virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+ ~ElseIfPolicy() override {}
+ ResultExpr EvaluateSyscall(int sysno) const override {
if (sysno == __NR_setuid) {
const Arg<uid_t> uid(0);
return If((uid & 0xfff) == 0, Error(0))
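Review bot: `Error(0)` in the first branch of the `If` chain deserves a comment, because it is easy to misread as "allow". As I understand bpf_dsl, the syscall is not executed and the caller simply sees a return value of 0. For `setuid` the process is then told the UID change succeeded when nothing happened, which is fine in a test but worth spelling out, e.g. `// Error(0): setuid is skipped but reports success.` The chain continues past the end of this hunk, so the remaining branches are not reviewed here.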
ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222);
}
-class SwitchPolicy : public SandboxBPFDSLPolicy {
+class SwitchPolicy : public Policy {
public:
SwitchPolicy() {}
- virtual ~SwitchPolicy() {}
- virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+ ~SwitchPolicy() override {}
+ ResultExpr EvaluateSyscall(int sysno) const override {
if (sysno == __NR_fcntl) {
const Arg<int> cmd(1);
const Arg<unsigned long> long_arg(2);