X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=src%2Fsandbox%2Flinux%2Fseccomp-bpf-helpers%2Fbaseline_policy.cc;h=aa347de39f4a53a6d7caf19612ababb653eb53ac;hb=3545e9f2671f595d2a2f3ee75ca0393b01e35ef6;hp=7f4d5590cf86616b006ccc4b04571710deb9c939;hpb=7d210d4c7e9ba36e635eabc5b5780495f8a63292;p=platform%2Fframework%2Fweb%2Fcrosswalk.git
diff --git a/src/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/src/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index 7f4d559..aa347de 100644
--- a/src/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/src/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -120,6 +120,16 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
     return Allow();
   }
 
+#if defined(OS_ANDROID)
+  // Needed for thread creation.
+  if (sysno == __NR_sigaltstack)
+    return Allow();
+#endif
+
+  if (sysno == __NR_clock_gettime) {
+    return RestrictClockID();
+  }
+
   if (sysno == __NR_clone) {
     return RestrictCloneToThreadsAndEPERMFork();
   }
@@ -132,22 +142,31 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
     return RestrictFcntlCommands();
 #endif
 
+#if !defined(__aarch64__)
   // fork() is never used as a system call (clone() is used instead), but we
   // have seen it in fallback code on Android.
   if (sysno == __NR_fork) {
     return Error(EPERM);
   }
+#endif
 
   if (sysno == __NR_futex)
     return RestrictFutex();
 
+  if (sysno == __NR_set_robust_list)
+    return Error(EPERM);
+
+  if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
+    return RestrictGetSetpriority(current_pid);
+
   if (sysno == __NR_madvise) {
     // Only allow MADV_DONTNEED (aka MADV_FREE).
     const Arg advice(2);
     return If(advice == MADV_DONTNEED, Allow()).Else(Error(EPERM));
   }
 
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
   if (sysno == __NR_mmap)
     return RestrictMmapFlags();
 #endif
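Review bot: The new `clock_gettime` arm carries no comment explaining why the clock ID needs restricting, and the sibling `sigaltstack` arm says only what it is for, not who needs it, so the intent of both additions is lost on the next reader. Above the `clock_gettime` check I would add `// Restrict the clock ID: CPU-time clocks encode a pid/tid and would let sandboxed code probe other processes (see RestrictClockID).` — worded as the presumable purpose, since RestrictClockID's body is not in this diff. Note also that on targets where the libc serves clock_gettime from the vDSO the filter is only reached on the fallback path, so this rule is defence in depth rather than a guarantee that every call is inspected. For the Android arm, `// Bionic's pthread_create() installs an alternate signal stack for each new thread.` would name the caller, assuming that is the thread-creation path meant here. EvaluateSyscallImpl starts before this hunk and continues after it.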
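Review bot: `sysno ==__NR_setpriority` is missing the space after `==`, unlike every other comparison in this function; it should read `if (sysno == __NR_getpriority || sysno == __NR_setpriority)`. The `set_robust_list` denial is also the only new EPERM here without a rationale, and it is a deliberate trade-off that relies on the libc ignoring the failure when it registers the list for a new thread (glibc and Bionic do, as far as I know, but it is worth confirming for this platform's libc); I would add `// Robust futex lists are not used by sandboxed code; keep this interface out of reach (the libc tolerates the EPERM).` Passing `current_pid` to RestrictGetSetpriority bakes the pid in at the time the policy is built, which only stays correct because fork is EPERM and clone is restricted to threads earlier in this function, so a one-line comment to that effect next to the call would keep a future relaxation of the clone rule from silently breaking the priority check. EvaluateSyscallImpl continues outside this hunk.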
@@ -161,9 +180,10 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
     return RestrictMprotectFlags();
 
   if (sysno == __NR_prctl)
-    return sandbox::RestrictPrctl();
+    return RestrictPrctl();
 
-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+    defined(__aarch64__)
   if (sysno == __NR_socketpair) {
     // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
     COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
@@ -181,6 +201,9 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
     return Error(fs_denied_errno);
   }
 
+  if (SyscallSets::IsSeccomp(sysno))
+    return Error(EPERM);
+
   if (SyscallSets::IsAnySystemV(sysno)) {
     return Error(EPERM);
   }
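Review bot: The `IsSeccomp` EPERM is the rule that decides whether a sandboxed process can ever install or tighten a filter of its own, and it lands without a comment saying that this is intended; I would add `// The baseline is the last filter a sandboxed process gets: sandboxed code must not install its own via seccomp(2), and prctl(PR_SET_SECCOMP) is presumably rejected by RestrictPrctl.` — the prctl half is my reading of RestrictPrctl, whose body is not in this diff. Returning EPERM also means an attempt is swallowed silently; if no legitimate code path ever calls seccomp(2), the crashing result that the socketpair rule above uses for unexpected values would surface a probing exploit instead of letting it retry quietly, at the cost of turning any stray libc probe into a crash. Either choice is defensible, but the comment should record which one was meant. The enclosing function continues past this hunk.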