return Allow();
}
+#if defined(OS_ANDROID)
+ // Needed for thread creation.
+ if (sysno == __NR_sigaltstack)
+ return Allow();
+#endif
+
+ if (sysno == __NR_clock_gettime) {
+ return RestrictClockID();
+ }
+
if (sysno == __NR_clone) {
return RestrictCloneToThreadsAndEPERMFork();
}
return RestrictFcntlCommands();
#endif
+#if !defined(__aarch64__)
// fork() is never used as a system call (clone() is used instead), but we
// have seen it in fallback code on Android.
if (sysno == __NR_fork) {
return Error(EPERM);
}
+#endif
if (sysno == __NR_futex)
return RestrictFutex();
+ if (sysno == __NR_set_robust_list)
+ return Error(EPERM);
+
+ if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
+ return RestrictGetSetpriority(current_pid);
+
if (sysno == __NR_madvise) {
// Only allow MADV_DONTNEED (aka MADV_FREE).
const Arg<int> advice(2);
return If(advice == MADV_DONTNEED, Allow()).Else(Error(EPERM));
}
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
if (sysno == __NR_mmap)
return RestrictMmapFlags();
#endif
return RestrictMprotectFlags();
if (sysno == __NR_prctl)
- return sandbox::RestrictPrctl();
+ return RestrictPrctl();
-#if defined(__x86_64__) || defined(__arm__) || defined(__mips__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+ defined(__aarch64__)
if (sysno == __NR_socketpair) {
// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
return Error(fs_denied_errno);
}
+ if (SyscallSets::IsSeccomp(sysno))
+ return Error(EPERM);
+
if (SyscallSets::IsAnySystemV(sysno)) {
return Error(EPERM);
}