1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "services/network/network_sandbox_hook_linux.h"
6 #include "sandbox/linux/syscall_broker/broker_command.h"
7 
8 #include "base/rand_util.h"
9 #include "base/system/sys_info.h"
10 
11 using sandbox::syscall_broker::BrokerFilePermission;
12 using sandbox::syscall_broker::MakeBrokerCommandSet;
13 
14 namespace network {
15 
// Pre-sandbox hook for the network service on Linux.
//
// Starts the syscall broker process with the command set and file
// permission list below, then asks the sandbox instance to engage the
// namespace sandbox. On OS_BSD builds the whole body is compiled out and the
// hook only returns true.
//
// NOTE(review): the only file permission handed to the broker is
// ReadWriteCreateRecursive("/"), so the path allowlist does not narrow which
// files the brokered commands may touch; the remaining limits are the command
// set itself and whatever privileges the broker process runs with (confirm
// against the broker implementation). Tightening this to the paths the
// network service actually needs is the outstanding TODO below.
//
// NOTE(review): the hook returns true unconditionally; no result from
// StartBrokerProcess() or EngageNamespaceSandboxIfPossible() is inspected
// here, so any failure handling has to live inside those calls. Verify.
bool NetworkPreSandboxHook(service_manager::SandboxLinux::Options options) {
#if !defined(OS_BSD)
  namespace broker = sandbox::syscall_broker;

  auto* sandbox_linux = service_manager::SandboxLinux::GetInstance();

  // Filesystem operations the broker will perform on behalf of the sandboxed
  // process. Includes mutating operations (mkdir, rename, rmdir, unlink), not
  // just reads.
  const auto allowed_commands = MakeBrokerCommandSet({
      broker::COMMAND_ACCESS,
      broker::COMMAND_MKDIR,
      broker::COMMAND_OPEN,
      broker::COMMAND_READLINK,
      broker::COMMAND_RENAME,
      broker::COMMAND_RMDIR,
      broker::COMMAND_STAT,
      broker::COMMAND_UNLINK,
  });

  // TODO(tsepez): remove universal permission under filesystem root.
  sandbox_linux->StartBrokerProcess(
      allowed_commands,
      {BrokerFilePermission::ReadWriteCreateRecursive("/")},
      service_manager::SandboxLinux::PreSandboxHook(), options);

  // Runs after the broker has been started; statement order is kept as in the
  // original.
  sandbox_linux->EngageNamespaceSandboxIfPossible();
#endif  // !defined(OS_BSD)
  return true;
}
39 
40 }  // namespace network
41