Age | Commit message (Collapse) | Author | |
---|---|---|---|
2017-07-16 | release-request-05263112-375a-4b1f-a657-a14bb2a5c5a3-for-git_oc-mr1-release- ↵android-wear-8.1.0_r1android-vts-8.1_r9android-vts-8.1_r8android-vts-8.1_r7android-vts-8.1_r6android-vts-8.1_r5android-vts-8.1_r4android-vts-8.1_r3android-vts-8.1_r14android-vts-8.1_r13android-vts-8.1_r12android-vts-8.1_r11android-vts-8.1_r10android-security-8.1.0_r93android-security-8.1.0_r92android-security-8.1.0_r91android-security-8.1.0_r90android-security-8.1.0_r89android-security-8.1.0_r88android-security-8.1.0_r87android-security-8.1.0_r86android-security-8.1.0_r85android-security-8.1.0_r84android-security-8.1.0_r83android-security-8.1.0_r82android-cts-8.1_r9android-cts-8.1_r8android-cts-8.1_r7android-cts-8.1_r6android-cts-8.1_r5android-cts-8.1_r4android-cts-8.1_r3android-cts-8.1_r25android-cts-8.1_r24android-cts-8.1_r23android-cts-8.1_r22android-cts-8.1_r21android-cts-8.1_r20android-cts-8.1_r2android-cts-8.1_r19android-cts-8.1_r18android-cts-8.1_r17android-cts-8.1_r16android-cts-8.1_r15android-cts-8.1_r14android-cts-8.1_r13android-cts-8.1_r12android-cts-8.1_r11android-cts-8.1_r10android-cts-8.1_r1android-8.1.0_r9android-8.1.0_r81android-8.1.0_r80android-8.1.0_r8android-8.1.0_r79android-8.1.0_r78android-8.1.0_r77android-8.1.0_r76android-8.1.0_r75android-8.1.0_r74android-8.1.0_r73android-8.1.0_r72android-8.1.0_r71android-8.1.0_r70android-8.1.0_r7android-8.1.0_r69android-8.1.0_r68android-8.1.0_r67android-8.1.0_r66android-8.1.0_r65android-8.1.0_r64android-8.1.0_r63android-8.1.0_r62android-8.1.0_r61android-8.1.0_r60android-8.1.0_r6android-8.1.0_r53android-8.1.0_r52android-8.1.0_r51android-8.1.0_r50android-8.1.0_r5android-8.1.0_r48android-8.1.0_r47android-8.1.0_r46android-8.1.0_r45android-8.1.0_r43android-8.1.0_r42android-8.1.0_r41android-8.1.0_r40android-8.1.0_r4android-8.1.0_r39android-8.1.0_r38android-8.1.0_r37android-8.1.0_r36android-8.1.0_r35android-8.1.0_r33android-8.1.0_r32android-8.1.0_r31android-8.1.0_r30android-8.1.0_r3android-8.1.0_r29android-8.1.0_r28android-8.1.0_r27android-8.1.0_r26android-8.1.0_r25android-8.1.0_r23android-8.1.0_r22android-8.1.0_r21android-8.1.0_r20android-8.1.0_r2android-8.1.0_r19android-8.1.0_r18android-8.1.0_r17android-8.1.0_r16android-8.1.0_r15android-8.1.0_r14android-8.1.0_r13android-8.1.0_r12android-8.1.0_r11android-8.1.0_r10android-8.1.0_r1security-oc-mr1-releaseoreo-mr1-wear-releaseoreo-mr1-vts-releaseoreo-mr1-security-releaseoreo-mr1-s1-releaseoreo-mr1-releaseoreo-mr1-cuttlefish-testingoreo-mr1-cts-releaseoreo-m8-releaseoreo-m7-releaseoreo-m6-s4-releaseoreo-m6-s3-releaseoreo-m6-s2-releaseoreo-m5-releaseoreo-m4-s9-releaseoreo-m4-s8-releaseoreo-m4-s7-releaseoreo-m4-s6-releaseoreo-m4-s5-releaseoreo-m4-s4-releaseoreo-m4-s3-releaseoreo-m4-s2-releaseoreo-m4-s12-releaseoreo-m4-s11-releaseoreo-m4-s10-releaseoreo-m4-s1-releaseoreo-m3-releaseoreo-m2-s5-releaseoreo-m2-s4-releaseoreo-m2-s3-releaseoreo-m2-s2-releaseoreo-m2-s1-releaseoreo-m2-release | android-build-team Robot | |
4185249 snap-temp-L63000000082739046 Change-Id: Ia5845f15dc55c8bd7b552b337e817fb7295bd9ac | |||
2017-07-14 | Add LICENSE file. am: db19bfbfbd am: c563ae667a am: e5b3a44103oreo-mr1-dev | Jorge Lucangeli Obes | |
am: 8ffc6c0276 Change-Id: Ib27af36f2c86750852e2a428310602a087f5b3a2 | |||
2017-07-14 | Add LICENSE file. am: db19bfbfbd am: c563ae667a | Jorge Lucangeli Obes | |
am: e5b3a44103 Change-Id: I7d408993e6ba5a92b9a01c542b5045c4fb7f7708 | |||
2017-07-14 | Add LICENSE file. am: db19bfbfbd | Jorge Lucangeli Obes | |
am: c563ae667a Change-Id: I7378e949b453302a792b52bb027df879b4075ed0 | |||
2017-07-14 | Add LICENSE file. | Jorge Lucangeli Obes | |
am: db19bfbfbd Change-Id: If0831211070c217ffbdfd48bc184e2ccd79e1108 | |||
2017-07-14 | Add LICENSE file.android-o-preview-4 | Jorge Lucangeli Obes | |
When moving Minijail from Chrome OS to Android, we lost the LICENSE file: https://chromium.git.corp.google.com/chromiumos/platform2/+/master/LICENSE Add it back in. Bug: None Test: None Change-Id: I9fb7ecdccc35a62482a90e9500a71970de08205d | |||
2017-07-14 | Use unsigned long for prctl argument am: a7f4fc9162 am: 7fae31245f am: ↵ | Dylan Reid | |
de8986a733 am: 6cf96468c5 Change-Id: I7fc56bb6d531d53e1c321834f2ce95cc4385560f | |||
2017-07-14 | Use unsigned long for prctl argument am: a7f4fc9162 am: 7fae31245f | Dylan Reid | |
am: de8986a733 Change-Id: Iff86ce6e3cb99bc75b92a4136080b7653b05237a | |||
2017-07-14 | Use unsigned long for prctl argument am: a7f4fc9162 | Dylan Reid | |
am: 7fae31245f Change-Id: I90a1ad3f77dce43b936747ae18222ca91b0b9cfd | |||
2017-07-14 | Use unsigned long for prctl argument | Dylan Reid | |
am: a7f4fc9162 Change-Id: I38989aeba90b9eed6e377daacf4f55e36f948ecf | |||
2017-07-13 | Use unsigned long for prctl argument | Dylan Reid | |
uint64_t isn't the right type when running on a 32 bit machine. BUG=none TEST=check caps can be dropped on a 32 bit userspace machine like kevin. minijail0 -u wpa -g wpa -c 3000 -i -t -- /bin/ls Change-Id: I1ec55dc653fe206a1641f0a971ab2b20c42a2d9c Signed-off-by: Dylan Reid <dgreid@chromium.org> | |||
2017-07-13 | release-request-d3de000d-8c5a-4c3c-b63e-e989421d7762-for-git_oc-mr1-release- ↵ | android-build-team Robot | |
4176727 snap-temp-L91200000081901352 Change-Id: I915ad12e739cce9bb95fb05374995c6295578816 | |||
2017-07-12 | Add include guard around scoped_minijail.h am: 59e4737dff am: 3f67380850 am: ↵ | Chirantan Ekbote | |
b60d57424c am: 2f4314011f Change-Id: I46d1be1dc471f3f1feeda817bb1b61b60bacf41e | |||
2017-07-12 | Add include guard around scoped_minijail.h am: 59e4737dff am: 3f67380850 | Chirantan Ekbote | |
am: b60d57424c Change-Id: I6ea6f75a57d385894916dec8585097d02adaf216 | |||
2017-07-12 | Add include guard around scoped_minijail.h am: 59e4737dff | Chirantan Ekbote | |
am: 3f67380850 Change-Id: I1ae8795badde138ba07af135c5508692bcd3f37f | |||
2017-07-12 | Add include guard around scoped_minijail.h | Chirantan Ekbote | |
am: 59e4737dff Change-Id: I6148023b77b0881b779d571b31601abb8f2c80f0 | |||
2017-07-12 | Add include guard around scoped_minijail.h | Chirantan Ekbote | |
Add an include guard around scoped_minijail.h so that there is no compiler error if it gets included twice transitively. BUG=none TEST=include scoped_minijail.h twice and see that it still compiles properly Change-Id: Ia9ee6e5d22be433fef1c98e3ae56061e1afed647 Signed-off-by: Chirantan Ekbote <chirantan@google.com> | |||
2017-07-12 | release-request-b6f2d5b3-a3d6-410f-b58f-c85ba8187177-for-git_oc-mr1-release- ↵ | android-build-team Robot | |
4173087 snap-temp-L93200000081515229 Change-Id: Ie39dcf8a1e16a14f6849d02b9ed013b11141ee26 | |||
2017-07-11 | minijail: Allow skipping setting securebits when restricting caps am: ↵ | Luis Hector Chavez | |
ec0a2c1023 am: 4a01d5fd55 am: 20f15e9c71 am: f6ef36d822 Change-Id: I75b245f3cda582c563c3de432344b446fc3aa0ca | |||
2017-07-11 | minijail: Allow skipping setting securebits when restricting caps am: ↵ | Luis Hector Chavez | |
ec0a2c1023 am: 4a01d5fd55 am: 20f15e9c71 Change-Id: If209e386dc61e2406d116a2617d4c6d82893ae4e | |||
2017-07-11 | minijail: Allow skipping setting securebits when restricting caps am: ec0a2c1023 | Luis Hector Chavez | |
am: 4a01d5fd55 Change-Id: Ib611fb9072333fd36c82010c31b9b8dd4b05d9bc | |||
2017-07-11 | minijail: Allow skipping setting securebits when restricting caps | Luis Hector Chavez | |
am: ec0a2c1023 Change-Id: I9671c05901c202ce4f7fd703371ad45b79f79e06 | |||
2017-07-11 | minijail: Allow skipping setting securebits when restricting caps | Luis Hector Chavez | |
This change allows the user to optionally skip setting a subset of the securebits that are automatically set when restricting caps. Bug: 63069223 Test: $ gcc -static -xc -o securebits - << EOF #include <stdio.h> #include <sys/prctl.h> int main() { printf("%x\n", prctl(PR_GET_SECUREBITS)); } EOF $ sudo ./minijail0 -c 1fffffffff --ambient ./securebits 2f $ sudo ./minijail0 -c 1fffffffff --ambient -B 2f ./securebits 0 Change-Id: Ie247302bbbb35f04caa2066541a8c175f6c94976 | |||
2017-07-02 | release-request-d9dc98f7-19b2-484c-b4d1-f35dc43e9c05-for-git_oc-mr1-release- ↵ | android-build-team Robot | |
4152006 snap-temp-L91700000079405440 Change-Id: Ibb22349bf700b9eeeba7f406ba1ed6bfdb17c5bf | |||
2017-06-30 | minijail: Add support for dropping caps with static binaries am: fe5fb8ea50 ↵ | Luis Hector Chavez | |
am: 5302f58f1c am: ab5309116f am: 3b361c5622 Change-Id: Idb900ac4150e94f724b74609ad0541f195ce84bc | |||
2017-06-30 | minijail: Add support for dropping caps with static binaries am: fe5fb8ea50 ↵ | Luis Hector Chavez | |
am: 5302f58f1c am: ab5309116f Change-Id: If3edf723305edeef2a602e7c71fa70ee797fc096 | |||
2017-06-30 | minijail: Add support for dropping caps with static binaries am: fe5fb8ea50 | Luis Hector Chavez | |
am: 5302f58f1c Change-Id: I33d0c038d9b845bf56da057bc6b76611827b9490 | |||
2017-06-30 | minijail: Add support for dropping caps with static binaries | Luis Hector Chavez | |
am: fe5fb8ea50 Change-Id: Id17f8df3cf8bf8a27f1d5f600474f7cc7699fa79 | |||
2017-06-30 | minijail: Add support for dropping caps with static binaries | Luis Hector Chavez | |
This change relaxes the preconditions needed for dropping caps, such that it is supported provided that at least one of these two are true: * The program being run is dynamically-linked, which means that the LD_PRELOAD trick can be used to drop caps after execve(). * Ambient capabilities are also being set, which makes the capability bound to be able to survive an execve(). Additionally, this change validates that the parameters passed into the minijail0 binary comply with the preconditions, and suggest the alternative of passing in --ambient to fix it. Bug: 63069223 Test: $ g++ -static -std=c++11 -xc++ -o captest - << EOF #include <fstream> #include <iostream> #include <string> int main() { std::ifstream status("/proc/self/status"); std::string line; while (std::getline(status, line)) { if (line.find("CapEff") == 0) { std::cout << line << std::endl; } } return 0; } EOF $ sudo ./captest CapEff: 0000003fffffffff $ sudo ./minijail0 -T static -c 1fffffffff ./captest Can't run statically-linked binaries with capabilities (-c) \ without also setting ambient capabilities. Try passing --ambient $ sudo ./minijail0 -T static -c 1fffffffff --ambient ./captest CapEff: 0000001fffffffff Change-Id: Ie8be509303780a09356ce94bd1436a861a59ce80 | |||
2017-06-29 | Add the ability to set rlimits on the jailed process am: 0f72ef4240 am: ↵ | Dylan Reid | |
b27ba66cd5 am: f0635d12ec am: 04db2854a7 Change-Id: Ie70790f61ea2fdb345c0d7eeabb84e1e5c2dd251 | |||
2017-06-29 | Add the ability to set rlimits on the jailed process am: 0f72ef4240 am: ↵ | Dylan Reid | |
b27ba66cd5 am: f0635d12ec Change-Id: I4daaf61ea5ea5615f69b88b113b1b32d5f9778c0 | |||
2017-06-29 | Add the ability to set rlimits on the jailed process am: 0f72ef4240 | Dylan Reid | |
am: b27ba66cd5 Change-Id: I0a4345ac20c0f5d4b04a60f9c12f383fd68ea1c0 | |||
2017-06-29 | Add the ability to set rlimits on the jailed process | Dylan Reid | |
am: 0f72ef4240 Change-Id: I95fa1ce3d78261ba2807823671df9e1a5ba5facd | |||
2017-06-29 | Add the ability to set rlimits on the jailed process | Dylan Reid | |
Currently Chrome OS relies on upstart to configure these limits but that isn't available when using libminijail from session manager. Add it so runtime limits can be configured for Android and other containers. BUG=none TEST=updated security_Minijail0 and manually check /proc/xxx/limits of jailed process. Change-Id: I62ed63c89c9c5196b7d9873520b396c9524e5855 Signed-off-by: Dylan Reid <dgreid@chromium.org> | |||
2017-06-22 | release-request-36fe639f-9404-4c33-86fb-47bc4ab2221f-for-git_oc-mr1-release- ↵ | android-build-team Robot | |
4124666 snap-temp-L64200000076596327 Change-Id: I8199e81f1c7489ebfce66a9d385a7a0e15ff5cda | |||
2017-06-21 | clarify -s vs -S seccomp modes a bit am: e61fd66813 am: dd37a5752a am: ↵ | Mike Frysinger | |
2577ef10cc am: 262d381364 Change-Id: I14b94fd5cdcbc00c852147128dcfe28e6b9c2129 | |||
2017-06-21 | man pages: standardize reference style am: 0fe4e4f252 am: 30e73b95f1 am: ↵ | Mike Frysinger | |
4f07ede91e am: 57097df5da Change-Id: If873f4e41705f0e97935b72236399ab49e938fc0 | |||
2017-06-21 | clarify -s vs -S seccomp modes a bit am: e61fd66813 am: dd37a5752a | Mike Frysinger | |
am: 2577ef10cc Change-Id: I05d47efa00a7fa3a4c3302e36fad0c678a41aa80 | |||
2017-06-21 | man pages: standardize reference style am: 0fe4e4f252 am: 30e73b95f1 | Mike Frysinger | |
am: 4f07ede91e Change-Id: I91cf7e6134be12fc4e54666cb1c553f6a61bcb5d | |||
2017-06-21 | clarify -s vs -S seccomp modes a bit am: e61fd66813 | Mike Frysinger | |
am: dd37a5752a Change-Id: I440203b52c694e9900c3f8a8a8b2e7d366e208b8 | |||
2017-06-21 | man pages: standardize reference style am: 0fe4e4f252 | Mike Frysinger | |
am: 30e73b95f1 Change-Id: I09dd95832f9e30749b0ddd5b6f268336ddf02655 | |||
2017-06-21 | clarify -s vs -S seccomp modes a bit | Mike Frysinger | |
am: e61fd66813 Change-Id: I5fab1ebb26924b2edfe06c1142065608bbd96bfc | |||
2017-06-21 | man pages: standardize reference style | Mike Frysinger | |
am: 0fe4e4f252 Change-Id: Ifb114ad1a1c0b544987207b5b44b31db916e9a99 | |||
2017-06-20 | clarify -s vs -S seccomp modes a bit | Mike Frysinger | |
And do not allow them to be used together as it doesn't make sense. Bug: None Test: read the output Change-Id: Ic935e3787b5cf52a166de5ebc0b12e251bfc8c23 | |||
2017-06-20 | man pages: standardize reference style | Mike Frysinger | |
The standard here is to bold the man page name and not the section. Bug: None Test: man rendering works Change-Id: Ia612b5df47963e6071f707ec1cabbc233839df42 | |||
2017-06-08 | release-request-01b39c26-bf86-40a5-a7bf-8eb15c488673-for-git_oc-mr1-release- ↵ | android-build-team Robot | |
4080221 snap-temp-L23400000072087081 Change-Id: I1558997c852400c190a7126bb13e6eb83757a290 | |||
2017-06-08 | minijail0: adjust how we stop processing non-opts am: 98f4a938cb am: ↵ | Mike Frysinger | |
4f8562358e am: 927cd4f006 am: c015846d94 Change-Id: Iac9d260ca778e0b2fa9adc1ce97be57b37fdedb7 | |||
2017-06-08 | minijail0: adjust how we stop processing non-opts am: 98f4a938cb am: 4f8562358e | Mike Frysinger | |
am: 927cd4f006 Change-Id: I025470a9c95e8240c90ea6a75f8c829ef1e58c8e | |||
2017-06-08 | minijail0: adjust how we stop processing non-opts am: 98f4a938cb | Mike Frysinger | |
am: 4f8562358e Change-Id: I154e2f7754c461a113d128781b8426ae98f51302 | |||
2017-06-08 | minijail0: adjust how we stop processing non-opts | Mike Frysinger | |
am: 98f4a938cb Change-Id: I4310f467ce15f8d6a2fd484744509fcf9691b43e |