Make the following two changes to ensure that minijail builds
in CrOS:
1) Edit references to the previously renamed signal.o file to
signal_handler.o in the Makefile
2) Add a comparison of __LITTLE_ENDIAN with __BYTE_ORDER to
bpf.h, since __LITTLE_ENDIAN__ is not defined when building
for CrOS.
BUG: 24680644
Change-Id: I152573d29a87a3a685c0d27e728632e84462e8ef
TEST: Cherry-pick change to CrOS and minijail build succeeds.
|
|
This requires disabling LDPRELOAD and temporarily disabling
capabilities support.
Reland of https://android-review.googlesource.com/#/c/159755/
with compile fixes. Compile-tested on
aosp_{x86,x86_64,arm,arm64,mips64}-eng.
Bug: 22487289
Change-Id: Ia4530cf09b074aa0a2afe5a5b307ff3c5c5d6c08
|
|
Fix is not complete, arm64 was still failing.
This reverts commit 6666fe26242c1daed54c0e384bfcbb1e98ae2bfb.
Change-Id: Iad02965e730271f80aa59ca7d26b34a553bc0c70
|
|
Endianness macros are different on Android.
Change-Id: I12d4e79b81d9192652b398b9a994db41bfa7880c
|
|
BUG=chromium:416890
TEST=syscall_filter_unittest passes.
Change-Id: I0cec225e0276f786fc44a05e3dff2080866f3c49
Reviewed-on: https://chromium-review.googlesource.com/220188
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
|
|
minijail did not set ARCH_NR correctly such that it always assumed any
MIPS platform to be 64-bit, which caused the architecture validation in
the seccomp filter to fail on a 32-bit MIPS platform.
BUG=chromium:416734
TEST=Tested a seccomp filter via minijail on a 32-bit MIPS platform.
Change-Id: I26489f0b80e48c30ee39d256218b48f927cd74b4
Reviewed-on: https://chromium-review.googlesource.com/219434
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
|
|
Just copy & paste relevant toolchain defines and kernel headers.
BUG=chromium:307180
TEST=ppc build works
Change-Id: I43b402e6eebbfa5e9ce11ac0c782d6baab9e0a4b
Reviewed-on: https://chromium-review.googlesource.com/173726
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
|
|
In the C99 standard, inline functions only make sense when you
put them in a ".h" file. The whole concept is about making
the function definition visible to all callers. In this case,
the function 'set_bpf_instr' is declared in bpf.h and defined
in bpf.c and it is called by functions from libsyscalls.gen.c.
When compiling libsyscalls.gen.c, it finds that 'set_bpf_instr'
is an inline function; however, in this compilation unit,
it could not find the definition, so the error pops out.
BUG=chromium:298450
TEST=FEATURES="test" CC=i686-pc-linux-gnu-clang
emerge-x86-generic chromeos-minijail
Change-Id: I666386337379c5897bdd3772fed428f284e76661
Reviewed-on: https://chromium-review.googlesource.com/170615
Reviewed-by: Luis Lozano <llozano@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
|
|
BUG=chromium-os:38539
TEST=./setup_board --board=x32-generic; emerge-x32-generic chromeos-minijail
Change-Id: I4ca1c78d583976a6f692a589c5b153101700beee
Reviewed-on: https://gerrit.chromium.org/gerrit/42543
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
|
|
First step is to add support for the actual BPF instruction.
Next step is to parse this in the policy files and use the functions
introduced by this CL.
BUG=chromium-os:36848
TEST=syscall_filter_unittest
Change-Id: I172598e63413506f190ae6b4b07ae63e1198f44c
Reviewed-on: https://gerrit.chromium.org/gerrit/39018
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
|
|
BUG=chromium-os:33361
TEST=unit tests
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive
Change-Id: I16cdb8fbcf1cb13f2dee5521f97fb8d0bdbdf93b
Reviewed-on: https://gerrit.chromium.org/gerrit/29053
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
|
|
That way, the syscall filtering module can log to syslog without
duplicating code. While I'm at it, make naming more consistent.
BUG=None
TEST=unit
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive
Change-Id: I7102ca22f49dd7e5bb56bf2997d0d83cb0507e83
Reviewed-on: https://gerrit.chromium.org/gerrit/29080
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
|
|
This CL uses the mechanism to generate filter sections from
policy strings and builds a complete filter by first
validating the arch and loading the syscall number, then
checking against all syscalls listed in the policy file, and
executing the argument filters if necessary.
BUG=chromium-os:25429
BUG=chromium-os:27878
TEST=syscall_filter_unittest
CQ-DEPEND=I3a4334a3c568178e19b18e7f3ed97517b03afd1b
Change-Id: I13a9b22ac8d55f02d5a77b5beedb955386b63723
Reviewed-on: https://gerrit.chromium.org/gerrit/19007
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
|
|
BUG=chromium-os:25429
BUG=chromium-os:27878
TEST=syscall_filter_unittest
Change-Id: I3a4334a3c568178e19b18e7f3ed97517b03afd1b
Reviewed-on: https://gerrit.chromium.org/gerrit/18914
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
|