Age | Commit message | Author |
|
Normally we don't do this, but enough changes have accumulated that
we're doing a tree-wide one-off update of the name & style.
BUG=chromium:1098010
TEST=`repo upload` works
Change-Id: I208569250e49179362ec9e2343ffc13652f576dd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/minijail/+/3893890
Tested-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Allen Webb <allenwebb@google.com>
Auto-Submit: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>
|
|
This change adds a MINIJAIL_ prefix to all the ARCH_ #defines, and adds
them to the constants table. This should make it easier to obtain at
build-time when cross-compiling.
Bug: None
Test: make clean && make all
Change-Id: I415a3d344682fb000d36adb7f498174b11f3cf3a
|
|
Detect at runtime whether SECCOMP_RET_LOG is available and use that for
logging.
Bug: chromium:934859
Test: New unit tests.
Test: On 4.14 device, minijail0 -S -L test/seccomp.policy -- /bin/true.
Test: audit.log shows failing syscall, binary exits successfully.
Test: On <4.14 device, behaves as before.
Change-Id: Ic9da1b5dae2b4b1df50e9d3e6f18c816e93bff87
|
|
This makes the code much easier to manage as we don't have to deal
with C strings, and we can add some wrappers to simplify the call
stack (and enforce proper arguments).
Bug: None
Test: `make tests` still passes
Change-Id: I66a75a069fa36302a5e710ebe6057749bcb2aaac
|
|
Since all <, <=, >, >= operands are unsigned, when the immediate fits in
32-bits (which should be the vast majority of the time), we can omit one
of the comparisons that would normally occur. So, for

  arg1 >= K

That would be roughly translated to

  if (hi(arg1) > hi(K)) jump NEXT;
  if (hi(arg1) == hi(K) && lo(arg1) >= lo(K)) jump NEXT;
  jump KILL;

If the first check (|hi(arg1) > hi(K)|) fails, we then evaluate the
whole second expression. If |hi(K) == 0|, then the only value of
|hi(arg1)| for which it would fail would be if |hi(arg1) == 0|, so we
don't need to evaluate |hi(arg1) == hi(K)| at all, since we know that
it's always going to be true. In other words,

  // given that |hi(K) == 0|,
  if (hi(arg1) > 0) jump NEXT;
  // if the code gets here, |hi(arg1) == 0|.
  if (lo(arg1) >= lo(K)) jump NEXT;
  jump KILL;

The case for > is identical, and </<= get translated into >/>= since
cBPF only supports the latter two operators, which concludes the
proof of correctness for this optimization.
This saves one opcode.
Bug: 111726641
Test: make tests
Test: echo 'read: arg1 <= 0xbadc0ffee0ddf00d' | \
        ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Test: echo 'read: arg1 <= 0xff' | ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Change-Id: Ia00362ce92ff5e858c7366dab013e2db88c09818
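Added example, not part of the commit or of minijail's code: a toy emitter and interpreter for the `arg >= K` translation described above, checking that the shortened form for `hi(K) == 0` still agrees with a native 64-bit unsigned comparison. The opcode names, `emit_ge`, `run` and `check` are hypothetical, and ALLOW stands in for "jump NEXT".

```c
#include <stddef.h>
#include <stdint.h>
/* Toy opcodes for this example only; not the <linux/filter.h> encoding. */
enum op { LD_HI, LD_LO, JGT, JGE, JEQ, RET_ALLOW, RET_KILL };
struct insn { enum op op; uint32_t k; uint8_t jt, jf; };

/* Emit "arg >= K" as 32-bit compares; returns the instruction count. */
size_t emit_ge(struct insn *p, uint64_t K)
{
	uint32_t hi = (uint32_t)(K >> 32), lo = (uint32_t)K;
	size_t n = 0;
	p[n++] = (struct insn){ LD_HI, 0, 0, 0 };
	p[n++] = (struct insn){ JGT, hi, hi ? 3 : 2, 0 }; /* true: ALLOW */
	/* If hi(K) == 0, falling through already means hi(arg) == hi(K). */
	if (hi)
		p[n++] = (struct insn){ JEQ, hi, 0, 3 }; /* false: KILL */
	p[n++] = (struct insn){ LD_LO, 0, 0, 0 };
	p[n++] = (struct insn){ JGE, lo, 0, 1 }; /* false: KILL */
	p[n++] = (struct insn){ RET_ALLOW, 0, 0, 0 };
	p[n++] = (struct insn){ RET_KILL, 0, 0, 0 };
	return n;
}

/* Interpret the program; jumps are relative to the next instruction. */
int run(const struct insn *p, uint64_t arg)
{
	uint32_t a = 0;
	for (;; p++) {
		switch (p->op) {
		case LD_HI: a = (uint32_t)(arg >> 32); break;
		case LD_LO: a = (uint32_t)arg; break;
		case JGT: p += a > p->k ? p->jt : p->jf; break;
		case JGE: p += a >= p->k ? p->jt : p->jf; break;
		case JEQ: p += a == p->k ? p->jt : p->jf; break;
		default: return p->op == RET_ALLOW;
		}
	}
}

/* Returns 1 if the emitted filter agrees with native 64-bit >= on edge values. */
int check(uint64_t K)
{
	const uint64_t args[] = { 0, 0xff, 0x100, UINT32_MAX, 1ULL << 32, K - 1, K, K + 1, UINT64_MAX };
	struct insn prog[7];
	emit_ge(prog, K);
	for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++)
		if (run(prog, args[i]) != (args[i] >= K)) return 0;
	return 1;
}
```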
|
|
This change introduces four new comparison operators.
Bug: 111726641
Test: make tests
Test: echo 'read: arg1 < 0xff' | ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Test: echo 'read: arg1 <= 0xff' | ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Test: echo 'read: arg1 > 0xff' | ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Test: echo 'read: arg1 >= 0xff' | ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Change-Id: If6a1752d688748e9f0d0ad4902c3ae2982881b2e
|
|
This project was started as a BSD licensed work, and it remained that
way even after the AOSP move, so make sure new files correctly reflect
that too. Otherwise we end up with half the files using BSD and the
other half using Apache which is annoying.
Bug: None
Test: grepped for "apache" in all the files
Change-Id: I7cc7c890b42a1ded7552e1852246eaf86ca8428c
|
|
The new in-process crash dumping on Android could use functionality to
include policy files in other policy files. The use case would be to
add a short section of syscalls required for crash dumping to processes
already using syscall filtering.
The first step to do this is to extract the functionality that parses
an individual file to a separate function, so that it can be called
multiple times.
Implementation of the include directive will be done in a follow-up CL.
Bug: 36007996
Test: New unit tests, but no change in functionality.
Change-Id: I4097513bf11c23af67b6741fceb5c7abe360396e
|
|
SECCOMP_RET_KILL will only kill the offending thread -- it's equivalent
to having the thread call syscall(SYS_exit, SIGSYS). This is explicitly
*not* the same as exit_group(2), so other threads in the thread group
will not be killed.
When setting thread sync, we normally would expect all threads in the
thread group to be killed. To do this, use SECCOMP_RET_TRAP and reset
the signal disposition for SIGSYS to its default value, which is to
abort and dump core (see signal(7)).
There was also a small bug related to seccomp_can_softfail(), where we
were never using seccomp even when it was available.
Bug: 31862018
Test: Manual with multi-threaded program.
Change-Id: I4a10d256b0ba1b15041d46c22bd45b445f8ef3f7
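Added example, not part of the commit or of minijail's code: it shows why the SIGSYS disposition has to be reset when relying on SECCOMP_RET_TRAP, since an inherited handler would otherwise absorb the signal and let the process continue. The function `child_fate`, the handler `on_sigsys`, the exit code 99 and the one-syscall policy are constructed for the demonstration.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

static void on_sigsys(int sig) { (void)sig; } /* stand-in for an inherited handler */

/*
 * Fork a child that traps getppid(2) with SECCOMP_RET_TRAP, then calls it.
 * Returns the terminating signal, or the child's exit code (0 = survived,
 * 99 = filter could not be installed), or -1 on fork/wait failure.
 */
int child_fate(int reset_sigsys)
{
	/* Constructed demo policy; a real filter also checks seccomp_data.arch. */
	struct sock_filter insns[] = {
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog prog = { .len = 4, .filter = insns };
	int status;
	pid_t pid = fork();

	if (pid == 0) {
		signal(SIGSYS, on_sigsys);
		if (reset_sigsys)
			signal(SIGSYS, SIG_DFL); /* default action ends the whole process */
		if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
		    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
			_exit(99);
		getppid(); /* filtered syscall: SIGSYS is raised here */
		_exit(0);  /* reached only if a handler absorbed SIGSYS */
	}
	if (pid < 0 || waitpid(pid, &status, 0) != pid)
		return -1;
	return WIFSIGNALED(status) ? WTERMSIG(status) : WEXITSTATUS(status);
}
```

On a kernel with seccomp filter support, `child_fate(1)` reports SIGSYS and `child_fate(0)` reports a normal exit with code 0.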
|
|
That way they can be run on Android Platform Continuous Testing,
which requires gtest for parsing of test output. Also fix some issues
in the tests:
- Use ASSERT instead of EXPECT for pointers that are later
  dereferenced.
- Add a few missing ASSERTs.
syscall_filter_unittest.cpp has no changes from
syscall_filter_unittest.c. Keep parallel targets for now, and once
Chrome OS is updated, remove C targets.
Bug: 30973585
Change-Id: I46a1474afa8850015da927ce8c7d9f8b8ce95b65
|