History log of /external/minijail/libminijail.c
Revision Date Author Comments
866bb3acc5b62235567171dfed9205a5b8c3e039 07-Feb-2017 Chirantan Ekbote <chirantan@google.com> Add a flag to drop access to the session keyring

Now that Chrome OS is moving over to ext4-based directory encryption, the
encryption keys are stored in the session keyring. Applications that don't need
to access the encrypted user data directory don't need access to this keyring.
Add a flag for applications to drop access to the session keyring when they
don't need it.

Bug: crbug.com/682419
TEST=autotest in a later CL

Change-Id: I3cb8f120d9f4891d9a13f7fe342b0388e9975605
Signed-off-by: Chirantan Ekbote <chirantan@google.com>
/external/minijail/libminijail.c
ab9eb44bf4d7f17cbeeed4fb7b64f17e7d039f56 25-Jan-2017 Martin Pelikán <mpel@google.com> allow specifying larger /tmp tmpfs mounts

Extract the size string-parsing and overflow-checking wrapper into util.c.

Test: New unit tests.
Change-Id: I31ba2f1a77217a2f13cda078e5e6a80104fbcd32
Signed-off-by: Martin Pelikán <mpel@google.com>
/external/minijail/libminijail.c
b91d404ee6115dc130b0101b38d875be17c88efb 14-Jan-2017 Mike Frysinger <vapier@google.com> add nosuid/nodev/noexec settings to the /tmp mount

No daemon should be using this space for those things in the first place.

Bug: None
Test: `minijail0 -vt -- /bin/mount` shows /tmp using no* options
Change-Id: I5105243329c74fecc5082b8580958f1949d98c9b
/external/minijail/libminijail.c
3ba81577de768c0f0edfd087858c81168d6fc615 18-Jan-2017 Mike Frysinger <vapier@google.com> name the /proc mount

The current mount code ends up generating a mount point like:
/proc proc ro,nosuid,nodev,noexec,relatime 0 0

This confuses `mount` and users. Give it a standard name of "proc".

Bug: None
Test: `mount` inside of minijail looks sane now
Change-Id: I771a32eea340cfe0a6bc9d21520057e0491de9f4
/external/minijail/libminijail.c
0dce7573d8038618505b718308c359c4ed6fabcf 14-Jan-2017 Mike Frysinger <vapier@google.com> fix mode settings on /tmp mount

Change the mode from 0777 to 1777 so it has the sticky dir bit set.
This is what all temp dirs should have so the kernel enforces sane
behavior across diff uids.

Bug: None
Test: `minijail0 -vt -- /bin/sh -c 'mount; ls -ld /tmp'` shows /tmp using 1777
Change-Id: I96d77a9bda76323993fed8d127f5df865f6477a2
/external/minijail/libminijail.c
eea841ba782ce4c00f54a7331a50e87dfc188782 14-Jan-2017 Mike Frysinger <vapier@google.com> keep error checking style with setgroups logic

The code here all checks != 0, so make the new code do the same.

Bug: None
Test: make check still passes
Change-Id: I94c6032431eea8bc0b017b8d3e1d4f6a6e98506e
/external/minijail/libminijail.c
345431925825928a7b59149a179acfcb4615289f 11-Jan-2017 Jorge Lucangeli Obes <jorgelo@google.com> Clarify, simplify some error messages.

"cannot inherit *and* set or keep supplementary groups" is confusing,
so split the if clause.

"usergroup inheritance without username" is inaccurate, better use
"supplementary groups" terminology.

"can only either inherit, keep or set supplementary groups;"
" tried to do two or more" can be simplified.

Bug: None
Test: Builds, unit tests pass.
Change-Id: Ib805e66dc0ca35043b9a9b73c09bae9d31ad5010
/external/minijail/libminijail.c
6b190c0ff461b707357d5fdab1155e31845c48cb 04-Jan-2017 Mike Frysinger <vapier@google.com> ignore missing /proc/<pid>/setgroups files

When running on older kernels that lack setgroups, the write failure
causes minijail to abort. Short of having every caller detect the
kernel support and selectively calling disable_setgroups, ignore the
write failure directly when it's ENOENT.

Bug: None
Test: running on newer kernels works, as does older kernels

Change-Id: I424cb749fec0f76cc4278a8a7581b168fbe50485
/external/minijail/libminijail.c
13807cb12a9afce34c2ecf664036df6be83f656e 03-Jan-2017 Lutz Justen <ljusten@google.com> minijail: Add ability to keep supplementary gids.

Adds the ability to keep supplementary group ids. If an outer process sets a
saved uid, this allows changing to the saved uid in an inner, minijailed process.
Without this, the inner jail would try to clear supplementary groups
(setgroups(0, NULL)), which may not be allowed due to missing caps.

Bug: 33838120
TEST=Tested using the authpolicy project in Chrome OS

Change-Id: I9e98332324753922a4ac881b46233258067eaeae
/external/minijail/libminijail.c
457a5e333407ea2a0f90d8c6ea85ccf08a3c8083 23-Nov-2016 Jorge Lucangeli Obes <jorgelo@google.com> Improve error messages.

-Include arguments for initgroups(3), setgroups(2), setres{g,u}id(2).
-Add "failed" for setns(2), unshare(2), initgroups(3), setgroups(2),
and setres{g,u}id(2), mount(2), and various prctl(2)'s.
-Use actual flag names for unshare(2) errors. Makes googling/referring
to man pages easier.

And two nits:
-"net_bring_up_loopback" -> "config_net_loopback", shorter, clearer.
-Fix one long line.

Bug: 33264665
Test: Builds on Android and Linux.

Change-Id: Id1bc42186f9d7f0724ff9897f364656f52202e44
/external/minijail/libminijail.c
24499562cbd6def6a7434a409f8684b7ea3e2f67 01-Dec-2016 Jorge Lucangeli Obes <jorgelo@google.com> Call setgroups(2) only once when changing users.

The guard for calling setgroups(0, NULL) was checking j->uid and
j->gid, which are not cleared by minijail_preexec(). This was causing
setgroups(2) to be called twice, once by 'minijail0' and once by the
sandboxed process. The guard should check j->flags.uid and
j->flags.gid, which do get cleared. Note that every other if guard in
this function is checking j->flags.

Bug: 33259997
Test: Add logging, setgroups(2) only gets called once.
Change-Id: I5c6c4ec7fc8778ea7c3f8bcc8aaca1d2514d3447
/external/minijail/libminijail.c
aa235b98fca2408c5f6bc2fbb8495591c8f70a88 23-Nov-2016 Jorge Lucangeli Obes <jorgelo@google.com> Create a new session for the jailed process.

This prevents the jailed process from using the TIOCSTI ioctl to push
characters into the parent process terminal's input buffer, therefore
escaping the jail.

To avoid messing with job control/signals in the non-interactive case
(i.e. when not started from the console), only do this if any of stdin,
stdout, or stderr are TTYs. Note that this bug only really affects
users who use 'minijail0' from the command line, which is not the case
for Android or Chrome OS.

Bug: 33073072
Bug: crbug.com/667493
Test: Use repro case from bug.
Change-Id: I7ab43ee8ba81110253809d98440ae572a01a6260
/external/minijail/libminijail.c
7559dfe9ed16455e03f68d9aa0a5a65747e6a174 16-Nov-2016 Mike Frysinger <vapier@google.com> minijail: bring up loopback interface in new net namespaces

For basic network logic, we need loopback. Bring it up all the time
in new net namespaces since it shouldn't cause a problem otherwise --
it's not like it gets us external network connectivity.

BUG=chromium:665649
TEST=`sudo ./minijail0 -r -v -p -e /sbin/ip a s` shows loopback as up

Change-Id: I7e98f0ca42a2993e8c8e2b1de96df7b68c21e3f0
/external/minijail/libminijail.c
fb449ab7640406a2c9b14a1dfce07361d3497b16 14-Oct-2016 Luis Hector Chavez <lhchavez@google.com> Add a PREUPLOAD.cfg file to enable clang-format

This will save some time on reviews. This also preemptively formats some
stuff so that future developers don't have to fight against it.

Bug: None
Test: pre-upload.py complained when I introduced a badly formatted
change.

Change-Id: I75b38cebc1298e481e62dbc9cea72f39ce33f88f
/external/minijail/libminijail.c
43ff080dede627c40d1e87bfce549fd955c7a117 07-Oct-2016 Luis Hector Chavez <lhchavez@google.com> Add an option to close all open file descriptors

This adds the minijail_close_open_fds() API to close all open file
descriptors (except the pipes that are internally set up to communicate
with the jailed process).

Bug: 32005517
Test: libminijail_unittest
Change-Id: Ia392f14c080716297c5766ad31af983ee6c5ead3
/external/minijail/libminijail.c
713f6fbed8fd14efce499d5d609d24487b2518a4 03-Oct-2016 Jorge Lucangeli Obes <jorgelo@google.com> Use SECCOMP_RET_TRAP when setting thread sync.

SECCOMP_RET_KILL will only kill the offending thread -- it's equivalent
to having the thread call syscall(SYS_exit, SIGSYS). This is explicitly
*not* the same as exit_group(2), so other threads in the thread group
will not be killed.

When setting thread sync, we normally would expect all threads in the
thread group to be killed. To do this, use SECCOMP_RET_TRAP and reset
the signal disposition for SIGSYS to its default value, which is to
abort and dump core (see signal(7)).

There was also a small bug related to seccomp_can_softfail(), where we
were never using seccomp even when it was available.

Bug: 31862018
Test: Manual with multi-threaded program.

Change-Id: I4a10d256b0ba1b15041d46c22bd45b445f8ef3f7
/external/minijail/libminijail.c
200299c81d043606bf1290408251c01d46c51baf 23-Sep-2016 Jorge Lucangeli Obes <jorgelo@google.com> Allow entering a user namespace with a default gid mapping.

https://android-review.googlesource.com/253910 added functionality to
enter a user namespace with a default uid mapping. This CL completes
that with a default gid mapping.

This is useful when using user namespaces to gain root inside a
namespace. Note that setting the gid map as a non-root user requires
disabling the setgroups(2) system call by writing "deny" to
/proc/[pid]/setgroups.

Eventually we might expose disabling setgroups(2) as a command-line
option, but there's no need to do it now.

Bug: 30691131
Test: Using minijail0:
$ ./minijail0 -m /usr/bin/id
uid=0(root) gid=65534(nogroup) groups=0(root),65534(nogroup)
$ ./minijail0 -m -M /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

Change-Id: I8f91bc43516a47df7bbf12a121cf658e89861aa0
/external/minijail/libminijail.c
13650616ba6faa3ad84c69816e80a2f65bce6331 02-Sep-2016 Jorge Lucangeli Obes <jorgelo@google.com> Add support for SECCOMP_FILTER_FLAG_TSYNC.

This allows synchronizing all threads in a thread group to the same
seccomp filter tree.

Some processes only receive control over their execution after
threads have already been created in their thread group. This happens
for example with apps forked from the Android zygote.

Thread sync (TSYNC) allows these processes to safely apply seccomp
filters to all threads in their thread group, therefore preventing
a thread running with seccomp filters from being able to circumvent
the filter by exploiting an unconfined thread in the same thread
group.

Bug: 31267783
Test: Manual, with multithreaded program calling libminijail.

Change-Id: I902428abf2e4d7fb3e2200ebfe9d5e640a1b10e0
/external/minijail/libminijail.c
4d4b3beea97e84dfd0f22ed08a651fed744855cb 16-Aug-2016 Jorge Lucangeli Obes <jorgelo@google.com> Add a function to load seccomp filters from a file descriptor.

This allows for easier unit testing, since we don't need to rely on
data files. It will also allow using Minijail for seccomp testing in
CTS.

Refactor seccomp filter parsing in libminijail.c to avoid
duplicating code.

Bug: 25949727

Change-Id: Iff21591cecc1783d141df912dafbe341ac83ed50
/external/minijail/libminijail.c
937ae7af62f114fbaf05578f5c4538b433aa6c2e 11-Aug-2016 Treehugger Robot <treehugger-gerrit@google.com> Merge "Fix return value check of write_pid_to_path"
db6dab46427d5c35ee2221761bed47963c492f13 11-Aug-2016 Keshav Santhanam <ksanthanam@google.com> Fix return value check of write_pid_to_path

The write_pid_to_path function returns 0 on
success, but the calling function expected a
0 on failure.

BUG=none
TEST=Deploy minijail to CrOS

Change-Id: I91a4c32f05c2237f543d100219375227a3ab0539
/external/minijail/libminijail.c
963eeec8a493d91fce953cce3ce9e2263b042c79 10-Aug-2016 Jorge Lucangeli Obes <jorgelo@google.com> Rename the init process inside PID namespaces.

Rename the init process that Minijail launches inside PID namespaces.
This makes it easier to identify things when looking at 'ps' output.

Bug: 30789126
Change-Id: Iffe3ea1fc2ecb66b1bae96912e2664913ca00d75
/external/minijail/libminijail.c
f205fff68bffedf32f05fa9637c7d53e2f4e3e72 06-Aug-2016 Jorge Lucangeli Obes <jorgelo@google.com> Kill the child process before dying.

We kill the child process if we fail to send the Minijail
configuration over, but we were not killing the child process when
failing to write a pid file, failing to set up cgroups, or failing
to set up uid/gid maps. Kill the child in those cases too.

Use this opportunity to refactor libminijail.c a bit more, extracting
common functions that don't require knowledge of struct minijail to
util.c.

Bug: 30708487

Change-Id: Ie22be97093c4f53e5a57585bfe88ae7b55567fbd
/external/minijail/libminijail.c
ab6fa6f4befef62684ca6a7f06d04f5193be595b 04-Aug-2016 Jorge Lucangeli Obes <jorgelo@google.com> Allow entering a user namespace with a default mapping.

Map the current uid as root inside the namespace. This is useful
to run Minijail as a non-root user.

Also refactor uid/gid map functions to remove duplicate code.

Bug: 30691131

Change-Id: Ideef616c8c13bcbacb14b826fa2fc064701a6f69
/external/minijail/libminijail.c
565e978e80d693c077ec71caf45f6e06636a1a11 05-Aug-2016 Jorge Lucangeli Obes <jorgelo@google.com> Fix soft-fail on Android.

Broken by https://android-review.googlesource.com/253830, which moved
the code, but not the required defines.

Fix by removing the unnecessary #ifdef USE.../#define SECCOMP... and
using USE_SECCOMP_SOFTFAIL directly in seccomp_can_softfail().

Also adjust some formatting.

Bug: 30693739

Change-Id: I5cd5a70b0e2efd30097522b002806cd744f24256
/external/minijail/libminijail.c
d90609947fe36526b869633699e6c0a22b3e14c5 04-Aug-2016 Treehugger Robot <treehugger-gerrit@google.com> Merge "Move code away from libminijail.c."
7b2e29c72c117c7fc80c2790e1015cee4882f7a2 04-Aug-2016 Jorge Lucangeli Obes <jorgelo@google.com> Move code away from libminijail.c.

The file has over 2000 lines. Move code to other files as it makes
sense.

Bug: 30662698
Change-Id: Iad3c4a5b2327a4c6956a837a08eb880c7edd7b03
/external/minijail/libminijail.c
3b2e6e495cf91ae3645000e71653369383997ef5 04-Aug-2016 Jorge Lucangeli Obes <jorgelo@google.com> Free all strings in minijail_destroy().

We're leaking memory.

Test: libminijail_unittest.

Bug: 30662596
Change-Id: Ic72275c8294f3ef06061069a64d46a5ed7d45e9e
/external/minijail/libminijail.c
db0bc67ee176f4c897c46974b6c5c36d60ddb39f 03-Aug-2016 Jorge Lucangeli Obes <jorgelo@google.com> Use clang-format on more files.

Also fix some TODO comments.

Bug: None
Change-Id: Ia075ec1ccda16dbf388a1c4f37c4f0241892c4f6
/external/minijail/libminijail.c
a205390245c35360b4010286b9cb1a85b8b39fa5 02-Aug-2016 Jorge Lucangeli Obes <jorgelo@google.com> Allow dropping all caps but keeping root on static binaries.

Bug: 30259228
Change-Id: I366d06c5ea1ba5def43255bf3c99fdaea16b96df
/external/minijail/libminijail.c
eec779603107e9778f015a4dfc4832e54f0b4c71 01-Jul-2016 Dylan Reid <dgreid@chromium.org> Create mount destinations if they don't exist.

This moves code from libcontainer to libminijail so that mounts made in
the container don't have to exist beforehand.
This feature is useful when creating a tmpfs mount and bind mounting
a file into that tmpfs, as in the test example.

BUG=none
TEST=minijail0 -m "0 1000 1" -M "0 1000 1" -v -C / \
-k tmpfs,/tmp/asdf,tmpfs -b /dev/null,/tmp/asdf/null,1 /bin/bash
Also added test case to security_Minijail0

Change-Id: Ie2601ee24f5fa9440f26ebc31c4640ada5a3ef12
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
81e2397c51787ed8682b08e9c732f53cc668401f 18-May-2016 Dylan Reid <dgreid@chromium.org> Allow mount data to be specified

Add an API, minijail_mount_with_data, that allows the mount data string
to be set. This is needed for some mounts when entering a user
namespace and specifying uid=, gid=, or similar mount options.

BUG=b/27273730
TEST=mount proc with hidepid=2, check mount output to confirm.
security_Minijail0 test case added.

Change-Id: Ieb48cc10ad4f6ed9968a89189392eb3cfb13af39
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
4cbc2a522e1bc88424905bee32199af1c0fdbd20 18-Jun-2016 Dylan Reid <dgreid@chromium.org> Add ability to enter a cgroup namespace

The cgroup namespacing feature was recently added to the Linux kernel.
Allow jailed processes to be placed into a new cgroup namespace. This
avoids leaking host info into the jailed process and allows for the
jailed process to use cgroups as it would if it was running outside of
any namespaces. Android needs this so its cgroup setting CTS tests can
pass and it can distribute its cpu shares between background and
foreground apps.

CQ-DEPEND=CL:356201
BUG=b/29259708
TEST=minijail0 -m '0 1000 100' -M '0 1000 100' -N /bin/bash
check that the cgroup namespace is different
check that a newly mounted cgroup FS is rooted at the parent's cgroup

Change-Id: I3aead23ec8273eae90184337c040054becf4f12b
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
df7fab1a0e0ca2c02ec366ba1f530bc8db7c8688 02-Jun-2016 Jorge Lucangeli Obes <jorgelo@google.com> Add logging message when using user namespaces and mount namespaces.

Also fix a comment that was > 80 cols.

Bug: 28714771
Change-Id: I6c9f2f409bbbd499b9a6efb12b50a57861d6c871
/external/minijail/libminijail.c
7a569073b95af7532892dc726c2f33cd40edfb57 23-Apr-2016 Arthur Gautier <superbaloo@gmail.com> Avoid warning about BSD_SOURCE on glibc >= 2.20

Commit id c941736c92fa3a319221f65f6755659b2a5e0a20
removed support for _BSD_SOURCE in favor of _DEFAULT_SOURCE.
This commit introduces support for glibc >= 2.20.

_BSD_SOURCE is not ignored, glibc just emits a warning and then
defines _DEFAULT_SOURCE itself. The warning fails the build
because of -Werror.

Change-Id: I9a72ef419678ab1b76174c9481550af8954c2be4
See: https://sourceware.org/git/?p=glibc.git;a=commit;f=include/features.h;h=c941736c92fa3a319221f65f6755659b2a5e0a20
See: https://sourceware.org/git/?p=glibc.git;a=commit;f=include/features.h;h=ade40b10ff5fa59a318cf55b9d8414b758e8df78
Signed-off-by: Arthur Gautier <superbaloo@gmail.com>
/external/minijail/libminijail.c
2413f3713ae8a306a23550e2eecd59f380f34eae 07-Apr-2016 Jorge Lucangeli Obes <jorgelo@google.com> Skip setting seccomp filter when running with ASan.

Also add an example build target for an ASan-ified libminijail (useful
for debugging).

Bug: 28052772

Change-Id: Ib36a0303d635becaa8802dee56d486f11060ea47
/external/minijail/libminijail.c
f783b5273d66d19a78705276a38ae68ef2e3e165 14-Mar-2016 Jorge Lucangeli Obes <jorgelo@google.com> Fix use of SECURE_ALL_BITS/SECURE_ALL_LOCKS.

Kernels 4.3+ define a new securebit (SECURE_NO_CAP_AMBIENT_RAISE),
so using the SECURE_ALL_BITS and SECURE_ALL_LOCKS masks from newer
kernel headers will return EPERM on older kernels. Detect this, and
retry with the right mask for older (2.6.26-4.2) kernels.

Also add a compile-time assert to make sure we identify these changes
sooner going forward.

Bug: 27632733

Change-Id: I6cf9c56fec222347575bd0d1147287aac6572e67
/external/minijail/libminijail.c
6b0de9b30aec11d4736557bd7fde0c36ea238ada 17-Mar-2016 Jorge Lucangeli Obes <jorgelo@google.com> Fix typo in error message.

I did not notice "unmount(2)" -- the syscall is "umount".

While in there, reword the comment to make it clearer.

Bug: None
Change-Id: I789a5a2c42a4973e8d90e3b61714fc84bd558df6
/external/minijail/libminijail.c
097b719fafb1add8a1fd60bf6d230816810dd7fa 16-Mar-2016 Hidehiko Abe <hidehiko@google.com> Remove mount points from peer group just before oldroot unmount.

With -K (skip_private_remount) option, there could
be shared mount points under the oldroot.
So, unmounting oldroot triggers unmounting mount
points under the shared mount points, which will be
propagated to the original namespace and corresponding
mount points will be unmounted in those namespaces,
too.
To prevent such unexpected unmounting, this CL removes
mount points being unmounted from peer groups.

Bug: 27689605
TEST=Set up mount points; \
minijail0 -v -K -b /bin,/bin -P $CONTAINER -- \
/bin/true; \
Make sure shared mount points are untouched in \
the original namespace.

Change-Id: I3dbf7de2a63382c084e4d7e4c2675cc2a6f73c77
/external/minijail/libminijail.c
87bf01da8a4f60cd9064ad3b5c34200b2211152a 08-Mar-2016 Jorge Lucangeli Obes <jorgelo@google.com> Re-organize flags in 'minijail_preexec'.

This matches the order in 'minijail_preenter'.

Bug: 27304928
Change-Id: I99b421cb19ddf45f73f47748f81e1a09f8e40c48
/external/minijail/libminijail.c
3da4031a852b9dcfd35b48bc700ad7ae55baa1bc 07-Mar-2016 Shuhei Takahashi <nya@google.com> Make -K work for dynamically-linked binary.

Bug: None
TEST=strace -f minijail0 -v -K /bin/true |& grep mount

Change-Id: I96ec04c6acefa909a83f374d7db44ae78393a17c
/external/minijail/libminijail.c
a521bee6c8c014aa19cbfea0b365ba984277aa27 03-Mar-2016 Jorge Lucangeli Obes <jorgelo@google.com> Add an option to skip remounting / as MS_PRIVATE.

Also update the minijail0.1 file.

Bug: 27304928

Change-Id: Id5c03fef3c7906e6fe53bad130d74c895f03f730
/external/minijail/libminijail.c
bce609d2455ca98c0f3c75fd2a791b522d1b41e4 03-Mar-2016 Ricky Zhou <rickyz@google.com> Do not leak outside root dir fd into the child.

Also adds O_CLOEXEC to all open calls to be on the safe side. In the
future, we should look into doing some sanity checks before execve like
Chromium's sandbox does:
https://code.google.com/p/chromium/codesearch#chromium/src/sandbox/linux/services/credentials.cc&l=320

If we want to further prevent people from shooting themselves in the
foot, we could also check that no fds are open, except for duping
/dev/null over 0, 1, and 2.

TEST=Built and tested that an fd to / is not leaked.

Bug: None
Change-Id: I41993a6aec9ce48bd34d191c3949f313ba80ca73
/external/minijail/libminijail.c
7ea269e060ec85eaf94ccf95033a6a6857fcff4e 27-Feb-2016 Jorge Lucangeli Obes <jorgelo@google.com> Don't call cap_get_proc(3) unconditionally.

cap_get_proc(3) uses the capget(2) system call. Don't call
cap_get_proc(3) if |flags.use_caps| is not set, to avoid
having the program call a capability-related syscall even
when capabilities are not being used.

Bug: 27366428

Change-Id: Ifb797bc5f1a43adf4f9fa2fff3ef7d6f4bd9c958
/external/minijail/libminijail.c
d8c82052209904fba2b8b8cc46d15abd465a96f3 26-Feb-2016 Jorge Lucangeli Obes <jorgelo@google.com> Always call 'drop_caps'.

This follows the model used by 'drop_ugid' and 'set_seccomp_filter',
and allows for the section of code where these functions are used to
be significantly more legible.

Bug: 27366428
Change-Id: I72618340df65da20deca572ea8ff43a795423433
/external/minijail/libminijail.c
f9fcdbe67360c30a41b70c2f1271c0767eb073c9 20-Feb-2016 Jorge Lucangeli Obes <jorgelo@google.com> Add support for dropping capabilities from the bounding set.

Android daemons such as adbd need to drop capabilities from their
bounding sets (to prevent processes they launch from gaining privileges
through file capabilities), but not from their runtime
(permitted|inheritable|effective) sets. Add support for this and rename
some capability-related code to make things clearer.

While in there, fix a comment in the Android makefile.

Bug: 27274137
Change-Id: I7cab7e3302bb34cd7859b9621906391104bf6b4e
/external/minijail/libminijail.c
6c755d2e50ac66fff04148386c29fb851122422f 29-Jan-2016 Jorge Lucangeli Obes <jorgelo@google.com> Don't die() on bind mounts.

By the time we get to the removed lines, |mounts_head| will be valid
in the parent (Minijail) process, but |flags.chroot| and
|flags.pivot_root| will have been cleared by minijail_preexec().
The removed lines were then incorrectly aborting the process too early.

The flags *will* be set in the minijail struct used by the
child (jailed) process, so the bind mounts will happen correctly.

A follow-up CL will make sure |mounts_head| is never valid when
both flags are cleared, so that we can correctly check for this.

While in there, fix a comment and an info() message.

security_Minijail0 now passes.

Bug: 25368607
Change-Id: I5ac85ee62560ba8957bdab3fc84689ed06d106f0
/external/minijail/libminijail.c
2b12ba490431f312099163c476d30fb39e9428d7 26-Jan-2016 Jorge Lucangeli Obes <jorgelo@google.com> Print an error when attempting to use bind mounts without chroot.

Bind mounts should be used with chroot or pivot_root. Print an error
and exit when that's not the case.

Clean up some comments and error messages while in there.

Bug: 26784268
Change-Id: I4e384a989e1aef5b2989c4f17e047a9ac7cadbc8
/external/minijail/libminijail.c
b8a5138a451e183debbce56f3fa031e1880ff901 26-Jan-2016 Jorge Lucangeli Obes <jorgelo@google.com> Add 'cgroups' flag.

Cgroups ended up being the only feature that doesn't have a flag.
Fix that, and fix some comments while we're there.

Bug: 26782393
Change-Id: I83e56b6d7fb4a5668ffecc2b597902ee663fdab6
/external/minijail/libminijail.c
605ce7f5ccda3597305f7ca8e21ba16e254cf96c 20-Jan-2016 Dylan Reid <dgreid@chromium.org> Add ability to put jailed process in cgroups

This adds an API that allows the jailed process to be added to a given
cgroup. This API can be called repeatedly to add the process to many
cgroups. The process will be added after fork but before it is exec'd.

BUG=b/26549867
TEST=set cgroups and inspect that pid is in tasks file

Change-Id: I87a9897c1dc741c726873e872eeae32692088979
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
ce5b55eb48f276951b6c4d1bbfc667240c1e8f2f 13-Jan-2016 Dylan Reid <dgreid@chromium.org> Separate child process sync from user namespace

Syncing the child and parent was only done so that the uid/gid maps
could be set up. Make this more general so that the next commit can add setting
of cgroups, which also wants to happen after the child forks but before the
jailed process is run, similar to uid/gid map setting.

BUG=b/26549867
TEST=security_Minijail0

Change-Id: I81d512f351cfe459cd7af4c55263504d22b929fa
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
272e3ab72da543c3ed3cb1cf312e45796b149d19 13-Jan-2016 Jorge Lucangeli Obes <jorgelo@google.com> Fix Minijail build.

Remove 'static' qualifier from helper functions to fix the build.

Bug: None
Change-Id: I03cf18a415961ee6a32f05262b2925f6e5a8a8e5
/external/minijail/libminijail.c
c31391e80af7fbdb7fe06ac9bb99a85cb7542be0 13-Jan-2016 Jeffrey Vander Stoep <jeffv@google.com> Merge "softfail on older kernels that lack seccomp support"
2885befc0941a8283846b83ef111dce6dd880159 12-Jan-2016 Jeff Vander Stoep <jeffv@google.com> softfail on older kernels that lack seccomp support

Attempt to set up a seccomp filter. If seccomp is not supported
on an Android device and the kernel version is < 3.8, fail softly,
i.e. allow the process to run without seccomp protections.

Bug: 26435980
Change-Id: Ied6ac053908b6b0b81ba822621b1969bdedce4af
/external/minijail/libminijail.c
bc67f44aa22f8f31c3386409e6f3fd0fdcbcffbe 08-Jan-2016 Jorge Lucangeli Obes <jorgelo@google.com> Make set_supplementary_gids return 'void'.

After https://android-review.googlesource.com/#/c/195351 lands,
no callers expect this function to return a result. Change the
signature to avoid errors.

Bug: 26099611
Change-Id: Id9c80350a0ce1f80ce5b5691117e68e37dd6c10e
/external/minijail/libminijail.c
fd5fc562f3c609d13b80b6b93c381a3ba8dc92b0 08-Jan-2016 Jorge Lucangeli Obes <jorgelo@google.com> Make set_supplementary_gids abort on memory errors.

Consumers of this API usually cannot continue if this function fails,
since not adding supplementary groups would prevent the caller from
accessing resources. Simplify callers by aborting instead of returning
an error.

This will also prevent callers from forgetting to check the return
value of the function and not actually setting supplementary groups
when they expected to.

Once the callers are updated, we can change this function to return
void.

Bug: 26099611
Change-Id: Ib470e913d734ab4eac01b2aef3cdd4922d98e15a
/external/minijail/libminijail.c
4b276a6c643cee568b9b623b1ce00fd41db9e8b9 07-Jan-2016 Jorge Lucangeli Obes <jorgelo@google.com> Use prctl(PR_CAPBSET_READ) to get the last valid cap on Android.

Not all Android processes will have access to '/proc/sys/kernel/cap_last_cap',
so use prctl() to get the last valid cap on Android.

Bug: 26217031
Change-Id: I7dffc8facca30a2e32c5c310c383e82a07b0519e
/external/minijail/libminijail.c
2860c4693ea5f40b44e4b2eb2f0b6970ffcd7f27 17-Dec-2015 Peter Qiu <zqiu@google.com> Add support for resetting signal masks

By default, a child process will inherit signal masks (blocked signals)
from its parent process. Once a signal is blocked, the child process
will not be able to receive notifications for that signal.

Some parent processes (such as system daemons implemented using
brillo::Daemon) will block signals such as SIGTERM and SIGINT, so that
they can use signalfd to monitor those signals instead. In this case,
the child process will not be able to receive notification for these
signals.

To fix it, allow the caller to specify a flag to indicate whether the child
process should reset the signal mask or not.

Bug: None
BUG=chrome-os-partner:47785
TEST=Manual test

Change-Id: I7d32c50e67af0dadbfeca8316f85b9a542e952c0
/external/minijail/libminijail.c
de02a5ba3578e0c3fb1d664d7109cd61e3d30e4c 12-Dec-2015 Jorge Lucangeli Obes <jorgelo@google.com> Fix marshaling for supplementary gid list.

We were not marshaling the supplementary gid list at all.
While in there, make unmarshaling seccomp filters more robust.

Bug: 25870500
Change-Id: I8b7d832ae62eaa3d859863b3fdd7f9772732239f
/external/minijail/libminijail.c
43e29b3551479dd6d989b830eacd1abbd83592cc 09-Dec-2015 Jorge Lucangeli Obes <jorgelo@google.com> Add libminijail static library target.

This will be used for statically-linked binaries on Android.

Also, fix the call to get_last_valid_cap() to only happen when we're
dropping capabilities.

Bug: 26099386
Change-Id: I741390b6b356592ec9bdfe54b04d23feab5702aa
/external/minijail/libminijail.c
06940beabdb45d34cfaf9880eb8e793122c10abd 05-Dec-2015 Jorge Lucangeli Obes <jorgelo@google.com> Fix C99 declaration.

Bug: 26040155
Change-Id: I5779d447d0c4917b30093a435db680fe3f66c8b3
/external/minijail/libminijail.c
cac4fa70f4570bdac3c11196e1dc98bfdc68ef40 05-Dec-2015 Jorge Lucangeli Obes <jorgelo@google.com> Merge "Free 'suppl_gid_list'."
43a6a864491b6209192936d66d6a2e50e66deee2 04-Dec-2015 Jorge Lucangeli Obes <jorgelo@google.com> Fix some long lines.

Bug: None
Change-Id: I2364bf07991b2a5be23502cd011a6cc8d35471d6
/external/minijail/libminijail.c
e81a52f36e9d283ba162180136eb5ac81f37440c 05-Dec-2015 Jorge Lucangeli Obes <jorgelo@google.com> Free 'suppl_gid_list'.

Bug: 25870500

Change-Id: I20e4c87d303d6b2fb11b00b43c88536a6244fe18
/external/minijail/libminijail.c
f7a3868cc0f6fc8de945e4f9e9e6fcae5bf1e645 05-Dec-2015 Jorge Lucangeli Obes <jorgelo@google.com> Fix indentation.

Change-Id: Ibd7a20bd3e943b13499b084eefa7ec66bef66bb6
/external/minijail/libminijail.c
d16ac49c9866b94ea74dcdaff2a7ebc9d05246dc 03-Dec-2015 Jorge Lucangeli Obes <jorgelo@google.com> Allow setting supplementary GIDs directly.

This is used on Android where initgroups(3) is not applicable.

Bug: 25870500
Change-Id: I6bdf3342ac8bfc532d33bd0446af2801d1108461
/external/minijail/libminijail.c
c2ba9f5bf14b1e126efbf6c221dce2a93a01bc3a 01-Dec-2015 Jorge Lucangeli Obes <jorgelo@google.com> Use size_t for size-related variables.

Bug: 25870500
Change-Id: I42584ccd45c7c9390d9b5656831f4ba94ff27a4d
/external/minijail/libminijail.c
d0a6e2fd0748110336fc6b28bb6fbf0bdfe1ddfa 24-Nov-2015 Jorge Lucangeli Obes <jorgelo@google.com> Remove unused Minijail flag and make multi-line comments consistent.

Bug: 25870500

Change-Id: Ic9306659ab2ae91c45a3062f08964ec8c0c15320
/external/minijail/libminijail.c
f794247e0413fe36759a2bdcaa5bdd75cf3163a2 19-Nov-2015 Dylan Reid <dgreid@chromium.org> minijail: Add option to enter a new IPC namespace

Export this feature through the '-l' option to minijail0.

TEST=run minijail0 with the -l option, check that the executed program
is in a different ipc namespace with /proc/self/ns/ipc.
BUG=b/25770648

Change-Id: Ia8f72cc59160fc736c8a58cb68d9894f9c92281c
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
eac2894b0b59ba1e33c3f173c00c26bdb0268afb 12-Nov-2015 Andrew Bresticker <abrestic@chromium.org> minijail: Support setting syscall table with PR_ALT_SYSCALL

Add support for setting the syscall table for a jailed process using
prctl(PR_ALT_SYSCALL). This adds the option '-a <table>' which
changes the jailed process's syscall table to the alt_syscall
table named <table>. alt_syscall tables must be registered in the
kernel (see crosreview.com/312137 for an example of how this is done).

Bug: 25649436
TEST=Create a test blacklist that blocks write(2) and observe that
'minijail0 -a test -- /bin/echo hello' prints nothing to stdout.

Change-Id: Idddafa1d0b81483a594e05d9d3390d4f9ad849c6
Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
/external/minijail/libminijail.c
648b220346aaee74ffbab35be6129bdfa5aca3a5 23-Oct-2015 Dylan Reid <dgreid@chromium.org> minijail: Add ability to specify mounts

In addition to bind mounts, allow other mounts to be specified when
running minijail. Expose this as a -k option to minijail0.

This will allow for file systems such as proc, sysfs, and devpts to be
mounted before taking away the permission to mount from the target
program.

For example "-k sysfs,/sys,sysfs,0xe" will mount /sys in the new vfs
namespace.

BUG=b/24976046
TEST=Mount sysfs, run a shell, check that sysfs is mounted.

Change-Id: I9862e42e00ce76b1fab9cbac59c381f5270470ce
Signed-off-by: Dylan Reid <dgreid@google.com>
/external/minijail/libminijail.c
6c7a45812a3fbd590a85bcc7fea84c614a851288 30-Oct-2015 Dylan Reid <dgreid@chromium.org> minijail: Remove has_bind_mounts API

This was added for minijail0 and minijail0 no longer uses it. It hasn't
had any users added in the week or so it's been merged, so remove it.

Change-Id: I1893b47fa2bd543718c98bb3bfcf23ed67566a01
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
a14e08dad428aaa934687e3636a84ca7a9711de2 23-Oct-2015 Dylan Reid <dgreid@chromium.org> minijail: Allow static binaries in a bind mount to run

A previous commit placed a restriction on running static binaries and
using bind mounts. Remove that restriction by checking if the binary
path is in a bind mount and rebasing the path on to the bind mount
source path so that the executable can be accessed from outside the
chroot. This is needed so bind mounts can be specified when running a
statically linked init program for Android.

BUG=b/25192613
TEST=security_Minijail0, run a static init with bind mounts.

Change-Id: I801909df67c1bf18d48efcfd54c11aafe4c75e54
Signed-off-by: Dylan Reid <dgreid@google.com>
/external/minijail/libminijail.c
2034274edb55cf3717ca7fa49f614e69b0dc59c6 27-Oct-2015 Jorge Lucangeli Obes <jorgelo@google.com> Remove warning suppressions.

Bug: None
Change-Id: Ie0a2a3f5c5817b3db3e8613da1ef4d1cc3505048
/external/minijail/libminijail.c
1102f5a58d539ed72defe40fcc1078840d1b3778 15-Sep-2015 Dylan Reid <dgreid@chromium.org> minijail: Support entering an existing net namespace.

When launching a full OS as the jailed process, it is useful to first be
able to configure a network namespace and start the new process in that
namespace.

This adds the "-e<net namespace file>" optional argument to -e. It
allows, for example, passing "-e/var/run/netns/newns" to minijail0.

Change-Id: I0613162072a1d14f10c58444c514f6d052c3d1e5
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
360f3293dd53ed8ff4ded07587fb33002bc2b235 19-Oct-2015 Samuel Tan <samueltan@google.com> Merge "minijail: remove minijail_run_pid_pipe()"
383e91a4ac0c12d469538b4ab294e3f215f113f0 19-Oct-2015 Samuel Tan <samueltan@google.com> Merge "minijail: add minijail_run_pid_pipes_no_preload() API function"
63adc1ffaeeeb98d33522f5e2f68469a3e93b90f 17-Oct-2015 Samuel Tan <samueltan@google.com> minijail: remove minijail_run_pid_pipe()

Since all calls of minijail_run_pid_pipe() have been replaced
by calls to minijail_run_pid_pipes(), remove the former
function as it is unused.

BUG: 24577038
Change-Id: I561fe4ab3ad7a78b05c67b1e1b56e761320603a2
/external/minijail/libminijail.c
63187f4d4d5748ee548d475b636d904915ed70ca 16-Oct-2015 Samuel Tan <samueltan@google.com> minijail: add minijail_run_pid_pipes_no_preload() API function

Add minijail_run_pid_pipes_no_preload() to the minijail API.
This method is equivalent to minijail_run_pid_pipes(), except
that LD_PRELOAD is not used. This function needs to be called
on Android.

BUG: 24577038
TEST: unit tests pass.
TEST: manual test on minijail'd binary passes.
Change-Id: I8067eee689c407501b18324fc378121ef28422fe
/external/minijail/libminijail.c
f682d47fc474d05fd78260faeb7863d4ded5153f 18-Sep-2015 Dylan Reid <dgreid@chromium.org> minijail: Read the last valid cap value earlier.

The maximum valid capability of the kernel is read from /proc.
However since the ability to change mount namespaces and pivot root were
added, /proc might not be available when running drop_caps. To allow
capabilities to be dropped even if entering a new mount namespace, cache
the last valid cap earlier and pass it to drop_caps.

Change-Id: I7adc017f0cdaa242d9348495815bbb4e70a74463
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
efb697a502dea78f25b56121954683cd3229a6d3 13-Oct-2015 Jorge Lucangeli Obes <jorgelo@google.com> Merge "Make Minijail work correctly with shared mounts."
805be39fcbce5eb1c827d8a9d59d0aa3748a1fd8 13-Oct-2015 Jorge Lucangeli Obes <jorgelo@google.com> Make Minijail work correctly with shared mounts.

This fixes some problems that appear when the system is booted with systemd.
Systemd sets all mounts to shared. This means that when minijail0 creates a
mount namespace, new mounts will propagate out of that namespace.

This change fixes that by setting all mounts to private right after
creating the new namespace.
Also, when remounting /proc it unmounts it lazily, as a normal umount()
may fail when shared mounts are enabled.

More information about shared mounts:
https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt

(Original patch by Andrey Ulanov <andreyu@google.com> at
https://chromium-review.googlesource.com/303158)

Change-Id: I0ff5851dba32524bd6c4ad663b67826fb9be0485
/external/minijail/libminijail.c
46a550989f7b2c934dfdf43ef28e9018ad60bd31 13-Oct-2015 Jorge Lucangeli Obes <jorgelo@google.com> Call chdir("/") after chroot in pivot_root.

This change adds a chdir after chroot to avoid chroot breakouts.

BUG=chromium:517844
TEST=getcwd() returns "/" instead of "(unreachable)/.../root"

(Original patch by Luis Hector Chavez <lhchavez@google.com> at
https://chromium-review.googlesource.com/#/c/304362/)

Change-Id: If78f357636bcc1a3bfa71f377fef2ccc05b6dc0f
/external/minijail/libminijail.c
08946cc5dff65d4103268752f8fb2655119a826a 17-Sep-2015 Dylan Reid <dgreid@chromium.org> minijail: Check correct executable file

When the chroot and pivot_root options are used the path to the binary
to put in jail is given relative to the new root. However the checks
for the program existing and how it is linked were still done relative
to the original rootfs. This "worked" as long as there was a similar file
outside of the chroot. Add the ability to get the full path of the
program from libminijail and use that path to check the file.

This allows chrooting to a system that has init in / instead of /sbin.

Don't try to check the binary if there are bind mounts specified. This
avoids having to parse the mounts and check if the binary is in a bind
mounted path.

Change-Id: I2e3af14f5e8fd478963bcb56a3a6ae5908e78524
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/300320
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
5471450610e34f115c4816d5e0e0f4da02def802 30-Sep-2015 Jorge Lucangeli Obes <jorgelo@google.com> minijail: Refactor dynamic and static code paths.

This CL uses the same code path for both dynamic and static binaries.
This way we avoid duplicating code, or forgetting to add functionality
to either of the paths.

BUG=chromium:537667
TEST=security_Minijail0 passes.

Change-Id: Ia484180a041dad3c302c3c8ce8bfd5b41d758ccb
Reviewed-on: https://chromium-review.googlesource.com/303380
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
/external/minijail/libminijail.c
791f577a32e80c819c01c1866c355aa74e833462 15-Sep-2015 Dylan Reid <dgreid@chromium.org> minijail: Don't unmount proc if not mounted

When switching into a new mount and a new pid namespace, as well as
doing pivot_root, proc won't be mounted so leave it alone and let the
new init process handle mounting it. Rename the readonly flag to
remount_proc_ro which better reflects its meaning.

This will aid in starting complete, containerized systems with minijail.

Change-Id: Ice8f6d835b6417383c0cfb901ac737c3440dce55
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/300154
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
e0a530ea900551cd3e1e2b5ee91c0f5ceae8248b 08-Sep-2015 Yu-Hsi Chiang <yuhsi@google.com> minijail: use new_root as put_old in pivot_root(2)

Instead of creating a temp directory '.minijail_pivot' for put_old, reuse
the new_root as put_old. By doing this, we can use pivot_root even if we
don't have write permissions in that directory. Since the old root is
mounted over the new root, keep fds of both old and new root so that we
can use 'fchdir' to move between them.
The idea comes from lxc.
https://github.com/lxc/lxc/commit/2d489f9e87fa0cccd8a1762680a43eeff2fe1b6e

BUG=chromium:517844
TEST=security_Minijail0 passes

Change-Id: Ie446ad1d2557239c17b1a876a73459eca6d2d2ed
Reviewed-on: https://chromium-review.googlesource.com/297867
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
64d65a79d48186e1db532d227bc20123bf0d16cf 13-Aug-2015 Yu-Hsi Chiang <yuhsi@google.com> minijail: Support pivot_root

Add an option that allows the user to use pivot_root(2) when one wants to
jail a process in a chrooted environment. This implies entering a new
mount namespace since pivot_root(2) will really move the root
filesystem.

BUG=chromium:517844
TEST=security_Minijail0 passes

Change-Id: Ie990670703b00e333fa4abc3804d6384d36fa7c9
Reviewed-on: https://chromium-review.googlesource.com/293128
Commit-Ready: Yu-hsi Chiang <yuhsi@google.com>
Tested-by: Yu-hsi Chiang <yuhsi@google.com>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
1912c5b5e88455e0a0c03fd375d232a498edd95d 31-Aug-2015 Yu-Hsi Chiang <yuhsi@google.com> minijail: Support multiple range uid/gid mappings.

Now minijail accepts multiple ranges of contiguous uid/gid mappings that
are separated by commas. The commas are replaced by newlines before
writing to map files.

BUG=chromium:517387
TEST=security_Minijail0 pass

Change-Id: I27d45480010b38e71b80837cc2299f180d77c4a1
Reviewed-on: https://chromium-review.googlesource.com/296270
Commit-Ready: Yu-hsi Chiang <yuhsi@google.com>
Tested-by: Yu-hsi Chiang <yuhsi@google.com>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
3cc05eab4d956e9bb919ebe7a2166c987ba1d5bf 11-Aug-2015 Yu-Hsi Chiang <yuhsi@google.com> minijail: Support writing child pid to file

BUG=chromium:519154
TEST=security_Minijail0 passes

Change-Id: Icedff5d86ef0c3dbf2933e763b0858cb79e5b08f
Reviewed-on: https://chromium-review.googlesource.com/292342
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Nicolas Boichat <drinkcat@chromium.org>
Trybot-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Yu-hsi Chiang <yuhsi@google.com>
/external/minijail/libminijail.c
10e91239e3cff46a10dfbe0d0960926d9ab19c57 05-Aug-2015 Yu-Hsi Chiang <yuhsi@google.com> minijail: add user namespace support

Since most of the operations can be done if we have |euid = 0| in the
new user namespace, we enter a new user namespace and become root
immediately after fork()/clone().
It is incompatible with -b and <writable> set to 0, since we are not
able to remount bind mounts as readonly in a user namespace.

BUG=chromium:517387
TEST=security_Minijail0 pass
TEST=`minijail0 -m "0 1000 1" -M "0 1000 1" -- /usr/bin/touch t`
TEST=file `t` has owner:group root:root in minijail
TEST=and chronos:chronos outside minijail

Change-Id: I48f888097be5211715c5a839eca6f8e43b9903dd
Reviewed-on: https://chromium-review.googlesource.com/291200
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Yu-hsi Chiang <yuhsi@google.com>
Commit-Queue: Nicolas Boichat <drinkcat@chromium.org>
Trybot-Ready: Nicolas Boichat <drinkcat@chromium.org>
/external/minijail/libminijail.c
3e954eceba13f2e7547ada506a735f084108ea12 28-Jul-2015 Yu-Hsi Chiang <yuhsi@google.com> minijail: Add a new option to allow program run as pid 1.

Add a new flag that indicates whether to fork or not
when a pid namespace is set, so that programs can be
run as pid 1 inside a new pid namespace.

BUG=chromium:350616
TEST=security_Minijail0 pass
TEST=`minijail -I /bin/bash` then `echo $$` and get pid 1

Change-Id: Icc959b775e5fe6368c15a834e23ce3f2c119af41
Reviewed-on: https://chromium-review.googlesource.com/289440
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Yu-hsi Chiang <yuhsi@google.com>
Tested-by: Yu-hsi Chiang <yuhsi@google.com>
/external/minijail/libminijail.c
34e227494fed804ebbc7054ef64472ab8c6d953b 10-Sep-2015 Jorge Lucangeli Obes <jorgelo@google.com> Use libcap on Android.

Bug: 23787966
Change-Id: I8a7362e6551d55b473a7382665dc3e895bff9d56
/external/minijail/libminijail.c
5b7a318e9785d6ffe1698ecd73121befea77259f 20-Aug-2015 Daniel Erat <derat@google.com> Use __ANDROID__ instead of __BRILLO__.

__ANDROID__ is defined automatically by the toolchain.

Bug: 23358460
Change-Id: Ieea8035dc1ad7d8dbdbe91936b364d8c15f447dc
/external/minijail/libminijail.c
1b21c8f101c47472ae8a9db2e9237c68e6d63795 22-Jul-2015 Yabin Cui <yabinc@google.com> Use getgrnam_r.

Bug: 22568551
Change-Id: I3868897097b594b49f19946b18c52b17cd7975b5
/external/minijail/libminijail.c
a21c8fc135523df5bbd4523b36096dff6e8ade4a 16-Jul-2015 Jorge Lucangeli Obes <jorgelo@google.com> Add 'Android.mk' file, fix compile on Android.

This requires disabling LDPRELOAD and temporarily disabling
capabilities support.

Reland of https://android-review.googlesource.com/#/c/159755/
with compile fixes. Compile-tested on
aosp_{x86,x86_64,arm,arm64,mips64}-eng.

Bug: 22487289
Change-Id: Ia4530cf09b074aa0a2afe5a5b307ff3c5c5d6c08
/external/minijail/libminijail.c
20ac22848f02ab78c2be42367722afc204d9774e 18-Jul-2015 Jorge Lucangeli Obes <jorgelo@google.com> Revert "Add 'Android.mk' file, fix compile on Android."

Fails compile on x86_64, arm64, mips64. Failures have been identified, will re-upload on Monday.

This reverts commit b9a322d86635c5b1358af0d46a8be1021f4ddb60.

Change-Id: I14b35a3aae618da4ff108328a499505893c15568
/external/minijail/libminijail.c
b9a322d86635c5b1358af0d46a8be1021f4ddb60 16-Jul-2015 Jorge Lucangeli Obes <jorgelo@google.com> Add 'Android.mk' file, fix compile on Android.

This requires disabling LDPRELOAD and temporarily disabling
capabilities support.

Bug: 22487289
Change-Id: I27476d09605076b000d302f354e49ab17dc96a93
/external/minijail/libminijail.c
3c84df1c18b410cb33da3c9df010b59f960785a9 15-May-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> minijail: Set new process group ID.

By setting a new process group ID (PGID) in Minijail, we can then kill
both the Minijail process and the jailed process. Before, daemons like
debugd were killing only the Minijail process, which doesn't stop the
jailed process.

BUG=chromium:486219
TEST='minijail0 -- /usr/bin/yes'
TEST='ps axj' shows |minijail0| and |yes| with the same PGID.

Change-Id: Ibc82948aeedd560c08c182194723ccd53ec9b764
Reviewed-on: https://chromium-review.googlesource.com/271327
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Samuel Tan <samueltan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
d613ab2f0968cca1e377f506728a36b961ac157e 03-Mar-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> minijail: Make copyright headers consistent.

BUG=None
TEST=Compiles

Change-Id: I7bff77f83b821cc0ab84f498b6d77cdbfa2286a7
Reviewed-on: https://chromium-review.googlesource.com/255609
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Lee Campbell <leecam@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
3901da6e0bd4c709dda5506b5bb28177aca31abe 03-Mar-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> minijail: Allow tmpfs /tmp mount without a chroot.

There's no need to require a chroot to mount a clean tmpfs /tmp.
Also, halve the size of the tmpfs to 64M.

BUG=brillo:439
TEST=Unit tests, security_Minijail pass.
TEST='minijail0 -u nobody -g nobody -t -- mount' shows tmpfs mount.

Change-Id: Iee84160cee0487a0e7e0807b64ba54f6b3980e83
Reviewed-on: https://chromium-review.googlesource.com/255650
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Lee Campbell <leecam@chromium.org>
/external/minijail/libminijail.c
e6bd8cc9ec47646b22902e004fb615c72278ab0c 09-Jan-2015 Mike Frysinger <vapier@chromium.org> Revert "minijail: When pid-namespacing, init should be session leader"

This reverts commit 552cb1a2c2cc2fca6303fe70eb7cd578b3434d60.

The setsid behavior in the non/-i case causes some signal
behaviors that we don't really want (like being able to
send signals starting at the parent). Let's revert until
we can sort out the nuances here.

BUG=None
TEST=`./minijail0 -p sleep 600` & hitting CTRL+C kills the whole process tree

Change-Id: I47b36d633608a92d20337ca7791c23b6bade07e0
Reviewed-on: https://chromium-review.googlesource.com/239865
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
/external/minijail/libminijail.c
67546a0f5508cd1d5fe89f7505ab1c6f14c23eda 06-Jan-2015 Chris Masone <cmasone@chromium.org> minijail: When pid-namespacing, init should be session leader

When running a jailed process, the init process should take
the role of process group and session leader -- otherwise
calls to check these values for processes in the namespace
may get 0 (as the actual leader is a process outside the
namespace).

BUG=None
TEST=minijail0 -p /sbin/session_manager

Change-Id: I35dc7c5ba63db57e64ad6c05018403d4b535922d
Reviewed-on: https://chromium-review.googlesource.com/238849
Trybot-Ready: Chris Masone <cmasone@chromium.org>
Tested-by: Chris Masone <cmasone@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Chris Masone <cmasone@chromium.org>
/external/minijail/libminijail.c
0ef8a661dc17479d0e0cee211c53ed557543809f 19-Aug-2014 Utkarsh Sanghi <usanghi@chromium.org> minijail: add seccomp softfail option

Minijail now softfails when seccomp is not implemented
by the OS. However if the USE_seccomp flag is defined,
minijail still hardfails.

BUG=chromium:368071
TEST=Manual: compiled with and without USE flag.
CQ-DEPEND=CL:212960

Change-Id: If2b58ddd5ce51a357bda325d32fe2b3dac6df11f
Reviewed-on: https://chromium-review.googlesource.com/212919
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Utkarsh Sanghi <usanghi@chromium.org>
Commit-Queue: Utkarsh Sanghi <usanghi@chromium.org>
/external/minijail/libminijail.c
1563b5b904547ab89dc3193f463c57002b7a28f2 10-Jul-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> minijail: Add support for entering an existing VFS namespace.

Also, fix the Makefile while in there.

BUG=chromium:376987
TEST=security_Minijail0
CQ-DEPEND=CL:209242

Change-Id: I18877211549500cbb720805a2480b1cb3244c1e9
Reviewed-on: https://chromium-review.googlesource.com/209240
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
2f61ee42b3c305ed99bf495af41b05ff5aa93213 16-Jun-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> Fix more style issues.

BUG=None
TEST=unit

Change-Id: I89f7288e9b3226273232d99f1c0176b69ce3b300
Reviewed-on: https://chromium-review.googlesource.com/203971
Reviewed-by: Lee Campbell <leecam@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
c8b21e1a37d1c81f4331011999c30f6e5aef4dca 13-Jun-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> Fix coding style issues.

BUG=None
TEST=Compile

Change-Id: Ic4515367a4b05be8410596c5159e4c6ddab8e798
Reviewed-on: https://chromium-review.googlesource.com/203719
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Lee Campbell <leecam@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
1e4fc6aa398673096ed202fccee8be977f9e3c2b 07-Jun-2014 Lee Campbell <leecam@chromium.org> Allow minijail to run statically linked targets

minijail will now detect static targets and sandbox them

BUG=chromium:355109
TEST=Tested with autotest security_Minijail0 on arm and x64

Change-Id: I4c38f652207c5c50158449f952b14e9402e17751
Reviewed-on: https://chromium-review.googlesource.com/203013
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Lee Campbell <leecam@chromium.org>
Commit-Queue: Lee Campbell <leecam@chromium.org>
/external/minijail/libminijail.c
11af0628754be91d2db5bbc3619dcd717559a85c 22-May-2014 Lee Campbell <leecam@chromium.org> Allow mounting of a tmpfs /tmp in the chroot

Added the -t option to minijail so a tmpfs can be used
in the chroot

BUG=chromium:356246
TEST=Tested with autotest security_Minijail0
CQ-DEPEND=CL:201147

Change-Id: I660629a8b8fa1c2bf4fc59d2499ff806aa280449
Reviewed-on: https://chromium-review.googlesource.com/201133
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Lee Campbell <leecam@chromium.org>
Commit-Queue: Lee Campbell <leecam@chromium.org>
/external/minijail/libminijail.c
18d1eba3361767fa24ffdb696eca8643faa71816 18-Apr-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> Fix error reporting when sandboxed process is signaled.

BUG=None
TEST=Unittests pass.
TEST=security_Minijail_seccomp passes on leon.
TEST=/usr/bin/yes; killall yes; echo $? prints 143.
TEST=minijail0 -- /usr/bin/yes; killall yes; echo $? prints 143 (not 253).
TEST=minijail0 -S /dev/null -- /usr/bin/yes; echo $? prints 253.

Change-Id: I62f779da9b5b3a61f6aff4c9855e5b73669c9efe
Reviewed-on: https://chromium-review.googlesource.com/195627
Reviewed-by: Nam Nguyen <namnguyen@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
4ae30cc2874b9fb1bb141e92e0be7cde48cfaf0f 11-Apr-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> Clarify comments around minijail_pre{enter|exec}().

I was investigating Minijail behaviour with static binaries and
it took me a while to figure out what was happening where.

Document preenter/preexec functions better and move them closer
to the flags they track. This way if we add a new flag in the future
we'll also track it in minijail_pre{enter|exec}().

BUG=None
TEST=unit, security_{Minijail0|Minijail_seccomp} on leon.

Change-Id: I67e1e233b0fa0df2dcd97ad397187a7dc791a0c3
Reviewed-on: https://chromium-review.googlesource.com/194200
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
4e48065390a71f32d8b3ea00fc663579cbea1651 26-Mar-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> Fix minijail_change_{user|group} with invalid users/groups.

BUG=chromium:356736
TEST='minijail0 -u <invalid> -- /usr/bin/id' fails.
TEST='minijail0 -g <invalid> -- /usr/bin/id' fails.

Change-Id: I0e1a35f5c582060bade53edb7cfda3eb1892d83c
Reviewed-on: https://chromium-review.googlesource.com/191701
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Nam Nguyen <namnguyen@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
c420a26f8fcab8877398ef557c42dac7b8b586ee 12-Jun-2013 mukesh agrawal <quiche@chromium.org> minijail: add child PID to log messages

BUG=chromium:248792
TEST=unit tests, manual

Manual test
-----------
- gmerge chromeos-minijail
- reboot
- connect to GoogleGuest
- pkill -STOP wpa_supplicant
- egrep "child process [0-9]+ exited" /var/log/messages

Change-Id: I44923c38f924133ab45700653042c27491d466ba
Reviewed-on: https://gerrit.chromium.org/gerrit/58277
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: mukesh agrawal <quiche@chromium.org>
Commit-Queue: mukesh agrawal <quiche@chromium.org>
/external/minijail/libminijail.c
3adfef722eabb95977d7d92f4789666878d1dd32 09-May-2013 Mike Frysinger <vapier@chromium.org> capabilities: extract the max cap from the runtime system

The cap_valid() macro checks against a max define hardcoded at build time
from the kernel headers. The runtime kernel might have a different max
value which means this code doesn't work exactly as we want.

For example, if you build against linux-3.8 headers but boot with a 3.4
kernel, the kernel headers know about 36 caps while the runtime kernel
only knows about 35. When this minijail code tries to drop capset 36, it
dies because the kernel returns EINVAL.

Conversely, if you were to build against linux-3.4 headers but boot a 3.8
kernel, minijail would know to drop caps up through 35, but that 36 would
remain in place.

Typically these scenarios don't happen, but as people develop/test things,
it's not unreasonable to try these out (think testing newer kernel headers
or booting kernel next). As such, suck up the max value at runtime via
/proc and use that instead.

BUG=None
TEST=built against linux-3.8 headers and booted a linux-3.4 kernel;
minijail no longer aborts (networking works), and some logging added
to the kernel shows it running PR_CAPBSET_DROP for [0, 35] since the
runtime kernel max is 35 (even though the compiled headers say 36).

Change-Id: Ie9aec101263402a3e147e85caf1e8bda78008aa3
Reviewed-on: https://gerrit.chromium.org/gerrit/50702
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
/external/minijail/libminijail.c
6c0863036842df03a681307d2da84d2b0f7f908f 20-Mar-2013 Elly Fong-Jones <ellyjones@chromium.org> [minijail] support network namespacing

Add a -e argument to minijail0 to network-namespace the target program.

BUG=None
TEST=adhoc
$ minijail0 -e `which ping` 4.2.2.1
connect: Network is unreachable
$ minijail0 `which ping` 4.2.2.1
<ordinary output...>

Change-Id: Ie58ff1ec1e1ec21987734b86cbabb1118c7e0bf0
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/46035
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
339a113245ee553ffe0c17024fdd894a541b8fbd 16-Feb-2013 Jorge Lucangeli Obes <jorgelo@chromium.org> Allow reading the jailed process' stdout and stderr.

Also fix some nits while in there.

BUG=None
TEST=libminijail_unittest on alex and lumpy.

Change-Id: I1bd227f196618d275da6e5da4ce91e90a370baa2
Reviewed-on: https://gerrit.chromium.org/gerrit/43460
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
e5609acdef8b6634be1fa81756a4ad188b0c69f0 06-Feb-2013 Kees Cook <keescook@chromium.org> capabilities: correct the <<-operator width everywhere

The <<-operator here needs to always be 64-bit, so use a variable instead
of trying to pick the right bit width, which will be arch-sensitive.

BUG=chromium-os:38643
TEST=link and daisy build, both pass security_Minijail

Change-Id: Ifab3037bf74f09256924993a8e91315b4b0ac998
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/42806
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
323878a2faabdd6a34327718120bb410bbf8edd2 06-Feb-2013 Kees Cook <keescook@chromium.org> capabilities: make sure that CAP_SETPCAP is cleared

When we didn't require CAP_SETPCAP, make sure we drop it when we're
finished manipulating the bounding set.

Additionally, fixes the capability bit tests for caps larger than
32-bits. The compiler didn't know to warn about the potentially out-of-range
<<-operator usage.

BUG=chromium-os:38643
TEST=link build, security_Minijail0 passes, verified CAP_SETPCAP is missing:
`minijail0 -c 0 /bin/cat /proc/self/status | grep CapEff` is all zeros
`minijail0 -c 1 /bin/cat /proc/self/status | grep CapEff` is 1

Change-Id: I7c0722c3bc775164486ff9628fc0c2005ae9275d
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/42670
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
1530b746a595d0ce1a3558d98774c0077e50ee98 11-Dec-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Add exit status reporting to Minijail.

Things that can fail in the child process before Minijail exec()'s
the sandboxed binary are already logging errors, so this will clarify
what's going on with 'dhcpcd'.

BUG=chrome-os-partner:16569
TEST=minijail0 -- <something with a non-zero exit code>

Change-Id: I88530af2e9a0fc77c002b672d5a1c334ec7506e6
Reviewed-on: https://gerrit.chromium.org/gerrit/39568
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
eee3155a563aa34d1dc58a625bdc59a577271adb 18-Oct-2012 Lei Zhang <thestig@chromium.org> Make it easier to build libminijail on Chromium Linux.

- Move libsyscalls.gen.c generation code out of the Makefile and into a
script.
- Add SECURE_ALL_* defines for systems that do not have linux/securebits.h.

BUG=chromium-os:35482
TEST=FEATURES=test emerge chromeos-minijail

Change-Id: I922c579f1fcf09db2379659dbde737f246200e51
Reviewed-on: https://gerrit.chromium.org/gerrit/35928
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Lei Zhang <thestig@chromium.org>
Tested-by: Lei Zhang <thestig@chromium.org>
/external/minijail/libminijail.c
6537a568125667e8db44a0af38fd04fc8fd07ef7 05-Sep-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Minijail: Fix indentation in libminijail.c

BUG=None
TEST=unit

Change-Id: I5ad33ea09e6278eccad2982d262e6d4ef76832b9
Reviewed-on: https://gerrit.chromium.org/gerrit/32242
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
df4bd3548059113808f589a62b0bc2f832be6c40 30-Aug-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Minijail: allow writing to the child process' standard input.

BUG=chromium-os:33983
TEST=libminijail_unittest
TEST=security_Minijail0

Change-Id: Ic2373127b3bca6a4a4a05ffcbc48b486cb5eb4a6
Reviewed-on: https://gerrit.chromium.org/gerrit/31779
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
6201cf5ab4a71c2faa61f61a2e5553a04db3c730 23-Aug-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Minijail: with no_new_privs, drop privileges before setting seccomp filter.

BUG=chromium-os:32619
TEST=unit
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive

Change-Id: I88d5e8b441871bf92f108ff4bb1db27940b51240
Reviewed-on: https://gerrit.chromium.org/gerrit/31238
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
bda833cbcee330eab91561a9b50b6bc24c47f2e9 01-Aug-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Minijail: add logging for seccomp filter failures.

BUG=chromium-os:33361
TEST=unit tests
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive

Change-Id: I16cdb8fbcf1cb13f2dee5521f97fb8d0bdbdf93b
Reviewed-on: https://gerrit.chromium.org/gerrit/29053
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
a6b034dedfb1109adcd88eb1bcea15a29067824c 08-Aug-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Minijail: extract utility functions.

Extract utility functions and add them, together with logging,
to a separate util.(c|h) file.

BUG=chromium-os:33361
TEST=unit tests
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive.

Change-Id: Ied436a7b27f14ef87198b7bf007634b28cbbd480
Reviewed-on: https://gerrit.chromium.org/gerrit/29492
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
224e4275abc940fa96d8cf8eec69a052957aa7e1 02-Aug-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Refactor logging in Minijail.

That way, the syscall filtering module can log to syslog without
duplicating code. While I'm at it, make naming more consistent.

BUG=None
TEST=unit
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive

Change-Id: I7102ca22f49dd7e5bb56bf2997d0d83cb0507e83
Reviewed-on: https://gerrit.chromium.org/gerrit/29080
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
1c888ae015df417adcebb78035360cac94c21da2 31-Jul-2012 Elly Jones <ellyjones@chromium.org> [minijail] document use of NO_NEW_PRIVS

TEST=None
BUG=None

Change-Id: If95c0aea1f9dcc2f1c990678b4e85289afc841cf
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/28818
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
a05d7bbb4072142e2bfb34310ad08c9dfb1ebbbf 14-Jun-2012 Elly Jones <ellyjones@chromium.org> [minijail] don't forget to enter pid namespace

minijail_preexec() clears the pid namespace flag. Oops.

BUG=chromium-os:31862
TEST=adhoc,security_Minijail0
minijail0 -p /bin/ps should show ps as pid 2

Change-Id: I269805d0efb1d7c768420d3708ae1e93c6fa6a31
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/25300
Reviewed-by: Jim Hebert <jimhebert@chromium.org>
/external/minijail/libminijail.c
761b74101442568efb4f35ef0d9e8c98bfa5d350 13-Jun-2012 Elly Jones <ellyjones@chromium.org> [minijail] handle non-namespaced multithreaded use.

Multithreaded use of pid namespaces is still broken; see the block comment in
</libminijail.c>.

BUG=None
TEST=build

Change-Id: Ibeb9434146a231fd2fd7468572e4fec28a1c1b60
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/25234
Reviewed-by: Mike Frysinger <vapier@chromium.org>
/external/minijail/libminijail.c
474ee71b9a15c50877b87affc7d857681c29e7eb 02-May-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Re-enable setting seccomp filters in Minijail.

Now that all the bits have landed, re-enable setting seccomp filters
in Minijail.

BUG=chromium-os:27878
TEST=security_Minijail0
TEST=security_Minijail_seccomp
TEST=platform_CrosDisksArchive

Change-Id: I13aae50a4d172443170e7fbf4bfc84812a424b65
Reviewed-on: https://gerrit.chromium.org/gerrit/21655
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
c2c9bccd546e44aac8919352261fd6ac59f3855b 01-May-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Add API for PR_SET_NO_NEW_PRIVS and set seccomp filter before dropping root.

BUG=chromium-os:27878
TEST=minijail_unittest, syscall_filter_unittest
TEST=security_Minijail0
TEST=security_Minijail_seccomp

Change-Id: I78495fda8c14ca5b4f398806eb564b0756876735
Reviewed-on: https://gerrit.chromium.org/gerrit/21545
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
524c04005b26aa15b004ac55aceefdc654893e66 17-Jan-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Integrate BPF seccomp_filters to Minijail.

BUG=chromium-os:25429
BUG=chromium-os:27878
TEST=security_Minijail_seccomp
CQ-DEPEND=I13a9b22ac8d55f02d5a77b5beedb955386b63723

Change-Id: I5fa8f40b9a539a61d69439cad778c926fc934cb1
Reviewed-on: https://gerrit.chromium.org/gerrit/19527
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
2343d8319c9f9816e495f9359ba4420ef8b93de0 26-Apr-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Temporarily disable setting seccomp filters in Minijail.

To make merging the BPF-based seccomp filter implementation easier,
turn off setting seccomp filters in Minijail. Add a flag ("-F") to
force setting seccomp filters.

BUG=chromium-os:27878
TEST=security_Minijail0 still passes.

Change-Id: I1948223f2292cf5c059bf50f69fd0b4e42ec39a2
Reviewed-on: https://gerrit.chromium.org/gerrit/21170
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
9807d034da0258d58eed33156c04187f58fd0ce5 17-Apr-2012 Jorge Lucangeli Obes <jorgelo@chromium.org> Add minijail_run_pid() to return the pid of the jailed child process.

This is needed when sandboxing processes whose pids are needed
by the parent process (starting with dhcpcd and shill).

BUG=None
TEST=security_Minijail0 still works.

Change-Id: I3e6c5b19b9c7e70aea8230e6c1395097fb697b4f
Reviewed-on: https://gerrit.chromium.org/gerrit/20413
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
dd3e851898b44b2b6e36eed12066a65adfd60efe 23-Jan-2012 Elly Jones <ellyjones@chromium.org> [minijail] document an apparent use-after-free

BUG=None
TEST=build

Change-Id: I093b2b1bac45aa224ea742c70853f4cc7176cca7
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14627
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
e58176c07895532d49b4cb9a660a4eeb644d4e2f 23-Jan-2012 Elly Jones <ellyjones@chromium.org> [minijail] pid namespace implies vfs namespace

Make a pid namespace imply both a new vfs namespace and a /proc remount, since
if we don't remount /proc, the old pid namespace is still reachable through the
old mount there.

BUG=chromium-os:25303
TEST=security_Minijail0

Change-Id: I91887d3ed6bc0e958e249c3c158735bc04f20fcd
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14617
Reviewed-by: Kees Cook <keescook@chromium.org>
/external/minijail/libminijail.c
a1059630647ed53a77726d9031dda0eab48bc1a4 15-Dec-2011 Elly Jones <ellyjones@chromium.org> minijail0: honor readonly bind mounts

linux-kernel commit 2e4b7fcd926006531935a4c79a5e9349fe51125b introduced support
for readonly bind mounts, but you can't just supply MS_RDONLY along with
MS_BIND; you have to construct an MS_BIND mount first, then do another mount
with MS_REMOUNT | MS_RDONLY.

BUG=None
TEST=platform_Minijail0

Change-Id: I1a8e2c603589b2eddcdb7a6d87059fabe17c60ba
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/13000
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
6ac9112378c716d6c1de2952bb971728b0655616 21-Oct-2011 Will Drewry <wad@chromium.org> Makefile, libminijail: Invert symbol visibility to allow sane unittesting

libminijail.c contains many helpers that are marked static. For instance,
consumestr and consumebytes are both static yet eminently unittestable.
The options for testing are as follows:
1. Replace "static" with a "private" or "protected" macro which we
undefined during testing.
2. #include "libminijail.c" into the unittests to avoid visibility
challenges.
3. Change default visibility to internal for all functions and data
then invert it during unittesting.

I chose #3. It also has the benefit of creating an optimally stripped
binary and shared object. Using 'internal' visibility also lets the
linker perform more optimizations.

Feedback on this approach is very welcome. In the past, I've chosen
approach #2, but that seems wrong for at least a couple of reasons.

TEST=build, run readelf -s in all the output. .so should show LOCAL for
all internal functions and on executables, private functions should show
INTERNAL. Running strip --unneeded should remove all of the private
linkage which can be checked with readelf -s again
BUG=none

Change-Id: Ifb1f02b4505f2f25d824c067748054520c39d3bf
Reviewed-on: https://gerrit.chromium.org/gerrit/10540
Commit-Ready: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
bee7ba7f2cd6168f60f51dd0ce3ac8961b4cc25a 22-Oct-2011 Will Drewry <wad@chromium.org> libminijail.c: fix dangling pointer evaluation on unmarshal error

If minijail_unmarshal fails, the process will still need to call
minijail_destroy to free up any allocated memory. The unmarshalling
function exits immediately on error. That property means that some
stale pointers may still exist.

This change adds pointer clearing on error and fixes a minor memory
leak of the chrootdir.

BUG=none
TEST=compiles and running ./libminijail_unittest passes. Still need to run the autotest suite on it.

Change-Id: I47518130aef7f4a14e5da475ed6a84c2d1490940
Reviewed-on: https://gerrit.chromium.org/gerrit/10535
Commit-Ready: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
a8d1e1b685840bce77d4d32cb4cd52e25e5e1763 21-Oct-2011 Elly Jones <ellyjones@chromium.org> minijail0: unbreak chroot and marshalling

1) Parse opts for chroot and bind
2) Serialize/deserialize chroot properly

BUG=chromium-os:21665
TEST=security_Minijail0

Change-Id: Ic99a40718a9c3ff72561f518179155fb502eef96
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/10507
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
1d697933d1f5c07c0cbad6a79118e67e6e043881 14-Oct-2011 Ben Chan <benchan@chromium.org> libminijail: Fix minijail_parse_seccomp_filters to ignore comment lines.

Also fixes minijail_parse_seccomp_filters to report the correct line
number of an invalid line in a policy file.

BUG=chromium-os:21690
TEST=Manually tested the following cases:
1. A comment line that starts with '#' but contains no ':' is ignored.
2. A comment line that starts with '#' and also contains ':' is ignored.
3. The line numbers of invalid filter lines are reported correctly.
4. Valid filter lines are parsed correctly.

Change-Id: Iadacfae6c0b6c03fcf44e7e419d2635cb849e7a1
Reviewed-on: http://gerrit.chromium.org/gerrit/10104
Reviewed-by: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
/external/minijail/libminijail.c
51a5b6c7f464100cea4c79f737fab2e582904135 13-Oct-2011 Elly Jones <ellyjones@chromium.org> minijail0: add chroot support.

Support a -C commandline option to chroot(), and a -b commandline option to
bind-mount paths into the chroot from outside.

BUG=chromium-os:21165
TESTED_ON=kaen
TEST=None yet

Change-Id: Ia6a7a4498968a4bc6a12f8274fdb8c4be9d23ca4
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8661
Reviewed-by: Kees Cook <keescook@chromium.org>
/external/minijail/libminijail.c
e1749eb93a119bf03b5b033d74c541dbb45be00e 07-Oct-2011 Elly Jones <ellyjones@chromium.org> minijail0: convert to linux style

Used indent(1) with --linux-style, then manual cleanup.

BUG=None
TEST=None

Checkpatch: ok
Change-Id: I52dbd329215680e9d42ce4f11df110cf2f341e90
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8732
Reviewed-by: Kees Cook <keescook@chromium.org>
/external/minijail/libminijail.c
e805d37c95696e080dc421fe777df80c8f569fdb 28-Sep-2011 Kees Cook <keescook@chromium.org> libminijail: pass-through errno should be negative

The errno values in the rest of libminijail use negative errno values. This
makes sure that the passed-through errno values are negative as well.

BUG=chromium-os:20903
TEST=Built for x86-alex and did a full image build & boot, ran okay as:
sudo minijail0 -pu chronos /bin/ls
and correctly failed (exit code 253) with:
sudo minijail0 -S /dev/null /bin/ls

Change-Id: Ifac27468a21820ae342522c749c76f2045b630c3
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8394
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
eb300c59634e8504d3e28fce7b9992fe12c058e7 22-Sep-2011 Elly Jones <ellyjones@chromium.org> minijail0: make jail_change_{user,group} reentrant.

TEST=security_Minijail0
BUG=chromium-os:18473

Change-Id: I5b0aa360fa6196df0bc6cff16dbb8ba8cb23e2a9
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8144
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
/external/minijail/libminijail.c
c6c8643ae97b58dbbf0c36aaaec586a764d5396f 18-Sep-2011 Will Drewry <wad@chromium.org> libminijail: only clear supplemental groups on user/group change

minijail should be runnable by an unprivileged user. This change allows
that to be true.

BUG=chromium-os:19459
TEST=minijail -S somepolicy /bin/ls
(need to test transitions still)

Change-Id: Ib540953ae2435414b3d3adbadb68238962f5c0ff
Reviewed-on: http://gerrit.chromium.org/gerrit/7912
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
f89aef580a713810a788d7e5ccf2e030696b6847 16-Sep-2011 Will Drewry <wad@chromium.org> libminijail: add seccomp_filter support to LD_PRELOAD + cleanup

This change adds seccomp_filter support to minijail properly
instead of requiring expanded scope needed for execve(2)ing the
child process.

Now the policy for cat(1) can be as small as follows.
minijail-cat.policy:
read: fd == 3
write: fd == 1 || fd == 2
fstat64: 1
open: flags == 0x8000
close: 1
munmap: 1
exit_group: 1

Some additional code was moved around as a side effect of cleaning
this up. I can split it out if desirable.

BUG=chromium-os:19459
TEST=Manual tests (for now)
# minijail0 -S minijail-dash-cat.policy -- /sbin/minijail-0 -S minijail-cat.policy -- /bin/cat /proc/self/seccomp_filter
...
emits the policy for cat at the top with inherited: 0 and the original policy below as inherited.
...

# minijail0 -S minijail-cat.policy -- /bin/cat /proc/self/seccomp_filter
Mode: 13
Enabled: 1
Inherited: 0
252 (sys_exit_group): 1
197 (sys_fstat64): 1
91 (sys_munmap): 1
6 (sys_close): 1
5 (sys_open): flags == 0x8000
4 (sys_write): fd == 1 || fd == 2
3 (sys_read): fd == 3

Change-Id: I34a81f3c1764e4f949f8c2a26d42e51e125b4aae
Reviewed-on: http://gerrit.chromium.org/gerrit/7893
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
fe4a372685f30fe7d0f30da2a46cc096f418c359 16-Sep-2011 Will Drewry <wad@chromium.org> libminijail: move over to using marshalled binary for preload

Move libminijail and libminijailpreload over to using the marshalling
helper functions and add to/from_fd. The format itself is not terribly
robust, but we can change it underneath the functions in the future
(or move struct minijail to a protobuf :).

These changes lay the groundwork for sending seccomp_filter policy. A
subsequent change will implement that and disable use in the parent.

BUG=chromium-os:19459
TEST=tested as per previous commits:
minijail0 -[pvrcuGg] -- /bin/cat /proc/self/status
.. /bin/ps aux
.. /bin/bash -c 'env'

Change-Id: I565816611b31ce49f85fee2241c55a3328d7b770
Reviewed-on: http://gerrit.chromium.org/gerrit/7892
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
2ddaad07d7c54e370353abfa05efe2661898b428 16-Sep-2011 Will Drewry <wad@chromium.org> libminijail: add marshalling and scrubbing functions

In order to support arbitrary divisions of labor between minijail_run
and minijail_enter, we need to support serializing the entire minijail
for sharing with the LD_PRELOADed library in a child process. Instead
of continuing with one-off marshalling, this unifies the marshalling code
(as fragile as it is).

In addition, scrubbing features that only apply in the parent or the
child around marshalling and unmarshalling are split out to separate the
logic.

One change did sneak in to support marshalling which was copying/freeing
j->user. I can split this out as a precursor patch if needed.

The next change in the series converts the existing code over and moves it
to communicate over a file descriptor.

BUG=chromium-os:19459
TEST=gmerged and ran minijail0. Internal only changes.

Change-Id: Ib4c157d1d4d4edf6910793ea04880399e539285b
Reviewed-on: http://gerrit.chromium.org/gerrit/7891
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
2f54b6a1ab672b02e1ae352cb8cf27b4732a413a 16-Sep-2011 Will Drewry <wad@chromium.org> minijail0: move ld_preload communication to a pipe

Moves minijail0 communication over to using a file descriptor instead
of packing it in an environment variable. The primary reasoning is to
allow seccomp filter policies to be passed to a child process.

However, this will make it easier for minijail behavior to stay
consistent across minijail_run and minijail_enter if serialization can
be made more generic. For instance, -g does not properly traverse a
preload instead relying on inheritance which is inconsistent depending
on pidns usage.

BUG=chromium-os:19459
TEST=tested -[pvrcu] with /bin/cat /proc/self/status

Change-Id: Id1845b86517ce0a6a9d6bcd85f700ea459d7c8f4
Reviewed-on: http://gerrit.chromium.org/gerrit/7890
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
32ac9f5392525576dcd7bf2e18fb4c230649a3da 19-Aug-2011 Will Drewry <wad@chromium.org> libminijail,minijail0: add seccomp filter support

This change adds support for installing seccomp filters via libminijail
or by using minijail0 with an arch-specific filters file.

Support for LD_PRELOAD marshalling is still missing and will come in a new change.

BUG=chromium-os:19459
TEST=minijail0 -r -S dash-cat.policy -u chronos -- /bin/dash -c '/bin/cat /proc/self/seccomp_filter'
dash-cat.policy can be found in the bug.
built for arm-generic, tegra2_seaboard, and x86-alex. Tested on x86-alex as above and with -H.

Change-Id: I3cac97d1df62f70cd546763aeca8f52dd0aea09d
Reviewed-on: http://gerrit.chromium.org/gerrit/7773
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
f0ef52e0bb54e6ea28e3abf96b95ed1bb9225cb4 14-Sep-2011 Thieu Le <thieule@chromium.org> Revert "libminijail,minijail0: add seccomp filter support"

This reverts commit adf64c0814e16cb43ce81e6b3e3660a16f564cc7

Change-Id: Ib24f2ad26dfe14ddd4e6b38e204630577db5a4cc
Reviewed-on: http://gerrit.chromium.org/gerrit/7735
Reviewed-by: Thieu Le <thieule@chromium.org>
Tested-by: Thieu Le <thieule@chromium.org>
/external/minijail/libminijail.c
13dcc70bf9fec5d9c13dc47738f2852d88262ce9 19-Aug-2011 Will Drewry <wad@chromium.org> libminijail,minijail0: add seccomp filter support

This change adds support for installing seccomp filters via libminijail
or by using minijail0 with an arch-specific filters file.

Support for LD_PRELOAD marshalling is still missing and will come in a new change.

BUG=chromium-os:19459
TEST=minijail0 -r -S dash-cat.policy -u chronos -- /bin/dash -c '/bin/cat /proc/self/seccomp_filter'
dash-cat.policy can be found in the bug.

Change-Id: Id3f52ae9ce7bf49c257b2cfb9ba66b38b8be8094
Reviewed-on: http://gerrit.chromium.org/gerrit/6789
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
541c7e59a012dbffa0f68cc623623c81b11d267e 26-Aug-2011 Ben Chan <benchan@chromium.org> minijail: Restore original value of LD_PRELOAD after fork.

This CL restores the original value of LD_PRELOAD in the process that
calls minijail_run. This prevents any subsequent process, which is not
created by minijail_run, from preloading libminijailpreload.so.

BUG=chromium-os:19732
TEST=Examined the environment of calling process after minijail_run returns.

Change-Id: I578e4c46c72eb549fa59353ab1a25f0160077a03
Reviewed-on: http://gerrit.chromium.org/gerrit/6788
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
/external/minijail/libminijail.c
cd7a9046e61e243fca916a286e49d58e2331eaa7 22-Jul-2011 Elly Jones <ellyjones@chromium.org> RFC: minijail: add libminijail.

Drewry requested an implementation of minijail that:

1) Would be linkable against C programs
2) Not depend on libbase
3) Supply the necessary LD_PRELOAD hacks to use his syscall-filtering framework
without the apply-after-exec hack and to use ptrace-disable.

Thoughts?

BUG=chromium-os:17937
TEST=Adhoc (extremely ;)). Proper test suite to be written; crosbug.com/18834

Change-Id: I8b34557a9a231dad75827c1a3d11f235f712648d
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/4585
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c