866bb3acc5b62235567171dfed9205a5b8c3e039
07-Feb-2017
Chirantan Ekbote <chirantan@google.com>
Add a flag to drop access to the session keyring

Now that Chrome OS is moving over to ext4-based directory encryption, the encryption keys are stored in the session keyring. Applications that don't need to access the encrypted user data directory don't need access to this keyring. Add a flag for applications to drop access to the session keyring when they don't need it.

Bug: crbug.com/682419
TEST=autotest in a later CL
Change-Id: I3cb8f120d9f4891d9a13f7fe342b0388e9975605
Signed-off-by: Chirantan Ekbote <chirantan@google.com>
/external/minijail/libminijail.c

ab9eb44bf4d7f17cbeeed4fb7b64f17e7d039f56
25-Jan-2017
Martin Pelikán <mpel@google.com>
allow specifying larger /tmp tmpfs mounts

Extract the size string-parsing and overflow-checking wrapper into util.c.

Test: New unit tests.
Change-Id: I31ba2f1a77217a2f13cda078e5e6a80104fbcd32
Signed-off-by: Martin Pelikán <mpel@google.com>
/external/minijail/libminijail.c

b91d404ee6115dc130b0101b38d875be17c88efb
14-Jan-2017
Mike Frysinger <vapier@google.com>
add nosuid/nodev/noexec settings to the /tmp mount

No daemon should be using this space for those things in the first place.

Bug: None
Test: `minijail0 -vt -- /bin/mount` shows /tmp using no* options
Change-Id: I5105243329c74fecc5082b8580958f1949d98c9b
/external/minijail/libminijail.c

3ba81577de768c0f0edfd087858c81168d6fc615
18-Jan-2017
Mike Frysinger <vapier@google.com>
name the /proc mount

The current mount code ends up generating a mount point like:
/proc proc ro,nosuid,nodev,noexec,relatime 0 0
This confuses `mount` and users. Give it a standard name of "proc".

Bug: None
Test: `mount` inside of minijail looks sane now
Change-Id: I771a32eea340cfe0a6bc9d21520057e0491de9f4
/external/minijail/libminijail.c

0dce7573d8038618505b718308c359c4ed6fabcf
14-Jan-2017
Mike Frysinger <vapier@google.com>
fix mode settings on /tmp mount

Change the mode from 0777 to 1777 so it has the sticky dir bit set. This is what all temp dirs should have so the kernel enforces sane behavior across diff uids.

Bug: None
Test: `minijail0 -vt -- /bin/sh -c 'mount; ls -ld /tmp'` shows /tmp using 1777
Change-Id: I96d77a9bda76323993fed8d127f5df865f6477a2
/external/minijail/libminijail.c

eea841ba782ce4c00f54a7331a50e87dfc188782
14-Jan-2017
Mike Frysinger <vapier@google.com>
keep error checking style with setgroups logic

The code here all checks != 0, so make the new code do the same.

Bug: None
Test: make check still passes
Change-Id: I94c6032431eea8bc0b017b8d3e1d4f6a6e98506e
/external/minijail/libminijail.c

345431925825928a7b59149a179acfcb4615289f
11-Jan-2017
Jorge Lucangeli Obes <jorgelo@google.com>
Clarify, simplify some error messages.

"cannot inherit *and* set or keep supplementary groups" is confusing, so split the if clause.
"usergroup inheritance without username" is inaccurate, better use "supplementary groups" terminology.
"can only either inherit, keep or set supplementary groups;" " tried to do two or more" can be simplified.

Bug: None
Test: Builds, unit tests pass.
Change-Id: Ib805e66dc0ca35043b9a9b73c09bae9d31ad5010
/external/minijail/libminijail.c

6b190c0ff461b707357d5fdab1155e31845c48cb
04-Jan-2017
Mike Frysinger <vapier@google.com>
ignore missing /proc/<pid>/setgroups files

When running on older kernels that lack setgroups, the write failure causes minijail to abort. Short of having every caller detect the kernel support and selectively calling disable_setgroups, ignore the write failure directly when it's ENOENT.

Bug: None
Test: running on newer kernels works, as do older kernels
Change-Id: I424cb749fec0f76cc4278a8a7581b168fbe50485
/external/minijail/libminijail.c

13807cb12a9afce34c2ecf664036df6be83f656e
03-Jan-2017
Lutz Justen <ljusten@google.com>
minijail: Add ability to keep supplementary gids.

Adds the ability to keep supplementary group ids. If an outer process sets a saved uid, this allows changing to the saved uid in an inner, minijailed process. Without this, the inner jail would try to clear supplementary groups (setgroups(0, NULL)), which may not be allowed due to missing caps.

Bug: 33838120
TEST=Tested using the authpolicy project in Chrome OS
Change-Id: I9e98332324753922a4ac881b46233258067eaeae
/external/minijail/libminijail.c

457a5e333407ea2a0f90d8c6ea85ccf08a3c8083
23-Nov-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Improve error messages.

- Include arguments for initgroups(3), setgroups(2), setres{g,u}id(2).
- Add "failed" for setns(2), unshare(2), initgroups(3), setgroups(2), and setres{g,u}id(2), mount(2), and various prctl(2)'s.
- Use actual flag names for unshare(2) errors. Makes googling/referring to man pages easier.

And two nits:
- "net_bring_up_loopback" -> "config_net_loopback", shorter, clearer.
- Fix one long line.

Bug: 33264665
Test: Builds on Android and Linux.
Change-Id: Id1bc42186f9d7f0724ff9897f364656f52202e44
/external/minijail/libminijail.c

24499562cbd6def6a7434a409f8684b7ea3e2f67
01-Dec-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Call setgroups(2) only once when changing users.

The guard for calling setgroups(0, NULL) was checking j->uid and j->gid, which are not cleared by minijail_preexec(). This was causing setgroups(2) to be called twice, once by 'minijail0' and once by the sandboxed process. The guard should check j->flags.uid and j->flags.gid, which do get cleared. Note that every other if guard in this function is checking j->flags.

Bug: 33259997
Test: Add logging, setgroups(2) only gets called once.
Change-Id: I5c6c4ec7fc8778ea7c3f8bcc8aaca1d2514d3447
/external/minijail/libminijail.c

aa235b98fca2408c5f6bc2fbb8495591c8f70a88
23-Nov-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Create a new session for the jailed process.

This prevents the jailed process from using the TIOCSTI ioctl to push characters into the parent process terminal's input buffer, therefore escaping the jail. To avoid messing with job control/signals in the non-interactive case (i.e. when not started from the console), only do this if any of stdin, stdout, or stderr are TTYs. Note that this bug only really affects users who use 'minijail0' from the command line, which is not the case for Android or Chrome OS.

Bug: 33073072
Bug: crbug.com/667493
Test: Use repro case from bug.
Change-Id: I7ab43ee8ba81110253809d98440ae572a01a6260
/external/minijail/libminijail.c

7559dfe9ed16455e03f68d9aa0a5a65747e6a174
16-Nov-2016
Mike Frysinger <vapier@google.com>
minijail: bring up loopback interface in new net namespaces

For basic network logic, we need loopback. Bring it up all the time in new net namespaces since it shouldn't cause a problem otherwise -- it's not like it gets us external network connectivity.

BUG=chromium:665649
TEST=`sudo ./minijail0 -r -v -p -e /sbin/ip a s` shows loopback as up
Change-Id: I7e98f0ca42a2993e8c8e2b1de96df7b68c21e3f0
/external/minijail/libminijail.c

fb449ab7640406a2c9b14a1dfce07361d3497b16
14-Oct-2016
Luis Hector Chavez <lhchavez@google.com>
Add a PREUPLOAD.cfg file to enable clang-format

This will save some time on reviews. This also preemptively formats some stuff so that future developers don't have to fight against it.

Bug: None
Test: pre-upload.py complained when I introduced a badly formatted change.
Change-Id: I75b38cebc1298e481e62dbc9cea72f39ce33f88f
/external/minijail/libminijail.c

43ff080dede627c40d1e87bfce549fd955c7a117
07-Oct-2016
Luis Hector Chavez <lhchavez@google.com>
Add an option to close all open file descriptors

This adds the minijail_close_open_fds() API to close all open file descriptors (except the pipes that are internally set up to communicate with the jailed process).

Bug: 32005517
Test: libminijail_unittest
Change-Id: Ia392f14c080716297c5766ad31af983ee6c5ead3
/external/minijail/libminijail.c

713f6fbed8fd14efce499d5d609d24487b2518a4
03-Oct-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Use SECCOMP_RET_TRAP when setting thread sync.

SECCOMP_RET_KILL will only kill the offending thread -- it's equivalent to having the thread call syscall(SYS_exit, SIGSYS). This is explicitly *not* the same as exit_group(2), so other threads in the thread group will not be killed.

When setting thread sync, we normally would expect all threads in the thread group to be killed. To do this, use SECCOMP_RET_TRAP and reset the signal disposition for SIGSYS to its default value, which is to abort and dump core (see signal(7)).

There was also a small bug related to seccomp_can_softfail(), where we were never using seccomp even when it was available.

Bug: 31862018
Test: Manual with multi-threaded program.
Change-Id: I4a10d256b0ba1b15041d46c22bd45b445f8ef3f7
/external/minijail/libminijail.c

200299c81d043606bf1290408251c01d46c51baf
23-Sep-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Allow entering a user namespace with a default gid mapping.

https://android-review.googlesource.com/253910 added functionality to enter a user namespace with a default uid mapping. This CL completes that with a default gid mapping. This is useful when using user namespaces to gain root inside a namespace.

Note that setting the gid map as a non-root user requires disabling the setgroups(2) system call by writing "deny" to /proc/[pid]/setgroups. Eventually we might expose disabling setgroups(2) as a command-line option, but there's no need to do it now.

Bug: 30691131
Test: Using minijail0:
$ ./minijail0 -m /usr/bin/id
uid=0(root) gid=65534(nogroup) groups=0(root),65534(nogroup)
$ ./minijail0 -m -M /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
Change-Id: I8f91bc43516a47df7bbf12a121cf658e89861aa0
/external/minijail/libminijail.c

13650616ba6faa3ad84c69816e80a2f65bce6331
02-Sep-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Add support for SECCOMP_FILTER_FLAG_TSYNC.

This allows synchronizing all threads in a thread group to the same seccomp filter tree. Some processes only receive control over their execution after threads have already been created in their thread group. This happens for example with apps forked from the Android zygote. Thread sync (TSYNC) allows these processes to safely apply seccomp filters to all threads in their thread group, therefore preventing a thread running with seccomp filters from being able to circumvent the filter by exploiting an unconfined thread in the same thread group.

Bug: 31267783
Test: Manual, with multithreaded program calling libminijail.
Change-Id: I902428abf2e4d7fb3e2200ebfe9d5e640a1b10e0
/external/minijail/libminijail.c

4d4b3beea97e84dfd0f22ed08a651fed744855cb
16-Aug-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Add a function to load seccomp filters from a file descriptor.

This allows for easier unit testing, since we don't need to rely on data files. It will also allow using Minijail for seccomp testing in CTS. Refactor seccomp filter parsing in libminijail.c to avoid duplicating code.

Bug: 25949727
Change-Id: Iff21591cecc1783d141df912dafbe341ac83ed50
/external/minijail/libminijail.c

937ae7af62f114fbaf05578f5c4538b433aa6c2e
11-Aug-2016
Treehugger Robot <treehugger-gerrit@google.com>
Merge "Fix return value check of write_pid_to_path"

db6dab46427d5c35ee2221761bed47963c492f13
11-Aug-2016
Keshav Santhanam <ksanthanam@google.com>
Fix return value check of write_pid_to_path

The write_pid_to_path function returns 0 on success, but the calling function expected a 0 on failure.

BUG=none
TEST=Deploy minijail to CrOS
Change-Id: I91a4c32f05c2237f543d100219375227a3ab0539
/external/minijail/libminijail.c

963eeec8a493d91fce953cce3ce9e2263b042c79
10-Aug-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Rename the init process inside PID namespaces.

Rename the init process that Minijail launches inside PID namespaces. This makes it easier to identify things when looking at 'ps' output.

Bug: 30789126
Change-Id: Iffe3ea1fc2ecb66b1bae96912e2664913ca00d75
/external/minijail/libminijail.c

f205fff68bffedf32f05fa9637c7d53e2f4e3e72
06-Aug-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Kill the child process before dying.

We kill the child process if we fail to send the Minijail configuration over, but we were not killing the child process when failing to write a pid file, failing to set up cgroups, or failing to set up uid/gid maps. Kill the child in those cases too.

Use this opportunity to refactor libminijail.c a bit more, extracting common functions that don't require knowledge of struct minijail to util.c.

Bug: 30708487
Change-Id: Ie22be97093c4f53e5a57585bfe88ae7b55567fbd
/external/minijail/libminijail.c

ab6fa6f4befef62684ca6a7f06d04f5193be595b
04-Aug-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Allow entering a user namespace with a default mapping.

Map the current uid as root inside the namespace. This is useful to run Minijail as a non-root user. Also refactor uid/gid map functions to remove duplicate code.

Bug: 30691131
Change-Id: Ideef616c8c13bcbacb14b826fa2fc064701a6f69
/external/minijail/libminijail.c

565e978e80d693c077ec71caf45f6e06636a1a11
05-Aug-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Fix soft-fail on Android.

Broken by https://android-review.googlesource.com/253830, which moved the code, but not the required defines. Fix by removing the unnecessary #ifdef USE.../#define SECCOMP... and using USE_SECCOMP_SOFTFAIL directly in seccomp_can_softfail(). Also adjust some formatting.

Bug: 30693739
Change-Id: I5cd5a70b0e2efd30097522b002806cd744f24256
/external/minijail/libminijail.c

d90609947fe36526b869633699e6c0a22b3e14c5
04-Aug-2016
Treehugger Robot <treehugger-gerrit@google.com>
Merge "Move code away from libminijail.c."

7b2e29c72c117c7fc80c2790e1015cee4882f7a2
04-Aug-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Move code away from libminijail.c.

The file has over 2000 lines. Move code to other files as it makes sense.

Bug: 30662698
Change-Id: Iad3c4a5b2327a4c6956a837a08eb880c7edd7b03
/external/minijail/libminijail.c

3b2e6e495cf91ae3645000e71653369383997ef5
04-Aug-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Free all strings in minijail_destroy().

We're leaking memory.

Test: libminijail_unittest.
Bug: 30662596
Change-Id: Ic72275c8294f3ef06061069a64d46a5ed7d45e9e
/external/minijail/libminijail.c

db0bc67ee176f4c897c46974b6c5c36d60ddb39f
03-Aug-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Use clang-format on more files.

Also fix some TODO comments.

Bug: None
Change-Id: Ia075ec1ccda16dbf388a1c4f37c4f0241892c4f6
/external/minijail/libminijail.c

a205390245c35360b4010286b9cb1a85b8b39fa5
02-Aug-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Allow dropping all caps but keeping root on static binaries.

Bug: 30259228
Change-Id: I366d06c5ea1ba5def43255bf3c99fdaea16b96df
/external/minijail/libminijail.c

eec779603107e9778f015a4dfc4832e54f0b4c71
01-Jul-2016
Dylan Reid <dgreid@chromium.org>
Create mount destinations if they don't exist.

This moves code from libcontainer to libminijail so that mounts made in the container don't have to exist beforehand. This feature is useful when creating a tmpfs mount and bind mounting a file into that tmpfs, as in the test example.

BUG=none
TEST=minijail0 -m "0 1000 1" -M "0 1000 1" -v -C / \
       -k tmpfs,/tmp/asdf,tmpfs -b /dev/null,/tmp/asdf/null,1 /bin/bash
Also added test case to security_Minijail0
Change-Id: Ie2601ee24f5fa9440f26ebc31c4640ada5a3ef12
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c

81e2397c51787ed8682b08e9c732f53cc668401f
18-May-2016
Dylan Reid <dgreid@chromium.org>
Allow mount data to be specified

Add an API, minijail_mount_with_data, that allows the mount data string to be set. This is needed for some mounts when entering a user namespace and specifying uid=, gid=, or similar mount options.

BUG=b/27273730
TEST=mount proc with hidepid=2, check mount output to confirm
security_Minijail0 test case added.
Change-Id: Ieb48cc10ad4f6ed9968a89189392eb3cfb13af39
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c

4cbc2a522e1bc88424905bee32199af1c0fdbd20
18-Jun-2016
Dylan Reid <dgreid@chromium.org>
Add ability to enter a cgroup namespace

The cgroup namespacing feature was recently added to the linux kernel. Allow jailed processes to be placed into a new cgroup namespace. This avoids leaking host info into the jailed process and allows for the jailed process to use cgroups as it would if it was running outside of any namespaces. Android needs this so its cgroup setting CTS tests can pass and it can distribute its cpu shares between background and foreground apps.

CQ-DEPEND=CL:356201
BUG=b/29259708
TEST=minijail0 -m '0 1000 100' -M '0 1000 100' -N /bin/bash
check that the cgroup namespace is different
check that a newly mounted cgroup FS is rooted at the parent's cgroup
Change-Id: I3aead23ec8273eae90184337c040054becf4f12b
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c

df7fab1a0e0ca2c02ec366ba1f530bc8db7c8688
02-Jun-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Add logging message when using user namespaces and mount namespaces.

Also fix a comment that was > 80 cols.

Bug: 28714771
Change-Id: I6c9f2f409bbbd499b9a6efb12b50a57861d6c871
/external/minijail/libminijail.c

7a569073b95af7532892dc726c2f33cd40edfb57
23-Apr-2016
Arthur Gautier <superbaloo@gmail.com>
Avoid warning about BSD_SOURCE on glibc >= 2.20

Commit id c941736c92fa3a319221f65f6755659b2a5e0a20 removed support for _BSD_SOURCE in favor of _DEFAULT_SOURCE. This commit introduces support for glibc >= 2.20.

_BSD_SOURCE is not ignored, glibc just emits a warning and then defines _DEFAULT_SOURCE itself. The warning fails the build because of -Werror.

Change-Id: I9a72ef419678ab1b76174c9481550af8954c2be4
See: https://sourceware.org/git/?p=glibc.git;a=commit;f=include/features.h;h=c941736c92fa3a319221f65f6755659b2a5e0a20
See: https://sourceware.org/git/?p=glibc.git;a=commit;f=include/features.h;h=ade40b10ff5fa59a318cf55b9d8414b758e8df78
Signed-off-by: Arthur Gautier <superbaloo@gmail.com>
/external/minijail/libminijail.c

2413f3713ae8a306a23550e2eecd59f380f34eae
07-Apr-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Skip setting seccomp filter when running with ASan.

Also add an example build target for an ASan-ified libminijail (useful for debugging).

Bug: 28052772
Change-Id: Ib36a0303d635becaa8802dee56d486f11060ea47
/external/minijail/libminijail.c

f783b5273d66d19a78705276a38ae68ef2e3e165
14-Mar-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Fix use of SECURE_ALL_BITS/SECURE_ALL_LOCKS.

Kernels 4.3+ define a new securebit (SECURE_NO_CAP_AMBIENT_RAISE), so using the SECURE_ALL_BITS and SECURE_ALL_LOCKS masks from newer kernel headers will return EPERM on older kernels. Detect this, and retry with the right mask for older (2.6.26-4.2) kernels.

Also add a compile-time assert to make sure we identify these changes sooner going forward.

Bug: 27632733
Change-Id: I6cf9c56fec222347575bd0d1147287aac6572e67
/external/minijail/libminijail.c

6b0de9b30aec11d4736557bd7fde0c36ea238ada
17-Mar-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Fix typo in error message.

I did not notice "unmount(2)" -- the syscall is "umount". While in there, reword the comment to make it clearer.

Bug: None
Change-Id: I789a5a2c42a4973e8d90e3b61714fc84bd558df6
/external/minijail/libminijail.c

097b719fafb1add8a1fd60bf6d230816810dd7fa
16-Mar-2016
Hidehiko Abe <hidehiko@google.com>
Remove mount points from peer group just before oldroot unmount.

With the -K (skip_private_remount) option, there could be shared mount points under the oldroot. So, unmounting oldroot triggers unmounting mount points under the shared mount points, which will be propagated to the original namespace, and corresponding mount points will be unmounted in those namespaces, too. To prevent such unexpected unmounting, this CL removes mount points being unmounted from peer groups.

Bug: 27689605
TEST=Set up mount points; \
     minijail0 -v -K -b /bin,/bin -P $CONTAINER -- \
     /bin/true; \
     Make sure shared mount points are untouched in \
     the original namespace.
Change-Id: I3dbf7de2a63382c084e4d7e4c2675cc2a6f73c77
/external/minijail/libminijail.c

87bf01da8a4f60cd9064ad3b5c34200b2211152a
08-Mar-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Re-organize flags in 'minijail_preexec'.

This matches the order in 'minijail_preenter'.

Bug: 27304928
Change-Id: I99b421cb19ddf45f73f47748f81e1a09f8e40c48
/external/minijail/libminijail.c

3da4031a852b9dcfd35b48bc700ad7ae55baa1bc
07-Mar-2016
Shuhei Takahashi <nya@google.com>
Make -K work for dynamically-linked binary.

Bug: None
TEST=strace -f minijail0 -v -K /bin/true |& grep mount
Change-Id: I96ec04c6acefa909a83f374d7db44ae78393a17c
/external/minijail/libminijail.c

a521bee6c8c014aa19cbfea0b365ba984277aa27
03-Mar-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Add an option to skip remounting / as MS_PRIVATE.

Also update the minijail0.1 file.

Bug: 27304928
Change-Id: Id5c03fef3c7906e6fe53bad130d74c895f03f730
/external/minijail/libminijail.c

bce609d2455ca98c0f3c75fd2a791b522d1b41e4
03-Mar-2016
Ricky Zhou <rickyz@google.com>
Do not leak outside root dir fd into the child.

Also adds O_CLOEXEC to all open calls to be on the safe side.

In the future, we should look into doing some sanity checks before execve like Chromium's sandbox does:
https://code.google.com/p/chromium/codesearch#chromium/src/sandbox/linux/services/credentials.cc&l=320

If we want to further prevent people from shooting themselves in the foot, we could also check that no fds are open, except for duping /dev/null over 0, 1, and 2.

TEST=Built and tested that an fd to / is not leaked.
Bug: None
Change-Id: I41993a6aec9ce48bd34d191c3949f313ba80ca73
/external/minijail/libminijail.c

7ea269e060ec85eaf94ccf95033a6a6857fcff4e
27-Feb-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Don't call cap_get_proc(3) unconditionally.

cap_get_proc(3) uses the capget(2) system call. Don't call cap_get_proc(3) if |flags.use_caps| is not set, to avoid having the program call a capability-related syscall even when capabilities are not being used.

Bug: 27366428
Change-Id: Ifb797bc5f1a43adf4f9fa2fff3ef7d6f4bd9c958
/external/minijail/libminijail.c

d8c82052209904fba2b8b8cc46d15abd465a96f3
26-Feb-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Always call 'drop_caps'.

This follows the model used by 'drop_ugid' and 'set_seccomp_filter', and allows for the section of code where these functions are used to be significantly more legible.

Bug: 27366428
Change-Id: I72618340df65da20deca572ea8ff43a795423433
/external/minijail/libminijail.c

f9fcdbe67360c30a41b70c2f1271c0767eb073c9
20-Feb-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Add support for dropping capabilities from the bounding set.

Android daemons such as adbd need to drop capabilities from their bounding sets (to prevent processes they launch from gaining privileges through file capabilities), but not from their runtime (permitted|inheritable|effective) sets. Add support for this and rename some capability-related code to make things clearer.

While in there, fix a comment in the Android makefile.

Bug: 27274137
Change-Id: I7cab7e3302bb34cd7859b9621906391104bf6b4e
/external/minijail/libminijail.c

6c755d2e50ac66fff04148386c29fb851122422f
29-Jan-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Don't die() on bind mounts.

By the time we get to the removed lines, |mounts_head| will be valid in the parent (Minijail) process, but |flags.chroot| and |flags.pivot_root| will have been cleared by minijail_preexec(). The removed lines were then incorrectly aborting the process too early. The flags *will* be set in the minijail struct used by the child (jailed) process, so the bind mounts will happen correctly.

A follow-up CL will make sure |mounts_head| is never valid when both flags are cleared, so that we can correctly check for this.

While in there, fix a comment and an info() message.

security_Minijail0 now passes.

Bug: 25368607
Change-Id: I5ac85ee62560ba8957bdab3fc84689ed06d106f0
/external/minijail/libminijail.c

2b12ba490431f312099163c476d30fb39e9428d7
26-Jan-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Print an error when attempting to use bind mounts without chroot.

Bind mounts should be used with chroot or pivot_root. Print an error and exit when that's not the case. Clean up some comments and error messages while in there.

Bug: 26784268
Change-Id: I4e384a989e1aef5b2989c4f17e047a9ac7cadbc8
/external/minijail/libminijail.c

b8a5138a451e183debbce56f3fa031e1880ff901
26-Jan-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Add 'cgroups' flag.

Cgroups ended up being the only feature that doesn't have a flag. Fix that, and fix some comments while we're there.

Bug: 26782393
Change-Id: I83e56b6d7fb4a5668ffecc2b597902ee663fdab6
/external/minijail/libminijail.c

605ce7f5ccda3597305f7ca8e21ba16e254cf96c
20-Jan-2016
Dylan Reid <dgreid@chromium.org>
Add ability to put jailed process in cgroups

This adds an API that allows the jailed process to be added to a given cgroup. This API can be called repeatedly to add the process to many cgroups. The process will be added after fork but before it is exec'd.

BUG=b/26549867
TEST=set cgroups and inspect that pid is in tasks file
Change-Id: I87a9897c1dc741c726873e872eeae32692088979
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c

ce5b55eb48f276951b6c4d1bbfc667240c1e8f2f
13-Jan-2016
Dylan Reid <dgreid@chromium.org>
Separate child process sync from user namespace

Syncing the child and parent was only done so that the uid/gid maps could be set up. Make this more general so that the next commit can add setting of cgroups, which also wants to happen after the child forks but before the jailed process is run, similar to uid/gid map setting.

BUG=b/26549867
TEST=security_Minijail0
Change-Id: I81d512f351cfe459cd7af4c55263504d22b929fa
Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c

272e3ab72da543c3ed3cb1cf312e45796b149d19
13-Jan-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Fix Minijail build.

Remove 'static' qualifier from helper functions to fix the build.

Bug: None
Change-Id: I03cf18a415961ee6a32f05262b2925f6e5a8a8e5
/external/minijail/libminijail.c

c31391e80af7fbdb7fe06ac9bb99a85cb7542be0
13-Jan-2016
Jeffrey Vander Stoep <jeffv@google.com>
Merge "softfail on older kernels that lack seccomp support"

2885befc0941a8283846b83ef111dce6dd880159
12-Jan-2016
Jeff Vander Stoep <jeffv@google.com>
softfail on older kernels that lack seccomp support

Attempt to set up a seccomp filter. If seccomp is not supported on an Android device and the kernel version is < 3.8, fail softly, i.e. allow the process to run without seccomp protections.

Bug: 26435980
Change-Id: Ied6ac053908b6b0b81ba822621b1969bdedce4af
/external/minijail/libminijail.c

bc67f44aa22f8f31c3386409e6f3fd0fdcbcffbe
08-Jan-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Make set_supplementary_gids return 'void'.

After https://android-review.googlesource.com/#/c/195351 lands, no callers expect this function to return a result. Change the signature to avoid errors.

Bug: 26099611
Change-Id: Id9c80350a0ce1f80ce5b5691117e68e37dd6c10e
/external/minijail/libminijail.c

fd5fc562f3c609d13b80b6b93c381a3ba8dc92b0
08-Jan-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Make set_supplementary_gids abort on memory errors.

Consumers of this API usually cannot continue if this function fails, since not adding supplementary groups would prevent the caller from accessing resources. Simplify callers by aborting instead of returning an error. This will also prevent callers from forgetting to check the return value of the function and not actually setting supplementary groups when they expected to.

Once the callers are updated, we can change this function to return void.

Bug: 26099611
Change-Id: Ib470e913d734ab4eac01b2aef3cdd4922d98e15a
/external/minijail/libminijail.c

4b276a6c643cee568b9b623b1ce00fd41db9e8b9
07-Jan-2016
Jorge Lucangeli Obes <jorgelo@google.com>
Use prctl(PR_CAPBSET_READ) to get the last valid cap on Android.

Not all Android processes will have access to '/proc/sys/kernel/cap_last_cap', so use prctl() to get the last valid cap on Android.

Bug: 26217031
Change-Id: I7dffc8facca30a2e32c5c310c383e82a07b0519e
/external/minijail/libminijail.c

2860c4693ea5f40b44e4b2eb2f0b6970ffcd7f27
17-Dec-2015
Peter Qiu <zqiu@google.com>
Add support for resetting signal masks

By default, a child process will inherit signal masks (blocked signals) from its parent process. Once a signal is blocked, the child process will not be able to receive notifications for that signal. Some parent processes (such as system daemons implemented using brillo::Daemon) will block signals such as SIGTERM and SIGINT, so that they can use signalfd to monitor those signals instead. In this case, the child process will not be able to receive notification for these signals.

To fix it, allow the caller to specify a flag to indicate if the child process should reset the signal mask or not.

Bug: None
BUG=chrome-os-partner:47785
TEST=Manual test
Change-Id: I7d32c50e67af0dadbfeca8316f85b9a542e952c0
/external/minijail/libminijail.c

de02a5ba3578e0c3fb1d664d7109cd61e3d30e4c
12-Dec-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Fix marshaling for supplementary gid list.

We were not marshaling the supplementary gid list at all. While in there, make unmarshaling seccomp filters more robust.

Bug: 25870500
Change-Id: I8b7d832ae62eaa3d859863b3fdd7f9772732239f
/external/minijail/libminijail.c

43e29b3551479dd6d989b830eacd1abbd83592cc
09-Dec-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Add libminijail static library target.

This will be used for statically-linked binaries on Android. Also, fix the call to get_last_valid_cap() to only happen when we're dropping capabilities.

Bug: 26099386
Change-Id: I741390b6b356592ec9bdfe54b04d23feab5702aa
/external/minijail/libminijail.c

06940beabdb45d34cfaf9880eb8e793122c10abd
05-Dec-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Fix C99 declaration.

Bug: 26040155
Change-Id: I5779d447d0c4917b30093a435db680fe3f66c8b3
/external/minijail/libminijail.c

cac4fa70f4570bdac3c11196e1dc98bfdc68ef40
05-Dec-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Merge "Free 'suppl_gid_list'."

43a6a864491b6209192936d66d6a2e50e66deee2
04-Dec-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Fix some long lines.

Bug: None
Change-Id: I2364bf07991b2a5be23502cd011a6cc8d35471d6
/external/minijail/libminijail.c

e81a52f36e9d283ba162180136eb5ac81f37440c
05-Dec-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Free 'suppl_gid_list'.

Bug: 25870500
Change-Id: I20e4c87d303d6b2fb11b00b43c88536a6244fe18
/external/minijail/libminijail.c

f7a3868cc0f6fc8de945e4f9e9e6fcae5bf1e645
05-Dec-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Fix indentation.

Change-Id: Ibd7a20bd3e943b13499b084eefa7ec66bef66bb6
/external/minijail/libminijail.c

d16ac49c9866b94ea74dcdaff2a7ebc9d05246dc
03-Dec-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Allow setting supplementary GIDs directly.

This is used on Android where initgroups(3) is not applicable.

Bug: 25870500
Change-Id: I6bdf3342ac8bfc532d33bd0446af2801d1108461
/external/minijail/libminijail.c

c2ba9f5bf14b1e126efbf6c221dce2a93a01bc3a
01-Dec-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Use size_t for size-related variables.

Bug: 25870500
Change-Id: I42584ccd45c7c9390d9b5656831f4ba94ff27a4d
/external/minijail/libminijail.c

d0a6e2fd0748110336fc6b28bb6fbf0bdfe1ddfa
24-Nov-2015
Jorge Lucangeli Obes <jorgelo@google.com>
Remove unused Minijail flag and make multi-line comments consistent.

Bug: 25870500
Change-Id: Ic9306659ab2ae91c45a3062f08964ec8c0c15320
/external/minijail/libminijail.c

f794247e0413fe36759a2bdcaa5bdd75cf3163a2 |
|
19-Nov-2015 |
Dylan Reid <dgreid@chromium.org> |
minijail: Add option to enter a new IPC namespace Export this feature through the '-l' option to minijail0. TEST=run minijail0 with the -l option, check that the executed program is in a different ipc namespace with /proc/self/ns/ipc. BUG=b/25770648 Change-Id: Ia8f72cc59160fc736c8a58cb68d9894f9c92281c Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
|
eac2894b0b59ba1e33c3f173c00c26bdb0268afb |
|
12-Nov-2015 |
Andrew Bresticker <abrestic@chromium.org> |
minijail: Support setting syscall table with PR_ALT_SYSCALL Add support for setting the syscall table for a jailed process using prctl(PR_ALT_SYSCALL). This adds the option '-a <table>' which changes the jailed process's syscall table to the alt_syscall table named <table>. alt_syscall tables must be registered in the kernel (see crosreview.com/312137 for an example of how this is done). Bug: 25649436 TEST=Create a test blacklist that blocks write(2) and observe that 'minijail0 -a test -- /bin/echo hello' prints nothing to stdout. Change-Id: Idddafa1d0b81483a594e05d9d3390d4f9ad849c6 Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
/external/minijail/libminijail.c
|
648b220346aaee74ffbab35be6129bdfa5aca3a5 |
|
23-Oct-2015 |
Dylan Reid <dgreid@chromium.org> |
minijail: Add ability to specify mounts In addition to bind mounts, allow other mounts to be specified when running minijail. Expose this as a -k option to minijail0. This will allow for file systems such as proc, sysfs, and devpts to be mounted before taking away the permission to mount from the target program. For example "-k sysfs,/sys,sysfs,0xe" will mount /sys in the new vfs namespace. BUG=b/24976046 TEST=Mount sysfs, run a shell, check that sysfs is mounted. Change-Id: I9862e42e00ce76b1fab9cbac59c381f5270470ce Signed-off-by: Dylan Reid <dgreid@google.com>
/external/minijail/libminijail.c
|
6c7a45812a3fbd590a85bcc7fea84c614a851288 |
|
30-Oct-2015 |
Dylan Reid <dgreid@chromium.org> |
minijail: Remove has_bind_mounts API This was added for minijail0 and minijail0 no longer uses it. It hasn't had any users added in the week or so it's been merged, remove it. Change-Id: I1893b47fa2bd543718c98bb3bfcf23ed67566a01 Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
|
a14e08dad428aaa934687e3636a84ca7a9711de2 |
|
23-Oct-2015 |
Dylan Reid <dgreid@chromium.org> |
minijail: Allow static binaries in a bind mount to run A previous commit placed a restriction on running static binaries and using bind mounts. Remove that restriction by checking if the binary path is in a bind mount and rebasing the path on to the bind mount source path so that the executable can be accessed from outside the chroot. This is needed so bind mounts can be specified when running a statically linked init program for Android. BUG=b/25192613 TEST=security_Minijail0, run a static init with bind mounts. Change-Id: I801909df67c1bf18d48efcfd54c11aafe4c75e54 Signed-off-by: Dylan Reid <dgreid@google.com>
/external/minijail/libminijail.c
|
2034274edb55cf3717ca7fa49f614e69b0dc59c6 |
|
27-Oct-2015 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Remove warning suppressions. Bug: None Change-Id: Ie0a2a3f5c5817b3db3e8613da1ef4d1cc3505048
/external/minijail/libminijail.c
|
1102f5a58d539ed72defe40fcc1078840d1b3778 |
|
15-Sep-2015 |
Dylan Reid <dgreid@chromium.org> |
minijail: Support entering an existing net namespace. When launching a full OS as the jailed process, it is useful to first be able to configure a network namespace and start the new process in that namespace. This adds the "-e<net namespace file>" optional argument to -e. It allows, for example, passing "-e/var/run/netns/newns" to minijail0. Change-Id: I0613162072a1d14f10c58444c514f6d052c3d1e5 Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
|
360f3293dd53ed8ff4ded07587fb33002bc2b235 |
|
19-Oct-2015 |
Samuel Tan <samueltan@google.com> |
Merge "minijail: remove minijail_run_pid_pipe()"
|
383e91a4ac0c12d469538b4ab294e3f215f113f0 |
|
19-Oct-2015 |
Samuel Tan <samueltan@google.com> |
Merge "minijail: add minijail_run_pid_pipes_no_preload() API function"
|
63adc1ffaeeeb98d33522f5e2f68469a3e93b90f |
|
17-Oct-2015 |
Samuel Tan <samueltan@google.com> |
minijail: remove minijail_run_pid_pipe() Since all calls of minijail_run_pid_pipe() have been replaced by calls to minijail_run_pid_pipes(), remove the former function as it is unused. BUG: 24577038 Change-Id: I561fe4ab3ad7a78b05c67b1e1b56e761320603a2
/external/minijail/libminijail.c
|
63187f4d4d5748ee548d475b636d904915ed70ca |
|
16-Oct-2015 |
Samuel Tan <samueltan@google.com> |
minijail: add minijail_run_pid_pipes_no_preload() API function Add minijail_run_pid_pipes_no_preload() to the minijail API. This method is equivalent to minijail_run_pid_pipes(), except that LD_PRELOAD is not used. This function needs to be called on Android. BUG: 24577038 TEST: unit tests pass. TEST: manual test on minijail'd binary passes. Change-Id: I8067eee689c407501b18324fc378121ef28422fe
/external/minijail/libminijail.c
|
f682d47fc474d05fd78260faeb7863d4ded5153f |
|
18-Sep-2015 |
Dylan Reid <dgreid@chromium.org> |
minijail: Read the last valid cap value earlier. The maximum valid capability of the kernel is read from /proc. However since the ability to change mount namespaces and pivot root were added, /proc might not be available when running drop_caps. To allow capabilities to be dropped even if entering a new mount namespace, cache the last valid cap earlier and pass it to drop_caps. Change-Id: I7adc017f0cdaa242d9348495815bbb4e70a74463 Signed-off-by: Dylan Reid <dgreid@chromium.org>
/external/minijail/libminijail.c
|
efb697a502dea78f25b56121954683cd3229a6d3 |
|
13-Oct-2015 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Merge "Make Minijail work correctly with shared mounts."
|
805be39fcbce5eb1c827d8a9d59d0aa3748a1fd8 |
|
13-Oct-2015 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Make Minijail work correctly with shared mounts. This fixes some problems that appear when the system is booted with systemd. Systemd sets all mounts to shared. This means that when minijail0 creates a mount namespace, new mounts will propagate out of that namespace. This change fixes that by setting all mounts to private right after creating the new namespace. Also, when remounting /proc it unmounts it lazily, as a normal umount() may fail when shared mounts are enabled. More information about shared mounts: https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt (Original patch by Andrey Ulanov <andreyu@google.com> at https://chromium-review.googlesource.com/303158) Change-Id: I0ff5851dba32524bd6c4ad663b67826fb9be0485
/external/minijail/libminijail.c
|
46a550989f7b2c934dfdf43ef28e9018ad60bd31 |
|
13-Oct-2015 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Call chdir("/") after chroot in pivot_root. This change adds a chdir after chroot to avoid chroot breakouts. BUG=chromium:517844 TEST=getcwd() returns "/" instead of "(unreachable)/.../root" (Original patch by Luis Hector Chavez <lhchavez@google.com> at https://chromium-review.googlesource.com/#/c/304362/) Change-Id: If78f357636bcc1a3bfa71f377fef2ccc05b6dc0f
/external/minijail/libminijail.c
|
08946cc5dff65d4103268752f8fb2655119a826a |
|
17-Sep-2015 |
Dylan Reid <dgreid@chromium.org> |
minijail: Check correct executable file When the chroot and pivot_root options are used the path to the binary to put in jail is given relative to the new root. However the checks for the program existing and how it is linked were still done relative to the original rootfs. This "worked" as long as there was a similar file outside of the chroot. Add the ability to get the full path of the program from libminijail and use that path to check the file. This allows chrooting to a system that has init in / instead of /sbin. Don't try to check the binary if there are bind mounts specified. This avoids having to parse the mounts and check if the binary is in a bind mounted path. Change-Id: I2e3af14f5e8fd478963bcb56a3a6ae5908e78524 Signed-off-by: Dylan Reid <dgreid@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/300320 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
5471450610e34f115c4816d5e0e0f4da02def802 |
|
30-Sep-2015 |
Jorge Lucangeli Obes <jorgelo@google.com> |
minijail: Refactor dynamic and static code paths. This CL uses the same code path for both dynamic and static binaries. This way we avoid duplicating code, or forgetting to add functionality to either of the paths. BUG=chromium:537667 TEST=security_Minijail0 passes. Change-Id: Ia484180a041dad3c302c3c8ce8bfd5b41d758ccb Reviewed-on: https://chromium-review.googlesource.com/303380 Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org>
/external/minijail/libminijail.c
|
791f577a32e80c819c01c1866c355aa74e833462 |
|
15-Sep-2015 |
Dylan Reid <dgreid@chromium.org> |
minijail: Don't unmount proc if not mounted When switching into a new mount and a new pid namespace, as well as doing pivot_root, proc won't be mounted so leave it alone and let the new init process handle mounting it. Rename the readonly flag to remount_proc_ro which better reflects its meaning. This will aid in starting complete, containerized systems with minijail. Change-Id: Ice8f6d835b6417383c0cfb901ac737c3440dce55 Signed-off-by: Dylan Reid <dgreid@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/300154 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
e0a530ea900551cd3e1e2b5ee91c0f5ceae8248b |
|
08-Sep-2015 |
Yu-Hsi Chiang <yuhsi@google.com> |
minijail: use new_root as put_old in pivot_root(2) Instead of creating a temp directory '.minijail_pivot' for put_old, reuse the new_root as put_old. By doing this, we can use pivot_root even if we don't have write permissions in that directory. Since the old root is mounted over the new root, keep fds of both old and new root so that we can use 'fchdir' to move between them. The idea comes from lxc. https://github.com/lxc/lxc/commit/2d489f9e87fa0cccd8a1762680a43eeff2fe1b6e BUG=chromium:517844 TEST=security_Minijail0 passes Change-Id: Ie446ad1d2557239c17b1a876a73459eca6d2d2ed Reviewed-on: https://chromium-review.googlesource.com/297867 Commit-Ready: Nicolas Boichat <drinkcat@chromium.org> Tested-by: Nicolas Boichat <drinkcat@chromium.org> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
64d65a79d48186e1db532d227bc20123bf0d16cf |
|
13-Aug-2015 |
Yu-Hsi Chiang <yuhsi@google.com> |
minijail: Support pivot_root Add an option that allows user to use pivot_root(2) when one want to jail process in a chrooted environment. This implies entering a new mount namespace since pivot_root(2) will really move the root filesystem. BUG=chromium:517844 TEST=security_Minijail0 passes Change-Id: Ie990670703b00e333fa4abc3804d6384d36fa7c9 Reviewed-on: https://chromium-review.googlesource.com/293128 Commit-Ready: Yu-hsi Chiang <yuhsi@google.com> Tested-by: Yu-hsi Chiang <yuhsi@google.com> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
1912c5b5e88455e0a0c03fd375d232a498edd95d |
|
31-Aug-2015 |
Yu-Hsi Chiang <yuhsi@google.com> |
minijail: Support multiple range uid/gid mappings. Now minijail accepts multiple ranges of contiguous uid/gid mappings that are separated by commas. The commas are replaced by newlines before writing to map files. BUG=chromium:517387 TEST=security_Minijail0 pass Change-Id: I27d45480010b38e71b80837cc2299f180d77c4a1 Reviewed-on: https://chromium-review.googlesource.com/296270 Commit-Ready: Yu-hsi Chiang <yuhsi@google.com> Tested-by: Yu-hsi Chiang <yuhsi@google.com> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
3cc05eab4d956e9bb919ebe7a2166c987ba1d5bf |
|
11-Aug-2015 |
Yu-Hsi Chiang <yuhsi@google.com> |
minijail: Support writing child pid to file BUG=chromium:519154 TEST=security_Minijail0 passes Change-Id: Icedff5d86ef0c3dbf2933e763b0858cb79e5b08f Reviewed-on: https://chromium-review.googlesource.com/292342 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Nicolas Boichat <drinkcat@chromium.org> Trybot-Ready: Nicolas Boichat <drinkcat@chromium.org> Tested-by: Yu-hsi Chiang <yuhsi@google.com>
/external/minijail/libminijail.c
|
10e91239e3cff46a10dfbe0d0960926d9ab19c57 |
|
05-Aug-2015 |
Yu-Hsi Chiang <yuhsi@google.com> |
minijail: add user namespace support Since most of the operations can be done if we have |euid = 0| in the new user namespace, we enter a new user namespace and become root immediately after fork()/clone(). It is incompatible with -b and <writable> set to 0, since we are not able to remount bind mounts as readonly in a user namespace. BUG=chromium:517387 TEST=security_Minijail0 pass TEST=`minijail0 -m "0 1000 1" -M "0 1000 1" -- /usr/bin/touch t` TEST=file `t` has owner:group root:root in minijail TEST=and chronos:chronos outside minijail Change-Id: I48f888097be5211715c5a839eca6f8e43b9903dd Reviewed-on: https://chromium-review.googlesource.com/291200 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Yu-hsi Chiang <yuhsi@google.com> Commit-Queue: Nicolas Boichat <drinkcat@chromium.org> Trybot-Ready: Nicolas Boichat <drinkcat@chromium.org>
/external/minijail/libminijail.c
|
3e954eceba13f2e7547ada506a735f084108ea12 |
|
28-Jul-2015 |
Yu-Hsi Chiang <yuhsi@google.com> |
minijail: Add a new option to allow program run as pid 1. Add a new flag that indicates whether to fork or not when pid namespace is set, so that programs can be run as pid 1 inside a new pid namespace. BUG=chromium:350616 TEST=security_Minijail0 pass TEST=`minijail -I /bin/bash` then `echo $$` and get pid 1 Change-Id: Icc959b775e5fe6368c15a834e23ce3f2c119af41 Reviewed-on: https://chromium-review.googlesource.com/289440 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Yu-hsi Chiang <yuhsi@google.com> Tested-by: Yu-hsi Chiang <yuhsi@google.com>
/external/minijail/libminijail.c
|
34e227494fed804ebbc7054ef64472ab8c6d953b |
|
10-Sep-2015 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Use libcap on Android. Bug: 23787966 Change-Id: I8a7362e6551d55b473a7382665dc3e895bff9d56
/external/minijail/libminijail.c
|
5b7a318e9785d6ffe1698ecd73121befea77259f |
|
20-Aug-2015 |
Daniel Erat <derat@google.com> |
Use __ANDROID__ instead of __BRILLO__. __ANDROID__ is defined automatically by the toolchain. Bug: 23358460 Change-Id: Ieea8035dc1ad7d8dbdbe91936b364d8c15f447dc
/external/minijail/libminijail.c
|
1b21c8f101c47472ae8a9db2e9237c68e6d63795 |
|
22-Jul-2015 |
Yabin Cui <yabinc@google.com> |
Use getgrnam_r. Bug: 22568551 Change-Id: I3868897097b594b49f19946b18c52b17cd7975b5
/external/minijail/libminijail.c
|
a21c8fc135523df5bbd4523b36096dff6e8ade4a |
|
16-Jul-2015 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Add 'Android.mk' file, fix compile on Android. This requires disabling LDPRELOAD and temporarily disabling capabilities support. Reland of https://android-review.googlesource.com/#/c/159755/ with compile fixes. Compile-tested on aosp_{x86,x86_64,arm,arm64,mips64}-eng. Bug: 22487289 Change-Id: Ia4530cf09b074aa0a2afe5a5b307ff3c5c5d6c08
/external/minijail/libminijail.c
|
20ac22848f02ab78c2be42367722afc204d9774e |
|
18-Jul-2015 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Revert "Add 'Android.mk' file, fix compile on Android." Fails compile on x86_64, arm64, mips64. Failures have been identified, will re-upload on Monday. This reverts commit b9a322d86635c5b1358af0d46a8be1021f4ddb60. Change-Id: I14b35a3aae618da4ff108328a499505893c15568
/external/minijail/libminijail.c
|
b9a322d86635c5b1358af0d46a8be1021f4ddb60 |
|
16-Jul-2015 |
Jorge Lucangeli Obes <jorgelo@google.com> |
Add 'Android.mk' file, fix compile on Android. This requires disabling LDPRELOAD and temporarily disabling capabilities support. Bug: 22487289 Change-Id: I27476d09605076b000d302f354e49ab17dc96a93
/external/minijail/libminijail.c
|
3c84df1c18b410cb33da3c9df010b59f960785a9 |
|
15-May-2015 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
minijail: Set new process group ID. By setting a new process group ID (PGID) in Minijail, we can then kill both the Minijail process and the jailed process. Before, daemons like debugd were killing only the Minijail process, which doesn't stop the jailed process. BUG=chromium:486219 TEST='minijail0 -- /usr/bin/yes' TEST='ps axj' shows |minijail0| and |yes| with the same PGID. Change-Id: Ibc82948aeedd560c08c182194723ccd53ec9b764 Reviewed-on: https://chromium-review.googlesource.com/271327 Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Samuel Tan <samueltan@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
d613ab2f0968cca1e377f506728a36b961ac157e |
|
03-Mar-2015 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
minijail: Make copyright headers consistent. BUG=None TEST=Compiles Change-Id: I7bff77f83b821cc0ab84f498b6d77cdbfa2286a7 Reviewed-on: https://chromium-review.googlesource.com/255609 Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Lee Campbell <leecam@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
3901da6e0bd4c709dda5506b5bb28177aca31abe |
|
03-Mar-2015 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
minijail: Allow tmpfs /tmp mount without a chroot. There's no need to require a chroot to mount a clean tmpfs /tmp. Also, halve the size of the tmpfs to 64M. BUG=brillo:439 TEST=Unit tests, security_Minijail pass. TEST='minijail0 -u nobody -g nobody -t -- mount' shows tmpfs mount. Change-Id: Iee84160cee0487a0e7e0807b64ba54f6b3980e83 Reviewed-on: https://chromium-review.googlesource.com/255650 Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org> Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Lee Campbell <leecam@chromium.org>
/external/minijail/libminijail.c
|
e6bd8cc9ec47646b22902e004fb615c72278ab0c |
|
09-Jan-2015 |
Mike Frysinger <vapier@chromium.org> |
Revert "minijail: When pid-namespacing, init should be session leader" This reverts commit 552cb1a2c2cc2fca6303fe70eb7cd578b3434d60. The setsid behavior in the non/-i case causes some signal behaviors that we don't really want (like being able to send signals starting at the parent). Let's revert until we can sort out the nuances here. BUG=None TEST=`./minijail0 -p sleep 600` & hitting CTRL+C kills the whole process tree Change-Id: I47b36d633608a92d20337ca7791c23b6bade07e0 Reviewed-on: https://chromium-review.googlesource.com/239865 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org>
/external/minijail/libminijail.c
|
67546a0f5508cd1d5fe89f7505ab1c6f14c23eda |
|
06-Jan-2015 |
Chris Masone <cmasone@chromium.org> |
minijail: When pid-namespacing, init should be session leader When running a jailed process, the init process should take the role of process group and session leader -- otherwise calls to check these values for processes in the namespace may get 0 (as the actual leader is a process outside the namespace). BUG=None TEST=minijail0 -p /sbin/session_manager Change-Id: I35dc7c5ba63db57e64ad6c05018403d4b535922d Reviewed-on: https://chromium-review.googlesource.com/238849 Trybot-Ready: Chris Masone <cmasone@chromium.org> Tested-by: Chris Masone <cmasone@chromium.org> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Chris Masone <cmasone@chromium.org>
/external/minijail/libminijail.c
|
0ef8a661dc17479d0e0cee211c53ed557543809f |
|
19-Aug-2014 |
Utkarsh Sanghi <usanghi@chromium.org> |
minijail: add seccomp softfail option Minijail now softfails when seccomp is not implemented by the OS. However if the USE_seccomp flag is defined, minijail still hardfails. BUG=chromium:368071 TEST=Manual: compiled with and without USE flag. CQ-DEPEND=CL:212960 Change-Id: If2b58ddd5ce51a357bda325d32fe2b3dac6df11f Reviewed-on: https://chromium-review.googlesource.com/212919 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Utkarsh Sanghi <usanghi@chromium.org> Commit-Queue: Utkarsh Sanghi <usanghi@chromium.org>
/external/minijail/libminijail.c
|
1563b5b904547ab89dc3193f463c57002b7a28f2 |
|
10-Jul-2014 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
minijail: Add support for entering an existing VFS namespace. Also, fix the Makefile while in there. BUG=chromium:376987 TEST=security_Minijail0 CQ-DEPEND=CL:209242 Change-Id: I18877211549500cbb720805a2480b1cb3244c1e9 Reviewed-on: https://chromium-review.googlesource.com/209240 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
2f61ee42b3c305ed99bf495af41b05ff5aa93213 |
|
16-Jun-2014 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Fix more style issues. BUG=None TEST=unit Change-Id: I89f7288e9b3226273232d99f1c0176b69ce3b300 Reviewed-on: https://chromium-review.googlesource.com/203971 Reviewed-by: Lee Campbell <leecam@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
c8b21e1a37d1c81f4331011999c30f6e5aef4dca |
|
13-Jun-2014 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Fix coding style issues. BUG=None TEST=Compile Change-Id: Ic4515367a4b05be8410596c5159e4c6ddab8e798 Reviewed-on: https://chromium-review.googlesource.com/203719 Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Lee Campbell <leecam@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
1e4fc6aa398673096ed202fccee8be977f9e3c2b |
|
07-Jun-2014 |
Lee Campbell <leecam@chromium.org> |
Allow minijail to run statically linked targets minijail will now detect static targets and sandbox them BUG:chromium:355109 TEST=Tested with autotest security_Minijail0 on arm and x64 Change-Id: I4c38f652207c5c50158449f952b14e9402e17751 Reviewed-on: https://chromium-review.googlesource.com/203013 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Lee Campbell <leecam@chromium.org> Commit-Queue: Lee Campbell <leecam@chromium.org>
/external/minijail/libminijail.c
|
11af0628754be91d2db5bbc3619dcd717559a85c |
|
22-May-2014 |
Lee Campbell <leecam@chromium.org> |
Allow mounting of a tmpfs /tmp in the chroot Added the -t option to minijail so a tmpfs can be used in the chroot BUG=chromium:356246 TEST=Tested with autotest security_Minijail0 CQ-DEPEND=CL:201147 Change-Id: I660629a8b8fa1c2bf4fc59d2499ff806aa280449 Reviewed-on: https://chromium-review.googlesource.com/201133 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Lee Campbell <leecam@chromium.org> Commit-Queue: Lee Campbell <leecam@chromium.org>
/external/minijail/libminijail.c
|
18d1eba3361767fa24ffdb696eca8643faa71816 |
|
18-Apr-2014 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Fix error reporting when sandboxed process is signaled. BUG=None TEST=Unittests pass. TEST=security_Minijail_seccomp passes on leon. TEST=/usr/bin/yes; killall yes; echo $? prints 143. TEST=minijail0 -- /usr/bin/yes; killall yes; echo $? prints 143 (not 253). TEST=minijail0 -S /dev/null -- /usr/bin/yes; echo $? prints 253. Change-Id: I62f779da9b5b3a61f6aff4c9855e5b73669c9efe Reviewed-on: https://chromium-review.googlesource.com/195627 Reviewed-by: Nam Nguyen <namnguyen@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
4ae30cc2874b9fb1bb141e92e0be7cde48cfaf0f |
|
11-Apr-2014 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Clarify comments around minijail_pre{enter|exec}(). I was investigating Minijail behaviour with static binaries and it took me a while to figure out what was happening where. Document preenter/preexec functions better and move them closer to the flags they track. This way if we add a new flag in the future we'll also track it in minijail_pre{enter|exec}(). BUG=None TEST=unit, security_{Minijail0|Minijail_seccomp} on leon. Change-Id: I67e1e233b0fa0df2dcd97ad397187a7dc791a0c3 Reviewed-on: https://chromium-review.googlesource.com/194200 Reviewed-by: Kees Cook <keescook@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
4e48065390a71f32d8b3ea00fc663579cbea1651 |
|
26-Mar-2014 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Fix minijail_change_{user|group} with invalid users/groups. BUG=chromium:356736 TEST='minijail0 -u <invalid> -- /usr/bin/id' fails. TEST='minijail0 -g <invalid> -- /usr/bin/id' fails. Change-Id: I0e1a35f5c582060bade53edb7cfda3eb1892d83c Reviewed-on: https://chromium-review.googlesource.com/191701 Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Nam Nguyen <namnguyen@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
c420a26f8fcab8877398ef557c42dac7b8b586ee |
|
12-Jun-2013 |
mukesh agrawal <quiche@chromium.org> |
minijail: add child PID to log messages BUG=chromium:248792 TEST=unit tests, manual Manual test ----------- - gmerge chromeos-minijail - reboot - connect to GoogleGuest - pkill -STOP wpa_supplicant - egrep "child process [0-9]+ exited" /var/log/messages Change-Id: I44923c38f924133ab45700653042c27491d466ba Reviewed-on: https://gerrit.chromium.org/gerrit/58277 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: mukesh agrawal <quiche@chromium.org> Commit-Queue: mukesh agrawal <quiche@chromium.org>
/external/minijail/libminijail.c
|
3adfef722eabb95977d7d92f4789666878d1dd32 |
|
09-May-2013 |
Mike Frysinger <vapier@chromium.org> |
capabilities: extract the max cap from the runtime system The cap_valid() macro checks against a max define hardcoded at build time from the kernel headers. The runtime kernel might have a different max value which means this code doesn't work exactly as we want. For example, if you build against linux-3.8 headers but boot with a 3.4 kernel, the kernel headers know about 36 caps while the runtime kernel only knows about 35. When this minijail code tries to drop capset 36, it dies because the kernel returns EINVAL. Conversely, if you were to build against linux-3.4 headers but boot a 3.8 kernel, minijail would know to drop caps up through 35, but that 36 would remain in place. Typically these scenarios don't happen, but as people develop/test things, it's not unreasonable to try these out (think testing newer kernel headers or booting kernel next). As such, suck up the max value at runtime via /proc and use that instead. BUG=None TEST=built against linux-3.8 headers and booted a linux-3.4 kernel; minijail no longer aborts (networking works), and some logging added to the kernel shows it running PR_CAPBSET_DROP for [0, 35] since the runtime kernel max is 35 (even though the compiled headers say 36). Change-Id: Ie9aec101263402a3e147e85caf1e8bda78008aa3 Reviewed-on: https://gerrit.chromium.org/gerrit/50702 Reviewed-by: Kees Cook <keescook@chromium.org> Commit-Queue: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org>
/external/minijail/libminijail.c
|
6c0863036842df03a681307d2da84d2b0f7f908f |
|
20-Mar-2013 |
Elly Fong-Jones <ellyjones@chromium.org> |
[minijail] support network namespacing Add a -e argument to minijail0 to network-namespace the target program. BUG=None TEST=adhoc $ minijail0 -e `which ping` 4.2.2.1 connect: Network is unreachable $ minijail0 `which ping` 4.2.2.1 <ordinary output...> Change-Id: Ie58ff1ec1e1ec21987734b86cbabb1118c7e0bf0 Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/46035 Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
339a113245ee553ffe0c17024fdd894a541b8fbd |
|
16-Feb-2013 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Allow reading the jailed process' stdout and stderr. Also fix some nits while in there. BUG=None TEST=libminijail_unittest on alex and lumpy. Change-Id: I1bd227f196618d275da6e5da4ce91e90a370baa2 Reviewed-on: https://gerrit.chromium.org/gerrit/43460 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
e5609acdef8b6634be1fa81756a4ad188b0c69f0 |
|
06-Feb-2013 |
Kees Cook <keescook@chromium.org> |
capabilities: correct the <<-operator width everywhere The <<-operator here needs to always be 64bit, so use a variable instead of trying to pick the right bit width, which will be arch-sensitive. BUG=chromium-os:38643 TEST=link and daisy build, both pass security_Minijail Change-Id: Ifab3037bf74f09256924993a8e91315b4b0ac998 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/42806 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
323878a2faabdd6a34327718120bb410bbf8edd2 |
|
06-Feb-2013 |
Kees Cook <keescook@chromium.org> |
capabilities: make sure that CAP_SETPCAP is cleared When we didn't require CAP_SETPCAP, make sure we drop it when we're finished manipulating the bounding set. Additionally, fixes the capability bit tests for caps larger than 32-bits. The compiler didn't know to warn about the potentially out-of-range <<-operator usage. BUG=chromium-os:38643 TEST=link build, security_Minijail0 passes, verified CAP_SETPCAP is missing: `minijail0 -c 0 /bin/cat /proc/self/status | grep CapEff` is all zeros `minijail0 -c 1 /bin/cat /proc/self/status | grep CapEff` is 1 Change-Id: I7c0722c3bc775164486ff9628fc0c2005ae9275d Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/42670 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
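The three capability commits above fit together: read the running kernel's cap_last_cap (and do it before /proc may disappear behind a new mount namespace), build the capability mask with a 64-bit shift, and clear CAP_SETPCAP only once the bounding set has been trimmed. The following is an added example, not Minijail's code (which uses libcap for the process's own capability sets); keep_mask and the helper names are mine, and narrowing the permitted and effective sets after the bounding-set loop is left to the caller.

```c
#include <errno.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>

/* Parse the decimal value in /proc/sys/kernel/cap_last_cap. Anything that is
 * not a single number in 0..63 is rejected, so a garbled read can never widen
 * the set of capabilities that are left in place. */
static int parse_last_cap(const char *text)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(text, &end, 10);
	if (errno || end == text || (*end != '\0' && *end != '\n'))
		return -1;
	return (v < 0 || v > 63) ? -1 : (int)v;
}

/* Ask the running kernel for its last capability instead of trusting the
 * CAP_LAST_CAP the binary was built against. Call this before entering a new
 * mount namespace, after which /proc may no longer be visible. */
static int get_last_valid_cap(void)
{
	char buf[32];
	FILE *f = fopen("/proc/sys/kernel/cap_last_cap", "r");
	int cap = -1;

	if (!f)
		return -1;
	if (fgets(buf, sizeof(buf), f))
		cap = parse_last_cap(buf);
	fclose(f);
	return cap;
}

/* The shift operand must be 64-bit on every architecture: "1 << cap" is an int
 * shift and is undefined for cap >= 32, which is exactly where newer caps live. */
static uint64_t cap_bit(int cap)
{
	uint64_t one = 1;
	return one << cap;
}

static int cap_in_mask(uint64_t mask, int cap)
{
	return (mask & cap_bit(cap)) != 0;
}

/* Remove every capability not in keep_mask from the bounding set. CAP_SETPCAP in
 * the effective set is what authorises PR_CAPBSET_DROP; it is dropped from the
 * bounding set last, and only when the caller did not ask to keep it, matching
 * the "finish with the bounding set, then clear it" order in the commit above.
 * The caller must still remove it from its own permitted/effective sets. */
static int drop_bounding_set(uint64_t keep_mask, int last_valid_cap)
{
	int cap;

	for (cap = 0; cap <= last_valid_cap; cap++) {
		if (cap == CAP_SETPCAP || cap_in_mask(keep_mask, cap))
			continue;
		if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
			return -errno;
	}
	if (!cap_in_mask(keep_mask, CAP_SETPCAP) &&
	    prctl(PR_CAPBSET_DROP, CAP_SETPCAP, 0, 0, 0) < 0)
		return -errno;
	return 0;
}

int main(void)
{
	int last = get_last_valid_cap();

	if (last < 0) {
		perror("cap_last_cap");
		return 1;
	}
	printf("runtime last cap %d, header CAP_LAST_CAP %d\n", last, CAP_LAST_CAP);
	/* Example policy: keep only CAP_NET_ADMIN. Needs CAP_SETPCAP to succeed. */
	if (drop_bounding_set(cap_bit(CAP_NET_ADMIN), last) < 0) {
		perror("PR_CAPBSET_DROP");
		return 1;
	}
	return 0;
}
```

On a mismatch between headers and kernel the two numbers printed differ, which is the scenario the "extract the max cap from the runtime system" commit describes: looping to the header's value on an older kernel makes PR_CAPBSET_DROP fail with EINVAL, while looping to a smaller header value on a newer kernel silently leaves the top capability in the bounding set.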
1530b746a595d0ce1a3558d98774c0077e50ee98 |
|
11-Dec-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Add exit status reporting to Minijail. Things that can fail in the child process before Minijail exec()'s the sandboxed binary are already logging errors, so this will clarify what's going on with 'dhcpcd'. BUG=chrome-os-partner:16569 TEST=minijail0 -- <something with a non-zero exit code> Change-Id: I88530af2e9a0fc77c002b672d5a1c334ec7506e6 Reviewed-on: https://gerrit.chromium.org/gerrit/39568 Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
eee3155a563aa34d1dc58a625bdc59a577271adb |
|
18-Oct-2012 |
Lei Zhang <thestig@chromium.org> |
Make it easier to build libminijail on Chromium Linux. - Move libsyscalls.gen.c generation code out of the Makefile and into a script. - Add SECURE_ALL_* defines for systems that do not have linux/securebits.h. BUG=chromium-os:35482 TEST=FEATURES=test emerge chromeos-minijail Change-Id: I922c579f1fcf09db2379659dbde737f246200e51 Reviewed-on: https://gerrit.chromium.org/gerrit/35928 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> Commit-Ready: Lei Zhang <thestig@chromium.org> Tested-by: Lei Zhang <thestig@chromium.org>
/external/minijail/libminijail.c
|
6537a568125667e8db44a0af38fd04fc8fd07ef7 |
|
05-Sep-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Minijail: Fix indentation in libminijail.c
BUG=None
TEST=unit
Change-Id: I5ad33ea09e6278eccad2982d262e6d4ef76832b9
Reviewed-on: https://gerrit.chromium.org/gerrit/32242
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
df4bd3548059113808f589a62b0bc2f832be6c40 |
|
30-Aug-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Minijail: allow writing to the child process' standard input.
BUG=chromium-os:33983
TEST=libminijail_unittest
TEST=security_Minijail0
Change-Id: Ic2373127b3bca6a4a4a05ffcbc48b486cb5eb4a6
Reviewed-on: https://gerrit.chromium.org/gerrit/31779
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
6201cf5ab4a71c2faa61f61a2e5553a04db3c730 |
|
23-Aug-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Minijail: with no_new_privs, drop privileges before setting seccomp filter.
BUG=chromium-os:32619
TEST=unit
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive
Change-Id: I88d5e8b441871bf92f108ff4bb1db27940b51240
Reviewed-on: https://gerrit.chromium.org/gerrit/31238
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
bda833cbcee330eab91561a9b50b6bc24c47f2e9 |
|
01-Aug-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Minijail: add logging for seccomp filter failures.
BUG=chromium-os:33361
TEST=unit tests
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive
Change-Id: I16cdb8fbcf1cb13f2dee5521f97fb8d0bdbdf93b
Reviewed-on: https://gerrit.chromium.org/gerrit/29053
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
a6b034dedfb1109adcd88eb1bcea15a29067824c |
|
08-Aug-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Minijail: extract utility functions.
Extract utility functions and add them, together with logging, to a separate util.(c|h) file.
BUG=chromium-os:33361
TEST=unit tests
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive.
Change-Id: Ied436a7b27f14ef87198b7bf007634b28cbbd480
Reviewed-on: https://gerrit.chromium.org/gerrit/29492
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
224e4275abc940fa96d8cf8eec69a052957aa7e1 |
|
02-Aug-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Refactor logging in Minijail.
That way, the syscall filtering module can log to syslog without duplicating code. While I'm at it, make naming more consistent.
BUG=None
TEST=unit
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive
Change-Id: I7102ca22f49dd7e5bb56bf2997d0d83cb0507e83
Reviewed-on: https://gerrit.chromium.org/gerrit/29080
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
1c888ae015df417adcebb78035360cac94c21da2 |
|
31-Jul-2012 |
Elly Jones <ellyjones@chromium.org> |
[minijail] document use of NO_NEW_PRIVS
TEST=None
BUG=None
Change-Id: If95c0aea1f9dcc2f1c990678b4e85289afc841cf
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/28818
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
a05d7bbb4072142e2bfb34310ad08c9dfb1ebbbf |
|
14-Jun-2012 |
Elly Jones <ellyjones@chromium.org> |
[minijail] don't forget to enter pid namespace
minijail_preexec() clears the pid namespace flag. Oops.
BUG=chromium-os:31862
TEST=adhoc,security_Minijail0
minijail0 -p /bin/ps should show ps as pid 2
Change-Id: I269805d0efb1d7c768420d3708ae1e93c6fa6a31
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/25300
Reviewed-by: Jim Hebert <jimhebert@chromium.org>
/external/minijail/libminijail.c
|
761b74101442568efb4f35ef0d9e8c98bfa5d350 |
|
13-Jun-2012 |
Elly Jones <ellyjones@chromium.org> |
[minijail] handle non-namespaced multithreaded use.
Multithreaded use of pid namespaces is still broken; see the block comment in </libminijail.c>.
BUG=None
TEST=build
Change-Id: Ibeb9434146a231fd2fd7468572e4fec28a1c1b60
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/25234
Reviewed-by: Mike Frysinger <vapier@chromium.org>
/external/minijail/libminijail.c
|
474ee71b9a15c50877b87affc7d857681c29e7eb |
|
02-May-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Re-enable setting seccomp filters in Minijail.
Now that all the bits have landed, re-enable setting seccomp filters in Minijail.
BUG=chromium-os:27878
TEST=security_Minijail0
TEST=security_Minijail_seccomp
TEST=platform_CrosDisksArchive
Change-Id: I13aae50a4d172443170e7fbf4bfc84812a424b65
Reviewed-on: https://gerrit.chromium.org/gerrit/21655
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
c2c9bccd546e44aac8919352261fd6ac59f3855b |
|
01-May-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Add API for PR_SET_NO_NEW_PRIVS and set seccomp filter before dropping root.
BUG=chromium-os:27878
TEST=minijail_unittest, syscall_filter_unittest
TEST=security_Minijail0
TEST=security_Minijail_seccomp
Change-Id: I78495fda8c14ca5b4f398806eb564b0756876735
Reviewed-on: https://gerrit.chromium.org/gerrit/21545
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
524c04005b26aa15b004ac55aceefdc654893e66 |
|
17-Jan-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Integrate BPF seccomp_filters to Minijail.
BUG=chromium-os:25429
BUG=chromium-os:27878
TEST=security_Minijail_seccomp
CQ-DEPEND=I13a9b22ac8d55f02d5a77b5beedb955386b63723
Change-Id: I5fa8f40b9a539a61d69439cad778c926fc934cb1
Reviewed-on: https://gerrit.chromium.org/gerrit/19527
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
2343d8319c9f9816e495f9359ba4420ef8b93de0 |
|
26-Apr-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Temporarily disable setting seccomp filters in Minijail.
To make merging the BPF-based seccomp filter implementation easier, turn off setting seccomp filters in Minijail. Add a flag ("-F") to force setting seccomp filters.
BUG=chromium-os:27878
TEST=security_Minijail0 still passes.
Change-Id: I1948223f2292cf5c059bf50f69fd0b4e42ec39a2
Reviewed-on: https://gerrit.chromium.org/gerrit/21170
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
9807d034da0258d58eed33156c04187f58fd0ce5 |
|
17-Apr-2012 |
Jorge Lucangeli Obes <jorgelo@chromium.org> |
Add minijail_run_pid() to return the pid of the jailed child process.
This is needed when sandboxing processes whose pid's are needed by the parent process (starting with dhcpcd and shill).
BUG=None
TEST=security_Minijail0 still works.
Change-Id: I3e6c5b19b9c7e70aea8230e6c1395097fb697b4f
Reviewed-on: https://gerrit.chromium.org/gerrit/20413
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
/external/minijail/libminijail.c
|
dd3e851898b44b2b6e36eed12066a65adfd60efe |
|
23-Jan-2012 |
Elly Jones <ellyjones@chromium.org> |
[minijail] document an apparent use-after-free
BUG=None
TEST=build
Change-Id: I093b2b1bac45aa224ea742c70853f4cc7176cca7
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14627
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
e58176c07895532d49b4cb9a660a4eeb644d4e2f |
|
23-Jan-2012 |
Elly Jones <ellyjones@chromium.org> |
[minijail] pid namespace implies vfs namespace
Make a pid namespace imply both a new vfs namespace and a /proc remount, since if we don't remount /proc, the old pid namespace is still reachable through the old mount there.
BUG=chromium-os:25303
TEST=security_Minijail0
Change-Id: I91887d3ed6bc0e958e249c3c158735bc04f20fcd
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14617
Reviewed-by: Kees Cook <keescook@chromium.org>
/external/minijail/libminijail.c
|
a1059630647ed53a77726d9031dda0eab48bc1a4 |
|
15-Dec-2011 |
Elly Jones <ellyjones@chromium.org> |
minijail0: honor readonly bind mounts
linux-kernel commit 2e4b7fcd926006531935a4c79a5e9349fe51125b introduced support for readonly bind mounts, but you can't just supply MS_RDONLY along with MS_BIND; you have to construct an MS_BIND mount first, then do another mount with MS_REMOUNT | MS_RDONLY.
BUG=None
TEST=platform_Minijail0
Change-Id: I1a8e2c603589b2eddcdb7a6d87059fabe17c60ba
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/13000
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
6ac9112378c716d6c1de2952bb971728b0655616 |
|
21-Oct-2011 |
Will Drewry <wad@chromium.org> |
Makefile, libminijail: Invert symbol visibility to allow sane unittesting
libminijail.c contains many helpers that are marked static. For instance, consumestr and consumebytes are both static yet eminently unittestable. The options for testing are as follows:
1. Replace "static" with a "private" or "protected" macro which we undefine during testing.
2. #include "libminijail.c" into the unittests to avoid visibility challenges.
3. Change default visibility to internal for all functions and data then invert it during unittesting.
I chose #3. It also has the benefit of creating an optimally stripped binary and shared object. Using 'internal' visibility also lets the linker perform more optimizations. Feedback on this approach is very welcome. In the past, I've chosen approach #2, but that seems wrong for at least a couple of reasons.
TEST=build, run readelf -s in all the output. .so should show LOCAL for all internal functions and on executables, private functions should show INTERNAL. Running strip --unneeded should remove all of the private linkage which can be checked with readelf -s again
BUG=none
Change-Id: Ifb1f02b4505f2f25d824c067748054520c39d3bf
Reviewed-on: https://gerrit.chromium.org/gerrit/10540
Commit-Ready: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
bee7ba7f2cd6168f60f51dd0ce3ac8961b4cc25a |
|
22-Oct-2011 |
Will Drewry <wad@chromium.org> |
libminijail.c: fix dangling pointer evaluation on unmarshal error
If minijail_unmarshal fails, the process will still need to call minijail_destroy to free up any allocated memory. The unmarshalling function exits immediately on error. That property means that some stale pointers may still exist. This change adds pointer clearing on error and fixes a minor memory leak of the chrootdir.
BUG=none
TEST=compiles and running ./libminijail_unittest passes. Still need to run the autotest suite on it.
Change-Id: I47518130aef7f4a14e5da475ed6a84c2d1490940
Reviewed-on: https://gerrit.chromium.org/gerrit/10535
Commit-Ready: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
a8d1e1b685840bce77d4d32cb4cd52e25e5e1763 |
|
21-Oct-2011 |
Elly Jones <ellyjones@chromium.org> |
minijail0: unbreak chroot and marshalling
1) Parse opts for chroot and bind
2) Serialize/deserialize chroot properly
BUG=chromium-os:21665
TEST=security_Minijail0
Change-Id: Ic99a40718a9c3ff72561f518179155fb502eef96
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/10507
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
1d697933d1f5c07c0cbad6a79118e67e6e043881 |
|
14-Oct-2011 |
Ben Chan <benchan@chromium.org> |
libminijail: Fix minijail_parse_seccomp_filters to ignore comment lines.
Also fixes minijail_parse_seccomp_filters to report the correct line number of an invalid line in a policy file.
BUG=chromium-os:21690
TEST=Manually tested the following cases:
1. A comment line that starts with '#' but contains no ':' is ignored.
2. A comment line that starts with '#' and also contains ':' is ignored.
3. The line number of invalid filter lines are reported correctly.
4. Valid filter lines are parsed correctly.
Change-Id: Iadacfae6c0b6c03fcf44e7e419d2635cb849e7a1
Reviewed-on: http://gerrit.chromium.org/gerrit/10104
Reviewed-by: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
/external/minijail/libminijail.c
|
51a5b6c7f464100cea4c79f737fab2e582904135 |
|
13-Oct-2011 |
Elly Jones <ellyjones@chromium.org> |
minijail0: add chroot support.
Support a -C commandline option to chroot(), and a -b commandline option to bind-mount paths into the chroot from outside.
BUG=chromium-os:21165
TESTED_ON=kaen
TEST=None yet
Change-Id: Ia6a7a4498968a4bc6a12f8274fdb8c4be9d23ca4
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8661
Reviewed-by: Kees Cook <keescook@chromium.org>
/external/minijail/libminijail.c
|
e1749eb93a119bf03b5b033d74c541dbb45be00e |
|
07-Oct-2011 |
Elly Jones <ellyjones@chromium.org> |
minijail0: convert to linux style
Used indent(1) with --linux-style, then manual cleanup.
BUG=None
TEST=None
Checkpatch: ok
Change-Id: I52dbd329215680e9d42ce4f11df110cf2f341e90
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8732
Reviewed-by: Kees Cook <keescook@chromium.org>
/external/minijail/libminijail.c
|
e805d37c95696e080dc421fe777df80c8f569fdb |
|
28-Sep-2011 |
Kees Cook <keescook@chromium.org> |
libminijail: pass-through errno should be negative
The errno values in the rest of libminijail use negative errno values. This makes sure that the passed-through errno values are negative as well.
BUG=chromium-os:20903
TEST=Built for x86-alex and did a full image build & boot, ran okay as:
sudo minijail0 -pu chronos /bin/ls
and correctly failed (exit code 253) with:
sudo minijail0 -S /dev/null /bin/ls
Change-Id: Ifac27468a21820ae342522c749c76f2045b630c3
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8394
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
eb300c59634e8504d3e28fce7b9992fe12c058e7 |
|
22-Sep-2011 |
Elly Jones <ellyjones@chromium.org> |
minijail0: make jail_change_{user,group} reentrant.
TEST=security_Minijail0
BUG=chromium-os:18473
Change-Id: I5b0aa360fa6196df0bc6cff16dbb8ba8cb23e2a9
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8144
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
/external/minijail/libminijail.c
|
c6c8643ae97b58dbbf0c36aaaec586a764d5396f |
|
18-Sep-2011 |
Will Drewry <wad@chromium.org> |
libminijail: only clear supplemental groups on user/group change
minijail should be runnable by an unprivileged user. This change allows that to be true.
BUG=chromium-os:19459
TEST=minijail -S somepolicy /bin/ls (need to test transitions still)
Change-Id: Ib540953ae2435414b3d3adbadb68238962f5c0ff
Reviewed-on: http://gerrit.chromium.org/gerrit/7912
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
f89aef580a713810a788d7e5ccf2e030696b6847 |
|
16-Sep-2011 |
Will Drewry <wad@chromium.org> |
libminijail: add seccomp_filter support to LD_PRELOAD + cleanup
This change adds seccomp_filter support to minijail properly instead of requiring expanded scope needed for execve(2)ing the child process. Now the policy for cat(1) can be as small as follows.
minijail-cat.policy:
read: fd == 3
write: fd == 1 || fd == 2
fstat64: 1
open: flags == 0x8000
close: 1
munmap: 1
exit_group: 1
Some additional code was moved around as a side effect of cleaning this up. I can split it out if desirable.
BUG=chromium-os:19459
TEST=Manual tests (for now)
# minijail0 -S minijail-dash-cat.policy -- /sbin/minijail-0 -S minijail-cat.policy -- /bin/cat /proc/self/seccomp_filter
... emits the policy for cat at the top with inherited: 0 and the original policy below as inherited. ...
# minijail0 -S minijail-cat.policy -- /bin/cat /proc/self/seccomp_filter
Mode: 13
Enabled: 1
Inherited: 0
252 (sys_exit_group): 1
197 (sys_fstat64): 1
91 (sys_munmap): 1
6 (sys_close): 1
5 (sys_open): flags == 0x8000
4 (sys_write): fd == 1 || fd == 2
3 (sys_read): fd == 3
Change-Id: I34a81f3c1764e4f949f8c2a26d42e51e125b4aae
Reviewed-on: http://gerrit.chromium.org/gerrit/7893
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
fe4a372685f30fe7d0f30da2a46cc096f418c359 |
|
16-Sep-2011 |
Will Drewry <wad@chromium.org> |
libminijail: move over to using marshalled binary for preload
Move libminijail and libminijailpreload over to using the marshalling helper functions and add to/from_fd. The format itself is not terribly robust, but we can change it underneath the functions in the future (or move struct minijail to a protobuf :). These changes lay the groundwork for sending seccomp_filter policy. A subsequent change will implement that and disable use in the parent.
BUG=chromium-os:19459
TEST=tested as per previous commits:
minijail0 -[pvrcuGg] -- /bin/cat /proc/self/status
.. /bin/ps aux
.. /bin/bash -c 'env'
Change-Id: I565816611b31ce49f85fee2241c55a3328d7b770
Reviewed-on: http://gerrit.chromium.org/gerrit/7892
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
2ddaad07d7c54e370353abfa05efe2661898b428 |
|
16-Sep-2011 |
Will Drewry <wad@chromium.org> |
libminijail: add marshalling and scrubbing functions
In order to support arbitrary divisions of labor between minijail_run and minijail_enter, we need to support serializing the entire minijail for sharing with the LD_PRELOADed library in a child process. Instead of continuing with one-off marshalling, this unifies the marshalling code (as fragile as it is). In addition, scrubbing features that only apply in the parent or the child around marshalling and unmarshalling are split out to separate the logic.
One change did sneak in to support marshalling which was copying/freeing j->user. I can split this out as a precursor patch if needed.
The next change in the series converts the existing code over and moves it to communicate over a file descriptor.
BUG=chromium-os:19459
TEST=gmerged and ran minijail0. Internal only changes.
Change-Id: Ib4c157d1d4d4edf6910793ea04880399e539285b
Reviewed-on: http://gerrit.chromium.org/gerrit/7891
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
2f54b6a1ab672b02e1ae352cb8cf27b4732a413a |
|
16-Sep-2011 |
Will Drewry <wad@chromium.org> |
minijail0: move ld_preload communication to a pipe
Moves minijail0 communication over to using a file descriptor instead of packing it in an environment variable. The primary reasoning is to allow seccomp filter policies to be passed to a child process. However, this will make it easier for minijail behavior to stay consistent across minijail_run and minijail_enter if serialization can be made more generic. For instance, -g does not properly traverse a preload instead relying on inheritance which is inconsistent depending on pidns usage.
BUG=chromium-os:19459
TEST=tested -[pvrcu] with /bin/cat /proc/self/status
Change-Id: Id1845b86517ce0a6a9d6bcd85f700ea459d7c8f4
Reviewed-on: http://gerrit.chromium.org/gerrit/7890
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
32ac9f5392525576dcd7bf2e18fb4c230649a3da |
|
19-Aug-2011 |
Will Drewry <wad@chromium.org> |
libminijail,minijail0: add seccomp filter support
This change adds support for installing seccomp filters via libminijail or by using minijail0 with an arch-specific filters file. Support for LD_PRELOAD marshalling is still missing and will come in a new change.
BUG=chromium-os:19459
TEST=minijail0 -r -S dash-cat.policy -u chronos -- /bin/dash -c '/bin/cat /proc/self/seccomp_filter'
dash-cat.policy can be found in the bug.
built for arm-generic, tegra2_seaboard, and x86-alex. Tested on x86-alex as above and with -H.
Change-Id: I3cac97d1df62f70cd546763aeca8f52dd0aea09d
Reviewed-on: http://gerrit.chromium.org/gerrit/7773
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
f0ef52e0bb54e6ea28e3abf96b95ed1bb9225cb4 |
|
14-Sep-2011 |
Thieu Le <thieule@chromium.org> |
Revert "libminijail,minijail0: add seccomp filter support"
This reverts commit adf64c0814e16cb43ce81e6b3e3660a16f564cc7
Change-Id: Ib24f2ad26dfe14ddd4e6b38e204630577db5a4cc
Reviewed-on: http://gerrit.chromium.org/gerrit/7735
Reviewed-by: Thieu Le <thieule@chromium.org>
Tested-by: Thieu Le <thieule@chromium.org>
/external/minijail/libminijail.c
|
13dcc70bf9fec5d9c13dc47738f2852d88262ce9 |
|
19-Aug-2011 |
Will Drewry <wad@chromium.org> |
libminijail,minijail0: add seccomp filter support
This change adds support for installing seccomp filters via libminijail or by using minijail0 with an arch-specific filters file. Support for LD_PRELOAD marshalling is still missing and will come in a new change.
BUG=chromium-os:19459
TEST=minijail0 -r -S dash-cat.policy -u chronos -- /bin/dash -c '/bin/cat /proc/self/seccomp_filter'
dash-cat.policy can be found in the bug.
Change-Id: Id3f52ae9ce7bf49c257b2cfb9ba66b38b8be8094
Reviewed-on: http://gerrit.chromium.org/gerrit/6789
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|
541c7e59a012dbffa0f68cc623623c81b11d267e |
|
26-Aug-2011 |
Ben Chan <benchan@chromium.org> |
minijail: Restore original value of LD_PRELOAD after fork.
This CL restores the original value of LD_PRELOAD in the process that calls minijail_run. This prevents any subsequent process, which is not created by minijail_run, from preloading libminijailpreload.so.
BUG=chromium-os:19732
TEST=Examined the environment of calling process after minijail_run returns.
Change-Id: I578e4c46c72eb549fa59353ab1a25f0160077a03
Reviewed-on: http://gerrit.chromium.org/gerrit/6788
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
/external/minijail/libminijail.c
|
cd7a9046e61e243fca916a286e49d58e2331eaa7 |
|
22-Jul-2011 |
Elly Jones <ellyjones@chromium.org> |
RFC: minijail: add libminijail.
Drewry requested an implementation of minijail that:
1) Would be linkable against C programs
2) Not depend on libbase
3) Supply the necessary LD_PRELOAD hacks to use his syscall-filtering framework without the apply-after-exec hack and to use ptrace-disable.
Thoughts?
BUG=chromium-os:17937
TEST=Adhoc (extremely ;)). Proper test suite to be written; crosbug.com/18834
Change-Id: I8b34557a9a231dad75827c1a3d11f235f712648d
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/4585
Reviewed-by: Will Drewry <wad@chromium.org>
/external/minijail/libminijail.c
|