chromiumos/platform/minijail.git

17 months ago  minijail: add child PID to log messages  [77/58277/2 factory-4290.B factory-4455.B factory-pit-4280.B factory-pit-4390.B factory-pit-4471.B factory-spring-4262.B firmware-falco_peppy-4389.B firmware-leon-4389.26.B firmware-pit-4482.B firmware-wolf-4389.24.B master release-R29-4319.B release-R30-4537.B stabilize-4287.B stabilize-4443.B stabilize-4512.B]
mukesh agrawal [Wed, 12 Jun 2013 00:22:42 +0000 (17:22 -0700)]
minijail: add child PID to log messages

BUG=chromium:248792
TEST=unit tests, manual

Manual test
-----------
- gmerge chromeos-minijail
- reboot
- connect to GoogleGuest
- pkill -STOP wpa_supplicant
- egrep "child process [0-9]+ exited" /var/log/messages

Change-Id: I44923c38f924133ab45700653042c27491d466ba
Reviewed-on: https://gerrit.chromium.org/gerrit/58277
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: mukesh agrawal <quiche@chromium.org>
Commit-Queue: mukesh agrawal <quiche@chromium.org>

17 months ago  minijail: do not use gcc designator extension.  [04/51004/2 stabilize-4255.B]
Yunlian Jiang [Mon, 13 May 2013 18:14:30 +0000 (11:14 -0700)]
minijail: do not use gcc designator extension.

BUG=chromium:240348
TEST=CFLAGS="clang" FEATURES="test" emerge-lumpy chromeos-minijail passes.

Change-Id: Ie56992d6e487f9badf14b62a47010fe0e7882847
Reviewed-on: https://gerrit.chromium.org/gerrit/51004
Reviewed-by: Will Drewry <wad@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Commit-Queue: Yunlian Jiang <yunlian@chromium.org>

18 months ago  capabilities: extract the max cap from the runtime system  [02/50702/2 factory-4128.B factory-spring-4131.B]
Mike Frysinger [Thu, 9 May 2013 21:19:08 +0000 (17:19 -0400)]
capabilities: extract the max cap from the runtime system

The cap_valid() macro checks against a max define hardcoded at build time
from the kernel headers.  The runtime kernel might have a different max
value which means this code doesn't work exactly as we want.

For example, if you build against linux-3.8 headers but boot with a 3.4
kernel, the kernel headers know about 36 caps while the runtime kernel
only knows about 35.  When this minijail code tries to drop capset 36, it
dies because the kernel returns EINVAL.

Conversely, if you were to build against linux-3.4 headers but boot a 3.8
kernel, minijail would know to drop caps up through 35, but that 36 would
remain in place.

Typically these scenarios don't happen, but as people develop/test things,
it's not unreasonable to try these out (think testing newer kernel headers
or booting kernel next).  As such, suck up the max value at runtime via
/proc and use that instead.

BUG=None
TEST=built against linux-3.8 headers and booted a linux-3.4 kernel;
minijail no longer aborts (networking works), and some logging added
to the kernel shows it running PR_CAPBSET_DROP for [0, 35] since the
runtime kernel max is 35 (even though the compiled headers say 36).

Change-Id: Ie9aec101263402a3e147e85caf1e8bda78008aa3
Reviewed-on: https://gerrit.chromium.org/gerrit/50702
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>

19 months ago  Add "unconditional errno" support to syscall filter policies.  [68/46568/3 release-R28-4100.B stabilize-4008.0.B stabilize-4035.0.B stabilize-4068.0.B stabilize-4100.38.B stabilize-spring-4100.53.B toolchainB]
Jorge Lucangeli Obes [Tue, 26 Mar 2013 22:11:30 +0000 (15:11 -0700)]
Add "unconditional errno" support to syscall filter policies.

BUG=chromium:224082
TEST=syscall_filter_unittest

Change-Id: Ic83ecb72af8b62f297f1b6a3dc49eb3219029715
Reviewed-on: https://gerrit.chromium.org/gerrit/46568
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>

19 months ago  [minijail] support network namespacing  [35/46035/2]
Elly Fong-Jones [Wed, 20 Mar 2013 21:15:28 +0000 (17:15 -0400)]
[minijail] support network namespacing

Add a -e argument to minijail0 to network-namespace the target program.

BUG=None
TEST=adhoc
$ minijail0 -e `which ping` 4.2.2.1
connect: Network is unreachable
$ minijail0 `which ping` 4.2.2.1
<ordinary output...>

Change-Id: Ie58ff1ec1e1ec21987734b86cbabb1118c7e0bf0
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/46035
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

20 months ago  [minijail] check permissions on target  [77/45877/3 release-R27-3912.B stabilize-3881.0.B stabilize-3912.79.B toolchainA]
Elly Fong-Jones [Tue, 19 Mar 2013 20:29:03 +0000 (16:29 -0400)]
[minijail] check permissions on target

Check that the target a) exists and b) is executable before trying to run it. If
it isn't, give an error message. This is more user friendly than the previous
behavior of 'exit with a failing error code'.

BUG=chromium:208335
TEST=adhoc
run 'minijail0 /nonexistent', note error
run 'minijail0 /usr/bin/id', note lack of error

Change-Id: Icf9641a35e7b97bda747d9e73eae2d311bb77be8
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/45877
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

21 months ago  Allow reading the jailed process' stdout and stderr.  [60/43460/9 factory-spring-3842.B firmware-spring-3824.4.B firmware-spring-3824.55.B firmware-spring-3824.84.B firmware-spring-3824.B firmware-spring-3833.B]
Jorge Lucangeli Obes [Sat, 16 Feb 2013 00:53:47 +0000 (16:53 -0800)]
Allow reading the jailed process' stdout and stderr.

Also fix some nits while in there.

BUG=None
TEST=libminijail_unittest on alex and lumpy.

Change-Id: I1bd227f196618d275da6e5da4ce91e90a370baa2
Reviewed-on: https://gerrit.chromium.org/gerrit/43460
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>

21 months ago  capabilities: correct the <<-operator width everywhere  [06/42806/2 release-R26-3701.B stabilize-3701.30.0 stabilize-3701.30.0b stabilize-3701.46.B stabilize-3701.81.B stabilize-bluetooth-smart toolchain-3701.42.B]
Kees Cook [Wed, 6 Feb 2013 22:12:41 +0000 (14:12 -0800)]
capabilities: correct the <<-operator width everywhere

The <<-operator here needs to always be 64bit, so use a variable instead
of trying to pick the right bit width, which will be arch-sensitive.

BUG=chromium-os:38643
TEST=link and daisy build, both pass security_Minijail

Change-Id: Ifab3037bf74f09256924993a8e91315b4b0ac998
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/42806
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

21 months ago  capabilities: make sure that CAP_SETPCAP is cleared  [70/42670/3]
Kees Cook [Tue, 5 Feb 2013 23:35:24 +0000 (15:35 -0800)]
capabilities: make sure that CAP_SETPCAP is cleared

When we didn't require CAP_SETPCAP, make sure we drop it when we're
finished manipulating the bounding set.

Additionally, fixes the capability bit tests for caps larger than
32 bits. The compiler didn't know to warn about the potentially out-of-range
<<-operator usage.

BUG=chromium-os:38643
TEST=link build, security_Minijail0 passes, verified CAP_SETPCAP is missing:
 `minijail0 -c 0 /bin/cat /proc/self/status | grep CapEff` is all zeros
 `minijail0 -c 1 /bin/cat /proc/self/status | grep CapEff` is 1

Change-Id: I7c0722c3bc775164486ff9628fc0c2005ae9275d
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/42670
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

21 months ago  Unalias |policy| variable in syscall filter code.  [51/42551/2]
Jorge Lucangeli Obes [Mon, 4 Feb 2013 19:55:30 +0000 (11:55 -0800)]
Unalias |policy| variable in syscall filter code.

BUG=None
TEST=syscall_filter_unittest

Change-Id: Iaddc9d0e418529525e8cf5ecaf9bd5dd04c2b90d
Reviewed-on: https://gerrit.chromium.org/gerrit/42551
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>

21 months ago  Fix Minijail x32 compilation.  [43/42543/2]
Jorge Lucangeli Obes [Mon, 4 Feb 2013 18:03:43 +0000 (10:03 -0800)]
Fix Minijail x32 compilation.

BUG=chromium-os:38539
TEST=./setup_board --board=x32-generic; emerge-x32-generic chromeos-minijail

Change-Id: I4ca1c78d583976a6f692a589c5b153101700beee
Reviewed-on: https://gerrit.chromium.org/gerrit/42543
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>

22 months ago  [minijail] stop parsing at first non-opt arg  [67/41767/3 stabilize-3658.0.0]
Elly Fong-Jones [Tue, 22 Jan 2013 18:55:02 +0000 (13:55 -0500)]
[minijail] stop parsing at first non-opt arg

BUG=chromium-os:35122
TEST=security_Minijail0,adhoc
Running minijail with different stop arguments should work:
$ /sbin/minijail0 /bin/ls -u INVALID_USER
/bin/ls: cannot access INVALID_USER: No such file or directory
$ /sbin/minijail0 -u bin /bin/ls -g INVALID_GROUP
/bin/ls: cannot access INVALID_GROUP: No such file or directory
$ /sbin/minijail0 -u bin -g bin /bin/echo -x
-x

Change-Id: I2d7ced270ddecd7a5ee3b99c5416e3982f5dc112
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/41767
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>

23 months ago  Add exit status reporting to Minijail.  [68/39568/2 factory-3536.B release-R25-3428.B stabilize-3428.110.0 stabilize-3428.149 stabilize-3428.149.B stabilize-3428.193 toolchain-3428.65.B]
Jorge Lucangeli Obes [Tue, 11 Dec 2012 22:08:09 +0000 (14:08 -0800)]
Add exit status reporting to Minijail.

Things that can fail in the child process before Minijail exec()'s
the sandboxed binary are already logging errors, so this will clarify
what's going on with 'dhcpcd'.

BUG=chrome-os-partner:16569
TEST=minijail0 -- <something with a non-zero exit code>

Change-Id: I88530af2e9a0fc77c002b672d5a1c334ec7506e6
Reviewed-on: https://gerrit.chromium.org/gerrit/39568
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

23 months ago  Add support for checking flags in syscall arguments in Minijail.  [28/39128/5 stabilize2]
Jorge Lucangeli Obes [Fri, 30 Nov 2012 23:42:52 +0000 (15:42 -0800)]
Add support for checking flags in syscall arguments in Minijail.

Also, extract some code into functions as well, to make the code more readable.

BUG=chromium-os:36848
TEST=syscall_filter_unittest, security_Minijail_seccomp

Change-Id: Iedf8ecbf1814340fd8b3e4ec687b303c9c024d0a
Reviewed-on: https://gerrit.chromium.org/gerrit/39128
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

23 months ago  Add BPF jset instruction support to Minijail.  [18/39018/4]
Jorge Lucangeli Obes [Fri, 30 Nov 2012 22:46:23 +0000 (14:46 -0800)]
Add BPF jset instruction support to Minijail.

First step is to add support for the actual BPF instruction.
Next step is to parse this in the policy files and use the functions
introduced by this CL.

BUG=chromium-os:36848
TEST=syscall_filter_unittest

Change-Id: I172598e63413506f190ae6b4b07ae63e1198f44c
Reviewed-on: https://gerrit.chromium.org/gerrit/39018
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Make it easier to build libminijail on Chromium Linux.
Lei Zhang [Thu, 18 Oct 2012 04:27:10 +0000 (21:27 -0700)]
Make it easier to build libminijail on Chromium Linux.

- Move libsyscalls.gen.c generation code out of the Makefile and into a
  script.
- Add SECURE_ALL_* defines for systems that do not have linux/securebits.h.

BUG=chromium-os:35482
TEST=FEATURES=test emerge chromeos-minijail

Change-Id: I922c579f1fcf09db2379659dbde737f246200e51
Reviewed-on: https://gerrit.chromium.org/gerrit/35928
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Lei Zhang <thestig@chromium.org>
Tested-by: Lei Zhang <thestig@chromium.org>

2 years ago  Minijail: Fix indentation in libminijail.c  [factory-2723.14.B factory-2914.B factory-2985.B factory-2993.B factory-3004.B release-R23-2913.B stabilize stabilize-daisy stabilize-link stabilize-link-2913.278]
Jorge Lucangeli Obes [Wed, 5 Sep 2012 17:39:40 +0000 (10:39 -0700)]
Minijail: Fix indentation in libminijail.c

BUG=None
TEST=unit

Change-Id: I5ad33ea09e6278eccad2982d262e6d4ef76832b9
Reviewed-on: https://gerrit.chromium.org/gerrit/32242
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>

2 years ago  Minijail: allow writing to the child process' standard input.  [factory-2848.B]
Jorge Lucangeli Obes [Thu, 30 Aug 2012 02:12:28 +0000 (19:12 -0700)]
Minijail: allow writing to the child process' standard input.

BUG=chromium-os:33983
TEST=libminijail_unittest
TEST=security_Minijail0

Change-Id: Ic2373127b3bca6a4a4a05ffcbc48b486cb5eb4a6
Reviewed-on: https://gerrit.chromium.org/gerrit/31779
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Minijail: remove libsyscalls.gen.o from test-clean target.  [factory-2846.B]
Jorge Lucangeli Obes [Fri, 31 Aug 2012 16:53:55 +0000 (09:53 -0700)]
Minijail: remove libsyscalls.gen.o from test-clean target.

CFLAGS testing change does not affect libsyscalls.gen.o,
and this way we can enable the 'tests' target in the
Minijail ebuild, instead of building the unittest targets
separately.

BUG=None
TEST=cros_workon make chromeos-minijail --test, tests build and run.

Change-Id: If49d74d2db77698d9613b801661f8f75bc29d7be
Reviewed-on: https://gerrit.chromium.org/gerrit/32031
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Minijail: add better error reporting when including an invalid syscall.  [firmware-stout-2817.B]
Jorge Lucangeli Obes [Tue, 28 Aug 2012 18:50:29 +0000 (11:50 -0700)]
Minijail: add better error reporting when including an invalid syscall.

BUG=None
TEST=syscall_filter_unittest

Change-Id: I8aa5963d8b0c2392865027bde5948fd746a07da8
Reviewed-on: https://gerrit.chromium.org/gerrit/31620
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Minijail: with no_new_privs, drop privileges before setting seccomp filter.
Jorge Lucangeli Obes [Thu, 23 Aug 2012 18:42:27 +0000 (11:42 -0700)]
Minijail: with no_new_privs, drop privileges before setting seccomp filter.

BUG=chromium-os:32619
TEST=unit
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive

Change-Id: I88d5e8b441871bf92f108ff4bb1db27940b51240
Reviewed-on: https://gerrit.chromium.org/gerrit/31238
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Minijail: add logging for seccomp filter failures.  [firmware-butterfly-2788.B]
Jorge Lucangeli Obes [Tue, 31 Jul 2012 23:25:56 +0000 (16:25 -0700)]
Minijail: add logging for seccomp filter failures.

BUG=chromium-os:33361
TEST=unit tests
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive

Change-Id: I16cdb8fbcf1cb13f2dee5521f97fb8d0bdbdf93b
Reviewed-on: https://gerrit.chromium.org/gerrit/29053
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Minijail: extract utility functions.
Jorge Lucangeli Obes [Tue, 7 Aug 2012 22:29:20 +0000 (15:29 -0700)]
Minijail: extract utility functions.

Extract utility functions and add them, together with logging,
to a separate util.(c|h) file.

BUG=chromium-os:33361
TEST=unit tests
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive.

Change-Id: Ied436a7b27f14ef87198b7bf007634b28cbbd480
Reviewed-on: https://gerrit.chromium.org/gerrit/29492
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Refactor logging in Minijail.  [factory-2717.B factory-2723.14.orig.B release-R22-2723.B]
Jorge Lucangeli Obes [Thu, 2 Aug 2012 21:31:39 +0000 (14:31 -0700)]
Refactor logging in Minijail.

That way, the syscall filtering module can log to syslog without
duplicating code. While I'm at it, make naming more consistent.

BUG=None
TEST=unit
TEST=security_Minijail0, security_Minijail_seccomp, platform_CrosDisksArchive

Change-Id: I7102ca22f49dd7e5bb56bf2997d0d83cb0507e83
Reviewed-on: https://gerrit.chromium.org/gerrit/29080
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Fix Minijail's getopt string.  [firmware-link-2695.2.B firmware-link-2695.B firmware-snow-2695.90.B firmware-snow-2695.B]
Jorge Lucangeli Obes [Tue, 31 Jul 2012 23:35:38 +0000 (16:35 -0700)]
Fix Minijail's getopt string.

"-F" option does not exist.

BUG=None
TEST=security_Minijail0

Change-Id: I7463288d0555636d1c96373e61494082738111bd
Reviewed-on: https://gerrit.chromium.org/gerrit/28876
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  [minijail] document use of NO_NEW_PRIVS
Elly Jones [Tue, 31 Jul 2012 16:23:47 +0000 (12:23 -0400)]
[minijail] document use of NO_NEW_PRIVS

TEST=None
BUG=None

Change-Id: If95c0aea1f9dcc2f1c990678b4e85289afc841cf
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/28818
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Don't crash when receiving a NULL policy file.  [firmware-parrot-2685.B]
Jorge Lucangeli Obes [Fri, 27 Jul 2012 20:37:30 +0000 (13:37 -0700)]
Don't crash when receiving a NULL policy file.

BUG=None
TEST=syscall_filter_unittest

Change-Id: Id9d38ddb2a01014a7bd97f9cce6d4fdc0cf878dd
Reviewed-on: https://gerrit.chromium.org/gerrit/28621
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  minijail: Support ARM private system calls in seccomp filter policy.
Ben Chan [Sat, 21 Jul 2012 23:30:52 +0000 (16:30 -0700)]
minijail: Support ARM private system calls in seccomp filter policy.

This CL modifies Makefile to add ARM private system calls (__ARM_NR_*)
to the system call table in the generated libsyscalls.gen.c file, such
that the system call '__ARM_NR_<name>' can be referred to by the name
'ARM_<name>' in the seccomp filter policy file.

BUG=chromium-os:32825
TEST=Tested the following:
1. FEATURES=test emerge-{x86-mario,lumpy,daisy} chromeos-minijail
2. Run `minijail0 -H` on mario, lumpy, and daisy to verify that the
   expected system calls are supported (including those ARM private
   system calls).
3. Run platform_CrosDisksArchive tests on x86-mario, lumpy, and daisy.

Change-Id: Ib68dc7c20eda25d87e0a7c0656c50184c319a957
Reviewed-on: https://gerrit.chromium.org/gerrit/28129
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Ben Chan <benchan@chromium.org>

2 years ago  Fix "-n" option in Minijail.
Jorge Lucangeli Obes [Mon, 16 Jul 2012 22:27:31 +0000 (15:27 -0700)]
Fix "-n" option in Minijail.

BUG=None
TEST="minijail -n" does not call prctl() after setting seccomp mode 2.

Change-Id: I0147457d31019d1a70e37cf712141979f4262461
Reviewed-on: https://gerrit.chromium.org/gerrit/27554
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Replace duplicated RET_KILL code with existing function.  [factory-2460.B factory-2475.B factory-2569.B release-R21-2465.B]
Jorge Lucangeli Obes [Thu, 14 Jun 2012 04:43:40 +0000 (21:43 -0700)]
Replace duplicated RET_KILL code with existing function.

BUG=None
TEST=syscall_filter_unittest

Change-Id: I810b99b85cb039db8bd313ca08119d22ff2554ba
Reviewed-on: https://gerrit.chromium.org/gerrit/25277
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  [minijail] don't forget to enter pid namespace
Elly Jones [Thu, 14 Jun 2012 18:09:27 +0000 (14:09 -0400)]
[minijail] don't forget to enter pid namespace

minijail_preexec() clears the pid namespace flag. Oops.

BUG=chromium-os:31862
TEST=adhoc,security_Minijail0
minijail0 -p /bin/ps should show ps as pid 2

Change-Id: I269805d0efb1d7c768420d3708ae1e93c6fa6a31
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/25300
Reviewed-by: Jim Hebert <jimhebert@chromium.org>

2 years ago  [minijail] handle non-namespaced multithreaded use.
Elly Jones [Wed, 13 Jun 2012 19:49:52 +0000 (15:49 -0400)]
[minijail] handle non-namespaced multithreaded use.

Multithreaded use of pid namespaces is still broken; see the block comment in
</libminijail.c>.

BUG=None
TEST=build

Change-Id: Ibeb9434146a231fd2fd7468572e4fec28a1c1b60
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/25234
Reviewed-by: Mike Frysinger <vapier@chromium.org>

2 years ago  Add jorgelo@chromium to Minijail OWNERS file.  [factory-2268.16.B factory-2305.B factory-2338.B factory-2368.B factory-2394.B firmware-link-2348.B release-R20-2268.B]
Jorge Lucangeli Obes [Wed, 2 May 2012 22:03:41 +0000 (15:03 -0700)]
Add jorgelo@chromium to Minijail OWNERS file.

BUG=None
TEST=None

Change-Id: I6edcd16cd3f6424cbb4ddf91310d1ceec828d0bd
Reviewed-on: https://gerrit.chromium.org/gerrit/21694
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Re-enable setting seccomp filters in Minijail.
Jorge Lucangeli Obes [Tue, 1 May 2012 23:54:15 +0000 (16:54 -0700)]
Re-enable setting seccomp filters in Minijail.

Now that all the bits have landed, re-enable setting seccomp filters
in Minijail.

BUG=chromium-os:27878
TEST=security_Minijail0
TEST=security_Minijail_seccomp
TEST=platform_CrosDisksArchive

Change-Id: I13aae50a4d172443170e7fbf4bfc84812a424b65
Reviewed-on: https://gerrit.chromium.org/gerrit/21655
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Add API for PR_SET_NO_NEW_PRIVS and set seccomp filter before dropping root.
Jorge Lucangeli Obes [Tue, 1 May 2012 16:30:24 +0000 (09:30 -0700)]
Add API for PR_SET_NO_NEW_PRIVS and set seccomp filter before dropping root.

BUG=chromium-os:27878
TEST=minijail_unittest, syscall_filter_unittest
TEST=security_Minijail0
TEST=security_Minijail_seccomp

Change-Id: I78495fda8c14ca5b4f398806eb564b0756876735
Reviewed-on: https://gerrit.chromium.org/gerrit/21545
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Integrate BPF seccomp_filters to Minijail.
Jorge Lucangeli Obes [Tue, 17 Jan 2012 19:30:23 +0000 (11:30 -0800)]
Integrate BPF seccomp_filters to Minijail.

BUG=chromium-os:25429
BUG=chromium-os:27878
TEST=security_Minijail_seccomp
CQ-DEPEND=I13a9b22ac8d55f02d5a77b5beedb955386b63723

Change-Id: I5fa8f40b9a539a61d69439cad778c926fc934cb1
Reviewed-on: https://gerrit.chromium.org/gerrit/19527
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Add full seccomp BPF filter generation.
Jorge Lucangeli Obes [Fri, 23 Mar 2012 23:19:59 +0000 (16:19 -0700)]
Add full seccomp BPF filter generation.

This CL uses the mechanism to generate filter sections from
policy strings and builds a complete filter by first
validating the arch and loading the syscall number, then
checking against all syscalls listed in the policy file, and
executing the argument filters if necessary.

BUG=chromium-os:25429
BUG=chromium-os:27878
TEST=syscall_filter_unittest
CQ-DEPEND=I3a4334a3c568178e19b18e7f3ed97517b03afd1b

Change-Id: I13a9b22ac8d55f02d5a77b5beedb955386b63723
Reviewed-on: https://gerrit.chromium.org/gerrit/19007
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>

2 years ago  Update Minijail syscall filter unit tests to work on 32 bits.
Jorge Lucangeli Obes [Thu, 26 Apr 2012 17:05:09 +0000 (10:05 -0700)]
Update Minijail syscall filter unit tests to work on 32 bits.

BUG=chromium-os:25429
BUG=chromium-os:27878
TEST=syscall_filter_unittest

Change-Id: Ib9cbee020059684ae58aa8c3ca2a2c8a4afb084d
Reviewed-on: https://gerrit.chromium.org/gerrit/21261
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Temporarily disable setting seccomp filters in Minijail.
Jorge Lucangeli Obes [Thu, 26 Apr 2012 04:59:48 +0000 (21:59 -0700)]
Temporarily disable setting seccomp filters in Minijail.

To make merging the BPF-based seccomp filter implementation easier,
turn off setting seccomp filters in Minijail. Add a flag ("-F") to
force setting seccomp filters.

BUG=chromium-os:27878
TEST=security_Minijail0 still passes.

Change-Id: I1948223f2292cf5c059bf50f69fd0b4e42ec39a2
Reviewed-on: https://gerrit.chromium.org/gerrit/21170
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>

2 years ago  Add syscall filter BPF program generator.
Jorge Lucangeli Obes [Tue, 20 Mar 2012 17:14:31 +0000 (10:14 -0700)]
Add syscall filter BPF program generator.

BUG=chromium-os:25429
BUG=chromium-os:27878
TEST=syscall_filter_unittest

Change-Id: I3a4334a3c568178e19b18e7f3ed97517b03afd1b
Reviewed-on: https://gerrit.chromium.org/gerrit/18914
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  Add minijail_run_pid() to return the pid of the jailed child process.
Jorge Lucangeli Obes [Tue, 17 Apr 2012 20:36:00 +0000 (13:36 -0700)]
Add minijail_run_pid() to return the pid of the jailed child process.

This is needed when sandboxing processes whose pids are needed
by the parent process (starting with dhcpcd and shill).

BUG=None
TEST=security_Minijail0 still works.

Change-Id: I3e6c5b19b9c7e70aea8230e6c1395097fb697b4f
Reviewed-on: https://gerrit.chromium.org/gerrit/20413
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

2 years ago  [minijail] document an apparent use-after-free  [factory-1987.B release-R18-1660.B release-R19-2046.B]
Elly Jones [Mon, 23 Jan 2012 20:13:38 +0000 (15:13 -0500)]
[minijail] document an apparent use-after-free

BUG=None
TEST=build

Change-Id: I093b2b1bac45aa224ea742c70853f4cc7176cca7
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14627
Reviewed-by: Will Drewry <wad@chromium.org>

2 years ago  [minijail] fix usage docs
Elly Jones [Mon, 23 Jan 2012 18:27:43 +0000 (13:27 -0500)]
[minijail] fix usage docs

Explicitly state that -r only remounts /proc right now.

BUG=None
TEST=build

Change-Id: I5faf34cd9971120885c118e2ebb7be09ad9ddcbf
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14624

2 years ago  [minijail] pid namespace implies vfs namespace
Elly Jones [Mon, 23 Jan 2012 16:46:17 +0000 (11:46 -0500)]
[minijail] pid namespace implies vfs namespace

Make a pid namespace imply both a new vfs namespace and a /proc remount, since
if we don't remount /proc, the old pid namespace is still reachable through the
old mount there.

BUG=chromium-os:25303
TEST=security_Minijail0

Change-Id: I91887d3ed6bc0e958e249c3c158735bc04f20fcd
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14617
Reviewed-by: Kees Cook <keescook@chromium.org>

2 years ago  minijail0: honor readonly bind mounts
Elly Jones [Thu, 15 Dec 2011 20:17:07 +0000 (15:17 -0500)]
minijail0: honor readonly bind mounts

linux-kernel commit 2e4b7fcd926006531935a4c79a5e9349fe51125b introduced support
for readonly bind mounts, but you can't just supply MS_RDONLY along with
MS_BIND; you have to construct an MS_BIND mount first, then do another mount
with MS_REMOUNT | MS_RDONLY.

BUG=None
TEST=platform_Minijail0

Change-Id: I1a8e2c603589b2eddcdb7a6d87059fabe17c60ba
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/13000
Reviewed-by: Will Drewry <wad@chromium.org>

2 years ago  minijail: remove C++ implementation
Elly Jones [Mon, 12 Dec 2011 20:25:28 +0000 (15:25 -0500)]
minijail: remove C++ implementation

BUG=chromium-os:21946
TESTED_ON=tegra2_kaen
TEST=Adhoc
Run 'FEATURES=test emerge-$board chromeos-minijail' to ensure the minijail
ebuild isn't broken. Since it was already removed from the system by
https://gerrit.chromium.org/gerrit/12757 this change should have no effect if
chromeos-minijail still builds.

Change-Id: Ie6dcc29920d09b95da21891d121e4c8be11567b1
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/12763
Reviewed-by: Will Drewry <wad@chromium.org>

2 years ago  minijail0: parse *all* the arguments!
Elly Jones [Wed, 7 Dec 2011 18:31:43 +0000 (13:31 -0500)]
minijail0: parse *all* the arguments!

Using strtok the way we did causes src == dest == writeable - oops.

BUG=none
TEST=security_Minijail0

Change-Id: Ifc8e6e528e93549b64b23e6ac46dbee4e54ddad7
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/12555
Reviewed-by: Jim Hebert <jimhebert@chromium.org>

3 years ago  libminijail_unittests: add more for consume*  [factory-1284.B factory-1412.B firmware-kiev-2.112.B firmware-uboot_v2-1299.B release-R17-1412.B]
Will Drewry [Sat, 22 Oct 2011 01:52:08 +0000 (20:52 -0500)]
libminijail_unittests: add more for consume*

consume* lack unittests. This adds some.

TEST=run unittests
BUG=none

Change-Id: I52a63040a4cc5b21eae4a8ab5447dc225c855b56
Reviewed-on: https://gerrit.chromium.org/gerrit/10541
Commit-Ready: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>

3 years ago  test_harness.h: Explain failure on terminal signal
Will Drewry [Fri, 21 Oct 2011 20:53:05 +0000 (15:53 -0500)]
test_harness.h: Explain failure on terminal signal

The chroot and consume* changes introduce a crasher in the unittests.
This adds proper error messaging on that case.

BUG=none
TEST=FEATURES=test emerge-x86-alex chromeos-minijail (with pending change)
     see chroot crasher emitted warning.

Change-Id: I2a312b961a321e3bf55645aed9c6f6480dd958c9
Reviewed-on: https://gerrit.chromium.org/gerrit/10539
Commit-Ready: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] Makefile, libminijail: Invert symbol visibility to allow sane unittesting
Will Drewry [Fri, 21 Oct 2011 21:38:58 +0000 (16:38 -0500)]
Makefile, libminijail: Invert symbol visibility to allow sane unittesting

libminijail.c contains many helpers that are marked static.  For instance,
consumestr and consumebytes are both static yet eminently unittestable.
The options for testing are as follows:
1. Replace "static" with a "private" or "protected" macro which we
   undefine during testing.
2. #include "libminijail.c" into the unittests to avoid visibility
   challenges.
3. Change default visibility to internal for all functions and data
   then invert it during unittesting.

I chose #3. It also has the benefit of creating an optimally stripped
binary and shared object.  Using 'internal' visibility also lets the
linker perform more optimizations.

Feedback on this approach is very welcome. In the past, I've chosen
approach #2, but that seems wrong for at least a couple of reasons.

TEST=build, run readelf -s in all the output.  .so should show LOCAL for
all internal functions and on executables, private functions should show
INTERNAL.  Running strip --unneeded should remove all of the private
linkage which can be checked with readelf -s again.
BUG=none

Change-Id: Ifb1f02b4505f2f25d824c067748054520c39d3bf
Reviewed-on: https://gerrit.chromium.org/gerrit/10540
Commit-Ready: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
[3 years ago] libminijail.c: fix dangling pointer evaluation on unmarshal error
Will Drewry [Sat, 22 Oct 2011 01:47:01 +0000 (20:47 -0500)]
libminijail.c: fix dangling pointer evaluation on unmarshal error

If minijail_unmarshal fails, the process will still need to call
minijail_destroy to free up any allocated memory.  The unmarshalling
function exits immediately on error. That property means that some
stale pointers may still exist.

This change adds pointer clearing on error and fixes a minor memory
leak of the chrootdir.

BUG=none
TEST=compiles and running ./libminijail_unittest passes. Still need to run the autotest suite on it.

Change-Id: I47518130aef7f4a14e5da475ed6a84c2d1490940
Reviewed-on: https://gerrit.chromium.org/gerrit/10535
Commit-Ready: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] libminijail_unittest: fix unittests for consumestr
Will Drewry [Fri, 21 Oct 2011 20:52:43 +0000 (15:52 -0500)]
libminijail_unittest: fix unittests for consumestr

consumestr changed the behavior of unmarshal and the unittest
needed to be updated to reflect it.

TEST=FEATURES=test emerge-x86-alex chromeos-minijail (with pending cl to add test support)
BUG=none

Change-Id: I29af4b2103b081c749efbb9b2c6a08e6ca3f0b03
Reviewed-on: https://gerrit.chromium.org/gerrit/10534
Commit-Ready: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] update Makefile to use a LIBDIR variable to locate the preload library factory-1235.B
Sonny Rao [Fri, 21 Oct 2011 22:17:13 +0000 (22:17 +0000)]
update Makefile to use a LIBDIR variable to locate the preload library

This allows the ebuild to supply the correct LIBDIR instead of
just assuming /lib in order to properly support multilib systems.
This also requires the ebuild to pass LIBDIR to emake before it
becomes useful.

BUG=chromium-os:21805
TEST=build for x86-generic and amd64-generic and ensure minijail
works on both without problems loading libminijailpreload.so

Change-Id: I99a694ef37ba833a7e7c3850278d7f1d1c0b09ad
Reviewed-on: https://gerrit.chromium.org/gerrit/10680
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>

[3 years ago] minijail: add OWNERS.
Elly Jones [Mon, 24 Oct 2011 20:40:38 +0000 (16:40 -0400)]
minijail: add OWNERS.

Using emails instead of usernames in chromium style.

TEST=None
BUG=chromium-os:22007

Change-Id: I306510c474e8e0e8ccedcb7f4e04c6e78b3672dc
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/10587
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
[3 years ago] Revert "update Makefile to accept a LIBDIR variable to specify where libraries go"
David James [Sat, 22 Oct 2011 03:59:36 +0000 (20:59 -0700)]
Revert "update Makefile to accept a LIBDIR variable to specify where libraries go"

This likely broke the tree. See http://build.chromium.org/p/chromiumos/builders/x86%20generic%20PFQ/builds/1356

All other changes that went into that build were vetted by the commit queue, so this change is probably the change that busted the power manager and caused it to abort on all tests.

This reverts commit 705888e904c6a0acec55c47874138f1494e1d0e7

Change-Id: Id1fe81e061119eca210b2601f7a6db936c361550
Reviewed-on: http://gerrit.chromium.org/gerrit/10547
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>
Commit-Ready: David James <davidjames@chromium.org>
Tested-by: David James <davidjames@chromium.org>
[3 years ago] update Makefile to accept a LIBDIR variable to specify where libraries go
Sonny Rao [Fri, 21 Oct 2011 22:17:13 +0000 (22:17 +0000)]
update Makefile to accept a LIBDIR variable to specify where libraries go

This un-breaks amd64-generic because the ebuild will supply the correct
LIBDIR

BUG=chromium-os:21805
TEST=build for x86-generic and amd64-generic and ensure minijail
works on both without problems loading libminijailpreload.so

Change-Id: I1f3db56bd4c9c998b869ea0a4a32dfd5c85c6421
Reviewed-on: http://gerrit.chromium.org/gerrit/10527
Reviewed-by: Will Drewry <wad@chromium.org>
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
[3 years ago] minijail0: unbreak chroot and marshalling
Elly Jones [Fri, 21 Oct 2011 19:38:00 +0000 (15:38 -0400)]
minijail0: unbreak chroot and marshalling

1) Parse opts for chroot and bind
2) Serialize/deserialize chroot properly

BUG=chromium-os:21665
TEST=security_Minijail0

Change-Id: Ic99a40718a9c3ff72561f518179155fb502eef96
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/10507
Reviewed-by: Will Drewry <wad@chromium.org>
[3 years ago] libminijail: Fix minijail_parse_seccomp_filters to ignore comment lines. release-R16-1193.B
Ben Chan [Fri, 14 Oct 2011 17:53:32 +0000 (10:53 -0700)]
libminijail: Fix minijail_parse_seccomp_filters to ignore comment lines.

Also fixes minijail_parse_seccomp_filters to report the correct line
number of an invalid line in a policy file.

BUG=chromium-os:21690
TEST=Manually tested the following cases:
1. A comment line that starts with '#' but contains no ':' is ignored.
2. A comment line that starts with '#' and also contains ':' is ignored.
3. The line number of invalid filter lines are reported correctly.
4. Valid filter lines are parsed correctly.

Change-Id: Iadacfae6c0b6c03fcf44e7e419d2635cb849e7a1
Reviewed-on: http://gerrit.chromium.org/gerrit/10104
Reviewed-by: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
[3 years ago] minijail0: add chroot support.
Elly Jones [Wed, 12 Oct 2011 23:09:26 +0000 (19:09 -0400)]
minijail0: add chroot support.

Support a -C commandline option to chroot(), and a -b commandline option to
bind-mount paths into the chroot from outside.

BUG=chromium-os:21165
TESTED_ON=kaen
TEST=None yet

Change-Id: Ia6a7a4498968a4bc6a12f8274fdb8c4be9d23ca4
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8661
Reviewed-by: Kees Cook <keescook@chromium.org>
[3 years ago] minijail0: convert to linux style
Elly Jones [Fri, 7 Oct 2011 17:54:59 +0000 (13:54 -0400)]
minijail0: convert to linux style

Used indent(1) with --linux-style, then manual cleanup.

BUG=None
TEST=None

Checkpatch: ok
Change-Id: I52dbd329215680e9d42ce4f11df110cf2f341e90
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8732
Reviewed-by: Kees Cook <keescook@chromium.org>
[3 years ago] libminijail_unittest: add some tests
Will Drewry [Tue, 27 Sep 2011 20:13:54 +0000 (15:13 -0500)]
libminijail_unittest: add some tests

Adds libminijail_unittest with some very basic tests. More tests will
be added, but this gets all the pieces in place.

TEST=itself! [ FEATURES="test noclean" emerge-x86-alex chromeos-minijail ]
BUG=chromium-os:20917

Change-Id: I5893c6f72d1e741dd6287acde52af65500b059e4
Reviewed-on: http://gerrit.chromium.org/gerrit/8371
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] minijail: add a C test harness
Will Drewry [Tue, 27 Sep 2011 20:06:26 +0000 (15:06 -0500)]
minijail: add a C test harness

Adds a gtest-like, single-file unittest harness for C.  This is groundwork
for adding unittesting code to libminijail and for providing simple
drivers for autotest test cases.

TEST=build the not-yet-committed libminijail_unittest and run them
BUG=chromium-os:20917

Change-Id: I822df185399104eb8c1d540cd549a96f0fff061a
Reviewed-on: http://gerrit.chromium.org/gerrit/8370
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Commit-Ready: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] libminijail: pass-through errno should be negative
Kees Cook [Tue, 27 Sep 2011 22:33:42 +0000 (15:33 -0700)]
libminijail: pass-through errno should be negative

The errno values in the rest of libminijail use negative errno values. This
makes sure that the passed-through errno values are negative as well.

BUG=chromium-os:20903
TEST=Built for x86-alex and did a full image build & boot, ran okay as:
  sudo minijail0 -pu chronos /bin/ls
 and correctly failed (exit code 253) with:
  sudo minijail0 -S /dev/null /bin/ls

Change-Id: Ifac27468a21820ae342522c749c76f2045b630c3
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8394
Reviewed-by: Will Drewry <wad@chromium.org>
[3 years ago] minijail0: make jail_change_{user,group} reentrant.
Elly Jones [Thu, 22 Sep 2011 18:35:43 +0000 (14:35 -0400)]
minijail0: make jail_change_{user,group} reentrant.

TEST=security_Minijail0
BUG=chromium-os:18473

Change-Id: I5b0aa360fa6196df0bc6cff16dbb8ba8cb23e2a9
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/8144
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
[3 years ago] libminijail: only clear supplemental groups on user/group change
Will Drewry [Sun, 18 Sep 2011 19:37:22 +0000 (14:37 -0500)]
libminijail: only clear supplemental groups on user/group change

minijail should be runnable by an unprivileged user.  This change allows
that to be true.

BUG=chromium-os:19459
TEST=minijail -S somepolicy /bin/ls
     (need to test transitions still)

Change-Id: Ib540953ae2435414b3d3adbadb68238962f5c0ff
Reviewed-on: http://gerrit.chromium.org/gerrit/7912
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] libminijail: add seccomp_filter support to LD_PRELOAD + cleanup
Will Drewry [Fri, 16 Sep 2011 21:48:57 +0000 (16:48 -0500)]
libminijail: add seccomp_filter support to LD_PRELOAD + cleanup

This change adds seccomp_filter support to minijail properly
instead of requiring expanded scope needed for execve(2)ing the
child process.

Now the policy for cat(1) can be as small as follows.
minijail-cat.policy:
  read: fd == 3
  write: fd == 1 || fd == 2
  fstat64: 1
  open: flags == 0x8000
  close: 1
  munmap: 1
  exit_group: 1

Some additional code was moved around as a side effect of cleaning
this up. I can split it out if desirable.

BUG=chromium-os:19459
TEST=Manual tests (for now)
  # minijail0 -S minijail-dash-cat.policy -- /sbin/minijail-0 -S minijail-cat.policy -- /bin/cat /proc/self/seccomp_filter
  ...
  emits the policy for cat at the top with inherited: 0 and the original policy below as inherited.
  ...

  # minijail0 -S minijail-cat.policy -- /bin/cat /proc/self/seccomp_filter
  Mode: 13
  Enabled: 1
  Inherited: 0
  252 (sys_exit_group): 1
  197 (sys_fstat64): 1
  91 (sys_munmap): 1
  6 (sys_close): 1
  5 (sys_open): flags == 0x8000
  4 (sys_write): fd == 1 || fd == 2
  3 (sys_read): fd == 3

Change-Id: I34a81f3c1764e4f949f8c2a26d42e51e125b4aae
Reviewed-on: http://gerrit.chromium.org/gerrit/7893
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
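The policy-line format shown in minijail-cat.policy above, together with the comment-line fix in gerrit 10104 further up the log, as an added example that is not minijail's own parser: it accepts `syscall: expression` lines, ignores `#` comments even when they contain a colon, skips blank lines, and reports the 1-based number of the first bad line. The field limits, function names and the sample text are this example's own assumptions.

```c
/* Added example, not minijail's own code: a parser for the "syscall: expr"
 * policy lines shown in the log. '#' comment lines are skipped even when they
 * contain ':', blank lines are skipped, and the 1-based number of the first
 * bad line is reported. Limits and names below are this example's own. */
#include <ctype.h>
#include <string.h>

#define MAX_FIELD 128  /* cap on syscall name and on expression length */

struct policy_entry {
    char syscall_name[MAX_FIELD];  /* e.g. "read" */
    char expr[MAX_FIELD];          /* e.g. "fd == 3", or "1" for allow */
};

static char *trim(char *s)  /* strip leading and trailing whitespace in place */
{
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Parse one line (modified in place): 1 = entry, 0 = comment/blank, -1 = bad. */
static int parse_policy_line(char *line, struct policy_entry *e)
{
    char *s = trim(line);
    if (*s == '\0' || *s == '#') return 0;  /* decided before any ':' is seen */
    char *colon = strchr(s, ':');
    if (!colon) return -1;
    *colon = '\0';
    char *name = trim(s), *expr = trim(colon + 1);
    if (*name == '\0' || *expr == '\0' || strchr(name, ' ') ||
        strlen(name) >= MAX_FIELD || strlen(expr) >= MAX_FIELD)
        return -1;  /* empty field, "a b: 1", or overlong field */
    strcpy(e->syscall_name, name);
    strcpy(e->expr, expr);
    return 1;
}

/* Parse a whole policy text into |out|: entry count, or -1 with *bad_line set
 * to the first bad line; comment and blank lines still advance the counter. */
int parse_policy(const char *text, struct policy_entry *out, size_t max,
                 int *bad_line)
{
    char line[2 * MAX_FIELD + 2]; struct policy_entry e;
    size_t count = 0; int lineno = 0;
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        lineno++;
        if (len >= sizeof(line)) goto bad;  /* overlong line */
        memcpy(line, p, len);
        line[len] = '\0';
        int r = parse_policy_line(line, &e);
        if (r < 0 || (r > 0 && count >= max)) goto bad;
        if (r > 0) out[count++] = e;
        p = nl ? nl + 1 : p + len;
    }
    return (int)count;
bad:
    *bad_line = lineno;
    return -1;
}

/* Constructed sample: minijail-cat.policy from above, plus a comment line
 * that itself contains ':'; 7 real entries. */
static const char kCatPolicy[] =
    "# cat(1) policy: note the colon in this comment\n"
    "read: fd == 3\n"
    "write: fd == 1 || fd == 2\n"
    "fstat64: 1\n"
    "open: flags == 0x8000\n"
    "close: 1\n"
    "munmap: 1\n"
    "exit_group: 1\n";

/* Entry count of the sample (7), or -1 if entry 3 is not open/"flags == 0x8000". */
int sample_policy_entries(void)
{
    struct policy_entry e[16]; int bad = 0;
    int n = parse_policy(kCatPolicy, e, 16, &bad);
    return n == 7 && !strcmp(e[3].syscall_name, "open") &&
           !strcmp(e[3].expr, "flags == 0x8000") ? n : -1;
}

/* The fourth line below lacks ':'. Returns the reported line number, which
 * must be 4; a parser that counted only non-comment lines would give 2. */
int sample_bad_line(void)
{
    struct policy_entry e[16]; int bad = 0;
    parse_policy("read: fd == 3\n# skipped: comment\n\nbogus\nclose: 1\n",
                 e, 16, &bad);
    return bad;
}
```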
[3 years ago] libminijail: move over to using marshalled binary for preload
Will Drewry [Fri, 16 Sep 2011 19:50:50 +0000 (14:50 -0500)]
libminijail: move over to using marshalled binary for preload

Move libminijail and libminijailpreload over to using the marshalling
helper functions and add to/from_fd.  The format itself is not terribly
robust, but we can change it underneath the functions in the future
(or move struct minijail to a protobuf :).

These changes lay the groundwork for sending seccomp_filter policy. A
subsequent change will implement that and disable use in the parent.

BUG=chromium-os:19459
TEST=tested as per previous commits:
     minijail0 -[pvrcuGg] -- /bin/cat /proc/self/status
     .. /bin/ps aux
     .. /bin/bash -c 'env'

Change-Id: I565816611b31ce49f85fee2241c55a3328d7b770
Reviewed-on: http://gerrit.chromium.org/gerrit/7892
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] libminijail: add marshalling and scrubbing functions
Will Drewry [Fri, 16 Sep 2011 16:36:08 +0000 (11:36 -0500)]
libminijail: add marshalling and scrubbing functions

In order to support arbitrary divisions of labor between minijail_run
and minijail_enter, we need to support serializing the entire minijail
for sharing with the LD_PRELOADed library in a child process.  Instead
of continuing with one-off marshalling, this unifies the marshalling code
(as fragile as it is).

In addition, scrubbing features that only apply in the parent or the
child around marshalling and unmarshalling are split out to separate the
logic.

One change did sneak in to support marshalling which was copying/freeing
j->user. I can split this out as a precursor patch if needed.

The next change in the series converts the existing code over and moves it
to communicate over a file descriptor.

BUG=chromium-os:19459
TEST=gmerged and ran minijail0. Internal only changes.

Change-Id: Ib4c157d1d4d4edf6910793ea04880399e539285b
Reviewed-on: http://gerrit.chromium.org/gerrit/7891
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
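The pattern the two marshalling commits above and the "dangling pointer evaluation" fix further up describe, as an added example that is not code from the minijail tree: consumebytes/consumestr helpers reading a flat buffer, and an unmarshal that clears every pointer it may have set on error so that a destroy call afterwards is safe. The struct layout, wire format and all function names and signatures here are this example's own assumptions, not libminijail's.

```c
/* Added example, not minijail's own code: a marshal/unmarshal pair in the
 * style the log describes (a flat buffer read with consumebytes/consumestr)
 * where unmarshal clears every pointer it may have set on any error, so a
 * later jail_destroy() is safe. Layout, format and signatures are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct jail {
    uint32_t flags;
    char *user, *chrootdir;  /* owned heap strings, or NULL when unset */
};

/* Take |length| raw bytes: pointer into the buffer, or NULL if too short. */
static void *consumebytes(size_t length, char **buf, size_t *buflength)
{
    if (length > *buflength) return NULL;
    *buf += length; *buflength -= length;
    return *buf - length;
}

/* Take a NUL-terminated string; NULL if no NUL lies within the remaining
 * bytes, so an unterminated string never reads past the buffer end. */
static char *consumestr(char **buf, size_t *buflength)
{
    const char *nul = memchr(*buf, '\0', *buflength);
    if (!nul) return NULL;
    return consumebytes((size_t)(nul - *buf) + 1, buf, buflength);
}

static char *dupstr(const char *s)  /* strdup without feature macros */
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Free owned strings and NULL the pointers; safe to call repeatedly. */
void jail_destroy(struct jail *j)
{
    free(j->user);
    free(j->chrootdir);
    j->user = j->chrootdir = NULL;
}

/* Wire format: u32 flags, then user and chrootdir as NUL-terminated strings
 * ("" = unset). Returns bytes written, or 0 if |out| is too small. */
size_t jail_marshal(const struct jail *j, char *out, size_t outlen)
{
    const char *user = j->user ? j->user : "";
    const char *chroot = j->chrootdir ? j->chrootdir : "";
    size_t ulen = strlen(user) + 1, clen = strlen(chroot) + 1;
    size_t need = sizeof(j->flags) + ulen + clen;
    if (need > outlen) return 0;
    memcpy(out, &j->flags, sizeof(j->flags));
    memcpy(out + sizeof(j->flags), user, ulen);
    memcpy(out + sizeof(j->flags) + ulen, chroot, clen);
    return need;
}

/* 0 on success, -1 on a short/malformed buffer; on failure |j| holds only NULLs. */
int jail_unmarshal(struct jail *j, char *buf, size_t buflen)
{
    char *raw, *s;
    j->user = j->chrootdir = NULL;  /* never trust what the caller left */
    raw = consumebytes(sizeof(j->flags), &buf, &buflen);
    if (!raw) goto bad;
    memcpy(&j->flags, raw, sizeof(j->flags));  /* buffer may be unaligned */
    s = consumestr(&buf, &buflen);
    if (!s || (*s && !(j->user = dupstr(s)))) goto bad;
    s = consumestr(&buf, &buflen);
    if (!s || (*s && !(j->chrootdir = dupstr(s)))) goto bad;
    return 0;
bad:
    jail_destroy(j);  /* frees what was allocated, NULLs the rest */
    return -1;
}

/* Round-trips a constructed jail, then re-parses the same bytes cut off inside
 * chrootdir: that must fail, leave both pointers NULL, and destroy must be a no-op. */
int demo_marshal(void)
{
    struct jail src = { 0x5, "chronos", "/var/empty" };  /* literals: not freed */
    struct jail copy = { 0, (char *)0x1, (char *)0x1 };  /* stale garbage */
    char buf[64]; size_t n = jail_marshal(&src, buf, sizeof(buf));
    if (n == 0 || jail_unmarshal(&copy, buf, n) != 0) return 0;
    int ok = copy.flags == 0x5 && copy.user && !strcmp(copy.user, "chronos") &&
             copy.chrootdir && !strcmp(copy.chrootdir, "/var/empty");
    jail_destroy(&copy);
    ok = ok && jail_unmarshal(&copy, buf, n - 3) == -1 &&
         copy.user == NULL && copy.chrootdir == NULL;
    jail_destroy(&copy);  /* must be a no-op, never a double free */
    return ok;  /* 1 when everything held */
}
```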
[3 years ago] minijail0: move ld_preload communication to a pipe
Will Drewry [Fri, 16 Sep 2011 18:45:31 +0000 (13:45 -0500)]
minijail0: move ld_preload communication to a pipe

Moves minijail0 communication over to using a file descriptor instead
of packing it in an environment variable. The primary reasoning is to
allow seccomp filter policies to be passed to a child process.

However, this will make it easier for minijail behavior to stay
consistent across minijail_run and minijail_enter if serialization can
be made more generic.  For instance, -g does not properly traverse a
preload instead relying on inheritance which is inconsistent depending
on pidns usage.

BUG=chromium-os:19459
TEST=tested -[pvrcu] with /bin/cat /proc/self/status

Change-Id: Id1845b86517ce0a6a9d6bcd85f700ea459d7c8f4
Reviewed-on: http://gerrit.chromium.org/gerrit/7890
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] libminijail,minijail0: add seccomp filter support
Will Drewry [Fri, 19 Aug 2011 02:36:27 +0000 (21:36 -0500)]
libminijail,minijail0: add seccomp filter support

This change adds support for installing seccomp filters via libminijail
or by using minijail0 with an arch-specific filters file.

Support for LD_PRELOAD marshalling is still missing and will come in a new change.

BUG=chromium-os:19459
TEST=minijail0 -r -S dash-cat.policy -u chronos -- /bin/dash -c '/bin/cat /proc/self/seccomp_filter'
dash-cat.policy can be found in the bug.
Built for arm-generic, tegra2_seaboard, and x86-alex.  Tested on x86-alex as above and with -H.

Change-Id: I3cac97d1df62f70cd546763aeca8f52dd0aea09d
Reviewed-on: http://gerrit.chromium.org/gerrit/7773
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] Revert "libminijail,minijail0: add seccomp filter support"
Thieu Le [Wed, 14 Sep 2011 21:03:09 +0000 (14:03 -0700)]
Revert "libminijail,minijail0: add seccomp filter support"

This reverts commit adf64c0814e16cb43ce81e6b3e3660a16f564cc7

Change-Id: Ib24f2ad26dfe14ddd4e6b38e204630577db5a4cc
Reviewed-on: http://gerrit.chromium.org/gerrit/7735
Reviewed-by: Thieu Le <thieule@chromium.org>
Tested-by: Thieu Le <thieule@chromium.org>
[3 years ago] libminijail,minijail0: add seccomp filter support
Will Drewry [Fri, 19 Aug 2011 02:36:27 +0000 (21:36 -0500)]
libminijail,minijail0: add seccomp filter support

This change adds support for installing seccomp filters via libminijail
or by using minijail0 with an arch-specific filters file.

Support for LD_PRELOAD marshalling is still missing and will come in a new change.

BUG=chromium-os:19459
TEST=minijail0 -r -S dash-cat.policy -u chronos -- /bin/dash -c '/bin/cat /proc/self/seccomp_filter'
dash-cat.policy can be found in the bug.

Change-Id: Id3f52ae9ce7bf49c257b2cfb9ba66b38b8be8094
Reviewed-on: http://gerrit.chromium.org/gerrit/6789
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
[3 years ago] minijail: Restore original value of LD_PRELOAD after fork. factory-1020.B release-1011.B
Ben Chan [Fri, 26 Aug 2011 21:55:53 +0000 (14:55 -0700)]
minijail: Restore original value of LD_PRELOAD after fork.

This CL restores the original value of LD_PRELOAD in the process that
calls minijail_run. This prevents any subsequent process, which is not
created by minijail_run, from preloading libminijailpreload.so.

BUG=chromium-os:19732
TEST=Examined the environment of the calling process after minijail_run returns.

Change-Id: I578e4c46c72eb549fa59353ab1a25f0160077a03
Reviewed-on: http://gerrit.chromium.org/gerrit/6788
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
[3 years ago] minijail: Pass gid option through libminijailpreload. factory-980.B test-982.B
Ben Chan [Tue, 23 Aug 2011 19:54:41 +0000 (12:54 -0700)]
minijail: Pass gid option through libminijailpreload.

BUG=chromium-os:19495
TEST=Examined the changed gid of a process launched via minijail_run.

Change-Id: I069295be964db508a8d7bfb00d2fee4244c49f60
Reviewed-on: http://gerrit.chromium.org/gerrit/6510
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
[3 years ago] minijail: Add Makefile target to compile libminijail.so
Ben Chan [Tue, 23 Aug 2011 15:15:03 +0000 (08:15 -0700)]
minijail: Add Makefile target to compile libminijail.so

BUG=chromium-os:19502
TEST=emerge chromeos-minijail for x86-generic and arm-generic

Change-Id: Id95bfaa8b2317cd4607f6e9161e8d6cb6477efd7
Reviewed-on: http://gerrit.chromium.org/gerrit/6487
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
[3 years ago] minijail: remove 'install' target.
Elly Jones [Mon, 15 Aug 2011 16:57:48 +0000 (12:57 -0400)]
minijail: remove 'install' target.

Not needed, since we use portage's install tools to install instead of the
makefile target, and it's somewhat complex to get the interaction between PREFIX
and PRELOAD_PATH and DESTDIR right.

TEST=Adhoc
emerge-$board chromeos-minijail ; ls -l
/build/$board/{lib/libminijailpreload.so,sbin/minijail0}

Change-Id: I8050d514cb44361fe4e8ce3a178a0bdcae3404df
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/5989
Reviewed-by: Chris Masone <cmasone@chromium.org>
[3 years ago] RFC: minijail: add libminijail.
Elly Jones [Fri, 22 Jul 2011 17:56:51 +0000 (13:56 -0400)]
RFC: minijail: add libminijail.

Drewry requested an implementation of minijail that:

1) Would be linkable against C programs
2) Not depend on libbase
3) Supply the necessary LD_PRELOAD hacks to use his syscall-filtering framework
   without the apply-after-exec hack and to use ptrace-disable.

Thoughts?

BUG=chromium-os:17937
TEST=Adhoc (extremely ;)). Proper test suite to be written; crosbug.com/18834

Change-Id: I8b34557a9a231dad75827c1a3d11f235f712648d
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/4585
Reviewed-by: Will Drewry <wad@chromium.org>
[3 years ago] minijail: accept named uid/gid. 0.14.811.B 0.15.877.B 780.B firmware-881-u-boot-v1 firmware-u-boot-v1
Elly Jones [Thu, 7 Jul 2011 21:07:51 +0000 (17:07 -0400)]
minijail: accept named uid/gid.

This will let us stop hardcoding uids everywhere.

TEST=platform_MiniJailUidGid
BUG=chromium-os:5327

Change-Id: I9b8029ac4e3a3cb6c80740ba4c60d1aaba4831d6
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/3744
Reviewed-by: Chris Masone <cmasone@chromium.org>
[3 years ago] minijail: return change_gid_ from change_gid(), not change_uid_.
Elly Jones [Thu, 7 Jul 2011 17:58:06 +0000 (13:58 -0400)]
minijail: return change_gid_ from change_gid(), not change_uid_.

This change makes platform_MiniJailUidGid pass.

BUG=chromium-os:2110,chromium-os:5327
TEST=platform_MiniJailUidGid

Change-Id: I3ff33b3670ad91668cea6f38e569ba0e24453365
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/3734
Reviewed-by: Chris Masone <cmasone@chromium.org>
[3 years ago] minijail: unmount /proc, then mount
Elly Jones [Thu, 30 Jun 2011 15:44:24 +0000 (11:44 -0400)]
minijail: unmount /proc, then mount

If we don't do this, --add-readonly-mounts gets us EBUSY because we inherit the
parent's rw mount of /proc. If we use MS_REMOUNT, we actually affect the mount
that is present in the parent namespace too (!); unmounting and mounting again
creates a new instance of procfs for us.

BUG=chromium-os:10841
TEST=platform_MiniJailReadOnlyFS

Change-Id: Id1e6336349519961dba591d1d01ef3b2f1b1b908
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: http://gerrit.chromium.org/gerrit/3452
Reviewed-by: Chris Masone <cmasone@chromium.org>
[3 years ago] [minijail] Roll forward to new libchrome 0.13.558.B 0.13.587.B
Chris Masone [Thu, 12 May 2011 18:10:55 +0000 (11:10 -0700)]
[minijail] Roll forward to new libchrome

BUG=chromium-os:14304
TEST=build, unit tests

Change-Id: I9811e51183de0d5699a7a0b3443fa1028c9f4d74
Reviewed-on: http://gerrit.chromium.org/gerrit/820
Reviewed-by: Chris Sosa <sosa@chromium.org>
Tested-by: Chris Masone <cmasone@chromium.org>
[3 years ago] [minijail] Add the ability to set capabilities from the command line 0.13.509.B
Chris Masone [Wed, 27 Apr 2011 15:22:40 +0000 (08:22 -0700)]
[minijail] Add the ability to set capabilities from the command line

make `minijail --use-capabilities [bitmask]` set the effective and
bounding capability sets of the jailed process.

BUG=14302
TEST=unit tests

Change-Id: I66eb18145fb7ed466c4629a7cb32fe12deea2c0f

R=wad@chromium.org

Review URL: http://codereview.chromium.org/6881066

[4 years ago] [minijail] Update to new libchrome API 0.11.241.B 0.11.257.B 0.11.257.B90 0.12.362.B 0.12.369.B 0.12.392.B 0.12.433.B 0.12.433.B109 0.12.433.B62 0.13.434.B 11.1.241.B
Chris Masone [Thu, 12 Aug 2010 17:41:16 +0000 (10:41 -0700)]
[minijail] Update to new libchrome API

CommandLine::GetLooseValues() is deprecated, in favor of
CommandLine::args(), which returns a vector of strings.

BUG=None
TEST=Compile

Change-Id: Ia34ba23f275065b3ff267e89ff5a70cfdf6bef84

Review URL: http://codereview.chromium.org/3173010

[4 years ago] Add LICENSE file
J. Richard Barnette [Thu, 5 Aug 2010 21:13:48 +0000 (14:13 -0700)]
Add LICENSE file

[4 years ago] Update Watchlists
Anush Elangovan [Tue, 8 Jun 2010 08:33:22 +0000 (01:33 -0700)]
Update Watchlists

Change-Id: I9fd8935b33b9d70674688d3e8a3a6a6c16751622

[4 years ago] Setup code review inheritance
Anush Elangovan [Sat, 5 Jun 2010 20:12:30 +0000 (13:12 -0700)]
Setup code review inheritance

Change-Id: Ieaf8a605afc010b49c8115373adf67321bb652bc

[4 years ago] build: Restore make_tests.sh scripts.
Daniel Erat [Wed, 7 Apr 2010 01:57:00 +0000 (18:57 -0700)]
build: Restore make_tests.sh scripts.

I deleted these in 264032322a9b25772bb978a2c3350f2fc6a43956,
but the full image buildbot still needs them.

BUG=none
TEST=none
TBR=cmasone

Review URL: http://codereview.chromium.org/1561017

[4 years ago] build: Delete files from the previous build system.
Daniel Erat [Tue, 6 Apr 2010 21:53:55 +0000 (14:53 -0700)]
build: Delete files from the previous build system.

There are other files in sub-repos that I'll delete
in separate changelists.

BUG=none
TEST=built an image using portage

Review URL: http://codereview.chromium.org/1521015

[4 years ago] waitpid() on the child process when changing namespaces
Will Drewry [Thu, 1 Apr 2010 14:39:30 +0000 (09:39 -0500)]
waitpid() on the child process when changing namespaces

This allows upstart to wait for the process as if it was the same one called.
Otherwise, we lose the process id and upstart assumes everything is over.
"expect fork" does not handle this properly.

TEST=manual check: /sbin/minijail --namespace-vfs -- /bin/bash -c 'sleep 1'
BUG=none

Review URL: http://codereview.chromium.org/1570004

[4 years ago] make minijail inherit the env when building
Chris Masone [Thu, 11 Feb 2010 02:14:00 +0000 (18:14 -0800)]
make minijail inherit the env when building

Review URL: http://codereview.chromium.org/604011

[4 years ago] Make minijail respect the groups of the uid provided on the command line.
Chris Masone [Thu, 4 Feb 2010 17:34:23 +0000 (09:34 -0800)]
Make minijail respect the groups of the uid provided on the command line.

Review URL: http://codereview.chromium.org/561069

[4 years ago] Rename chromeos-microbenchmark package to libchromeos-microbenchmark-dev
Colin Watson [Mon, 25 Jan 2010 15:23:40 +0000 (15:23 +0000)]
Rename chromeos-microbenchmark package to libchromeos-microbenchmark-dev

This package only contains a header file and a static library, so
libfoo-dev naming is more conventional, and it lets chromiumos-build
know that it can cross-convert the resulting package and install it to
satisfy future build-dependencies without having to add a special case.

Review URL: http://codereview.chromium.org/553066

[4 years ago] Update minijail tests with real mocks and packaging testing deps
Will Drewry [Tue, 19 Jan 2010 22:43:50 +0000 (14:43 -0800)]
Update minijail tests with real mocks and packaging testing deps
- Now needs gmock, gtest, and chromeos-microbenchmark
- Adds mocks for options, interface, and env
- Adds baseline tests for minijail and testing of default options functionality
- Makes minijail failures non-terminal

Review URL: http://codereview.chromium.org/542124

[4 years ago] minijail: Switch to new cross-friendly packaging style
Colin Watson [Thu, 7 Jan 2010 17:38:39 +0000 (17:38 +0000)]
minijail: Switch to new cross-friendly packaging style

Use dh(1) and dh-chromeos.
Unhardcode a couple of runtime dependencies. I've left libcap2 hardcoded
since we're specifying a higher version than would be generated
automatically.
Use cross-tools from environment if set.

Review URL: http://codereview.chromium.org/523129

[4 years ago] Fix broken tree
Will Drewry [Thu, 10 Dec 2009 22:13:15 +0000 (14:13 -0800)]
Fix broken tree

- Fixes naming
- Removes minijail_benchmarks as part of the build for now until I fix it.

Review URL: http://codereview.chromium.org/491019

[4 years ago] Overhaul microbenchmark so that it can be pulled in easily by any package
Will Drewry [Thu, 10 Dec 2009 20:31:47 +0000 (12:31 -0800)]
Overhaul microbenchmark so that it can be pulled in easily by any package

This follows the model set by gtest_main.a and adds a microbenchmark_main.a
which can be pulled in by any package to do quick microbenchmarking of any of
the functions in their tree.

This change also includes updates to minijail as an example usage of the microbenchmark code.

Last but not least, I fixed a copy and paste error in the copyright and a
missing comma in the output as well as updated some comments.

Review URL: http://codereview.chromium.org/492005

[4 years ago] enable seccomp benchmark option which was in the switch list but not connected to...
Will Drewry [Tue, 8 Dec 2009 02:15:36 +0000 (18:15 -0800)]
enable seccomp benchmark option which was in the switch list but not connected to anything...

Review URL: http://codereview.chromium.org/460133

[4 years ago] Add build and package support to minijail
Will Drewry [Mon, 7 Dec 2009 23:50:16 +0000 (15:50 -0800)]
Add build and package support to minijail
Packaging:
- Adds packaging for minijail
- Adds support for building minijail in the chroot (libcap-dev)
- Fixes libcap2 versioning to be compatible with libcap-dev in the repo
- Build minijail as part of the platform packages
Code:
- Fixed an initialization check bug in minijail and unittests

Review URL: http://codereview.chromium.org/465106

[4 years ago] Baseline minijail with a commandline switch driven main.
drewry@google.com [Mon, 7 Dec 2009 19:13:27 +0000 (19:13 +0000)]
Baseline minijail with a commandline switch driven main.

Review URL: http://codereview.chromium.org/466049

git-svn-id: svn://chrome-svn/chromeos/trunk@342 06c00378-0e64-4dae-be16-12b19f9950a1