| Commit message (Collapse) | Author | Age | Files | Lines |
Remove the optional verifier pass in PolicyCompiler along with the
underlying verification code. It might come back in the future if STP
ever proves usable, but that will take a completely different form
anyway. In the meantime, simplicity, test coverage, and golden files
provide much more correctness reassurance for me than this verifier
code ever has.
Side bonus: We can change dump_bpf.cc and verifier.cc to only build as
part of sandbox_linux_unittests now, so we'll save a little bit of
code bloat in Chromium/Bauxite.
"So long, and thanks for all the bugs!"
BUG=414363
Review URL: https://codereview.chromium.org/1309913003
Cr-Commit-Position: refs/heads/master@{#346493}
Some toolchains (especially PNaCl for Non-SFI builds) do not
provide the linux/filter.h system header.
This CL defines all necessary structs and macros for the sandbox,
and replaces linux/filter.h with the new header.
This CL is preparation to enable seccomp-bpf sandbox on
nacl_helper_nonsfi.
TEST=Ran bots.
BUG=358465
Review URL: https://codereview.chromium.org/1053603002
Cr-Commit-Position: refs/heads/master@{#324194}
Now that the API has been simplified, SandboxBPF should always take a
policy in its constructor.
BUG=434820
TBR=nasko
Review URL: https://codereview.chromium.org/761673006
Cr-Commit-Position: refs/heads/master@{#305922}
Change how we detect seccomp kernel support and its initialization.
Before, detecting seccomp kernel support would involve starting probe processes
that would enable seccomp. A crash would mean that seccomp was not supported.
This was necessary with old kernel versions and old glibc versions that were
problematic.
Now that these shouldn't exist in the field, we move the checks to unit
tests instead.
Following the refactor in https://chromiumcodereview.appspot.com/733303004/
we can greatly simplify both detection and starting of the sandbox to make the API
more sane.
BUG=434820
TBR=piman
Review URL: https://codereview.chromium.org/759473002
Cr-Commit-Position: refs/heads/master@{#305706}
This CL makes SupportsSandbox() more straightforward by returning the
level of support in the kernel.
One major advantage is that being single threaded is now checked right before engaging
the sandbox.
Now, StartSandbox() is required to be able to check the number of threads
in the current process. For this, the LinuxSandbox classes in content/ and
in nacl/ are modified to always pass a file descriptor to /proc/self/tasks/
to SandboxBPF::StartSandbox().
In content::LinuxSandbox, such a descriptor was only available in DEBUG builds
for security reasons. We make sure to always close it, as long as InitializeSandbox()
is called. However, a few fringe processes, such as the init process or the ASAN
coverage helper need to close it manually.
BUG=434820
Review URL: https://codereview.chromium.org/733303004
Cr-Commit-Position: refs/heads/master@{#305569}
At the same time, move Policy into a new "policy.h" header file, add a
"bpf_dsl_forward.h" header file to provide forward declarations of
bpf_dsl types, and clean up #include directives throughout.
BUG=414363
TBR=jam@chromium.org
Review URL: https://codereview.chromium.org/674993003
Cr-Commit-Position: refs/heads/master@{#301219}
This splits out the policy-to-BPF-program handling code from
SandboxBPF into a new "PolicyCompiler" class. Additionally, it
extracts an interface "TrapRegistry" to decouple PolicyCompiler from
Trap (which should probably eventually be renamed something like
SIGSYSTrapRegistry).
Most significantly this CL means bpf_dsl no longer depends on
SandboxBPF, which also now focuses primarily on the task of
installing a compiled policy.
BUG=414363
Review URL: https://codereview.chromium.org/660433002
Cr-Commit-Position: refs/heads/master@{#299905}
We now exclusively use SandboxBPFDSLPolicy throughout.
BUG=414363
Review URL: https://codereview.chromium.org/642453005
Cr-Commit-Position: refs/heads/master@{#299530}
I'm reasonably confident that all of the seccomp-bpf/*.h files are now
IWYU clean. There might still be some missing/superfluous #include lines
in some of the .cc files, but it should overall be much better than
before.
Two particular changes to note:
1. "base/basictypes.h" is deprecated in favor of <stdint.h> (for standard
*int*_t types) and/or "base/macros.h" for DISALLOW_*() macros.
2. This also moves the #include "foo.h" lines to the top of each foo.cc
file, per style guide.
BUG=408845
Review URL: https://codereview.chromium.org/570163003
Cr-Commit-Position: refs/heads/master@{#295161}
Leak Sanitizer did not run in SANDBOX_TEST (i.e. tests running in their
own subprocesses) since they called _exit(2).
We now explicitly call __lsan_do_leak_checks() before calling _exit().
This feature is still disabled for any test that enables a real sandbox since
it may not be compatible with LSAN.
BUG=376120
R=mdempsky@chromium.org
Review URL: https://codereview.chromium.org/288063005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@272121 0039d316-1c4b-4281-b951-d872f2087c98
Remove more void* in favor of strong typing. Create a new global
SandboxTestRunner interface that can be implemented by specific test runners.
Implement BPF_TEST via a SandboxBPFTestRunner class which takes a delegate
to implement allocating the BPF policy and actually running the function.
This allows us to confine templating to this new BPFTesterSimpleDelegate class.
BUG=368970
R=jorgelo@chromium.org, mdempsky@chromium.org
Review URL: https://codereview.chromium.org/265283003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@268608 0039d316-1c4b-4281-b951-d872f2087c98