summaryrefslogtreecommitdiffstats
path: root/sandbox/linux/seccomp/securemem.cc
Commit message (Collapse)AuthorAgeFilesLines
* Pull seccomp-sandbox in via DEPS rather than using an in-tree copy mseaborn@chromium.org2010-09-011-105/+0
| | | | | | | | | | | | | | | | This means changes to the sandbox won't have to be committed twice, to both trees. This is a retry of r57921, which was committed with git-svn and failed to remove the "seccomp" directory. This caused problems when trying to "svn checkout" to the same location, and the change was reverted. This time I will use SVN to commit the change. BUG=none TEST=smoke test of running chromium with --enable-seccomp-sandbox Review URL: http://codereview.chromium.org/3225010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@58184 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 57921 - Pull seccomp-sandbox in via DEPS rather than using an in-tree ↵nsylvain@chromium.org2010-08-311-0/+105
| | | | | | | | | | | | | | | | | copy This means changes to the sandbox won't have to be committed twice, to both trees. BUG=none TEST=smoke test of running chromium with --enable-seccomp-sandbox Review URL: http://codereview.chromium.org/3249003 TBR=mseaborn@chromium.org Review URL: http://codereview.chromium.org/3245011 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57933 0039d316-1c4b-4281-b951-d872f2087c98
* Pull seccomp-sandbox in via DEPS rather than using an in-tree copymseaborn@chromium.org2010-08-301-105/+0
| | | | | | | | | | | | This means changes to the sandbox won't have to be committed twice, to both trees. BUG=none TEST=smoke test of running chromium with --enable-seccomp-sandbox Review URL: http://codereview.chromium.org/3249003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57921 0039d316-1c4b-4281-b951-d872f2087c98
* Make the use of signals inside of the sandbox safe.markus@chromium.org2010-04-201-9/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We previously assumed that no signals would ever be enabled in the sandbox and thus there was no way to trick the trusted thread into executing potentially untrusted code. In an attempt to lift this restriction, this changelist modifies the trusted thread so that - it has an invalid stack pointer at all times. Any attempt to handle a signal would result in the kernel trying to push a signal stack, which would immediately result in a SEGV and then terminate the application. - all signals are blocked while outside of trusted code. If a signal is triggered, it either gets handled on one of the sandboxed threads (for asynchronous signals), or it results in the application getting terminated by the kernel (for synchronous signals). This changelist is difficult not only because eliminating all uses of the stack pointer requires some very careful assembly coding, but more importantly because we have to restore signals after we enter seccomp mode. As sigprocmask() is a restricted system call, the only way to restore the signal mask is by calling sigreturn() with a suitably tweaked signal stack frame. While the first couple of bytes of the signal stack frame are well-defined and unlikely to change, the entire signal stack frame is not documented as part of the stable ABI. The exact format depends on the number of modified CPU registers (e.g. SSE, MMX, floating point, ...) The only way for us to get a valid signal stack frame is to trigger a signal, and to create a (possibly adjusted) copy of the signal frame. We obviously have to do this _before_ we block all signals upon entering trusted code. The two places where this needs to happen is upon start of the sandbox when launching the initial trusted thread, and upon any call to clone(). BUG=37728 TEST=Run chrome and verify that /proc/$PID/status shows the correct signal mask for trusted threads. The latter can be identified with strace. Review URL: http://codereview.chromium.org/1594040 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45055 0039d316-1c4b-4281-b951-d872f2087c98
* Added missing copyright header.markus@chromium.org2010-03-081-0/+4
| | | | | | | | BUG=32501 TEST=none Review URL: http://codereview.chromium.org/672011 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40946 0039d316-1c4b-4281-b951-d872f2087c98
* Allow the seccomp sandbox to be enabled, even if the suid sandbox hasmarkus@chromium.org2009-11-071-11/+15
| | | | | | | | | | already put a chroot() jail around it. The only tricky part is access to /proc/self/maps, but we can safely pass in an open file descriptor. BUG=26527 Review URL: http://codereview.chromium.org/371047 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@31372 0039d316-1c4b-4281-b951-d872f2087c98
* Initial version of the Seccomp sandbox. Imported from ↵markus@chromium.org2009-08-111-0/+97
http://code.google.com/p/seccompsandbox/ Make the seccomp sandbox dependant on the --enable-seccomp-sandbox flag Review URL: http://codereview.chromium.org/165310 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23087 0039d316-1c4b-4281-b951-d872f2087c98
generated by cgit v1.1 at 2025-02-01 15:32:21 +0000