Starred by 11 users
Status: Fixed
Owner:
Closed: Jun 6
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug


Security: use a seccomp-bpf sandbox on Android
Project Member Reported by jln@chromium.org, Dec 18 2012
This bug is to track progress on getting a seccomp-bpf sandbox on Android.

Here are the loose steps:

- Get sandbox/ to compile and the unit tests to pass (requires modifications to the GYP file and additions of files to the Android NDK)
- Get seccomp-bpf wired into Chrome for Android (get an AllowAll policy applied to renderers)
- Write a real layer-2 (layer-1 is uid separation) sandbox for Android
 
Comment 1 by jln@chromium.org, Dec 18 2012
Cc: markus@chromium.org
Comment 2 by jln@chromium.org, Dec 19 2012
Cc: digit@chromium.org
https://chromiumcodereview.appspot.com/11612014/ and https://chromiumcodereview.appspot.com/11618010/ up for review.

The sum of these allows us to compile on Android. Unfortunately we had to replicate part of Android-missing headers.
Comment 3 by jln@chromium.org, Dec 19 2012
Cc: gcondra@google.com
Comment 4 by n...@chromium.org, Dec 19 2012
Cc: n...@chromium.org
Comment 7 by jln@chromium.org, Dec 20 2012
sandbox_linux_unittests pretty much all passed with a few minor bugs in the tests themselves which palmer and I have now fixed (https://chromiumcodereview.appspot.com/11647024/).

Next step is to get sandbox_linux_unittests to run automatically on the bots.
Project Member Comment 8 by bugdroid1@chromium.org, Dec 20 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174116

------------------------------------------------------------------------
r174116 | palmer@chromium.org | 2012-12-20T07:56:53.490545Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc?r1=174116&r2=174115&pathrev=174116
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/services/broker_process_unittest.cc?r1=174116&r2=174115&pathrev=174116

Update Linux sandbox tests to pass on Android.

BUG= 166704 
NOTRY=true


Review URL: https://chromiumcodereview.appspot.com/11647024
------------------------------------------------------------------------
Project Member Comment 9 by bugdroid1@chromium.org, Dec 20 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174193

------------------------------------------------------------------------
r174193 | jln@chromium.org | 2012-12-20T18:46:09.479830Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/build/all_android.gyp?r1=174193&r2=174192&pathrev=174193

Android: compile sandbox_linux_unittests

Note: tests that require kernel seccomp-bpf support to do
anything will just pass if kernel support is lacking.

BUG= 166704 
NOTRY=true


Review URL: https://chromiumcodereview.appspot.com/11639036
------------------------------------------------------------------------
Project Member Comment 10 by bugdroid1@chromium.org, Dec 20 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174244

------------------------------------------------------------------------
r174244 | jln@chromium.org | 2012-12-20T21:18:30.367241Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/sandbox_linux.gypi?r1=174244&r2=174243&pathrev=174244

Fix Android x86 build with a quick hack.


BUG= 166704 
TBR=markus
NOTRY=true


Review URL: https://chromiumcodereview.appspot.com/11649044
------------------------------------------------------------------------
Project Member Comment 11 by bugdroid1@chromium.org, Dec 28 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174727

------------------------------------------------------------------------
r174727 | jln@chromium.org | 2012-12-28T09:59:55.360873Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/build/android/buildbot/buildbot_functions.sh?r1=174727&r2=174726&pathrev=174727

Add sandbox_linux_unittests to Android FYI bots.


BUG= 166704 
NOTRY=true

Review URL: https://chromiumcodereview.appspot.com/11674008
------------------------------------------------------------------------
Comment 12 Deleted
Comment 13 Deleted
Comment 14 Deleted
Project Member Comment 15 by bugdroid1@chromium.org, Jan 9 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=175695

------------------------------------------------------------------------
r175695 | jln@chromium.org | 2013-01-09T03:40:26.352793Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/build/android/buildbot/buildbot_functions.sh?r1=175695&r2=175694&pathrev=175695
   M http://src.chromium.org/viewvc/chrome/trunk/src/build/android/run_tests.py?r1=175695&r2=175694&pathrev=175695

Android: enable sandbox_linux_unittests by default.

Move sandbox_linux_unittests away from the FYI bots and enable them
by default.

BUG= 166704 
NOTRY=true

Review URL: https://chromiumcodereview.appspot.com/11828008
------------------------------------------------------------------------
Project Member Comment 16 by bugdroid1@chromium.org, Jan 9 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=175711

------------------------------------------------------------------------
r175711 | ilevy@chromium.org | 2013-01-09T05:15:01.084794Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/build/android/run_tests.py?r1=175711&r2=175710&pathrev=175711
   M http://src.chromium.org/viewvc/chrome/trunk/src/build/android/buildbot/bb_tests.py?r1=175711&r2=175710&pathrev=175711

Move sandbox_linux_unittests back to FYI bots

4 tests are failing to run.
http://build.chromium.org/p/chromium.linux/builders/Android%20Tests%20%28dbg%29/builds/6093/steps/sandbox_linux_unittests/logs/stdio

They were passing on FYI bot but kicking until we figure out why they
are failing here.

BUG= 166704 
TBR=jln

Review URL: https://codereview.chromium.org/11826019
------------------------------------------------------------------------
Comment 17 by jln@chromium.org, Jan 9 2013
Isaac: I don't see any error in this log. What's happening?
Project Member Comment 18 by bugdroid1@chromium.org, Jan 11 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=176254

------------------------------------------------------------------------
r176254 | jln@chromium.org | 2013-01-11T03:36:12.704011Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/build/android/pylib/gtest/gtest_config.py?r1=176254&r2=176253&pathrev=176254

Android: upgrade sandbox_linux_unittests to a stable test


BUG= 166704 
NOTRY=true

Review URL: https://chromiumcodereview.appspot.com/11783106
------------------------------------------------------------------------
Project Member Comment 19 by bugdroid1@chromium.org, Jan 11 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=176269

------------------------------------------------------------------------
r176269 | ilevy@chromium.org | 2013-01-11T05:39:42.105001Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/build/android/pylib/gtest/gtest_config.py?r1=176269&r2=176268&pathrev=176269

Revert 176254
> Android: upgrade sandbox_linux_unittests to a stable test
> 
> 
> BUG= 166704 
> NOTRY=true
> 
> Review URL: https://chromiumcodereview.appspot.com/11783106

Tests are flaky and closed the tree again...

TBR=jln@chromium.org
Review URL: https://codereview.chromium.org/11860004
------------------------------------------------------------------------
Comment 20 by jln@chromium.org, Jan 11 2013
Blockedon: chromium:169416
Project Member Comment 21 by bugdroid1@chromium.org, Jan 17 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=177321

------------------------------------------------------------------------
r177321 | jln@chromium.org | 2013-01-17T02:43:23.110295Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/services/android_arm_ucontext.h?r1=177321&r2=177320&pathrev=177321
   A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/services/android_ucontext.h?r1=177321&r2=177320&pathrev=177321
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/sandbox_linux.gypi?r1=177321&r2=177320&pathrev=177321
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/seccomp-bpf/sandbox_bpf.cc?r1=177321&r2=177320&pathrev=177321
   A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/services/android_x86_ucontext.h?r1=177321&r2=177320&pathrev=177321

Android: create a generic android_ucontext.h

We now have a generic android_ucontext.h that should work on both
ARM and X86.

Note: if this needs to be reverted on X86, please only revert
the GYP file and send me the error message.

(Thanks to Yin Fengwei for his related work in
https://chromiumcodereview.appspot.com/11639038/)

BUG= 166704 
NOTRY=true

Review URL: https://chromiumcodereview.appspot.com/11971028
------------------------------------------------------------------------
Project Member Comment 22 by bugdroid1@chromium.org, Jan 17 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=177371

------------------------------------------------------------------------
r177371 | jln@chromium.org | 2013-01-17T09:26:33.726565Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/sandbox_linux.gypi?r1=177371&r2=177370&pathrev=177371

Android: remove x86 from sandbox/linux once again.


BUG= 166704 
TBR=markus
NOTRY=true


Review URL: https://chromiumcodereview.appspot.com/11958035
------------------------------------------------------------------------
Comment 24 by jln@chromium.org, Feb 28 2013
Labels: Feature-Security
Project Member Comment 25 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-Internals -Feature-Security Cr-Internals Cr-Security
Comment 26 by jln@chromium.org, Oct 17 2013
Blockedon: chromium:308763
Comment 27 by jln@chromium.org, Oct 17 2013
Blockedon: chromium:308775
Comment 28 by jln@chromium.org, Mar 21 2014
Owner: rsesek@chromium.org
Robert is now the owner of this.
Project Member Comment 29 by bugdroid1@chromium.org, Apr 10 2014
------------------------------------------------------------------
r263017 | rsesek@chromium.org | 2014-04-10T17:04:34.294042Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/public/common/content_switches.h?r1=263017&r2=263016&pathrev=263017
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/OWNERS?r1=263017&r2=263016&pathrev=263017
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/renderer_main_platform_delegate_android.cc?r1=263017&r2=263016&pathrev=263017
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/render_process_host_impl.cc?r1=263017&r2=263016&pathrev=263017
   A http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/android?r1=263017&r2=263016&pathrev=263017
   A http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc?r1=263017&r2=263016&pathrev=263017
   A http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h?r1=263017&r2=263016&pathrev=263017
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/content_common.gypi?r1=263017&r2=263016&pathrev=263017
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/public/common/content_switches.cc?r1=263017&r2=263016&pathrev=263017

[Android] Define a baseline seccomp-bpf sandbox policy.

This is not used in production yet, since Android kernels do not have seccomp
mode two support, yet.

BUG= 308763 ,  166704 

Review URL: https://codereview.chromium.org/180783019
-----------------------------------------------------------------
Project Member Comment 30 by bugdroid1@chromium.org, Apr 10 2014
------------------------------------------------------------------
r263107 | zhenyu.liang@intel.com | 2014-04-10T22:46:07.143080Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc?r1=263107&r2=263106&pathrev=263107

Fixes for sandbox unit tests on Android

In bionic, open, access and dup2 are wrappers of openat, faccessat and dup3 instead of real syscalls.

BUG= 166704 

Review URL: https://codereview.chromium.org/226923003
-----------------------------------------------------------------
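
The r263107 note that bionic's open() reaches the kernel as openat matters for policy authors as well as for tests: a filter keyed on the C function name never sees the call. The following is an added example, not code from the Chromium tree; `open_errno_with_denied` and `policy_result` are hypothetical names, and the filter leaves out the `seccomp_data.arch` check that a production policy needs.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child, install a filter failing each syscall in denied[] with EPERM,
 * then call libc open(). Returns the errno open() saw (0 = it succeeded), or
 * -1 if the filter could not be installed (no kernel seccomp-bpf support). */
int open_errno_with_denied(const int *denied, int n) {
    struct sock_filter f[2 * 8 + 2];
    int i, k = 0, status;
    if (n < 0 || n > 8) return -1;
    /* A = seccomp_data.nr. A production filter checks seccomp_data.arch first. */
    f[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) {
        f[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[i], 0, 1);
        f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog prog = { .len = (unsigned short)k, .filter = f };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(255);
        _exit(open("/dev/null", O_RDONLY) >= 0 ? 0 : errno);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

/* include_openat = 0: policy written from the C API name (legacy open only).
 * include_openat = 1: policy covering what libc actually issues. */
int policy_result(int include_openat) {
    int denied[2], n = 0;
#ifdef __NR_open
    denied[n++] = __NR_open; /* not defined on newer ABIs such as arm64 */
#endif
    if (include_openat) denied[n++] = __NR_openat;
    return open_errno_with_denied(denied, n);
}

int main(void) {
    printf("open only: %d, open+openat: %d\n", policy_result(0), policy_result(1));
    return 0;
}
```

On a libc that routes open() through openat, as the commit describes for bionic, the first number is 0 (the open went through) and the second is 1 (EPERM).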
Comment 31 by jln@chromium.org, Jul 29 2014
Blockedon: chromium:398611
Cc: leecam@chromium.org
Blockedon: chromium:437067
Project Member Comment 35 by bugdroid1@chromium.org, Dec 4 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0d1b63a26471e4c3ac8acd12276010b79affc26a

commit 0d1b63a26471e4c3ac8acd12276010b79affc26a
Author: rsesek <rsesek@chromium.org>
Date: Thu Dec 04 21:29:01 2014

[Android] Get renderers working again under seccomp-bpf.

Android 5.0 added some additional prctl()s that are used by the framework. This
also permits __NR_set_tid_address and fstat().

BUG= 437067 , 166704 
R=jln@chromium.org

Review URL: https://codereview.chromium.org/775943004

Cr-Commit-Position: refs/heads/master@{#306895}

[modify] http://crrev.com/0d1b63a26471e4c3ac8acd12276010b79affc26a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
[modify] http://crrev.com/0d1b63a26471e4c3ac8acd12276010b79affc26a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

Blockedon: chromium:439573
Blockedon: chromium:584518
Blockedon: chromium:586056
Cc: -gcondra@google.com
Blockedon: 591884
Project Member Comment 41 by bugdroid1@chromium.org, May 19 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f36de642ae5dc210de4543252198c0cf2c960fc5

commit f36de642ae5dc210de4543252198c0cf2c960fc5
Author: rsesek <rsesek@chromium.org>
Date: Thu May 19 20:46:31 2016

[Android] Permit __NR_msync under the seccomp sandbox.

BUG= 166704 ,591884
R=jln@chromium.org

Review-Url: https://codereview.chromium.org/1988303003
Cr-Commit-Position: refs/heads/master@{#394853}

[modify] https://crrev.com/f36de642ae5dc210de4543252198c0cf2c960fc5/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc

Blockedon: 635085
Blockedon: 655277
Blockedon: 655299
Blockedon: 655300
Project Member Comment 46 by bugdroid1@chromium.org, Dec 7 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/29172b46e7a0e89f892a52fde8145238b70893dc

commit 29172b46e7a0e89f892a52fde8145238b70893dc
Author: rsesek <rsesek@chromium.org>
Date: Wed Dec 07 21:40:18 2016

Add fieldtrial_testing_config.json entry for SeccompSandboxAndroid.

BUG= 166704 

Review-Url: https://codereview.chromium.org/2552323004
Cr-Commit-Position: refs/heads/master@{#437068}

[modify] https://crrev.com/29172b46e7a0e89f892a52fde8145238b70893dc/testing/variations/fieldtrial_testing_config.json

Blocking: 477049
Blockedon: 681960
Blockedon: 682488
Components: -Internals Internals>Sandbox
Blockedon: 701137
Project Member Comment 52 by bugdroid1@chromium.org, Mar 17 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f4a66e3215736c4df4e10ad5868b7c7174c6778f

commit f4a66e3215736c4df4e10ad5868b7c7174c6778f
Author: rsesek <rsesek@chromium.org>
Date: Fri Mar 17 15:29:38 2017

Make SeccompSandboxAndroid feature enabled by default.

BUG= 166704 

Review-Url: https://codereview.chromium.org/2748393002
Cr-Commit-Position: refs/heads/master@{#457773}

[modify] https://crrev.com/f4a66e3215736c4df4e10ad5868b7c7174c6778f/content/public/common/content_features.cc

Blockedon: 703190
Project Member Comment 54 by bugdroid1@chromium.org, Jun 1
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/253f8c677519fd6e6700047a2b08a09bb438c694

commit 253f8c677519fd6e6700047a2b08a09bb438c694
Author: Robert Sesek <rsesek@chromium.org>
Date: Thu Jun 01 20:59:10 2017

[Android] Only warn about existing SIGSYS handlers pre-O.

Bug:  166704 
Change-Id: I3f95a10ea12e1155272a0d3213e1cc0eb4c7a607
Reviewed-on: https://chromium-review.googlesource.com/521388
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Alexandre Elias <aelias@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#476432}
[modify] https://crrev.com/253f8c677519fd6e6700047a2b08a09bb438c694/content/renderer/renderer_main_platform_delegate_android.cc

Project Member Comment 55 by bugdroid1@chromium.org, Jun 5
Labels: M-58
Status: Fixed
With the release of Chrome 58 on Android, the seccomp-bpf sandbox is enabled by default for all compatible devices.