
Issue 355125

Issue metadata

Status: Verified
Owner:
Closed: Sep 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Chrome
Pri: 2
Type: Bug

Blocked on:
issue 354852

Blocking:
issue 354405


Implement Seccomp-BPF support for ARM64

Reported by jln@chromium.org, Mar 21 2014

Issue description

Issue 354405 is trying to get Chrome building on ARM64.

Strictly speaking, it'll "build" without seccomp-bpf in working order, since in build/common.gypi we have:

      ['((OS=="linux" or OS=="android") and '
           '(target_arch=="ia32" or target_arch=="x64" or '
             'target_arch=="arm"))', {

However, seccomp-bpf working is required to ship Chrome on Linux or Chrome OS ARM64, and possibly in the future on Android (issue 166704).

We'll probably want to split this bug into multiple bugs to reflect various steps:

- There is no kernel support for seccomp-bpf on ARM64 yet
- We need to port assembly code, such as sandbox/linux/seccomp-bpf/syscall.cc
- We need to list and classify all system calls in sandbox/linux/seccomp-bpf-helpers
- We need to come up with new sandboxing policies and make them work

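The steps above (classify every system call, then write per-architecture policies) hinge on one detail a port must get right: syscall numbers differ per ABI, so a policy has to check the AUDIT_ARCH value before it matches numbers. As an added example (not Chromium's sandbox code), here is a minimal seccomp-BPF allow-list built that way and evaluated offline by a small classic-BPF interpreter on constructed records; the AUDIT_ARCH constants and arm64 syscall numbers are the Linux uapi values, while the struct, macro and function names are the example's own.

```c
/* Added example, not Chromium's code: build a seccomp-BPF allow-list that
 * checks AUDIT_ARCH before matching syscall numbers (numbers differ per ABI;
 * arm64 has openat=56 but no open), then run it offline on constructed records. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Values copied from the Linux uapi headers (linux/filter.h, linux/seccomp.h). */
enum { BPF_LD = 0x00, BPF_W = 0x00, BPF_ABS = 0x20, BPF_JMP = 0x05, BPF_JEQ = 0x10,
       BPF_K = 0x00, BPF_RET = 0x06, SECCOMP_RET_KILL = 0, SECCOMP_RET_ALLOW = 0x7fff0000 };
#define AUDIT_ARCH_AARCH64 0xC00000B7U /* EM_AARCH64 | __AUDIT_ARCH_64BIT | LE */
#define AUDIT_ARCH_X86_64  0xC000003EU
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };       /* = sock_filter */
struct sc_data { int nr; uint32_t arch; uint64_t ip; uint64_t args[6]; }; /* = seccomp_data */
#define STMT(c, v) ((struct insn){(c), 0, 0, (v)})
#define JUMP(c, v, t, f) ((struct insn){(c), (t), (f), (v)})
/* arch != want -> KILL; nr in allowed[] -> ALLOW; else KILL. Returns insn count, 0 on error. */
size_t build_filter(struct insn *out, size_t cap, uint32_t want, const int *allowed, size_t n) {
    size_t i = 0;
    if (n > 255 || cap < n + 6) return 0;
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct sc_data, arch));
    out[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, want, 1, 0);   /* skip the KILL on match */
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct sc_data, nr));
    for (size_t j = 0; j < n; j++) /* jt jumps over the remaining tests to the ALLOW */
        out[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[j], (uint8_t)(n - j), 0);
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Classic-BPF interpreter for the three opcodes used above; unknown opcodes fail closed. */
uint32_t run_filter(const struct insn *p, size_t len, const struct sc_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct insn *in = &p[pc];
        if (in->code == (BPF_RET | BPF_K)) return in->k;
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (const char *)d + in->k, 4);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == in->k ? in->jt : in->jf;
        else return SECCOMP_RET_KILL;
    }
    return SECCOMP_RET_KILL; /* fell off the end: also fail closed */
}
/* Classify one constructed record against an arm64 allow-list (asm-generic numbers). */
uint32_t decide(uint32_t arch, int nr) {
    static const int allowed[] = {56, 63, 64, 94}; /* openat, read, write, exit_group */
    struct insn prog[16];
    size_t len = build_filter(prog, 16, AUDIT_ARCH_AARCH64, allowed, 4);
    return run_filter(prog, len, &(struct sc_data){ nr, arch, 0, {0} });
}
```

A record carrying an x86_64 arch value is killed even when its number happens to be on the arm64 list, which is the failure the arch check exists to prevent.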

Comment 1 by jln@chromium.org, Mar 21 2014

Blocking: chromium:354405

Comment 2 by bugdroid1@chromium.org, Apr 11 2014

------------------------------------------------------------------
r263400 | rmcilroy@chromium.org | 2014-04-11T23:26:12.350827Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/content_common.gypi?r1=263400&r2=263399&pathrev=263400
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/renderer_main_platform_delegate_android.cc?r1=263400&r2=263399&pathrev=263400

[Android]: Fix Android build if use_seccomp_bpf==0.

There is currently no Arm64 support for seccomp_bpf, so use_seccomp_bpf is set to '0' on this architecture.  http://crrev.com/263017 broke the Arm64 build since it includes seccomp_bpf files even if use_seccomp_bpf==0.

BUG=354405,355125,362357

Review URL: https://codereview.chromium.org/233413004
-----------------------------------------------------------------

Comment 3 by jln@chromium.org, Jun 16 2014

Cc: leecam@chromium.org
Lee, adding you to this bug in case you're interested.

Issue 369594 covers the MIPS port, which would give an idea of the steps required.

I would start with porting sandbox/linux/seccomp-bpf/syscall*; the rest is more mechanical and easier.
It would be useful to have an ARM64 board though.

Comment 5 by jln@chromium.org, Jun 16 2014

It could come in handy :)

For the ARM port we used QEMU, but I'm not sure what the AARCH64 status is there..

Comment 6 by leecam@chromium.org, Jun 16 2014

QEMU has user-mode support for aarch64 in v2.0 but not sure it can boot a full kernel yet. 

ARM does provide their Foundation model which can boot an arm64 kernel built from source. I've built kernels along with enough userspace to ssh in. I think it would be possible to use it to port seccomp-bpf.

 
In this case we also need to port the kernel-side support though. The CL in #3 only covers userspace support.

https://github.com/redpig/seccomp has the tests that Will used for bring-up.

Lee, do you want to take this on?

Comment 8 by leecam@chromium.org, Jun 16 2014

Yeah I can take a look at this.

I'm not sure the upstream kernel is in great shape (security-wise) for aarch64 yet, e.g. all userspace heap pages are still marked rwx.

Is there a bug to track the aarch64 port for ChromeOS? 


I don't think we do, but I can find out.

Comment 10 by jln@chromium.org, Jun 16 2014

For Chrome, the tracking bug is issue 354405 (which this issue is a blocker for).

I don't know about a Chrome OS tracking bug.

The kernel part indeed needs to be done, but it should be very simple. Mostly a matter of being able to test it.

Comment 11 by bugdroid1@chromium.org, Jun 17 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3e05aa141966d1fd9ef2ae390e450eb960f83e08

commit 3e05aa141966d1fd9ef2ae390e450eb960f83e08
Author: dati91@gmail.com <dati91@gmail.com@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Tue Jun 17 02:16:07 2014

[ARM64]: Fix ARM64 content_shell build

Currently there is no ARM64 support for seccomp_bpf and the content_shell build will fail without this check.

BUG=354405,355125
R=jln@chromium.org, jochen@chromium.org

Review URL: https://codereview.chromium.org/331143002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@277622 0039d316-1c4b-4281-b951-d872f2087c98


Comment 12 by bugdroid1@chromium.org, Jun 17 2014

------------------------------------------------------------------
r277622 | dati91@gmail.com | 2014-06-17T02:16:07.183566Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc?r1=277622&r2=277621&pathrev=277622

[ARM64]: Fix ARM64 content_shell build

Currently there is no ARM64 support for seccomp_bpf and the content_shell build will fail without this check.

BUG=354405,355125
R=jln@chromium.org, jochen@chromium.org

Review URL: https://codereview.chromium.org/331143002
-----------------------------------------------------------------

Cc: jln@chromium.org
Owner: leecam@chromium.org
Summary: Implement Seccomp-BPF support for ARM64 (was: Get the seccomp-bpf sandbox working on ARM64)
Assigning to Lee.

Kernel-side implementation posted by Linaro people:
http://thread.gmane.org/gmane.linux.kernel/1642535

Cc: rmcilroy@chromium.org

Comment 15 by bugdroid1@chromium.org, Aug 24 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a

commit e6f6b730e646a11e6f6a3c1c5f54e052aa07584a
Author: leecam <leecam@chromium.org>
Date: Sun Aug 24 23:38:09 2014

sandbox: Add Arm64 support for seccomp-BPF

Adds support for Arm64 to 'sandbox/'. This can be used
by future CLs to provide Arm64 policy for Chrome.

BUG= 355125 
TEST=sandbox_linux_unittests

Review URL: https://codereview.chromium.org/487143003

Cr-Commit-Position: refs/heads/master@{#291631}

[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/build/common.gypi
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/BUILD.gn
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/sandbox_linux.gypi
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/seccomp-bpf/linux_seccomp.h
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/seccomp-bpf/syscall.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/seccomp-bpf/syscall_unittest.cc
[add] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/services/android_arm64_ucontext.h
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/services/android_ucontext.h
[add] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/services/arm64_linux_syscalls.h
[modify] https://chromium.googlesource.com/chromium/src.git/+/e6f6b730e646a11e6f6a3c1c5f54e052aa07584a/sandbox/linux/services/linux_syscalls.h

Status: Fixed

Comment 17 by krisr@chromium.org, Sep 17 2014

Status: Verified
