Issue 367986 Restrict tgkill and kill to the process' thread group. Disallow tkill.
Starred by 2 users. Reported by jln@chromium.org (Project Member), Apr 28 2014
Status: Verified
Owner:
Last visit 29 days ago
Closed: Jun 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Chrome
Pri: 2
Type: Bug

Blocked on:
issue 123263

Blocking:
issue 413855



Make sure that tgkill(2) and kill(2) are only allowed against the sandboxed process, not any other process.
 
Project Member Comment 1 by bugdroid1@chromium.org, Apr 29 2014
Labels: merge-merged-git-svn
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3788a74e495d05b87548d9bd4dbb667531f17495

commit 3788a74e495d05b87548d9bd4dbb667531f17495
Author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Tue Apr 29 01:15:08 2014 +0000

Linux GPU sandbox: only allocate broker policy in the broker.

The GPU broker policy was allocated in the main GPU process and then used in
the broker process. We switch the logic so that the broker policy is only ever
allocated in the broker process itself.

Besides fixing a small memory leak (in the GPU process), this makes sure that a
policy is only ever used in the process that allocated it. This will allow
binding policies with properties such as "which processes does this policy allow
to send signal to".

BUG= 367986 
R=jorgelo@chromium.org

Review URL: https://codereview.chromium.org/251183004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@266726 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 2 by bugdroid1@chromium.org, Apr 29 2014
------------------------------------------------------------------
r266726 | jln@chromium.org | 2014-04-29T01:15:08.294683Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/bpf_gpu_policy_linux.h?r1=266726&r2=266725&pathrev=266726
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc?r1=266726&r2=266725&pathrev=266726
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/bpf_gpu_policy_linux.cc?r1=266726&r2=266725&pathrev=266726

Linux GPU sandbox: only allocate broker policy in the broker.

The GPU broker policy was allocated in the main GPU process and then used in
the broker process. We switch the logic so that the broker policy is only ever
allocated in the broker process itself.

Besides fixing a small memory leak (in the GPU process), this makes sure that a
policy is only ever used in the process that allocated it. This will allow
binding policies with properties such as "which processes does this policy allow
to send signal to".

BUG= 367986 
R=jorgelo@chromium.org

Review URL: https://codereview.chromium.org/251183004
-----------------------------------------------------------------
Project Member Comment 3 by bugdroid1@chromium.org, Apr 29 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f700f51f5aafb24272990444d5ca392004d7e19f

commit f700f51f5aafb24272990444d5ca392004d7e19f
Author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Tue Apr 29 18:42:09 2014 +0000

Linux sandbox: restrict *kill to the current process.

Restrict tgkill(2) and kill(2) to the current process, forbid tkill.

BUG= 367986 
R=jorgelo@chromium.org

Review URL: https://codereview.chromium.org/258073008

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@266926 0039d316-1c4b-4281-b951-d872f2087c98


Comment 5 by jln@chromium.org, Apr 29 2014
Seems to be unhappy on ASAN. Looking...

[ RUN      ] BrowserCloseManagerBrowserTest/BrowserCloseManagerBrowserTest.TestAddWindowDuringShutdown/1
Xlib:  extension "RANDR" missing on display ":9".
Xlib:  extension "RANDR" missing on display ":9".
[11637:11637:0429/154710:WARNING:password_store_factory.cc(213)] Using basic (unencrypted) store for password storage. See http://code.google.com/p/chromium/wiki/LinuxPasswordStorage for more information about password storage options.
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:(tg)kill() failure
ASAN:SIGSEGV
=================================================================
==9==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000b (pc 0x00000e327380 sp 0x7fffe4eb6e80 bp 0x7fffe4eb6f10 T0)
    #0 0xe32737f (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0xe32737f)
    #1 0xe314c2f (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0xe314c2f)
    #2 0x7f4fa42b5caf (/lib/x86_64-linux-gnu/libpthread.so.0+0xfcaf)
    #3 0x7f4f9d6af706 (/lib/x86_64-linux-gnu/libc.so.6+0x36706)
    #4 0x7f4f95e36a3f (/usr/lib/x86_64-linux-gnu/nss/libfreebl3.so+0x4a3f)
    #5 0x7f4f95e44f7d (/usr/lib/x86_64-linux-gnu/nss/libfreebl3.so+0x12f7d)
    #6 0x7f4fa17256b9 (/usr/lib/x86_64-linux-gnu/libnspr4.so+0x1b6b9)
    #7 0x7f4f95e44724 (/usr/lib/x86_64-linux-gnu/nss/libfreebl3.so+0x12724)
    #8 0x7f4f96370f2d (/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so+0x10f2d)
    #9 0x7f4f963712b3 (/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so+0x112b3)
    #10 0x7f4fa21d87c8 (/usr/lib/x86_64-linux-gnu/libnss3.so+0x387c8)
    #11 0x7f4fa21d8d11 (/usr/lib/x86_64-linux-gnu/libnss3.so+0x38d11)
    #12 0x7f4fa21e1dcb (/usr/lib/x86_64-linux-gnu/libnss3.so+0x41dcb)
    #13 0x7f4fa21e1e69 (/usr/lib/x86_64-linux-gnu/libnss3.so+0x41e69)
    #14 0x7f4fa21bb652 (/usr/lib/x86_64-linux-gnu/libnss3.so+0x1b652)
    #15 0x7f4fa21bbafc (/usr/lib/x86_64-linux-gnu/libnss3.so+0x1bafc)
    #16 0x4ee5986 (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0x4ee5986)
    #17 0x300a427 (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0x300a427)
    #18 0x2ff7095 (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0x2ff7095)
    #19 0xbdfe1f6 (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0xbdfe1f6)
    #20 0xe425835 (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0xe425835)
    #21 0xe1d5d85 (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0xe1d5d85)
    #22 0xe1d8140 (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0xe1d8140)
    #23 0xe1d564f (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0xe1d564f)
    #24 0xc5906b6 (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0xc5906b6)
    #25 0x31ac78b (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0x31ac78b)
    #26 0x1ee5838 (/b/build/slave/Linux_ASan_Tests__sandboxed_/build/src/out/Release/browser_tests+0x1ee5838)
Comment 6 by jln@chromium.org, Apr 30 2014
Cc: glider@chromium.org
I can't figure out what's going on and I can't reproduce anything locally. Random browser_tests seem to fail on the ASAN sandboxed bot; however, the run with r266926 was green and the bot is green again now.

Theories:

1. It looks like we don't prevent fork() on ASAN. So it's possible that "something" is forking and then trying to send a signal to itself, which fails because the pid has changed and the BPF policy only allows killing the old PID.

2. Or it's possible that some tests trigger ASAN failures in a flaky way and that ASAN somehow tries to use "tkill" (or tgkill in a weird way). Although by introducing a stack BOF to trigger an ASAN failure I can't reproduce this.

I'll try to land https://chromiumcodereview.appspot.com/261543003/ to test for (1).

Alexander, do you have any idea what could be happening?
Project Member Comment 7 by bugdroid1@chromium.org, Apr 30 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/01cd469fdafbf1b53235202368c93629f817ec88

commit 01cd469fdafbf1b53235202368c93629f817ec88
Author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed Apr 30 00:28:13 2014 +0000

Linux sandbox: allow *kill on ASAN

Restricting *kill on ASAN is crashing somehow. Allow *kill on ASAN for
now.

BUG= 367986 
R=jorgelo@chromium.org, mdempsky@chromium.org

Review URL: https://codereview.chromium.org/261543003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@267005 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 8 by bugdroid1@chromium.org, Apr 30 2014
------------------------------------------------------------------
r267005 | jln@chromium.org | 2014-04-30T00:28:13.001229Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc?r1=267005&r2=267004&pathrev=267005

Linux sandbox: allow *kill on ASAN

Restricting *kill on ASAN is crashing somehow. Allow *kill on ASAN for
now.

BUG= 367986 
R=jorgelo@chromium.org, mdempsky@chromium.org

Review URL: https://codereview.chromium.org/261543003
-----------------------------------------------------------------
Comment 9 by jln@chromium.org, Apr 30 2014
Ok, so it turns out that https://build.chromium.org/p/chromium.memory/builders/Linux%20ASan%20Tests%20%28sandboxed%29/builds/1231/steps/browser_tests/logs/stdio appears green but is not really green.

The tests pass, even though the whole thing is blowing up with ASAN.
Cc: wtc@chromium.org
This is an issue where NSS is not sandbox friendly, in part due to FIPS 140-2 issues.

The offending function is http://mxr.mozilla.org/nss/source/lib/freebl/unix_rand.c#813 - RNG_SystemInfoForRNG - which tries to make entropy appear out of the air. It does this by a variety of means - reading in various fixed files, hashing in the environment, and trying /dev/urandom.

If it fails to get any entropy, it'll fork and attempt to load netstat for additional entropy.

Based on your callstack - frame 6 having NSPR on the stack - I suspect you're hitting this particular invocation of RNG_SystemInfoForRNG - http://mxr.mozilla.org/nss/source/lib/freebl/drbg.c#374 - which is called when RNG_RNGInit is called (http://mxr.mozilla.org/nss/source/lib/freebl/drbg.c#457).

RNG_RNGInit is called during nsc_CommonInitialize (http://mxr.mozilla.org/nss/source/lib/softoken/pkcs11.c#2818), which is ultimately wired up to PKCS#11's C_Initialize call. Those are the two frames in libsoftokn3 (frames #8 and #9).

Without symbolication of the browser_test bits, I'm not entirely sure. However, it would appear that /dev/urandom is failing to be opened in the sandbox, which should be the only way we can reach that path.

On ChromeOS, we have modified NSS to explicitly abort if this is the case - https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/master/dev-libs/nss/files/nss-3.15-abort-on-failed-urandom-access.patch - but that's where I suspect the line of inquiry should begin.
Comment 11 by jln@chromium.org, Apr 30 2014
glider: it looks like there are a bunch of issues adding up, so it's extremely hard to understand what's going on.

"Linux ASan Tests sandboxed" has been completely blowing up for a while but the tests still appear as passing. Is this known?
Oh, and the reason /dev/urandom fails to open under ASAN/MSAN (which ultimately causes the call to fork() and the attempt to open netstat) is that the urandom override isn't enabled for ASAN/MSAN:

https://code.google.com/p/chromium/codesearch#chromium/src/sandbox/linux/services/libc_urandom_override.cc&l=27

Tracked as Issue 123263
Blockedon: chromium:123263
Comment 14 by jln@chromium.org, Apr 30 2014
There is a bot that is giving a symbolized stack trace for some reason (I have no idea why it just started doing this).

So that says that #10 is right.

Also all the tests appear as passing on this bot even when everything blows up. I'll create another bug for this.

==9==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000b (pc 0x00000e32fc50 sp 0x7fff4c2b85c0 bp 0x7fff4c2b8650 T0)
    #0 0xe32fc4f in WriteToStdErr /b/build/slave/Linux_ASan_LSan_Builder/build/src/out/Release/../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:39:0
    #1 0xe32fc4f in sandbox::SIGSYSKillFailure(sandbox::arch_seccomp_data const&, void*) /b/build/slave/Linux_ASan_LSan_Builder/build/src/out/Release/../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:155:0
    #2 0xe31d4ff in sandbox::Trap::SigSys(int, siginfo*, void*) /b/build/slave/Linux_ASan_LSan_Builder/build/src/out/Release/../../sandbox/linux/seccomp-bpf/trap.cc:198:0
    #3 0x7f6371ae3caf in _L_unlock_16 ??:0
    #4 0x7f636aedd706 in kill /build/buildd/eglibc-2.15/signal/../sysdeps/unix/syscall-template.S:82:0
    #5 0x7f6363664a3f in safe_pclose /build/buildd/nss-3.15.3/nss/lib/freebl/unix_rand.c:796:0
    #6 0x7f6363664a3f in RNG_SystemInfoForRNG /build/buildd/nss-3.15.3/nss/lib/freebl/unix_rand.c:952:0
    #7 0x7f6363672f7d in rng_init /build/buildd/nss-3.15.3/nss/lib/freebl/drbg.c:426:0
    #8 0x7f6363672f7d in rng_init /build/buildd/nss-3.15.3/nss/lib/freebl/drbg.c:374:0
    #9 0x7f636ef536b9 in PR_CallOnce /build/buildd/nspr-4.9.5/mozilla/nsprpub/pr/src/misc/prinit.c:775:0
    #10 0x7f6363672724 in RNG_RNGInit /build/buildd/nss-3.15.3/nss/lib/freebl/drbg.c:470:0
    #11 0x7f6363b9ef2d in nsc_CommonInitialize /build/buildd/nss-3.15.3/nss/lib/softoken/pkcs11.c:2839:0
    #12 0x7f6363b9f2b3 in NSC_Initialize /build/buildd/nss-3.15.3/nss/lib/softoken/pkcs11.c:2967:0
    #13 0x7f636fa067c8 in secmod_ModuleInit /build/buildd/nss-3.15.3/nss/lib/pk11wrap/pk11load.c:221:0
    #14 0x7f636fa06d11 in secmod_LoadPKCS11Module /build/buildd/nss-3.15.3/nss/lib/pk11wrap/pk11load.c:464:0
    #15 0x7f636fa0fdcb in SECMOD_LoadModule /build/buildd/nss-3.15.3/nss/lib/pk11wrap/pk11pars.c:1010:0
    #16 0x7f636fa0fe69 in SECMOD_LoadModule /build/buildd/nss-3.15.3/nss/lib/pk11wrap/pk11pars.c:1045:0
    #17 0x7f636f9e9652 in nss_InitModules /build/buildd/nss-3.15.3/nss/lib/nss/nssinit.c:435:0
    #18 0x7f636f9e9652 in nss_Init /build/buildd/nss-3.15.3/nss/lib/nss/nssinit.c:639:0
    #19 0x7f636f9e9afc in NSS_NoDB_Init /build/buildd/nss-3.15.3/nss/lib/nss/nssinit.c:874:0
Comment 15 by jln@chromium.org, Apr 30 2014
I created issue 368525 for ASAN blowing up and the tests passing.
Project Member Comment 16 by bugdroid1@chromium.org, Apr 30 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8a6f6dfe1b7da88d509742e8a6d3d9b5949eae13

commit 8a6f6dfe1b7da88d509742e8a6d3d9b5949eae13
Author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed Apr 30 01:25:05 2014 +0000

Linux sandbox: allow *kill in the GPU process.

BUG= 367986 
R=mdempsky@chromium.org
TBR=jorgelo

Review URL: https://codereview.chromium.org/252323005

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@267025 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 17 by bugdroid1@chromium.org, Apr 30 2014
------------------------------------------------------------------
r267025 | jln@chromium.org | 2014-04-30T01:25:05.148290Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/bpf_gpu_policy_linux.cc?r1=267025&r2=267024&pathrev=267025

Linux sandbox: allow *kill in the GPU process.

BUG= 367986 
R=mdempsky@chromium.org
TBR=jorgelo

Review URL: https://codereview.chromium.org/252323005
-----------------------------------------------------------------
Comment 18 by jln@chromium.org, Apr 30 2014
TODO list:

1. Restrict fork() and *kill on ASAN (https://chromiumcodereview.appspot.com/263563004/)

2. Move RestrictCloneToThreadsAndEPERMFork to the baseline policy for consistency with *kill. Add an exception to the GPU process, NaCl and Android to keep the policies as-is.

3. Get rid of the exceptions.
Comment 19 by jln@chromium.org, Apr 30 2014
Cc: -glider@chromium.org
Alexander: removing you from cc: to avoid spamming you. Please, have a look at https://crbug.com/368525
Project Member Comment 20 by bugdroid1@chromium.org, Apr 30 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ba85593c777001530b0cdce2e939385ce28da76b

commit ba85593c777001530b0cdce2e939385ce28da76b
Author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed Apr 30 19:17:26 2014 +0000

Linux sandbox: disallow fork() and *kill for ASAN

Treat ASAN like non-ASAN and disallow fork() and *kill there as well.

BUG= 367986 
R=jorgelo@chromium.org

Review URL: https://codereview.chromium.org/263563004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@267292 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 21 by bugdroid1@chromium.org, Apr 30 2014
------------------------------------------------------------------
r267292 | jln@chromium.org | 2014-04-30T19:17:26.527671Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc?r1=267292&r2=267291&pathrev=267292

Linux sandbox: disallow fork() and *kill for ASAN

Treat ASAN like non-ASAN and disallow fork() and *kill there as well.

BUG= 367986 
R=jorgelo@chromium.org

Review URL: https://codereview.chromium.org/263563004
-----------------------------------------------------------------
Project Member Comment 22 by bugdroid1@chromium.org, May 9 2014
------------------------------------------------------------------
r269114 | jln@chromium.org | 2014-05-09T00:04:16.306022Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc?r1=269114&r2=269113&pathrev=269114
   M http://src.chromium.org/viewvc/chrome/trunk/src/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc?r1=269114&r2=269113&pathrev=269114
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/bpf_renderer_policy_linux.cc?r1=269114&r2=269113&pathrev=269114
   A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc?r1=269114&r2=269113&pathrev=269114
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc?r1=269114&r2=269113&pathrev=269114
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc?r1=269114&r2=269113&pathrev=269114
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/bpf_ppapi_policy_linux.cc?r1=269114&r2=269113&pathrev=269114
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/bpf_gpu_policy_linux.cc?r1=269114&r2=269113&pathrev=269114
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/sandbox_linux_test_sources.gypi?r1=269114&r2=269113&pathrev=269114
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc?r1=269114&r2=269113&pathrev=269114
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/tests/unit_tests.cc?r1=269114&r2=269113&pathrev=269114

Linux sandbox: always restrict clone() in baseline policy.

Always restrict clone() to thread creation in the baseline policy.

This CL does the following:
- Extend RestrictCloneToThreadsAndEPERMFork to support Android.
- Always EPERM anything that looks like fork().
- Add unit tests to the baseline policy related to clone() and fork().

This CL also modifies any other BPF policy so that if clone() was not
restricted before, it remains so. That is, only renderers and PPAPI
processes have clone() restrictions applied to them, as before.

BUG= 367986 
R=jorgelo@chromium.org, mdempsky@chromium.org

Review URL: https://codereview.chromium.org/270613008
-----------------------------------------------------------------
Project Member Comment 23 by bugdroid1@chromium.org, May 9 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/632f4add724e1c0dcf5f811abac85f4da1a72a20

commit 632f4add724e1c0dcf5f811abac85f4da1a72a20
Author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Fri May 09 00:04:16 2014

Linux sandbox: always restrict clone() in baseline policy.

Always restrict clone() to thread creation in the baseline policy.

This CL does the following:
- Extend RestrictCloneToThreadsAndEPERMFork to support Android.
- Always EPERM anything that looks like fork().
- Add unit tests to the baseline policy related to clone() and fork().

This CL also modifies any other BPF policy so that if clone() was not
restricted before, it remains so. That is, only renderers and PPAPI
processes have clone() restrictions applied to them, as before.

BUG= 367986 
R=jorgelo@chromium.org, mdempsky@chromium.org

Review URL: https://codereview.chromium.org/270613008

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@269114 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 24 by bugdroid1@chromium.org, May 9 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6d081f6717239300a223dc0ee47fc48344f332a8

commit 6d081f6717239300a223dc0ee47fc48344f332a8
Author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Fri May 09 06:53:21 2014

Linux NaCl BPF sandbox: restrict clone()

Restrict clone() by defaulting to the baseline policy. This means that
fork() will EPERM and only the flags used by pthread_create() will be allowed.

BUG= 367986 
R=mseaborn@chromium.org

Review URL: https://codereview.chromium.org/272083002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@269167 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 25 by bugdroid1@chromium.org, May 9 2014
------------------------------------------------------------------
r269167 | jln@chromium.org | 2014-05-09T06:53:21.033843Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc?r1=269167&r2=269166&pathrev=269167

Linux NaCl BPF sandbox: restrict clone()

Restrict clone() by defaulting to the baseline policy. This means that
fork() will EPERM and only the flags used by pthread_create() will be allowed.

BUG= 367986 
R=mseaborn@chromium.org

Review URL: https://codereview.chromium.org/272083002
-----------------------------------------------------------------
Project Member Comment 26 by bugdroid1@chromium.org, May 9 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f20f380420696d076d4af6c5a505e0c00450b449

commit f20f380420696d076d4af6c5a505e0c00450b449
Author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Fri May 09 07:01:03 2014

GPU Linux sandbox: block clone() and *kill

- Restrict *kill to the current process
- EPERM process creation with clone()
- Restrict thread creation flags to the standard pthread_create()
flags.

BUG= 367986 
R=jorgelo@chromium.org

Review URL: https://codereview.chromium.org/273963003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@269174 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 27 by bugdroid1@chromium.org, May 9 2014
------------------------------------------------------------------
r269174 | jln@chromium.org | 2014-05-09T07:01:03.570024Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_linux/bpf_gpu_policy_linux.cc?r1=269174&r2=269173&pathrev=269174

GPU Linux sandbox: block clone() and *kill

- Restrict *kill to the current process
- EPERM process creation with clone()
- Restrict thread creation flags to the standard pthread_create()
flags.

BUG= 367986 
R=jorgelo@chromium.org

Review URL: https://codereview.chromium.org/273963003
-----------------------------------------------------------------
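Added example, not Chromium's code: a seccomp-bpf filter that captures the policy owner's pid the way r266926 restricts kill(2)/tgkill(2) to the current process and forbids tkill(2), and restricts clone() to the pthread_create() flags with EPERM for anything fork-like as r269114/r269174 describe, plus a small user-space interpreter for the BPF subset so verdicts can be checked without installing the filter. It assumes Linux headers and a little-endian host; the syscall numbers and CLONE_* constants are the kernel's, while the filter layout, the constructed pids 1234/1500 and the choice to trap on a mismatched kill (Chromium's SIGSYS handler logs "(tg)kill() failure", as in comment 5) are this example's own. Feeding it a forked child's pid reproduces comment 6's theory (1): the inherited filter no longer matches getpid().

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/sched.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>

/* Offsets the filter loads; a 32-bit load at args[0] reads the low half of arg0 (little-endian host assumed). */
#define SC_NR   offsetof(struct seccomp_data, nr)
#define SC_ARG0 offsetof(struct seccomp_data, args)
/* Exactly the clone() flags glibc's pthread_create() passes; anything else is treated as fork-like. */
#define PTHREAD_CLONE_FLAGS (CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD | \
        CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID)
#define POLICY_LEN 14

/* Filter for a policy owned by process `self`. kill(pid, sig) and tgkill(tgid, tid, sig) both
 * carry the target process in arg0 and share one check; tkill() has no tgid and is always
 * trapped; clone() is allowed only with the thread-creation flags and gets EPERM otherwise. */
static void build_policy(uint32_t self, struct sock_filter prog[POLICY_LEN])
{
    struct sock_filter p[POLICY_LEN] = {
        /*  0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_NR),
        /*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_kill,   4, 0),  /* -> 6 */
        /*  2 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_tgkill, 3, 0),  /* -> 6 */
        /*  3 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_tkill,  5, 0),  /* -> 9 */
        /*  4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone,  5, 0),  /* -> 10 */
        /*  5 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),  /* toy default for other syscalls */
        /*  6 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARG0),
        /*  7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, self, 0, 1),  /* self -> 8, other -> 9 */
        /*  8 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /*  9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),  /* SIGSYS, like "(tg)kill() failure" */
        /* 10 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARG0),
        /* 11 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PTHREAD_CLONE_FLAGS, 1, 0),  /* thread -> 13 */
        /* 12 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),  /* fork-like clone() */
        /* 13 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(prog, p, sizeof p);
}

/* Interpret the classic-BPF subset used above against one syscall (no kernel involved). */
static uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len;) {
        const struct sock_filter *ins = &prog[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS)) {
            memcpy(&acc, (const char *)sd + ins->k, sizeof acc);
            pc++;
        } else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += 1 + (acc == ins->k ? ins->jt : ins->jf);  /* jump targets are relative */
        } else if (ins->code == (BPF_RET | BPF_K)) {
            return ins->k;
        } else {
            return SECCOMP_RET_KILL;  /* opcode outside this toy subset */
        }
    }
    return SECCOMP_RET_KILL;  /* ran off the end; the kernel rejects such programs */
}

/* Verdict for syscall `nr` with arguments arg0/arg1 under a policy built for `self`. */
uint32_t decide(uint32_t self, int nr, uint64_t arg0, uint64_t arg1)
{
    struct sock_filter prog[POLICY_LEN];
    struct seccomp_data sd = { .nr = nr, .args = { arg0, arg1 } };
    build_policy(self, prog);
    return run_filter(prog, POLICY_LEN, &sd);
}

/* Comment 6's theory (1): a forked child (constructed pid 1500) keeps the parent's filter built
 * for pid 1234, so even kill(getpid()) from the child is trapped. Exit status 0 confirms it. */
int main(void) { return decide(1234, __NR_kill, 1500, SIGABRT) == SECCOMP_RET_TRAP ? 0 : 1; }
```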
Comment 28 by jln@chromium.org, Jun 5 2014
Status: Fixed
Comment 29 by krisr@chromium.org, Jun 24 2014
Status: VerifyIn-37
Comment 30 by krisr@chromium.org, Jun 24 2014
Labels: VerifyIn-37
Status: Fixed
Oops.
Labels: VerifyIn-38
Comment 32 by jln@chromium.org, Sep 12 2014
Blocking: chromium:413855
Comment 33 by krisr@chromium.org, Sep 17 2014
Status: Verified