Issue 622094 link

Starred by 2 users

Issue metadata

Status:	Verified
Owner:	dgreid@chromium.org
Closed:	Jul 2016
Cc:	adlr@chromium.org dgreid@chromium.org
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	1
Type:	Feature
merge-merged-chromeos-3.18 merge-merged-chromeos-4.4

add alt syscall table for generic containers

Project Member Reported by ashishgaurav@chromium.org, Jun 21 2016

Issue description

add alt syscall table for generic containers

Comment 1 by dgreid@chromium.org, Jul 13 2016

Status: Verified (was: Started)

ksanthanam landed this.

Project Member

Comment 2 by bugdroid1@chromium.org, Aug 2 2016

Labels: merge-merged-chromeos-3.18

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/779985b557c6ffd17fcefd504228ce83545ebdeb

commit 779985b557c6ffd17fcefd504228ce83545ebdeb
Author: Keshav Santhanam <ksanthanam@google.com>
Date: Tue Jun 21 18:20:55 2016

CHROMIUM: alt-syscall: Added a more restrictive alt syscall table.

The existing alt syscall table for Android has a set of calls
that exceed what is necessary for running smaller utility
programs. Thus this new table will provide tighter security
by only allowing a subset of the calls that the Android table
allows.

BUG= chromium:622094 
TEST=Ran minijail0 with option "-a third_party" on busybox
container to invoke the new table. Ran "adb pull" inside
the container to retrieve a file from an Android device.
Checked dmesg log to verify that no syscalls were blocked.
Tested on ARM (veyron_speedy) and x86-64 (celes).

Signed-off-by: Keshav Santhanam <ksanthanam@google.com>
Change-Id: If52cd525746e0ca6d97d22cff7fc8ca6e487f647
Reviewed-on: https://chromium-review.googlesource.com/354784
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/779985b557c6ffd17fcefd504228ce83545ebdeb/security/chromiumos/alt-syscall.c

Project Member

Comment 3 by bugdroid1@chromium.org, Aug 16 2016

Labels: merge-merged-chromeos-4.4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bd642ab545f53b21a1b0302bdd0bfc19de244eaf

commit bd642ab545f53b21a1b0302bdd0bfc19de244eaf
Author: Keshav Santhanam <ksanthanam@google.com>
Date: Tue Jun 21 18:20:55 2016

CHROMIUM: alt-syscall: Added a more restrictive alt syscall table.

The existing alt syscall table for Android has a set of calls
that exceed what is necessary for running smaller utility
programs. Thus this new table will provide tighter security
by only allowing a subset of the calls that the Android table
allows.

BUG= chromium:622094 
TEST=ran trybot

Signed-off-by: Keshav Santhanam <ksanthanam@google.com>
Change-Id: If52cd525746e0ca6d97d22cff7fc8ca6e487f647
Reviewed-on: https://chromium-review.googlesource.com/366054
Commit-Ready: Dylan Reid <dgreid@chromium.org>
Tested-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/bd642ab545f53b21a1b0302bdd0bfc19de244eaf/security/chromiumos/alt-syscall.c

►

Issue 622094 link

Issue metadata

add alt syscall table for generic containers

Issue description

Comment 1 by dgreid@chromium.org, Jul 13 2016

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Aug 2 2016

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Aug 16 2016

Comment 3 Deleted

Sign in to add a comment