Harden boot against malicious data from stateful
Issue description

As a follow-up to issue 649039, we need to look into how to systematically solve the problem of a system getting re-exploited after reboot due to the boot process (init scripts and started jobs) ingesting (malicious) data from the stateful file system in an uncontrolled fashion.

From a first look, it appears promising to:
* disallow symlinks on stateful
* prevent arbitrary access to stateful from init scripts
* sanitize any stateful data consumed by the boot process

Further investigation is required to determine the practicality of these mitigations.

A preliminary design doc is here: https://docs.google.com/document/d/1_m4b24WKECRDGcsE5W3ZPojO2s5QK6sok8HcT8aMZcs/edit#
Jan 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/66e52c9350abc9a59cfefaebadd70fe8034dc74a

commit 66e52c9350abc9a59cfefaebadd70fe8034dc74a
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Nov 02 15:10:42 2016

CHROMIUM: LSM: Add support for symlink traversal policy.

This change adds functionality to the chromiumos LSM to pin inodes and associate tracking information with them. This allows tracking symlink traversal policy for an inode. Whenever the FS layer follows a link, it calls out to the LSM, which can then check whether a symlink traversal policy has been set on any directory on the path in question. If a policy is set and it specifies that symlink traversal should be blocked, the corresponding FS system call will fail with EPERM. Note that readlink() continues to work, so userspace may resort to resolving symlinks manually if desired.

Symlink traversal policy is configured via securityfs. Files in /sys/kernel/security/chromiumos/symlink_policy/ are used to set the symlink traversal policy:
* .../allow: Write a path to the file to set the symlink traversal policy for corresponding inode to "allow".
* .../block: Write a path to the file to set the symlink traversal policy for corresponding inode to "block".
* .../reset: Write a path to clear the symlink traversal policy for the corresponding inode.
* .../flush: Write a path to clear symlink traversal policy for the entire file system the corresponding inode belongs to. Note that this may affect paths outside the subtree corresponding to the specified path (e.g. parents, siblings, or parts of the file system not visible in the affected (bind) mount).

BUG= chromium:655606
TEST=Set symlink traversal policy and test paths containing symlinks.
Change-Id: I5c507609899c25a86407dc8c8b3284e1d19399e1
Reviewed-on: https://chromium-review.googlesource.com/420988
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/66e52c9350abc9a59cfefaebadd70fe8034dc74a/security/chromiumos/inode_mark.c
[modify] https://crrev.com/66e52c9350abc9a59cfefaebadd70fe8034dc74a/security/chromiumos/Makefile
[add] https://crrev.com/66e52c9350abc9a59cfefaebadd70fe8034dc74a/security/chromiumos/inode_mark.h
[add] https://crrev.com/66e52c9350abc9a59cfefaebadd70fe8034dc74a/security/chromiumos/securityfs.c
[modify] https://crrev.com/66e52c9350abc9a59cfefaebadd70fe8034dc74a/security/chromiumos/lsm.c
Jan 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/9759d1ebd7e92b886752ada03baa0e98947c68f2

commit 9759d1ebd7e92b886752ada03baa0e98947c68f2
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Nov 02 15:10:42 2016

CHROMIUM: LSM: Add support for symlink traversal policy.

This change adds functionality to the chromiumos LSM to pin inodes and associate tracking information with them. This allows tracking symlink traversal policy for an inode. Whenever the FS layer follows a link, it calls out to the LSM, which can then check whether a symlink traversal policy has been set on any directory on the path in question. If a policy is set and it specifies that symlink traversal should be blocked, the corresponding FS system call will fail with EPERM. Note that readlink() continues to work, so userspace may resort to resolving symlinks manually if desired.

Symlink traversal policy is configured via securityfs. Files in /sys/kernel/security/chromiumos/symlink_policy/ are used to set the symlink traversal policy:
* .../allow: Write a path to the file to set the symlink traversal policy for corresponding inode to "allow".
* .../block: Write a path to the file to set the symlink traversal policy for corresponding inode to "block".
* .../reset: Write a path to clear the symlink traversal policy for the corresponding inode.
* .../flush: Write a path to clear symlink traversal policy for the entire file system the corresponding inode belongs to. Note that this may affect paths outside the subtree corresponding to the specified path (e.g. parents, siblings, or parts of the file system not visible in the affected (bind) mount).

BUG= chromium:655606
TEST=Set symlink traversal policy and test paths containing symlinks.
Change-Id: Ifa5f49fe3619bfb7bf7e1099279496fcf215d96c
Reviewed-on: https://chromium-review.googlesource.com/424534
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/9759d1ebd7e92b886752ada03baa0e98947c68f2/security/chromiumos/inode_mark.c
[modify] https://crrev.com/9759d1ebd7e92b886752ada03baa0e98947c68f2/security/chromiumos/Makefile
[add] https://crrev.com/9759d1ebd7e92b886752ada03baa0e98947c68f2/security/chromiumos/inode_mark.h
[add] https://crrev.com/9759d1ebd7e92b886752ada03baa0e98947c68f2/security/chromiumos/securityfs.c
[modify] https://crrev.com/9759d1ebd7e92b886752ada03baa0e98947c68f2/security/chromiumos/lsm.c
Jan 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/16b8d5b3505b2566692755c3d7ee7946cc5fb483

commit 16b8d5b3505b2566692755c3d7ee7946cc5fb483
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Jan 04 23:50:14 2017

CHROMIUM: LSM: Fix error path when creating inode mark

The previous code was calling iput() on the wrong struct field, which could lead to the inode reference not being dropped when exiting through chromiumos_inode_mark_create's error exit path, leading to a situation where the inode is still referenced after unmount.

BUG= chromium:655606
TEST=Manual with modified kernel to trigger the error exit path.
Fixes: 66e52c9350abc9a59cfefaebadd70fe8034dc74a ("CHROMIUM: LSM: Add support for symlink traversal policy.")
Change-Id: I26ee6ab3a36bce1454bdf71792eee1eb7ba481e0
Reviewed-on: https://chromium-review.googlesource.com/423059
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/16b8d5b3505b2566692755c3d7ee7946cc5fb483/security/chromiumos/inode_mark.c
Jan 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f4bdc6b7eb9055575b43d2a9d428ae5917c45245

commit f4bdc6b7eb9055575b43d2a9d428ae5917c45245
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Nov 02 15:10:42 2016

CHROMIUM: LSM: Add support for symlink traversal policy.

This change adds functionality to the chromiumos LSM to pin inodes and associate tracking information with them. This allows tracking symlink traversal policy for an inode. Whenever the FS layer follows a link, it calls out to the LSM, which can then check whether a symlink traversal policy has been set on any directory on the path in question. If a policy is set and it specifies that symlink traversal should be blocked, the corresponding FS system call will fail with EPERM. Note that readlink() continues to work, so userspace may resort to resolving symlinks manually if desired.

Symlink traversal policy is configured via securityfs. Files in /sys/kernel/security/chromiumos/symlink_policy/ are used to set the symlink traversal policy:
* .../allow: Write a path to the file to set the symlink traversal policy for corresponding inode to "allow".
* .../block: Write a path to the file to set the symlink traversal policy for corresponding inode to "block".
* .../reset: Write a path to clear the symlink traversal policy for the corresponding inode.
* .../flush: Write a path to clear symlink traversal policy for the entire file system the corresponding inode belongs to. Note that this may affect paths outside the subtree corresponding to the specified path (e.g. parents, siblings, or parts of the file system not visible in the affected (bind) mount).

BUG= chromium:655606
TEST=Set symlink traversal policy and test paths containing symlinks.
Change-Id: Ia31fe20d18ba31857a96a6c846aeca767328a018
Reviewed-on: https://chromium-review.googlesource.com/422334
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/f4bdc6b7eb9055575b43d2a9d428ae5917c45245/security/chromiumos/inode_mark.h
[add] https://crrev.com/f4bdc6b7eb9055575b43d2a9d428ae5917c45245/security/chromiumos/securityfs.c
[modify] https://crrev.com/f4bdc6b7eb9055575b43d2a9d428ae5917c45245/include/linux/security.h
[add] https://crrev.com/f4bdc6b7eb9055575b43d2a9d428ae5917c45245/security/chromiumos/inode_mark.c
[modify] https://crrev.com/f4bdc6b7eb9055575b43d2a9d428ae5917c45245/security/chromiumos/Makefile
[modify] https://crrev.com/f4bdc6b7eb9055575b43d2a9d428ae5917c45245/security/chromiumos/lsm.c
[modify] https://crrev.com/f4bdc6b7eb9055575b43d2a9d428ae5917c45245/security/security.c
Jan 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1bccfce819193092710be1a3882a1f34d3fbbb7f

commit 1bccfce819193092710be1a3882a1f34d3fbbb7f
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Nov 02 15:10:42 2016

CHROMIUM: LSM: Add support for symlink traversal policy.

This change adds functionality to the chromiumos LSM to pin inodes and associate tracking information with them. This allows tracking symlink traversal policy for an inode. Whenever the FS layer follows a link, it calls out to the LSM, which can then check whether a symlink traversal policy has been set on any directory on the path in question. If a policy is set and it specifies that symlink traversal should be blocked, the corresponding FS system call will fail with EPERM. Note that readlink() continues to work, so userspace may resort to resolving symlinks manually if desired.

Symlink traversal policy is configured via securityfs. Files in /sys/kernel/security/chromiumos/symlink_policy/ are used to set the symlink traversal policy:
* .../allow: Write a path to the file to set the symlink traversal policy for corresponding inode to "allow".
* .../block: Write a path to the file to set the symlink traversal policy for corresponding inode to "block".
* .../reset: Write a path to clear the symlink traversal policy for the corresponding inode.
* .../flush: Write a path to clear symlink traversal policy for the entire file system the corresponding inode belongs to. Note that this may affect paths outside the subtree corresponding to the specified path (e.g. parents, siblings, or parts of the file system not visible in the affected (bind) mount).

BUG= chromium:655606
TEST=Set symlink traversal policy and test paths containing symlinks.
Change-Id: I1f824d4e78b8a7ec6aad2c1d6b9ef48b7f2dbabd
Reviewed-on: https://chromium-review.googlesource.com/422207
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/1bccfce819193092710be1a3882a1f34d3fbbb7f/security/chromiumos/inode_mark.h
[add] https://crrev.com/1bccfce819193092710be1a3882a1f34d3fbbb7f/security/chromiumos/securityfs.c
[modify] https://crrev.com/1bccfce819193092710be1a3882a1f34d3fbbb7f/include/linux/security.h
[add] https://crrev.com/1bccfce819193092710be1a3882a1f34d3fbbb7f/security/chromiumos/inode_mark.c
[modify] https://crrev.com/1bccfce819193092710be1a3882a1f34d3fbbb7f/security/chromiumos/Makefile
[modify] https://crrev.com/1bccfce819193092710be1a3882a1f34d3fbbb7f/security/chromiumos/lsm.c
[modify] https://crrev.com/1bccfce819193092710be1a3882a1f34d3fbbb7f/security/security.c
Apr 14 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/08884bd105d6bb9e57dd95db7f7b4f87ad9c9e7a

commit 08884bd105d6bb9e57dd95db7f7b4f87ad9c9e7a
Author: Mattias Nissler <mnissler@chromium.org>
Date: Fri Apr 14 06:54:13 2017

CHROMIUM: LSM: Add support for symlink traversal policy.

This change adds functionality to the chromiumos LSM to pin inodes and associate tracking information with them. This allows tracking symlink traversal policy for an inode. Whenever the FS layer follows a link, it calls out to the LSM, which can then check whether a symlink traversal policy has been set on any directory on the path in question. If a policy is set and it specifies that symlink traversal should be blocked, the corresponding FS system call will fail with EPERM. Note that readlink() continues to work, so userspace may resort to resolving symlinks manually if desired.

Symlink traversal policy is configured via securityfs. Files in /sys/kernel/security/chromiumos/symlink_policy/ are used to set the symlink traversal policy:
* .../allow: Write a path to the file to set the symlink traversal policy for corresponding inode to "allow".
* .../block: Write a path to the file to set the symlink traversal policy for corresponding inode to "block".
* .../reset: Write a path to clear the symlink traversal policy for the corresponding inode.
* .../flush: Write a path to clear symlink traversal policy for the entire file system the corresponding inode belongs to. Note that this may affect paths outside the subtree corresponding to the specified path (e.g. parents, siblings, or parts of the file system not visible in the affected (bind) mount).

BUG= chromium:655606
TEST=Set symlink traversal policy and test paths containing symlinks.
Change-Id: I844b2aedd7f022d97d28b074d5e98450b66c6992
Reviewed-on: https://chromium-review.googlesource.com/422333
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/08884bd105d6bb9e57dd95db7f7b4f87ad9c9e7a/security/chromiumos/inode_mark.c
[modify] https://crrev.com/08884bd105d6bb9e57dd95db7f7b4f87ad9c9e7a/security/chromiumos/Makefile
[add] https://crrev.com/08884bd105d6bb9e57dd95db7f7b4f87ad9c9e7a/security/chromiumos/inode_mark.h
[add] https://crrev.com/08884bd105d6bb9e57dd95db7f7b4f87ad9c9e7a/security/chromiumos/securityfs.c
[modify] https://crrev.com/08884bd105d6bb9e57dd95db7f7b4f87ad9c9e7a/security/chromiumos/lsm.c
Apr 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/1880db97e53857696cc116cba7529feb428c97d0

commit 1880db97e53857696cc116cba7529feb428c97d0
Author: Mattias Nissler <mnissler@chromium.org>
Date: Tue Apr 25 18:34:02 2017

Adjust platform_FilePerms to allow additional bind mounts.

This is in preparation for switching on symlink traversal restrictions. Since symlinks on stateful are dangerous, we want to eradicate them as much as possible, and some file system locations that have been using symlinks will use bind mounts set up at boot instead. Most notably, this affects /var/run and /var/lock, but there are other exceptions for developer mode.

This CL adjusts the platform_FilePerms tests to allow these additional mounts, so the main CL that switches to bind mounts and enables symlink blocking doesn't cause test failures.

BUG= chromium:655606
TEST=platform_FilePerms still passes.
Change-Id: I8b1dfbc7f54f290d45b1f85f197390bcd0d8269e
Reviewed-on: https://chromium-review.googlesource.com/481301
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/1880db97e53857696cc116cba7529feb428c97d0/client/site_tests/platform_FilePerms/platform_FilePerms.py
May 3 2017
Jun 15 2017
Nov 29 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e037e6ddf799e53b0ea17b3b94284cd49258b04f

commit e037e6ddf799e53b0ea17b3b94284cd49258b04f
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Nov 29 20:22:20 2017

Initialize symlink policy variable in directory traversal.

Currently, chromiumos_get_symlink_traversal_policy() assumes that either the dentry passed in or some directory higher up the path will contain metadata regarding the symlink traversal policy. If this is not the case, the function will return the uninitialized "policy" variable. This CL initializes that variable to CHROMIUMOS_SYMLINK_TRAVERSAL_INHERIT, so the function still returns the correct value even if no directory on the path has the metadata.

Currently, security/chromiumos/lsm.c is the only file that calls this function, and in that case the uninitialized variable would only cause unexpected behavior if no directory on the path has the metadata and the uninitialized variable happens to equal CHROMIUMOS_SYMLINK_TRAVERSAL_BLOCK.

BUG= chromium:655606
TEST=ran autotest client/site_tests/security_StatefulSymlinkTraversal
Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I5ddcdd27298a0b7f74593aa1b303572803213c85
Reviewed-on: https://chromium-review.googlesource.com/792095
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/e037e6ddf799e53b0ea17b3b94284cd49258b04f/security/chromiumos/inode_mark.c
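
A small userspace model of the policy lookup and the allow/block/reset/flush operations described in the commit messages above, added here as an illustration and not taken from the chromiumos LSM. The type and function names, the sample tree, and the rule that the nearest marked directory wins are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for this model; they are not the kernel's identifiers. */
enum policy { POLICY_INHERIT = 0, POLICY_ALLOW, POLICY_BLOCK };

struct node {
    const char *path;
    struct node *parent;  /* NULL at the root of its file system */
    int fs_id;            /* file system the inode belongs to */
    enum policy policy;   /* POLICY_INHERIT: nothing set on this inode */
};

/* Constructed sample tree: one stateful file system (fs 2) and a tmpfs (fs 1). */
static struct node stateful = { "stateful",           NULL,      2, POLICY_INHERIT };
static struct node var      = { "stateful/var",       &stateful, 2, POLICY_INHERIT };
static struct node cache    = { "stateful/var/cache", &var,      2, POLICY_INHERIT };
static struct node home     = { "stateful/home",      &stateful, 2, POLICY_INHERIT };
static struct node run      = { "run",                NULL,      1, POLICY_INHERIT };
static struct node *all_nodes[] = { &stateful, &var, &cache, &home, &run };
#define N_NODES (sizeof(all_nodes) / sizeof(all_nodes[0]))

/* "allow" / "block": mark one inode. */
void policy_set(struct node *n, enum policy p) { n->policy = p; }

/* "reset": clear the mark on one inode only. */
void policy_reset(struct node *n) { n->policy = POLICY_INHERIT; }

/* "flush": clear every mark on the file system that n lives on, which
 * reaches parents and siblings of n, not just its subtree. */
void policy_flush(const struct node *n)
{
    for (size_t i = 0; i < N_NODES; i++)
        if (all_nodes[i]->fs_id == n->fs_id)
            all_nodes[i]->policy = POLICY_INHERIT;
}

/* Walk from the directory towards the root; the first explicit mark wins
 * (assumption). Starting from INHERIT gives a defined result when no
 * directory on the path carries a mark. */
enum policy effective_policy(const struct node *n)
{
    enum policy policy = POLICY_INHERIT;

    for (; n != NULL; n = n->parent) {
        if (n->policy != POLICY_INHERIT) {
            policy = n->policy;
            break;
        }
    }
    return policy;
}

/* Decision taken when a link inside directory n is about to be followed. */
int check_follow(const struct node *n)
{
    return effective_policy(n) == POLICY_BLOCK ? -EPERM : 0;
}

int main(void)
{
    policy_set(&stateful, POLICY_BLOCK);
    policy_set(&var, POLICY_ALLOW);      /* exception below a blocked root */
    for (size_t i = 0; i < N_NODES; i++)
        printf("%-20s -> %d\n", all_nodes[i]->path, check_follow(all_nodes[i]));
    policy_flush(&var);                  /* also clears the mark on "stateful" */
    printf("after flush: %s -> %d\n", home.path, check_follow(&home));
    return 0;
}
```

The flush step is the one to watch when scripting against such an interface: flushing via a subdirectory silently removes a block set on its parent.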
Jan 12 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3aa6760c93900123744c104b67fecda917f73fde

commit 3aa6760c93900123744c104b67fecda917f73fde
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Jan 12 22:31:17 2018

Block FIFO access on stateful partition.

Extend the system for attaching security policy metadata to inodes and enforcing security policies at runtime. Make the framework for adding a new inode security policy simple: just set a new enum value in inode_mark.h and add the corresponding file entry structures to the array in securityfs.c. Any hooks in lsm.c can then query the policy data for a dentry. This CL adds a specific hook for blocking access to FIFOs during the open() syscall.

BUG= chromium:655606
TEST=Manually confirm no blocked accesses during boot (init scripts and autotest in another CL)
Change-Id: I9c700344b1822aa5e9a18f74fc70351b1a954743
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/814654
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/3aa6760c93900123744c104b67fecda917f73fde/security/chromiumos/inode_mark.c
[modify] https://crrev.com/3aa6760c93900123744c104b67fecda917f73fde/security/chromiumos/lsm.c
[modify] https://crrev.com/3aa6760c93900123744c104b67fecda917f73fde/security/chromiumos/inode_mark.h
[modify] https://crrev.com/3aa6760c93900123744c104b67fecda917f73fde/security/chromiumos/securityfs.c
Jan 20 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/686965c7d884e6d5c9a28e3938d7c87f22b779f7

commit 686965c7d884e6d5c9a28e3938d7c87f22b779f7
Author: Guenter Roeck <groeck@chromium.org>
Date: Sat Jan 20 01:18:08 2018

FIXUP: Block FIFO access on stateful partition.

0day says:

security/chromiumos/inode_mark.c: In function 'chromiumos_update_inode_security_policy':
security/chromiumos/inode_mark.c:268:4: warning: this 'if' clause does not guard...
    if (chromiumos_to_inode_mark(mark)->policies[i]
    ^~
security/chromiumos/inode_mark.c:271:5: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'if'
     break;
     ^~~~~

It has a point.

BUG= chromium:655606
TEST=Test whatever chromium:655606 was supposed to fix.
Change-Id: I2b0f6a54d0809cee465660dd22fe04515e28a63d
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/875202
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>

[modify] https://crrev.com/686965c7d884e6d5c9a28e3938d7c87f22b779f7/security/chromiumos/inode_mark.c
Feb 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/243d1d3506eb031fc73fc2aa98c4aa301afbd267

commit 243d1d3506eb031fc73fc2aa98c4aa301afbd267
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Feb 02 15:43:09 2018

Block FIFO access on stateful partition.

Extend the system for attaching security policy metadata to inodes and enforcing security policies at runtime. Make the framework for adding a new inode security policy simple: just set a new enum value in inode_mark.h and add the corresponding file entry structures to the array in securityfs.c. Any hooks in lsm.c can then query the policy data for a dentry. This CL adds a specific hook for blocking access to FIFOs during the open() syscall.

BUG= chromium:655606
TEST=Manually confirm no blocked accesses during boot (init scripts and autotest in another CL)
Change-Id: I413db46b810ec5fb555965f4afb92c6dbe142c0b
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/871979
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/243d1d3506eb031fc73fc2aa98c4aa301afbd267/security/chromiumos/inode_mark.c
[modify] https://crrev.com/243d1d3506eb031fc73fc2aa98c4aa301afbd267/security/chromiumos/lsm.c
[modify] https://crrev.com/243d1d3506eb031fc73fc2aa98c4aa301afbd267/security/chromiumos/inode_mark.h
[modify] https://crrev.com/243d1d3506eb031fc73fc2aa98c4aa301afbd267/security/chromiumos/securityfs.c
Feb 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d22905fea79dc77365ba35221b1dc2e3cd9a7248

commit d22905fea79dc77365ba35221b1dc2e3cd9a7248
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Feb 02 21:19:27 2018

Block FIFO access on stateful partition.

Extend the system for attaching security policy metadata to inodes and enforcing security policies at runtime. Make the framework for adding a new inode security policy simple: just set a new enum value in inode_mark.h and add the corresponding file entry structures to the array in securityfs.c. Any hooks in lsm.c can then query the policy data for a dentry. This CL adds a specific hook for blocking access to FIFOs during the open() syscall.

BUG= chromium:655606
TEST=Manually confirm no blocked accesses during boot (init scripts and autotest in another CL)
Change-Id: Ia93d263d860b903949928a53784cb5e8a2c9060d
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/875127
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/d22905fea79dc77365ba35221b1dc2e3cd9a7248/security/chromiumos/inode_mark.c
[modify] https://crrev.com/d22905fea79dc77365ba35221b1dc2e3cd9a7248/security/chromiumos/lsm.c
[modify] https://crrev.com/d22905fea79dc77365ba35221b1dc2e3cd9a7248/security/chromiumos/inode_mark.h
[modify] https://crrev.com/d22905fea79dc77365ba35221b1dc2e3cd9a7248/security/chromiumos/securityfs.c
Feb 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/9b0447c5e31b1e481ef32c1b384ab403a10dc25a

commit 9b0447c5e31b1e481ef32c1b384ab403a10dc25a
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Feb 02 21:19:30 2018

Block FIFO access on stateful partition.

Extend the system for attaching security policy metadata to inodes and enforcing security policies at runtime. Make the framework for adding a new inode security policy simple: just set a new enum value in inode_mark.h and add the corresponding file entry structures to the array in securityfs.c. Any hooks in lsm.c can then query the policy data for a dentry. This CL adds a specific hook for blocking access to FIFOs during the open() syscall.

BUG= chromium:655606
TEST=Manually confirm no blocked accesses during boot (init scripts and autotest in another CL)
Change-Id: I8ce9ccc49f9b829e85cc73a64b6fbf5ffd72b0df
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/875920
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/9b0447c5e31b1e481ef32c1b384ab403a10dc25a/security/chromiumos/inode_mark.h
[modify] https://crrev.com/9b0447c5e31b1e481ef32c1b384ab403a10dc25a/security/chromiumos/securityfs.c
[modify] https://crrev.com/9b0447c5e31b1e481ef32c1b384ab403a10dc25a/include/linux/security.h
[modify] https://crrev.com/9b0447c5e31b1e481ef32c1b384ab403a10dc25a/security/chromiumos/inode_mark.c
[modify] https://crrev.com/9b0447c5e31b1e481ef32c1b384ab403a10dc25a/security/chromiumos/lsm.c
[modify] https://crrev.com/9b0447c5e31b1e481ef32c1b384ab403a10dc25a/security/security.c
Feb 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d8581bd0571211c83d7e512521c8b4cb79647e93

commit d8581bd0571211c83d7e512521c8b4cb79647e93
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Feb 02 21:19:38 2018

Block FIFO access on stateful partition.

Extend the system for attaching security policy metadata to inodes and enforcing security policies at runtime. Make the framework for adding a new inode security policy simple: just set a new enum value in inode_mark.h and add the corresponding file entry structures to the array in securityfs.c. Any hooks in lsm.c can then query the policy data for a dentry. This CL adds a specific hook for blocking access to FIFOs during the open() syscall.

BUG= chromium:655606
TEST=Manually confirm no blocked accesses during boot (init scripts and autotest in another CL)
Change-Id: If72aaedc06f7c88183eb3640cb1b07e47a8ee1d9
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/874611
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/d8581bd0571211c83d7e512521c8b4cb79647e93/security/chromiumos/inode_mark.h
[modify] https://crrev.com/d8581bd0571211c83d7e512521c8b4cb79647e93/security/chromiumos/securityfs.c
[modify] https://crrev.com/d8581bd0571211c83d7e512521c8b4cb79647e93/include/linux/security.h
[modify] https://crrev.com/d8581bd0571211c83d7e512521c8b4cb79647e93/security/chromiumos/inode_mark.c
[modify] https://crrev.com/d8581bd0571211c83d7e512521c8b4cb79647e93/security/chromiumos/lsm.c
[modify] https://crrev.com/d8581bd0571211c83d7e512521c8b4cb79647e93/security/security.c
Feb 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/206ae430d5ed43e8e5f94dea727750fbd133e558

commit 206ae430d5ed43e8e5f94dea727750fbd133e558
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Feb 02 21:19:41 2018

Block FIFO access on stateful partition.

Extend the system for attaching security policy metadata to inodes and enforcing security policies at runtime. Make the framework for adding a new inode security policy simple: just set a new enum value in inode_mark.h and add the corresponding file entry structures to the array in securityfs.c. Any hooks in lsm.c can then query the policy data for a dentry. This CL adds a specific hook for blocking access to FIFOs during the open() syscall.

BUG= chromium:655606
TEST=Manually confirm no blocked accesses during boot (init scripts and autotest in another CL)
Change-Id: Ifc9992e6ac0858231ffa9622e22845eefafd6611
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/871654
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/206ae430d5ed43e8e5f94dea727750fbd133e558/security/chromiumos/inode_mark.c
[modify] https://crrev.com/206ae430d5ed43e8e5f94dea727750fbd133e558/security/chromiumos/lsm.c
[modify] https://crrev.com/206ae430d5ed43e8e5f94dea727750fbd133e558/security/chromiumos/inode_mark.h
[modify] https://crrev.com/206ae430d5ed43e8e5f94dea727750fbd133e558/security/chromiumos/securityfs.c
Feb 5 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8d9e2b5b155450966ecc54803e1479f392cccd16

commit 8d9e2b5b155450966ecc54803e1479f392cccd16
Author: Micah Morton <mortonm@chromium.org>
Date: Mon Feb 05 23:44:49 2018

Block FIFO access on stateful partition.

Extend the system for attaching security policy metadata to inodes and enforcing security policies at runtime. Make the framework for adding a new inode security policy simple: just set a new enum value in inode_mark.h and add the corresponding file entry structures to the array in securityfs.c. Any hooks in lsm.c can then query the policy data for a dentry. This CL adds a specific hook for blocking access to FIFOs during the open() syscall.

BUG= chromium:655606
TEST=Manually confirm no blocked accesses during boot (init scripts and autotest in another CL)
Change-Id: I528c252c93cb7b1b978dca28c4464115b0fb9de5
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/875191
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/8d9e2b5b155450966ecc54803e1479f392cccd16/security/chromiumos/inode_mark.c
[modify] https://crrev.com/8d9e2b5b155450966ecc54803e1479f392cccd16/security/chromiumos/lsm.c
[modify] https://crrev.com/8d9e2b5b155450966ecc54803e1479f392cccd16/security/chromiumos/inode_mark.h
[modify] https://crrev.com/8d9e2b5b155450966ecc54803e1479f392cccd16/security/chromiumos/securityfs.c
Feb 9 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/6ab38609688965b57492aca017de14133cfeb8ab

commit 6ab38609688965b57492aca017de14133cfeb8ab
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Feb 09 07:42:10 2018

init: bind mount tmpfs instead of symlinking

Continue to enable /run (tmpfs for runtime data) to be accessed through /var for backwards compatibility, while also eliminating use of symlinks in preparation for blocking symlink traversal on the stateful file system.

BUG= chromium:655606
TEST=Image still boots and passes tests
Change-Id: I62339e6b9cdef7aafe6a7123d42dd4546a562e39
Reviewed-on: https://chromium-review.googlesource.com/906889
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/6ab38609688965b57492aca017de14133cfeb8ab/init/chromeos_startup
Mar 14 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/966ec0ee3c8988e2cbac32f178cdac319c48f1b5

commit 966ec0ee3c8988e2cbac32f178cdac319c48f1b5
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Mar 14 02:00:22 2018

init: Block symlinks and FIFOs on the stateful file system.

This makes use of the inode security policy code added to the chromiumos LSM in the kernel. By default, symlink traversal and opening of FIFOs on the stateful file system are now blocked. There are exceptions to the symlink policy for a handful of file system locations that actually do rely on symlinks.

BUG= chromium:655606
TEST=Image still boots and passes tests, no symlink/FIFO warnings in dmesg.
Change-Id: I9b135c3a4aa4d6534d14d7a4f5c146e0e950d599
Reviewed-on: https://chromium-review.googlesource.com/472908
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/966ec0ee3c8988e2cbac32f178cdac319c48f1b5/init/chromeos_startup
[modify] https://crrev.com/966ec0ee3c8988e2cbac32f178cdac319c48f1b5/init/dev_utils.sh
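
A userspace counterpart to the kernel policy above, for code that has to read a file from stateful: it walks the path one component at a time, refuses symlinks anywhere on the way, and never blocks on or accepts a FIFO. This is an added example, not Chromium OS code; `open_regular_nofollow`, `demo_open` and the temporary sample tree are hypothetical and constructed for the demonstration (Linux, writable /tmp assumed).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open relpath below rootfd, refusing any symlink on
 * the way and anything but a regular file at the end. Returns fd or -errno. */
int open_regular_nofollow(int rootfd, const char *relpath)
{
    char buf[4096], *save = NULL, *comp, *next;
    struct stat st;
    int dirfd, fd, err;

    if (relpath[0] == '/' || strlen(relpath) >= sizeof(buf))
        return -EINVAL;                 /* only paths relative to rootfd */
    strcpy(buf, relpath);
    comp = strtok_r(buf, "/", &save);
    if (!comp)
        return -EINVAL;
    dirfd = fcntl(rootfd, F_DUPFD_CLOEXEC, 0);
    if (dirfd < 0)
        return -errno;

    while (comp) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) {
            err = -EINVAL;              /* ".." could climb out of rootfd */
            goto fail;
        }
        /* O_NOFOLLOW: a symlink component fails with ELOOP.
         * O_NONBLOCK: a FIFO without a writer cannot hang the caller. */
        fd = openat(dirfd, comp,
                    O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
        if (fd < 0) {
            err = -errno;
            goto fail;
        }
        close(dirfd);
        dirfd = fd;
        if (fstat(dirfd, &st) < 0) {
            err = -errno;
            goto fail;
        }
        if (next && !S_ISDIR(st.st_mode)) {
            err = -ENOTDIR;
            goto fail;
        }
        if (!next && !S_ISREG(st.st_mode)) {
            err = -EPERM;               /* FIFO, directory, device node */
            goto fail;
        }
        comp = next;
    }
    return dirfd;
fail:
    close(dirfd);
    return err;
}

/* Constructed sample tree in a fresh temp directory:
 *   real/data.txt           regular file
 *   real/alias -> data.txt  symlink as last component
 *   link -> real            symlink as intermediate component
 *   real/pipe               FIFO
 * Returns 0 if rel opens, otherwise the -errno from the helper. */
int demo_open(const char *rel)
{
    static int rootfd = -1;
    int fd;

    if (rootfd < 0) {
        char tmpl[] = "/tmp/stateful-demo-XXXXXX";
        if (!mkdtemp(tmpl))
            return -errno;
        rootfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        if (rootfd < 0)
            return -errno;
        if (mkdirat(rootfd, "real", 0700) < 0 ||
            (fd = openat(rootfd, "real/data.txt", O_WRONLY | O_CREAT, 0600)) < 0 ||
            close(fd) < 0 ||
            symlinkat("data.txt", rootfd, "real/alias") < 0 ||
            symlinkat("real", rootfd, "link") < 0 ||
            mkfifoat(rootfd, "real/pipe", 0600) < 0)
            return -errno;
    }
    fd = open_regular_nofollow(rootfd, rel);
    if (fd < 0)
        return fd;
    close(fd);
    return 0;
}

int main(void)
{
    const char *paths[] = { "real/data.txt", "real/alias", "link/data.txt",
                            "real/pipe", "real/../real/data.txt" };
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-24s -> %d\n", paths[i], demo_open(paths[i]));
    return 0;
}
```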
Mar 15 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/151066f542e33a38989bc3f7d7ad865a1eae02c5

commit 151066f542e33a38989bc3f7d7ad865a1eae02c5
Author: Junichi Uekawa <uekawa@chromium.org>
Date: Thu Mar 15 04:38:42 2018

Revert "init: Block symlinks and FIFOs on the stateful file system."

This reverts commit 966ec0ee3c8988e2cbac32f178cdac319c48f1b5.

Reason for revert: breaks CTS

BUG=b:74868050
BUG= chromium:655606

Original change's description:
> init: Block symlinks and FIFOs on the stateful file system.
>
> This makes use of the inode security policy code added to the
> chromiumos LSM in the kernel. By default, symlink traversal and
> opening of FIFOs on the stateful file system are now blocked.
> There are exceptions to the symlink policy for a handful of
> file system locations that actually do rely on symlinks.
>
> BUG= chromium:655606
> TEST=Image still boots and passes tests, no symlink/FIFO warnings
> in dmesg.
>
> Change-Id: I9b135c3a4aa4d6534d14d7a4f5c146e0e950d599
> Reviewed-on: https://chromium-review.googlesource.com/472908
> Commit-Ready: Micah Morton <mortonm@chromium.org>
> Tested-by: Micah Morton <mortonm@chromium.org>
> Reviewed-by: Micah Morton <mortonm@chromium.org>
> Reviewed-by: Mike Frysinger <vapier@chromium.org>

Bug: chromium:655606
Change-Id: If2bf282a7d26548db92c895b4c809b6db84387c5
Reviewed-on: https://chromium-review.googlesource.com/963881
Reviewed-by: Kazuhiro Inaba <kinaba@chromium.org>
Commit-Queue: Junichi Uekawa <uekawa@chromium.org>
Tested-by: Junichi Uekawa <uekawa@chromium.org>
Trybot-Ready: Junichi Uekawa <uekawa@chromium.org>

[modify] https://crrev.com/151066f542e33a38989bc3f7d7ad865a1eae02c5/init/chromeos_startup
[modify] https://crrev.com/151066f542e33a38989bc3f7d7ad865a1eae02c5/init/dev_utils.sh
Mar 17 2018
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chromeos/ap-daemons/+/c6bff4971940a22b9c2f9f304ac9e425b30a1140

commit c6bff4971940a22b9c2f9f304ac9e425b30a1140
Author: Micah Morton <mortonm@chromium.org>
Date: Sat Mar 17 01:31:28 2018
Mar 19 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/69bfffd3e8d9bf6362fc9d36c45669963e2dfb2c

commit 69bfffd3e8d9bf6362fc9d36c45669963e2dfb2c
Author: Mattias Nissler <mnissler@chromium.org>
Date: Mon Mar 19 21:19:02 2018

init: Block symlinks on the stateful file system.

This is a reland of 966ec0ee3c8988e2cbac32f178cdac319c48f1b5

Changes since prior merge:
1) Added a global exception to symlink blocking for Jetstream boards (TBD whether the global exception will stay or we will refine the exception to only include parts of the stateful file system where Jetstream uses symlinks legitimately).
2) Removed FIFO blocking in this commit to see if the symlink blocking sticks by itself. FIFO blocking will be landed in another CL once necessary exceptions are added to the FIFO policy for ARC++.

Original change's description:
> init: Block symlinks and FIFOs on the stateful file system.
>
> This makes use of the inode security policy code added to the
> chromiumos LSM in the kernel. By default, symlink traversal and
> opening of FIFOs on the stateful file system are now blocked.
> There are exceptions to the symlink policy for a handful of
> file system locations that actually do rely on symlinks.
>
> BUG= chromium:655606
> TEST=Image still boots and passes tests, no symlink/FIFO warnings
> in dmesg.
>
> Change-Id: I9b135c3a4aa4d6534d14d7a4f5c146e0e950d599
> Reviewed-on: https://chromium-review.googlesource.com/472908
> Commit-Ready: Micah Morton <mortonm@chromium.org>
> Tested-by: Micah Morton <mortonm@chromium.org>
> Reviewed-by: Micah Morton <mortonm@chromium.org>
> Reviewed-by: Mike Frysinger <vapier@chromium.org>

BUG= chromium:655606
TEST=Image still boots and passes tests, no symlink/FIFO warnings in dmesg.

Change-Id: I0cfbf0afe6c48ce1ae10d1fa3b18fcc7e5445ea8
Reviewed-on: https://chromium-review.googlesource.com/966683
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>

[modify] https://crrev.com/69bfffd3e8d9bf6362fc9d36c45669963e2dfb2c/init/chromeos_startup
[modify] https://crrev.com/69bfffd3e8d9bf6362fc9d36c45669963e2dfb2c/init/dev_utils.sh
Mar 20 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/56ce03401d8cc6ea8a57a9c757f408b14236c351

commit 56ce03401d8cc6ea8a57a9c757f408b14236c351
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Mar 20 02:21:41 2018

arc: Add exception file for FIFO blocking on stateful.

Symlink and FIFO access on the stateful partition are being blocked by CL:966683 for security reasons. New file specifies a policy exception so that FIFOs can be used in the /data directory (under /home). See b/74868050 for details on the need for the exception.

BUG= chromium:655606
TEST=emerged to board and observed file

Change-Id: I86241ce440254ff81091f3145258a41d561cc130
Reviewed-on: https://chromium-review.googlesource.com/961305
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org>

[add] https://crrev.com/56ce03401d8cc6ea8a57a9c757f408b14236c351/arc/container-bundle/master/arc-fifo-exceptions.txt
Mar 20 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/69ad8d9136bc63c9dddfad356d863ee23acc532b

commit 69ad8d9136bc63c9dddfad356d863ee23acc532b
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Mar 20 04:34:27 2018

arc-base: Add exception for FIFO blocking on stateful.

Symlink and FIFO access on the stateful partition are being blocked by CL:966683 for security reasons. Add an exception so that FIFOs can be used in the /data directory (under /home). See b/74868050 for details on the need for the exception.

CQ-DEPEND=CL:961305
BUG= chromium:655606
TEST=emerged to board and observed file

Change-Id: Ic9bccd1d89973ae9eec18810aea08cc561173feb
Reviewed-on: https://chromium-review.googlesource.com/961304
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org>

[modify] https://crrev.com/69ad8d9136bc63c9dddfad356d863ee23acc532b/chromeos-base/arc-base/arc-base-9999.ebuild
Mar 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/0935b9ad7cdac01358286c2e3ad433b8736a8371

commit 0935b9ad7cdac01358286c2e3ad433b8736a8371
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Mar 21 05:21:40 2018

init: Block FIFOs on the stateful file system.

This makes use of the inode security policy code added to the chromiumos LSM in the kernel. By default, opening of FIFOs on the stateful file system will now be blocked, as was recently done in CL:966683 for symlinks. There are exceptions to the FIFO blocking policy for a couple of file system locations that actually do rely on FIFOs.

BUG= chromium:655606
TEST=Image still boots and passes tests, no FIFO warnings in dmesg.

Change-Id: I0c54cee75e43b0e8f695da0cd07388038311efbd
Reviewed-on: https://chromium-review.googlesource.com/970905
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/0935b9ad7cdac01358286c2e3ad433b8736a8371/init/chromeos_startup
[modify] https://crrev.com/0935b9ad7cdac01358286c2e3ad433b8736a8371/init/dev_utils.sh
Mar 22 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/a710c9b1f70e77977adef691be7846d8ff073356

commit a710c9b1f70e77977adef691be7846d8ff073356
Author: Micah Morton <mortonm@chromium.org>
Date: Thu Mar 22 10:01:22 2018

init: fix typo to enable symlink/FIFO blocking on stateful.

This typo prevents these lines from ever evaluating to true and brings the rest of stateful partition symlink/FIFO blocking down with it. Oops.

BUG= chromium:655606
TEST=manually modified script and tested mounting/blocking policy.

Change-Id: I5689f487b9cb16b7374a7d1edc81a9bd334194d4
Reviewed-on: https://chromium-review.googlesource.com/974562
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/a710c9b1f70e77977adef691be7846d8ff073356/init/chromeos_startup
Mar 24 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/d1cddac79a9c0221fd589f44dd9b5eb1fed4cec5

commit d1cddac79a9c0221fd589f44dd9b5eb1fed4cec5
Author: Micah Morton <mortonm@chromium.org>
Date: Sat Mar 24 00:29:39 2018

arc: Modify exception file for FIFO blocking on stateful.

Symlink and FIFO access on the stateful partition are being blocked by CL:966683 for security reasons. We already attempted to add an exception file for this policy for the /home/root subtree, so that the Android /data dir could use FIFOs. Turns out /home/root/$hash is a bind-mount of /home/.shadow/$hash/mount/root, meaning the FIFOs are used under /home/.shadow, not /home/root. Backing this exception one step up the tree to /home allows Android to use FIFOs in the /data directory. See b/76173776 for details.

BUG= chromium:655606
TEST=ran cheets_CTS_N.7.1_r15.arm.CtsLibcoreTestCases (works for x86 as well) and observed FIFO blocking in existing code, but no FIFO blocking with this change.

Change-Id: Ia91ca8fc350730b65ec682688ad455542236bb2f
Reviewed-on: https://chromium-review.googlesource.com/978661
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/d1cddac79a9c0221fd589f44dd9b5eb1fed4cec5/arc/container-bundle/master/arc-fifo-exceptions.txt
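The bind-mount pitfall described in the commit above, as an added example that is not part of the original commit or the Chromium OS tree: it maps a path through a mountinfo table to its location inside the backing file system and checks whether an exception directory actually covers it. The mountinfo sample, the HASH placeholder, the function names, and the model that an exception applies to the backing subtree of its directory are all assumptions of this example.

```python
import posixpath

# Constructed /proc/self/mountinfo sample (not captured from a device).
# HASH stands in for the per-user $hash directory from the commit message.
SAMPLE_MOUNTINFO = """\
25 1 8:3 / / ro - ext2 /dev/root ro
36 25 8:1 /home /home rw - ext4 /dev/sda1 rw
80 36 8:1 /home/.shadow/HASH/mount/root /home/root/HASH rw - ext4 /dev/sda1 rw
"""


def parse_mountinfo(text):
    """Return (device, root inside the fs, mount point) per mountinfo line."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            mounts.append((fields[2], fields[3], fields[4]))
    return mounts


def is_under(path, ancestor):
    """True if path equals ancestor or lies below it, compared by component."""
    return ancestor == "/" or path == ancestor or path.startswith(ancestor + "/")


def backing_path(path, mounts):
    """Map a path as seen in the mount namespace to (device, path inside fs)."""
    path = posixpath.normpath(path)
    best = None
    for dev, root, mnt in mounts:
        # Longest matching mount point wins; a later mount shadows an earlier one.
        if is_under(path, mnt) and (best is None or len(mnt) >= len(best[2])):
            best = (dev, root, mnt)
    if best is None:
        raise ValueError("no mount covers " + path)
    dev, root, mnt = best
    rest = path[len(mnt):].lstrip("/")
    return dev, posixpath.normpath(posixpath.join(root, rest))


def exception_covers(exception_dir, target, mounts):
    """Assumed model: an exception applies to the backing subtree of its dir."""
    ex_dev, ex_path = backing_path(exception_dir, mounts)
    t_dev, t_path = backing_path(target, mounts)
    return ex_dev == t_dev and is_under(t_path, ex_path)
```

Running the same check against a device's real /proc/self/mountinfo before landing an exception shows whether the exception path and the files it is meant to cover share a backing subtree.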
Mar 24 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/43327729a1292fa9a708a956acadef2c8c14de6d

commit 43327729a1292fa9a708a956acadef2c8c14de6d
Author: Micah Morton <mortonm@chromium.org>
Date: Sat Mar 24 21:18:35 2018

init: Reland "init: Block FIFOs on the stateful file system."

Original change I0c54cee75e43b0e8f695da0cd07388038311efbd was reverted since we failed to install an exception for the correct location in the file system to allow use of FIFOs for /data on Android.

BUG= chromium:655606
CQ-DEPEND=CL:978661
TEST=ran cheets_CTS_N.7.1_r15.arm.CtsLibcoreTestCases (works for x86 as well) and observed FIFO blocking in existing code, but no FIFO blocking with this change.

Change-Id: I3637875c337d1419c2c244de598da66637fdefaf
Reviewed-on: https://chromium-review.googlesource.com/978780
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/43327729a1292fa9a708a956acadef2c8c14de6d/init/chromeos_startup
[modify] https://crrev.com/43327729a1292fa9a708a956acadef2c8c14de6d/init/dev_utils.sh
Mar 30 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/13376b77e691251a451b08351137a4144f7a59eb

commit 13376b77e691251a451b08351137a4144f7a59eb
Author: Mattias Nissler <mnissler@chromium.org>
Date: Fri Mar 30 02:51:54 2018

Autotest to verify symlink and FIFO access policy

The new security_StatefulPartitionHardening autotest verifies that symlink and FIFO access policies are correctly enforced on the stateful file system, i.e. file access generally fails when running into a symlink or FIFO. The test also verifies that symlink traversal continues to work for whitelisted locations.

BUG= chromium:655606
TEST=Run security_StatefulPartitionHardening test.

Change-Id: I72dbdeb5e53331f91cd4e0717161f59da596c167
Reviewed-on: https://chromium-review.googlesource.com/481262
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: David Haddock <dhaddock@chromium.org>

[add] https://crrev.com/13376b77e691251a451b08351137a4144f7a59eb/client/site_tests/security_StatefulPartitionHardening/security_StatefulPartitionHardening.py
[add] https://crrev.com/13376b77e691251a451b08351137a4144f7a59eb/client/site_tests/security_StatefulPartitionHardening/control
Mar 30 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/983990b24ec02b4029759c3e73fb61105acfd9eb

commit 983990b24ec02b4029759c3e73fb61105acfd9eb
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Mar 30 23:53:02 2018

Add new test for stateful partition hardening.

CQ-DEPEND=CL:481262
TEST=emerge autotest-tests and run test_that.
BUG= chromium:655606

Change-Id: I9c20b524cda10b5f07898e174573a4c1eeb65b40
Reviewed-on: https://chromium-review.googlesource.com/962871
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>

[modify] https://crrev.com/983990b24ec02b4029759c3e73fb61105acfd9eb/chromeos-base/autotest-tests-security/autotest-tests-security-9999.ebuild
Jun 13 2018
Symlink hardening landed a while ago. I've split out the remaining stateful hardening work into issue 852282 and will close this bug now.
Jan 16
Actually closing...
Comment 1 by mnissler@chromium.org, Dec 19 2016