We currently have a very simple network process using --enable-network-service. We should investigate how much we can sandbox it.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2

commit a8fefcd5b469c0423ca7853d9bee73f3532c9ad2
Author: Tom Sepez <tsepez@chromium.org>
Date: Wed Jul 12 19:22:11 2017

Provide finer control over sandboxing in utility process.

First patch in a series to move from a world where the sandbox is either on or off as controlled by a boolean to one in which a number of sandbox types may exist. Use the existing content::SandboxType enum for this purpose, and add a value for the unsandboxed case and for the future network process work.

Change the content browser client API to do all service registrations through a single RegisterOutOfProcessServices() call.

Bug: 715679
Change-Id: I9efc3fe2c1796118770d23d126b069c7bb9f7cf1
Reviewed-on: https://chromium-review.googlesource.com/565933
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486051}

[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/chrome/browser/chrome_content_browser_client.cc
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/chrome/browser/importer/external_process_importer_client.cc
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/browser/service_manager/service_manager_context.cc
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/browser/utility_process_host_impl.cc
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/browser/utility_process_host_impl.h
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/common/sandbox_mac.mm
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/common/sandbox_mac_unittest_helper.mm
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/public/browser/content_browser_client.h
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/public/browser/utility_process_host.h
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/public/browser/utility_process_mojo_client.h
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/public/common/sandbox_type.h
[modify] https://crrev.com/a8fefcd5b469c0423ca7853d9bee73f3532c9ad2/content/shell/browser/shell_content_browser_client.cc
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/29a4b4828204655298e77b83d2fc01a5e88f2141

commit 29a4b4828204655298e77b83d2fc01a5e88f2141
Author: Tom Sepez <tsepez@chromium.org>
Date: Mon Jul 24 22:02:32 2017

Consolidate use of sandbox_type in SandboxedProcessLauncherDelegate

Second patch in a series to move from a world where the sandbox is either on or off as controlled by a boolean to one in which a number of sandbox types may exist. Remove Windows' reliance on the Windows-specific ShouldSandbox() method and rely on GetSandboxType() on all platforms.

Bug: 715679
Change-Id: I30ba0f0156b685cce2c2d9b24eecc3768a826267
Reviewed-on: https://chromium-review.googlesource.com/568377
Reviewed-by: Penny MacNeil <pennymac@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#489091}

[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/chrome/service/service_utility_process_host.cc
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/components/nacl/broker/nacl_broker_listener.cc
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/components/nacl/broker/nacl_broker_listener.h
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/components/nacl/browser/nacl_broker_host_win.cc
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/components/nacl/browser/nacl_process_host.cc
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/content/browser/gpu/gpu_process_host.cc
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/content/browser/ppapi_plugin_process_host.cc
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/content/browser/utility_process_host_impl.cc
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/content/browser/utility_process_host_impl.h
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/content/common/sandbox_win.cc
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/content/public/common/sandboxed_process_launcher_delegate.cc
[modify] https://crrev.com/29a4b4828204655298e77b83d2fc01a5e88f2141/content/public/common/sandboxed_process_launcher_delegate.h
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/aa5be0d53b3f148ee3d76cfb842de37ffc57be6b

commit aa5be0d53b3f148ee3d76cfb842de37ffc57be6b
Author: Tom Sepez <tsepez@chromium.org>
Date: Mon Aug 28 18:55:47 2017

Add sandbox_type field to service manager catalog entries.

First step in being able to specify sandboxing requirements using the same manifest in which services are specified.

Bug: 715679
Change-Id: I696081e42a712ec3ee154384b14578bd21fe5ca5
Reviewed-on: https://chromium-review.googlesource.com/624732
Reviewed-by: Ken Rockot <rockot@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497818}

[modify] https://crrev.com/aa5be0d53b3f148ee3d76cfb842de37ffc57be6b/services/catalog/entry.cc
[modify] https://crrev.com/aa5be0d53b3f148ee3d76cfb842de37ffc57be6b/services/catalog/entry.h
[modify] https://crrev.com/aa5be0d53b3f148ee3d76cfb842de37ffc57be6b/services/catalog/entry_unittest.cc
[modify] https://crrev.com/aa5be0d53b3f148ee3d76cfb842de37ffc57be6b/services/catalog/store.cc
[modify] https://crrev.com/aa5be0d53b3f148ee3d76cfb842de37ffc57be6b/services/catalog/store.h
[modify] https://crrev.com/aa5be0d53b3f148ee3d76cfb842de37ffc57be6b/services/catalog/test_data/simple
Apologies, applied the wrong component in bulk.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c28719614107018ceda54742d0a4a67a445a16cc

commit c28719614107018ceda54742d0a4a67a445a16cc
Author: Tom Sepez <tsepez@chromium.org>
Date: Wed Nov 08 00:13:26 2017

Implement generic method for determining broker sandbox policy.

Moves some logic out of gpu_main.cc and into the sandbox code, where it is anticipated to be re-used to make a network sandbox broker process.

Other tidying: Rename BrokerProcess::policy_ to broker_policy_, to distinguish it from the sandbox policies that are flying around and update comment. Remove an else-after-return.

Bug: 715679
Change-Id: I69c6d6cb9ab64ee830ab7175ca47543e973e2e12
Reviewed-on: https://chromium-review.googlesource.com/755888
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#514666}

[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/content/gpu/gpu_sandbox_hook_linux.cc
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/sandbox/linux/syscall_broker/broker_process.cc
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/sandbox/linux/syscall_broker/broker_process.h
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/bpf_base_policy_linux.cc
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/bpf_base_policy_linux.h
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/bpf_cros_amd_gpu_policy_linux.cc
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/bpf_cros_amd_gpu_policy_linux.h
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/bpf_cros_arm_gpu_policy_linux.cc
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/bpf_cros_arm_gpu_policy_linux.h
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.h
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
[modify] https://crrev.com/c28719614107018ceda54742d0a4a67a445a16cc/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.h
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c17d4221aed92a67e759483e644ae7143fe6f91d

commit c17d4221aed92a67e759483e644ae7143fe6f91d
Author: Tom Sepez <tsepez@chromium.org>
Date: Thu Nov 09 20:59:00 2017

Move broker process forking to sandbox_linux.cc

Extract code from gpu_sandbox_hooks_linux.cc for re-use when starting a network service broker in the future. Moves some code up from sandbox_seccomp_bpf_linux.cc so as to keep that layer unaware of the notion of a broker. In particular, sandbox_linux.cc now handles the scheduling of callbacks, and types are adjusted to account for this.

Kill some redundant service_manager:: scope qualifiers while we're at it.

Bug: 715679
Change-Id: Id2106bda14ef06fdabe054e66b72938bb54f6f5b
Reviewed-on: https://chromium-review.googlesource.com/758962
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#515284}

[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/content/gpu/gpu_sandbox_hook_linux.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/content/gpu/gpu_sandbox_hook_linux.h
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/content/ppapi_plugin/ppapi_plugin_main.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/content/renderer/renderer_main_platform_delegate_linux.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/content/utility/utility_main.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/public/cpp/standalone_service/standalone_service.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/bpf_base_policy_linux.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/bpf_base_policy_linux.h
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/bpf_cros_amd_gpu_policy_linux.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/bpf_cros_amd_gpu_policy_linux.h
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/bpf_cros_arm_gpu_policy_linux.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/bpf_cros_arm_gpu_policy_linux.h
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.h
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/sandbox_linux.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/sandbox_linux.h
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.h
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/sandbox.cc
[modify] https://crrev.com/c17d4221aed92a67e759483e644ae7143fe6f91d/services/service_manager/sandbox/sandbox.h
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/800938f9cb9600a21b7d23b45e06de9d6c31c049

commit 800938f9cb9600a21b7d23b45e06de9d6c31c049
Author: Tom Sepez <tsepez@chromium.org>
Date: Tue Nov 14 22:28:59 2017

Run network process in a (fully-permissive) seccomp-bpf sandbox.

First steps towards an actual sandbox. This fixes some issues in the utility process code to deal with a non-zygote but nonetheless sandboxed utility process where it had assumed that one implied the other.

Bug: 715679
Change-Id: I691b67937ded36a37d9d450278977f531a0a2e3a
Reviewed-on: https://chromium-review.googlesource.com/764567
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516464}

[modify] https://crrev.com/800938f9cb9600a21b7d23b45e06de9d6c31c049/content/browser/utility_process_host_impl.cc
[modify] https://crrev.com/800938f9cb9600a21b7d23b45e06de9d6c31c049/content/public/test/network_service_test_helper.cc
[modify] https://crrev.com/800938f9cb9600a21b7d23b45e06de9d6c31c049/content/utility/utility_main.cc
[modify] https://crrev.com/800938f9cb9600a21b7d23b45e06de9d6c31c049/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
[modify] https://crrev.com/800938f9cb9600a21b7d23b45e06de9d6c31c049/services/service_manager/sandbox/sandbox_type.cc
[modify] https://crrev.com/800938f9cb9600a21b7d23b45e06de9d6c31c049/services/service_manager/sandbox/sandbox_type.h
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/322a049cf1e90d6711d7715ddde03130a09a00c7

commit 322a049cf1e90d6711d7715ddde03130a09a00c7
Author: Tom Sepez <tsepez@chromium.org>
Date: Thu Nov 16 00:59:57 2017

Start up network service syscall broker process.

This does no actual sandboxing, but ensures that all the file open calls can indeed be proxied via the same technique as used in the GPU. AllowAllPolicy becomes unused as a result and is removed.

Bug: 715679
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Id7a0ee51d8c98c0bd3f59b2e468dc2a3eb11f50e
Reviewed-on: https://chromium-review.googlesource.com/764539
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516931}

[modify] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/content/network/BUILD.gn
[modify] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/content/network/DEPS
[add] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/content/network/network_sandbox_hook_linux.cc
[add] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/content/network/network_sandbox_hook_linux.h
[modify] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/content/utility/utility_main.cc
[modify] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/sandbox/linux/syscall_broker/broker_file_permission.h
[modify] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/services/service_manager/sandbox/BUILD.gn
[add] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/services/service_manager/sandbox/linux/bpf_network_policy_linux.cc
[add] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/services/service_manager/sandbox/linux/bpf_network_policy_linux.h
[modify] https://crrev.com/322a049cf1e90d6711d7715ddde03130a09a00c7/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/12b8d4ba28076fdfe6e947d3c18d0a95c70861fc

commit 12b8d4ba28076fdfe6e947d3c18d0a95c70861fc
Author: Tom Sepez <tsepez@chromium.org>
Date: Thu Nov 30 00:51:31 2017

Broker stat(2) system calls subject to read permissions.

The network service tries to stat a bunch of files related to NSS, so these calls will need to be proxied later on. Also, AMD GPU drivers will need this if they are to be namespace sandboxed down the road.

Bug: 715679
Change-Id: Iff01da8818f41e08e3bbf735eb5f5f82da37538d
Reviewed-on: https://chromium-review.googlesource.com/776128
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520352}

[modify] https://crrev.com/12b8d4ba28076fdfe6e947d3c18d0a95c70861fc/sandbox/linux/syscall_broker/broker_client.cc
[modify] https://crrev.com/12b8d4ba28076fdfe6e947d3c18d0a95c70861fc/sandbox/linux/syscall_broker/broker_client.h
[modify] https://crrev.com/12b8d4ba28076fdfe6e947d3c18d0a95c70861fc/sandbox/linux/syscall_broker/broker_common.h
[modify] https://crrev.com/12b8d4ba28076fdfe6e947d3c18d0a95c70861fc/sandbox/linux/syscall_broker/broker_host.cc
[modify] https://crrev.com/12b8d4ba28076fdfe6e947d3c18d0a95c70861fc/sandbox/linux/syscall_broker/broker_process.cc
[modify] https://crrev.com/12b8d4ba28076fdfe6e947d3c18d0a95c70861fc/sandbox/linux/syscall_broker/broker_process.h
[modify] https://crrev.com/12b8d4ba28076fdfe6e947d3c18d0a95c70861fc/sandbox/linux/syscall_broker/broker_process_unittest.cc
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e51d4d944f64fb532e7af0ce37c101e9f6dfa9a1

commit e51d4d944f64fb532e7af0ce37c101e9f6dfa9a1
Author: Tom Sepez <tsepez@chromium.org>
Date: Thu Nov 30 19:05:12 2017

Broker rename(2) system call subject to write permissions.

This was also seen in strace of network service. Moved some code around to put reading command and writing reply to the socket in the same function.

Bug: 715679
Change-Id: I381607c50e8aa1cf85f59fb7817efdf725f8c768
Reviewed-on: https://chromium-review.googlesource.com/780440
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520629}

[modify] https://crrev.com/e51d4d944f64fb532e7af0ce37c101e9f6dfa9a1/sandbox/linux/syscall_broker/broker_client.cc
[modify] https://crrev.com/e51d4d944f64fb532e7af0ce37c101e9f6dfa9a1/sandbox/linux/syscall_broker/broker_client.h
[modify] https://crrev.com/e51d4d944f64fb532e7af0ce37c101e9f6dfa9a1/sandbox/linux/syscall_broker/broker_common.h
[modify] https://crrev.com/e51d4d944f64fb532e7af0ce37c101e9f6dfa9a1/sandbox/linux/syscall_broker/broker_host.cc
[modify] https://crrev.com/e51d4d944f64fb532e7af0ce37c101e9f6dfa9a1/sandbox/linux/syscall_broker/broker_process.cc
[modify] https://crrev.com/e51d4d944f64fb532e7af0ce37c101e9f6dfa9a1/sandbox/linux/syscall_broker/broker_process.h
[modify] https://crrev.com/e51d4d944f64fb532e7af0ce37c101e9f6dfa9a1/sandbox/linux/syscall_broker/broker_process_unittest.cc
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a4a56a31a4ce3e83545952a19e05c8f76025ce9d

commit a4a56a31a4ce3e83545952a19e05c8f76025ce9d
Author: Tom Sepez <tsepez@chromium.org>
Date: Thu Nov 30 23:07:04 2017

Trap stat and rename syscalls in the network service

This forces stat (and variants like stat64) and rename to execute in the broker process rather than in the network service itself.

Bug: 715679
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ie58d695bcf6c2fb5b2940a88571219645b3b2e56
Reviewed-on: https://chromium-review.googlesource.com/783882
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520735}

[modify] https://crrev.com/a4a56a31a4ce3e83545952a19e05c8f76025ce9d/services/service_manager/sandbox/linux/bpf_broker_policy_linux.cc
[modify] https://crrev.com/a4a56a31a4ce3e83545952a19e05c8f76025ce9d/services/service_manager/sandbox/linux/bpf_network_policy_linux.cc
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2d078a67b3e511b7954bc6df209d6110cb17584a

commit 2d078a67b3e511b7954bc6df209d6110cb17584a
Author: Tom Sepez <tsepez@chromium.org>
Date: Fri Dec 01 18:41:37 2017

Broker readlink system call subject to read permissions.

This allows the readlink call to trap into a broker process rather than being denied inside a sandbox.

Bug: 715679
Change-Id: Id03f45b298ba3c09de9a9b8ac3afc93a368bb4d5
Reviewed-on: https://chromium-review.googlesource.com/795012
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520996}

[modify] https://crrev.com/2d078a67b3e511b7954bc6df209d6110cb17584a/sandbox/linux/syscall_broker/broker_client.cc
[modify] https://crrev.com/2d078a67b3e511b7954bc6df209d6110cb17584a/sandbox/linux/syscall_broker/broker_client.h
[modify] https://crrev.com/2d078a67b3e511b7954bc6df209d6110cb17584a/sandbox/linux/syscall_broker/broker_common.h
[modify] https://crrev.com/2d078a67b3e511b7954bc6df209d6110cb17584a/sandbox/linux/syscall_broker/broker_host.cc
[modify] https://crrev.com/2d078a67b3e511b7954bc6df209d6110cb17584a/sandbox/linux/syscall_broker/broker_process.cc
[modify] https://crrev.com/2d078a67b3e511b7954bc6df209d6110cb17584a/sandbox/linux/syscall_broker/broker_process.h
[modify] https://crrev.com/2d078a67b3e511b7954bc6df209d6110cb17584a/sandbox/linux/syscall_broker/broker_process_unittest.cc
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9dc1b9e2243e7d78014159c9660d93ed2d31e27a

commit 9dc1b9e2243e7d78014159c9660d93ed2d31e27a
Author: Tom Sepez <tsepez@chromium.org>
Date: Wed Dec 13 17:56:57 2017

Place network service into namespace sandbox on linux, try 2

Next step forward towards sandboxing network service. Ensures that all FS access goes through the proxy, even if it is not being subject to any whitelist restrictions yet. All other syscalls are still allowed.

Bug: 715679
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ibe8dd5a09bbf498bc10c9ae289222b8e46b8e4b7
Reviewed-on: https://chromium-review.googlesource.com/817697
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523811}

[modify] https://crrev.com/9dc1b9e2243e7d78014159c9660d93ed2d31e27a/content/network/network_sandbox_hook_linux.cc
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a84722ada699c85cce70ef4e4b39c5b81c7ff3fc

commit a84722ada699c85cce70ef4e4b39c5b81c7ff3fc
Author: Tom Sepez <tsepez@chromium.org>
Date: Mon Dec 18 18:54:42 2017

Allow stat() in syscall broker if create permissions granted [linux]

Otherwise, base's directory creation has trouble figuring out if intermediate directories exist.

Bug: 715679
Change-Id: Ib7cad23cf606bc4e1e00cb9520b282d2df7796fa
Reviewed-on: https://chromium-review.googlesource.com/827611
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524754}

[modify] https://crrev.com/a84722ada699c85cce70ef4e4b39c5b81c7ff3fc/sandbox/linux/syscall_broker/broker_command.cc
[modify] https://crrev.com/a84722ada699c85cce70ef4e4b39c5b81c7ff3fc/sandbox/linux/syscall_broker/broker_file_permission.cc
[modify] https://crrev.com/a84722ada699c85cce70ef4e4b39c5b81c7ff3fc/sandbox/linux/syscall_broker/broker_file_permission.h
[modify] https://crrev.com/a84722ada699c85cce70ef4e4b39c5b81c7ff3fc/sandbox/linux/syscall_broker/broker_permission_list.cc
[modify] https://crrev.com/a84722ada699c85cce70ef4e4b39c5b81c7ff3fc/sandbox/linux/syscall_broker/broker_permission_list.h
[modify] https://crrev.com/a84722ada699c85cce70ef4e4b39c5b81c7ff3fc/sandbox/linux/syscall_broker/broker_process_unittest.cc
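The brokered-file-permission rules the stat, rename, readlink and create commits above describe, as an added example modelled on those commit messages (this is not Chromium's own sandbox/linux/syscall_broker code): a small C++ permission list that decides, on the broker side, which file operations a sandboxed process may have performed on its behalf. The class names, the trailing-slash directory-prefix convention, the two-path rule for rename and the sample policy paths are assumptions.

```cpp
// Simplified model of a syscall-broker permission list (added example, not
// Chromium's implementation). Each rule names an exact file or, with a
// trailing '/', a directory subtree, and grants read / write / create.
#include <string>
#include <utility>
#include <vector>

enum class Op { kOpenRead, kOpenWrite, kCreate, kStat, kReadlink, kRename };

struct FilePermission {
  std::string path;   // exact path, or directory prefix ending in '/'
  bool allow_read;
  bool allow_write;
  bool allow_create;

  // A rule ending in '/' matches every path below that directory.
  bool Matches(const std::string& requested) const {
    if (!path.empty() && path.back() == '/')
      return requested.compare(0, path.size(), path) == 0;
    return requested == path;
  }
};

class PermissionList {
 public:
  void Add(FilePermission p) { rules_.push_back(std::move(p)); }

  // The broker only ever sees absolute paths with no ".." components, so a
  // rule for /etc/ssl/ cannot be stretched into /etc/ssl/../shadow.
  static bool IsSafePath(const std::string& p) {
    if (p.empty() || p[0] != '/') return false;
    return p.find("/../") == std::string::npos && !EndsWith(p, "/..");
  }

  // Default deny: an operation is allowed only if some matching rule grants
  // the permission class that operation needs.
  bool Check(Op op, const std::string& path) const {
    if (!IsSafePath(path)) return false;
    for (const FilePermission& rule : rules_) {
      if (!rule.Matches(path)) continue;
      switch (op) {
        case Op::kOpenRead:
        case Op::kReadlink:          // readlink is brokered under read
          if (rule.allow_read) return true;
          break;
        case Op::kOpenWrite:
        case Op::kRename:            // rename is brokered under write
          if (rule.allow_write) return true;
          break;
        case Op::kCreate:
          if (rule.allow_create) return true;
          break;
        case Op::kStat:
          // stat is brokered under read, and also under create so that
          // directory creation can probe whether intermediate dirs exist.
          if (rule.allow_read || rule.allow_create) return true;
          break;
      }
    }
    return false;
  }

  // rename(2) names two paths; both the source and the destination must be
  // covered by a write-granting rule (assumed rule for this model).
  bool CheckRename(const std::string& from, const std::string& to) const {
    return Check(Op::kRename, from) && Check(Op::kRename, to);
  }

 private:
  static bool EndsWith(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
  }
  std::vector<FilePermission> rules_;
};

// Constructed sample policy: read-only access to a CA bundle directory and
// read/write/create access to an NSS database directory.
PermissionList SampleNetworkPolicy() {
  PermissionList list;
  list.Add({"/etc/ssl/", true, false, false});
  list.Add({"/home/user/.pki/nssdb/", true, true, true});
  return list;
}
```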
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/797b82e5692ae4dd51cc69e9d35be53817368c41

commit 797b82e5692ae4dd51cc69e9d35be53817368c41
Author: Tom Sepez <tsepez@chromium.org>
Date: Mon Dec 18 21:13:11 2017

[linux] tighten network service syscall list.

Many on this list could still be dangerous, but at least we remove the others.

Bug: 715679
Change-Id: Id901af97b1aae03465ea9601f86d05e2550aeb61
Reviewed-on: https://chromium-review.googlesource.com/826128
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524798}

[modify] https://crrev.com/797b82e5692ae4dd51cc69e9d35be53817368c41/services/service_manager/sandbox/linux/bpf_network_policy_linux.cc
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/dddc0af119fb757a2f4539f59b099e326fdb4509

commit dddc0af119fb757a2f4539f59b099e326fdb4509
Author: Tom Sepez <tsepez@chromium.org>
Date: Mon Dec 18 23:04:01 2017

Revert "[linux] tighten network service syscall list."

This reverts commit 797b82e5692ae4dd51cc69e9d35be53817368c41.

Reason for revert: <INSERT REASONING HERE>

Original change's description:
> [linux] tighten network service syscall list.
>
> Many on this list could still be dangerous, but at least we
> remove the others.
>
> Bug: 715679
> Change-Id: Id901af97b1aae03465ea9601f86d05e2550aeb61
> Reviewed-on: https://chromium-review.googlesource.com/826128
> Commit-Queue: Tom Sepez <tsepez@chromium.org>
> Reviewed-by: John Abd-El-Malek <jam@chromium.org>
> Reviewed-by: Robert Sesek <rsesek@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#524798}

TBR=rdsmith@chromium.org,jam@chromium.org,tsepez@chromium.org,rsesek@chromium.org

Change-Id: I9261f1f59f7c57070bf6bdd178d38241c8500372
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 715679
Reviewed-on: https://chromium-review.googlesource.com/832523
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524846}

[modify] https://crrev.com/dddc0af119fb757a2f4539f59b099e326fdb4509/services/service_manager/sandbox/linux/bpf_network_policy_linux.cc
Comment 1 by yzshen@chromium.org, May 24 2017