chromeos-kernel-3.8 lacks support for cgroup namespace
Issue description
chromeos-kernel-3.8 lacks support for cgroup namespace, which means `minijail0 -N` will abort at runtime. We should consider a few potential actions:
1. Audit existing usages of cgroup namespace in Chrome OS to see if they run on kernel 3.8 and are affected by this issue
2. Backport cgroup namespace support to 3.8, where the benefit may or may not justify the effort
3. Modify minijail to handle lack of cgroup namespace more gracefully
4. Document the disparities in namespace support (and other security features) among different kernel versions
5. Explicitly specify security features in the build process (e.g. using USE flags and conditional RDEPENDs: `cgroup_namespace? ( >=chromeos-kernel-3.14 )`)
It also raises an interesting question on how we should tackle disparities of security features among different versions of the kernel in the long run. The disparities may exist for practical reasons, so we may need to live with that. However, it'd be crucial to have some mechanisms to identify and catch inappropriate assumptions on security features available on a system.
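Option 3 above, as an added example that is not minijail's or the Chrome OS tree's own code: a POSIX sh helper that drops namespace flags the running kernel cannot honour and logs the gap instead of letting the jailed service abort. It assumes the kernel lists each supported namespace type as an entry under /proc/self/ns, and it extends the check beyond `-N` to the other minijail0 namespace flags.

```shell
#!/bin/sh
# Added example (not minijail or Chrome OS code): filter the namespace
# flags a service wants to pass to minijail0 down to those the running
# kernel supports, so a missing cgroup namespace is logged, not fatal.
#
# Assumption: a kernel exposes every namespace type it supports under
# /proc/self/ns; "cgroup" is absent on chromeos-kernel-3.8 and 3.10.

# Map a minijail0 namespace flag to the /proc/self/ns entry it needs.
ns_entry_for_flag() {
    case "$1" in
        -N) echo cgroup ;;   # new cgroup namespace
        -p) echo pid ;;      # new PID namespace
        -e) echo net ;;      # new network namespace
        -v) echo mnt ;;      # new VFS (mount) namespace
        -l) echo ipc ;;      # new IPC namespace
        *)  echo "" ;;       # not a namespace flag: always kept as-is
    esac
}

# Usage: supported_minijail_flags NSDIR FLAG...
# Prints the subset of FLAG... that the kernel described by NSDIR
# (normally /proc/self/ns) can honour. Each dropped namespace flag is
# reported on stderr so the degraded sandbox is visible in logs.
supported_minijail_flags() {
    nsdir="$1"; shift
    out=""
    for flag in "$@"; do
        entry="$(ns_entry_for_flag "$flag")"
        if [ -n "$entry" ] && [ ! -e "$nsdir/$entry" ]; then
            echo "minijail: kernel lacks $entry namespace, dropping $flag" >&2
            continue
        fi
        out="$out $flag"
    done
    printf '%s\n' "${out# }"
}

# Stand-alone demo against the live kernel: prints the usable subset of
# a typical flag set; a 3.8 kernel would lose only the -N.
supported_minijail_flags /proc/self/ns -p -e -l -N
```

The printed flag string is what a service wrapper would splice into its `minijail0` invocation in place of a hard-coded `-N`.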
Jun 6 2018
i think we've decided to just wait this one out ? in a year or two, all linux-3.8 devices should be EOL.
Jun 21 2018
Aug 8
According to https://cros-goldeneye.corp.google.com/chromeos/console/listDevice, the last device with 3.8 kernel is the LG monroe chromebook whose update support ends in 2020-06-30.
Aug 8
We should probably go back through the services running with minijail at that time and add the -N flag where it makes sense.
Aug 8
Aug 8
yes, the plan would be, once we no longer ship 3.8, we'll go through all the services and drop in -N. i'm not sure we have any services that wouldn't use it tbh as our cgroup utilization has been quite low.
Aug 8
3.10 does not have cgroup namespaces either and we will not backport them there, the effort would be too much.
Comment 1 by jorgelo@chromium.org, Jun 6 2017