Clean up and organize the Android Seccomp-BPF renderer policy
Issue description

As part of issue 730066, I am moving the Android baseline seccomp policy from //content into //sandbox. However, in the process I noticed that there are quite a few similar allowances between the Android baseline policy and the Linux renderer policy: https://cs.chromium.org/chromium/src/content/common/sandbox_linux/bpf_renderer_policy_linux.cc?sq=package:chromium&dr=CSs.

It would be nice if the //content baseline policy https://cs.chromium.org/chromium/src/content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h?sq=package:chromium&dr=CSs could selectively use sandbox::BaselinePolicy or sandbox::BaselinePolicyAndroid. Then the Android renderer policy could leverage the RendererProcessPolicy, rather than defining those allowances itself.

In addition, it could be more clear to make the long switch statement of allowances be organized into syscall sets, like in the baseline policy. TBD on that, depending on how reconciling RendererProcessPolicy with BaselinePolicyAndroid goes.
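The layering proposed in the issue description, as an added example that is not part of the original report and is not Chromium code: a simplified C++ model in which allowances are grouped into syscall sets and one renderer layer sits on top of a selectable baseline. The class names (ModelBaseline, ModelBaselineAndroid, ModelRendererPolicy), the helper MakeRendererPolicy, and the syscalls placed in each set are hypothetical.

```cpp
// Simplified model of the proposed layering; not Chromium code. Class names
// and the syscalls in each set are hypothetical, chosen for illustration.
#include <sys/syscall.h>
#include <memory>
#include <utility>

enum class Action { kAllow, kDeny };

// Syscall sets: one named predicate per group instead of one long switch.
bool IsBasicIo(int nr) { return nr == SYS_read || nr == SYS_write || nr == SYS_close; }
bool IsScheduling(int nr) { return nr == SYS_sched_getparam || nr == SYS_sched_setscheduler; }
bool IsAndroidExtra(int nr) { return nr == SYS_ioctl || nr == SYS_madvise; }

struct Policy {
  virtual ~Policy() = default;
  virtual Action Evaluate(int nr) const = 0;
};

// Default-deny baseline shared by every platform in this model.
struct ModelBaseline : Policy {
  Action Evaluate(int nr) const override {
    return IsBasicIo(nr) ? Action::kAllow : Action::kDeny;
  }
};

// Android baseline: the common baseline plus platform-specific allowances.
struct ModelBaselineAndroid : ModelBaseline {
  Action Evaluate(int nr) const override {
    return IsAndroidExtra(nr) ? Action::kAllow : ModelBaseline::Evaluate(nr);
  }
};

// Renderer allowances are written once and defer everything else to whichever
// baseline was injected, so the Android renderer does not restate them.
class ModelRendererPolicy : public Policy {
 public:
  explicit ModelRendererPolicy(std::unique_ptr<Policy> base) : base_(std::move(base)) {}
  Action Evaluate(int nr) const override {
    return IsScheduling(nr) ? Action::kAllow : base_->Evaluate(nr);
  }
 private:
  std::unique_ptr<Policy> base_;
};

std::unique_ptr<Policy> MakeRendererPolicy(bool android) {
  std::unique_ptr<Policy> base;
  if (android) base.reset(new ModelBaselineAndroid);
  else base.reset(new ModelBaseline);
  return std::unique_ptr<Policy>(new ModelRendererPolicy(std::move(base)));
}
```

Anything that no layer names, such as ptrace in this model, falls through to the default-deny result of the baseline on both platforms.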

Jul 12 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5fb31977a3765bdece87afb6f5ae55331a627ade

commit 5fb31977a3765bdece87afb6f5ae55331a627ade
Author: Robert Sesek <rsesek@chromium.org>
Date: Wed Jul 12 00:21:40 2017

Create a new sandbox::SeccompStarterAndroid class.

This wraps common functionality for build- and run-time detection of applying the Seccomp-BPF sandbox on Android. Refactoring this out of //content will make it easier for other processes to start the Seccomp sandbox.

Bug: 730066
Bug: 739879
Change-Id: Ib75003979e662865e9557c9c4f1d7b705c0692bf
Reviewed-on: https://chromium-review.googlesource.com/563739
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485743}

[modify] https://crrev.com/5fb31977a3765bdece87afb6f5ae55331a627ade/content/public/renderer/BUILD.gn
[modify] https://crrev.com/5fb31977a3765bdece87afb6f5ae55331a627ade/content/public/renderer/seccomp_sandbox_status_android.h
[modify] https://crrev.com/5fb31977a3765bdece87afb6f5ae55331a627ade/content/renderer/renderer_main_platform_delegate_android.cc
[modify] https://crrev.com/5fb31977a3765bdece87afb6f5ae55331a627ade/content/renderer/seccomp_sandbox_status_android.cc
[modify] https://crrev.com/5fb31977a3765bdece87afb6f5ae55331a627ade/content/renderer/seccomp_sandbox_status_android.h
[modify] https://crrev.com/5fb31977a3765bdece87afb6f5ae55331a627ade/sandbox/linux/BUILD.gn
[add] https://crrev.com/5fb31977a3765bdece87afb6f5ae55331a627ade/sandbox/linux/seccomp-bpf-helpers/seccomp_starter_android.cc
[add] https://crrev.com/5fb31977a3765bdece87afb6f5ae55331a627ade/sandbox/linux/seccomp-bpf-helpers/seccomp_starter_android.h

Jul 13 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d4b1c1382e85b3a00de286b3db957156462e7385

commit d4b1c1382e85b3a00de286b3db957156462e7385
Author: Robert Sesek <rsesek@chromium.org>
Date: Thu Jul 13 21:22:05 2017

Add missing dependency for //sandbox/linux:seccomp_starter_android

Commit 5fb31977a3765bdece87afb6f5ae55331a627ade added this new target but didn't depend on the //sandbox:sandbox_features target so it failed to compile:

In file included from ../../sandbox/linux/seccomp-bpf-helpers/seccomp_starter_android.cc:5:
../../sandbox/linux/seccomp-bpf-helpers/seccomp_starter_android.h:10:10: fatal error: 'sandbox/sandbox_features.h' file not found
#include "sandbox/sandbox_features.h"

NOTRY=true

Bug: 742028
Bug: 730066
Bug: 739879
Change-Id: Ib0bc9f34f0cbf35be0f9f3cf412cd0fdcf678f3f
Reviewed-on: https://chromium-review.googlesource.com/570514
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Glenn Hartmann <hartmanng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486479}

[modify] https://crrev.com/d4b1c1382e85b3a00de286b3db957156462e7385/sandbox/linux/BUILD.gn

Comment 1 by bugdroid1@chromium.org, Jul 7 2017