
Issue 795841


Issue metadata

Status: Fixed
Owner:
Closed: Jul 31
Cc:
Components:
EstimatedDays: 10
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature

Blocked on:
issue 876480

Blocking:
issue 788213




Introduce a transparent wrapper that minijail’s mosys

Project Member Reported by jclinton@chromium.org, Dec 18 2017

Issue description

From the Hardening Mosys design doc: https://docs.google.com/document/d/1MkBUhp6KURhB2HArB7QYcrMpU8z1PQgknU-hx8c4K2k/edit

This feature bug will track adding a transparent wrapper (in compiled binary form) that will minijail mosys when running as root. The binary will need bindings to minijail and will also need to have a seccomp-bpf filter derived and installed with the jail.

The filter can be derived by using a new-ish feature: SECCOMP_RET_LOG. This will give us a list of syscalls issued on a particular platform. We probably need to write an Autotest or Tast test to gather this on all hardware.
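
Added example (not part of the original issue or of the mosys code base): one way to turn the kernel audit records produced by a SECCOMP_RET_LOG run into minijail policy lines of the form `name: 1`. The helper names `field` and `derive_policy`, the shortened x86_64 syscall table, the audit record layout and the sample records are assumptions made for illustration.

```rust
use std::collections::BTreeSet;

// Assumption: excerpt of the x86_64 syscall table. A real tool needs the full
// table for every arch= value it meets (the fix ships amd64 and arm policies).
const X86_64: &[(u32, &str)] = &[
    (0, "read"), (1, "write"), (3, "close"), (9, "mmap"),
    (16, "ioctl"), (231, "exit_group"), (257, "openat"),
];
const AUDIT_ARCH_X86_64: &str = "c000003e";
const SECCOMP_RET_LOG: &str = "0x7ffc0000"; // action value seen in the code= field

/// Value of `key=` in a whitespace-separated audit record, if present.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    line.split_whitespace().find_map(|tok| tok.strip_prefix(key)?.strip_prefix('='))
}

/// Build minijail policy text for `comm`. Syscall numbers missing from the
/// table are returned separately so they are never silently left out.
fn derive_policy(log: &str, comm: &str) -> (String, Vec<u32>) {
    let (mut names, mut unknown) = (BTreeSet::new(), BTreeSet::new());
    let want_comm = format!("\"{}\"", comm);
    for line in log.lines() {
        // Keep only logged (not killed or trapped) calls of the target binary.
        if field(line, "code") != Some(SECCOMP_RET_LOG)
            || field(line, "arch") != Some(AUDIT_ARCH_X86_64)
            || field(line, "comm") != Some(want_comm.as_str())
        {
            continue;
        }
        if let Some(nr) = field(line, "syscall").and_then(|v| v.parse::<u32>().ok()) {
            match X86_64.iter().find(|(n, _)| *n == nr) {
                Some((_, name)) => { names.insert(*name); }
                None => { unknown.insert(nr); }
            }
        }
    }
    let policy = names.iter().map(|n| format!("{}: 1\n", n)).collect();
    (policy, unknown.into_iter().collect())
}

// Constructed sample records, not captured from a device.
const SAMPLE: &str = r#"
type=SECCOMP msg=audit(1532978728.101:90): uid=0 pid=4242 comm="mosys" exe="/usr/sbin/mosys" sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f00 code=0x7ffc0000
type=SECCOMP msg=audit(1532978728.102:91): uid=0 pid=4242 comm="mosys" exe="/usr/sbin/mosys" sig=0 arch=c000003e syscall=16 compat=0 ip=0x7f00 code=0x7ffc0000
type=SECCOMP msg=audit(1532978728.103:92): uid=0 pid=4242 comm="mosys" exe="/usr/sbin/mosys" sig=0 arch=c000003e syscall=5 compat=0 ip=0x7f00 code=0x7ffc0000
type=SECCOMP msg=audit(1532978728.104:93): uid=0 pid=4300 comm="cat" exe="/bin/cat" sig=0 arch=c000003e syscall=0 compat=0 ip=0x7f00 code=0x7ffc0000
"#;

fn main() {
    let (policy, unknown) = derive_policy(SAMPLE, "mosys");
    print!("{}# unmapped syscall numbers: {:?}\n", policy, unknown);
}
```

A policy built this way only covers the code paths exercised during the logging run, which is why gathering the records on every hardware platform matters.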

 
Labels: -Type-Bug Type-Feature
Owner: samanthamiller@chromium.org
Status: Started (was: Available)
Samantha has a draft implementation at https://chromium-review.googlesource.com/1110337 .
Project Member

Comment 3 by bugdroid1@chromium.org, Jul 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/7462563ba8af65c0647e9c2bb7d854746487639c

commit 7462563ba8af65c0647e9c2bb7d854746487639c
Author: Samantha Miller <samanthamiller@google.com>
Date: Mon Jul 30 19:25:29 2018

mosys: Move mosys into a minijail

BUG= chromium:795841 
TEST=built and ran on coral, bob, and caroline
CQ-DEPEND=CL:1110337

Change-Id: I4094ce95e6dfff5bbb99e7fd263f4c3fbd7736b9
Reviewed-on: https://chromium-review.googlesource.com/1121211
Commit-Ready: Samantha Miller <samanthamiller@google.com>
Tested-by: Samantha Miller <samanthamiller@google.com>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/7462563ba8af65c0647e9c2bb7d854746487639c/sys-apps/mosys/mosys-9999.ebuild

Project Member

Comment 4 by bugdroid1@chromium.org, Jul 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/mosys/+/d955e3dede7dcdd481709943b4a2041da7a89435

commit d955e3dede7dcdd481709943b4a2041da7a89435
Author: Samantha Miller <samanthamiller@google.com>
Date: Mon Jul 30 19:25:28 2018

mosys: Put mosys into a minijail

BUG= chromium:795841 
TEST=built and ran on coral, bob, and caroline
CQ-DEPEND=CL:1121211

Change-Id: I190405d67a1c46308428dea2f640058b6324ce10
Reviewed-on: https://chromium-review.googlesource.com/1110337
Commit-Ready: Samantha Miller <samanthamiller@google.com>
Tested-by: Samantha Miller <samanthamiller@google.com>
Reviewed-by: Jason Clinton <jclinton@chromium.org>

[modify] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/src/main.rs
[add] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/io_jail/src/lib.rs
[add] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/io_jail/Cargo.toml
[modify] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/src/lib.rs
[add] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/io_jail/src/test_filter.policy
[modify] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/Cargo.lock
[add] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/io_jail/README
[modify] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/Cargo.toml
[add] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/seccomp/mosys-seccomp-amd64.policy
[add] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/io_jail/src/libminijail.rs
[add] https://crrev.com/d955e3dede7dcdd481709943b4a2041da7a89435/seccomp/mosys-seccomp-arm.policy

Status: Fixed (was: Started)
Nice work, Samantha!
Blockedon: 876480
