New issue
Advanced search Search tips

Issue 854832 link

Starred by 0 users

Issue metadata

Status: Available
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature

Blocking:
issue 764455



Sign in to add a comment

minijail: support cgroups device management

Project Member Reported by vapier@chromium.org, Jun 20 2018

Issue description

cgroups has a device controller that allows us to control access to device nodes based on their major/minor/type characteristics.  that means, in addition to mounting a subset of /dev nodes, we could further prevent people from running mknod() on a unique path and then using that new node to bypass our set.

this would also help in cases like rsyslog where we can't create a unique /dev because of how /dev/log is managed, so all of /dev is visible.  but we'd be able to deny access to those nodes via cgroups.

we might want to start the work but not deploy it until linux-3.8 cycles out as i think it'd rely (at least for sanity sake) on cgroups namespaces.

current docs:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/v4.17/Documentation/cgroup-v1/devices.txt

 

Comment 1 by vapier@chromium.org, Jun 21 2018

Components: OS>Systems>Minijail

Comment 2 by vapier@chromium.org, Jun 21 2018

Blocking: 764455

Sign in to add a comment