CRAS: Add seccomp policy files to adhd/cras
Issue description

I've uploaded a CL to add seccomp policy files in https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/1136345/2 but things are not working smoothly for the ioctl syscall :( Basically, when I specify all the ioctl arguments in the arg whitelist, minijail0/cras crashes. And I just figured out that there are two issues in it:

(1) minijail has a line length limit of 1024, per: https://chromium.googlesource.com/chromiumos/platform/minijail/+/master/syscall_filter.c#14 and we just have so many arguments to whitelist, as in asound.h https://chromium.googlesource.com/chromiumos/third_party/kernel/+/chromeos-4.4/include/uapi/sound/asound.h#260

(2) After I doubled the limit to 2048, I still see CRAS got blocked at the ioctl syscall. It turns out it's a problem in alsa-lib, where SNDRV_CTL_IOCTL_TLV_* is first set to a local int and then passed to ioctl(), where "unsigned long" arg1 is accepted. http://git.alsa-project.org/?p=alsa-lib.git;a=blob;f=src/control/control_hw.c#l238

So we should fix (1) and (2) above, and then we're close to landing the seccomp policy files.
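The mismatch described in (2), as an added example that is not code from alsa-lib, minijail or the CL: it models what a seccomp filter sees in `args[1]` when a request with bit 31 set is held in an `int` before being converted to `ioctl()`'s `unsigned long` parameter. It assumes an LP64 target and a filter that compares the full 64-bit argument; the request values are built from the generic Linux ioctl number layout, `CTRL_WRITE` is a constructed request, and `policy_allows` is a hypothetical stand-in for an `arg1 == VALUE` whitelist rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic Linux ioctl layout: dir[31:30] size[29:16] type[15:8] nr[7:0]. */
#define IOC(dir, type, nr, size) \
    (((uint32_t)(dir) << 30) | ((uint32_t)(size) << 16) | \
     ((uint32_t)(type) << 8) | (uint32_t)(nr))
/* _IOWR('U', 0x1a, 8-byte TLV header), i.e. SNDRV_CTL_IOCTL_TLV_READ. */
#define TLV_READ   IOC(3u, 'U', 0x1a, 8u)
/* Constructed write-only request used as a control: bit 31 is clear. */
#define CTRL_WRITE IOC(1u, 'U', 0x00, 4u)

/* args[1] when the request passes through a signed int on its way to
   ioctl()'s unsigned long parameter (modelled as 64 bits, LP64). */
static uint64_t arg1_via_int(uint32_t request)
{
    int local = (int)request;         /* negative on gcc/clang if bit 31 set */
    return (uint64_t)(int64_t)local;  /* sign extension fills bits 63..32 */
}

/* The same request held in an unsigned type: zero extension. */
static uint64_t arg1_via_unsigned(uint32_t request)
{
    unsigned int local = request;
    return (uint64_t)local;
}

/* Hypothetical stand-in for an "arg1 == A || arg1 == B" policy rule. */
static int policy_allows(uint64_t arg1, const uint64_t *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (arg1 == allowed[i])
            return 1;
    return 0;
}

int main(void)
{
    const uint64_t allowed[] = { TLV_READ, CTRL_WRITE };
    const uint32_t reqs[] = { TLV_READ, CTRL_WRITE };
    for (size_t i = 0; i < 2; i++) {
        uint64_t s = arg1_via_int(reqs[i]), u = arg1_via_unsigned(reqs[i]);
        printf("0x%08x int: 0x%016llx %s | unsigned: 0x%016llx %s\n", reqs[i],
               (unsigned long long)s, policy_allows(s, allowed, 2) ? "allow" : "BLOCK",
               (unsigned long long)u, policy_allows(u, allowed, 2) ? "allow" : "BLOCK");
    }
    return 0;
}
```

Only requests whose direction bits include read (bit 31) change value through the `int`; the write-only control request matches the whitelist either way.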
Aug 7

Aug 9

Aug 30
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/c63919d7c78f57739bd9bc509c75b5de107d8aad

commit c63919d7c78f57739bd9bc509c75b5de107d8aad
Author: Hsin-Yu Chao <hychao@chromium.org>
Date: Thu Aug 30 16:52:52 2018

alsa-lib: Apply upstream patches

This change copies alsa-lib-1.1.6 from portage-stable and applies below patch from upstream.
7c5c0500 seq: Fix signedness in MIDI encoder/decoder
a8491636 control_hw: Fix issue when applying seccomp policy

BUG=chromium:870321, chromium:843791
TEST=emerge and deploy alsa-lib, apply seccomp policy file for adhd to verify ioctl doesn't get blocked. Run midis unit tests with fuzzer and asan.

Change-Id: Ide0fcf97a3c4c3f20cde52d9964cb75a87d3fc13
Reviewed-on: https://chromium-review.googlesource.com/1175652
Commit-Ready: Hsinyu Chao <hychao@chromium.org>
Tested-by: Hsinyu Chao <hychao@chromium.org>
Reviewed-by: Prashant Malani <pmalani@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/alsa-lib-1.1.6-r2.ebuild
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/files/0001-control_hw-Fix-issue-when-applying-seccomp-policy.patch
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/files/alsa-lib-1.1.6-missing_files.patch
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/files/0002-seq-Fix-signedness-in-MIDI-encoder-decoder.patch
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/Manifest
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/metadata.xml
Aug 31

There are 3 other CLs that landed for this, and I forgot to associate them with the bug:
https://chromium-review.googlesource.com/1149767
https://chromium-review.googlesource.com/1149769
https://chromium-review.googlesource.com/1136345

I'll do some tests on the M70 image first and then request an M69 merge.
Sep 27

It has been a few weeks since we added seccomp files in M70, and things are looking stable. Requesting a merge to M69, so we can test system AEC on CFM (board Buddy).
Oct 17

No longer need this in 69. Mark as fixed now.
Comment 1 by hychao@chromium.org, Aug 6