Add seccomp policy for biod
Issue description
We should add seccomp filters for biod, as per https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md#seccomp-filters
Jan 7
Jan 7
Yes
Jan 7
Don't forget our friends in the biod/tools directory too! :)
Jan 7
pmalani@ Thanks for the reminder. The docs for seccomp filters show how to use them with minijail arguments. We have upstart jobs that run minijail for biod and bio_crypto_init, so those definitely need seccomp filters. However, the other tools (bio_wash and biod_client_tool) don't have an upstart job running minijail. It looks like bio_wash is called from "clobber-state": http://cs/chromeos_public/src/platform2/init/clobber_state.cc?l=335-345&rcl=80c7b00e09f0505d39a7848e8e8311a7c6574d85. Should bio_wash have a seccomp filter? biod_client_tool probably only needs to be in the test image (and no seccomp)?
Jan 8
Also, the seccomp policies are architecture-specific. Currently all variants that have FP are amd64, right?
Jan 8
comment #5: Agreed, bio_wash and biod_client_tool don't really need a seccomp filter. biod_client_tool is only present in the dev and test images; it's installed in /usr/local.
comment #6: Yep, only amd64 at the moment.
Jan 9
Jan 11
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/d42a9fef964b5bd8aeb6438c3a4c6cc2db9d4ab9

commit d42a9fef964b5bd8aeb6438c3a4c6cc2db9d4ab9
Author: Tom Hughes <tomhughes@chromium.org>
Date: Fri Jan 11 21:32:04 2019

biod: install biod seccomp policy

BUG= chromium:919529
TEST=emerge-nocturne biod

CQ-DEPEND=I061de1deec7ad019ba8591f2e13f8ec969f3bfd0
Change-Id: I76d4f26bec566b91c6fda0c852608fcc518cd295
Reviewed-on: https://chromium-review.googlesource.com/1401255
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/d42a9fef964b5bd8aeb6438c3a4c6cc2db9d4ab9/chromeos-base/biod/biod-9999.ebuild
Jan 11
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/e3bf1fad6527148cbc5a0dd42f394f0736516365

commit e3bf1fad6527148cbc5a0dd42f394f0736516365
Author: Tom Hughes <tomhughes@chromium.org>
Date: Fri Jan 11 21:32:05 2019

biod: install bio_crypto_init seccomp policy

BUG= chromium:919529
TEST=emerge-nocturne biod

CQ-DEPEND=Id0b426df173e9c10c712a4687cffbc7c85cb28d3
Change-Id: Ib7b8a19ad82b082928e2a6bc99508864f3b02566
Reviewed-on: https://chromium-review.googlesource.com/1404135
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/e3bf1fad6527148cbc5a0dd42f394f0736516365/chromeos-base/biod/biod-9999.ebuild
Jan 11
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/abeb2346c8dfb92efa06c2a1f013346719af3de9

commit abeb2346c8dfb92efa06c2a1f013346719af3de9
Author: Tom Hughes <tomhughes@chromium.org>
Date: Fri Jan 11 21:32:04 2019

biod: seccomp policy for daemon

Also add a helper script (run_biod_strace.sh) to make it easy to
capture the syscall strace output, which can then be processed with
~/chromiumos/src/aosp/external/minijail/tools/generate_seccomp_policy.py

Currently the only devices with fingerprint are amd64, so that is the
only seccomp policy.

BUG= chromium:919529
TEST=Add fingerprint, verify unlock works
TEST=Delete fingerprint; verify fingerprint deleted on filesystem

CQ-DEPEND=I76d4f26bec566b91c6fda0c852608fcc518cd295
Change-Id: I061de1deec7ad019ba8591f2e13f8ec969f3bfd0
Reviewed-on: https://chromium-review.googlesource.com/1401346
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/abeb2346c8dfb92efa06c2a1f013346719af3de9/biod/init/seccomp/run_biod_strace.sh
[add] https://crrev.com/abeb2346c8dfb92efa06c2a1f013346719af3de9/biod/init/seccomp/biod-seccomp-amd64.policy
[modify] https://crrev.com/abeb2346c8dfb92efa06c2a1f013346719af3de9/biod/init/biod.conf
Jan 11
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/f3effa386bb84b2f43db55db358a3d5e6e3b848d

commit f3effa386bb84b2f43db55db358a3d5e6e3b848d
Author: Tom Hughes <tomhughes@chromium.org>
Date: Fri Jan 11 21:32:05 2019

biod: seccomp for bio_crypto_init

Also add a helper script (run_bio_crypto_init_strace.sh) to make it easy to
capture the syscall strace output, which can then be processed with
~/chromiumos/src/aosp/external/minijail/tools/generate_seccomp_policy.py

Currently the only devices with fingerprint are amd64, so that is the
only seccomp policy.

BUG= chromium:919529
TEST=reboot; verify log messages in /var/log/bio_crypto_init/bio_crypto_init.log
TEST=Add fingerprint, verify unlock works
TEST=Delete fingerprint; verify fingerprint deleted on filesystem

CQ-DEPEND=Ib7b8a19ad82b082928e2a6bc99508864f3b02566
Change-Id: Id0b426df173e9c10c712a4687cffbc7c85cb28d3
Reviewed-on: https://chromium-review.googlesource.com/1403897
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/f3effa386bb84b2f43db55db358a3d5e6e3b848d/biod/init/seccomp/bio-crypto-init-seccomp-amd64.policy
[add] https://crrev.com/f3effa386bb84b2f43db55db358a3d5e6e3b848d/biod/init/seccomp/run_bio_crypto_init_strace.sh
[modify] https://crrev.com/f3effa386bb84b2f43db55db358a3d5e6e3b848d/biod/init/bio_crypto_init.conf
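
Added example, not code from these CLs or from minijail's generate_seccomp_policy.py: a coverage check for the strace-then-policy workflow the two commit messages describe, listing syscalls that appear in a captured trace but have no rule in a policy file. It assumes minijail's one `name: expression` rule per line with `#` comments; the function names, sample trace and sample policy are constructed for illustration.

```python
import re

# One syscall entry line: optional strace -f pid prefix, optional -t/-tt/-ttt
# timestamp, then "name(". Resumed, signal and exit lines do not match.
_CALL = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:\d+(?::\d+)*(?:\.\d+)?\s+)?"
    r"([a-z_][a-z0-9_]*)\(")

def traced_syscalls(strace_text):
    """Return {syscall name: times entered} from strace output."""
    counts = {}
    for line in strace_text.splitlines():
        m = _CALL.match(line.strip())
        if m:  # "<unfinished ...>" counts here; "<... resumed>" is skipped
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def policy_syscalls(policy_text):
    """Return the syscall names that have a rule in the policy text."""
    names = set()
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        # Lines starting with "@" are treated as directives, not rules.
        if line and not line.startswith("@") and ":" in line:
            names.add(line.split(":", 1)[0].strip())
    return names

def uncovered(strace_text, policy_text):
    """Traced syscalls with no policy rule, most frequent first."""
    seen, allowed = traced_syscalls(strace_text), policy_syscalls(policy_text)
    return sorted((n for n in seen if n not in allowed),
                  key=lambda n: (-seen[n], n))

# Constructed sample inputs (not taken from biod or from the CLs above).
SAMPLE_TRACE = """\
[pid  2101] openat(AT_FDCWD, "/dev/example_sensor", O_RDWR) = 5
[pid  2101] ioctl(5, 0xc0140001, 0x7ffd0000) = 0
[pid  2101] read(5,  <unfinished ...>
[pid  2102] epoll_wait(4, [], 32, 0) = 0
[pid  2101] <... read resumed> "", 64) = 0
[pid  2102] sendmsg(7, {msg_name=NULL}, MSG_NOSIGNAL) = 24
[pid  2102] sendmsg(7, {msg_name=NULL}, MSG_NOSIGNAL) = 24
[pid  2102] getrandom("", 16, 0) = 16
[pid  2101] --- SIGCHLD {si_signo=SIGCHLD} ---
[pid  2102] +++ exited with 0 +++
"""
SAMPLE_POLICY = """\
# constructed policy fragment
read: 1
openat: 1
ioctl: arg1 == 0xc0140001
epoll_wait: 1
"""

if __name__ == "__main__":
    for name in uncovered(SAMPLE_TRACE, SAMPLE_POLICY):
        print("missing from policy:", name)
```

The check is name-level only: a syscall that has a rule with an argument filter, such as the `ioctl` line in the sample, counts as covered even if the trace used other argument values.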
Jan 14
Jan 14
Verified policy files (/usr/share/policy/biod-seccomp.policy, /usr/share/policy/bio-crypto-init-seccomp.policy) and upstart changes (/etc/init/biod.conf, /etc/init/bio_crypto_init.conf) are in R73-11582.0.0.
Comment 1 by norvez@chromium.org, Jan 7