
Issue 919538


Issue metadata

Status: Verified
Owner:
Closed: Jan 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Feature
Proj-Fingerprints

Blocked on:
issue 919529




Improve biod sandboxing

Project Member Reported by norvez@chromium.org, Jan 7

Issue description


We're not doing everything listed in the sandboxing guide https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md

Among other things:
- seccomp (see Issue 919529)
- tweaks to namespaces
 
Blockedon: 919529
Project Member

Comment 2 by bugdroid1@chromium.org, Jan 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/415bb7a7c8583767683c346f13a9398443f6343f

commit 415bb7a7c8583767683c346f13a9398443f6343f
Author: Tom Hughes <tomhughes@chromium.org>
Date: Sat Jan 12 22:04:56 2019

biod: enable uts/net/ipc/cgroup/pid minijail namespaces

BUG= chromium:919538 
TEST=Add fingerprint, verify unlock works
TEST=Delete fingerprint; verify fingerprint deleted on filesystem

Change-Id: I70af430c2148c161b89a95a13ac5a5c9d9fbeeee
Reviewed-on: https://chromium-review.googlesource.com/1406268
Commit-Ready: Tom Hughes <tomhughes@chromium.org>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/415bb7a7c8583767683c346f13a9398443f6343f/biod/init/biod.conf

Project Member

Comment 3 by bugdroid1@chromium.org, Jan 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/dc523d4e8781cbafb8bc2a21a8d694f7766c8c52

commit dc523d4e8781cbafb8bc2a21a8d694f7766c8c52
Author: Tom Hughes <tomhughes@chromium.org>
Date: Sat Jan 12 22:04:56 2019

biod: enable uts/net/ipc/cgroup/pid minijail namespaces for bio_crypto_init

BUG= chromium:919538 
TEST=reboot; verify log messages in
     /var/log/bio_crypto_init/bio_crypto_init.log
TEST=Add fingerprint, verify unlock works
TEST=Delete fingerprint; verify fingerprint deleted on filesystem

Change-Id: I8a72e26dcd521c615be21322e2c9c308195c98f5
Reviewed-on: https://chromium-review.googlesource.com/1406961
Commit-Ready: Tom Hughes <tomhughes@chromium.org>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Nicolas Norvez <norvez@chromium.org>

[modify] https://crrev.com/dc523d4e8781cbafb8bc2a21a8d694f7766c8c52/biod/init/bio_crypto_init.conf

Status: Fixed (was: Assigned)
Added seccomp in 919529.

Reviewed the sandboxing doc and the only additional parts missing were restricting namespaces. Added that as part of this bug.

Status: Verified (was: Fixed)
Verified upstart changes for restricting namespaces (/etc/init/biod.conf, /etc/init/bio_crypto_init.conf) are in R73-11582.0.0.

Project Member

Comment 6 by bugdroid1@chromium.org, Jan 18

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/f306e251d031ab976d7ec180166b461a38af4497

commit f306e251d031ab976d7ec180166b461a38af4497
Author: Tom Hughes <tomhughes@chromium.org>
Date: Fri Jan 18 04:20:54 2019

autotest: validate biod/bio_crypto_init namespaces in test

BUG= chromium:919538 
TEST=test_that --board=nocturne <IP> security_SandboxedServices

Change-Id: I813a396d5447d448dea882a954bae2a146cd20f0
Reviewed-on: https://chromium-review.googlesource.com/1410305
Commit-Ready: Tom Hughes <tomhughes@chromium.org>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/f306e251d031ab976d7ec180166b461a38af4497/client/site_tests/security_SandboxedServices/baseline
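
An added example, not part of the original thread and not the code of the security_SandboxedServices test: one way to confirm that a running service no longer shares the uts/net/ipc/cgroup/pid namespaces with init is to compare the `/proc/<pid>/ns` links of both processes. The function names and the constructed `/proc`-like tree below are assumptions made for illustration.

```python
import os

# Namespaces the biod commits in this thread enable via minijail.
WANTED = ("uts", "net", "ipc", "cgroup", "pid")


def ns_ids(pid, proc_root="/proc"):
    """Map namespace name -> link target, e.g. 'net:[4026531992]'."""
    ns_dir = os.path.join(proc_root, str(pid), "ns")
    ids = {}
    for name in os.listdir(ns_dir):
        try:
            ids[name] = os.readlink(os.path.join(ns_dir, name))
        except OSError:
            continue  # unreadable link (not root, process exited): treat as absent
    return ids


def shared_with_init(pid, wanted=WANTED, proc_root="/proc", init_pid=1):
    """Return the wanted namespaces that pid still shares with init.

    Empty list: every wanted namespace is private. A namespace missing on
    either side is reported as shared, so the check fails closed.
    """
    svc, init = ns_ids(pid, proc_root), ns_ids(init_pid, proc_root)
    return [ns for ns in wanted
            if ns not in svc or ns not in init or svc[ns] == init[ns]]


def make_fake_proc(root, layout):
    """Build a constructed /proc-like tree from {pid: {ns_name: inode}}."""
    for pid, spaces in layout.items():
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        for ns, inode in spaces.items():
            os.symlink("%s:[%d]" % (ns, inode), os.path.join(ns_dir, ns))


if __name__ == "__main__":
    import tempfile
    # Constructed sample data: pid 1 is init, pid 100 is fully jailed,
    # pid 200 was started without a private network namespace.
    init = {ns: 4026531835 + i for i, ns in enumerate(WANTED)}
    jailed = {ns: 4026532300 + i for i, ns in enumerate(WANTED)}
    root = tempfile.mkdtemp()
    make_fake_proc(root, {1: init, 100: jailed, 200: dict(jailed, net=init["net"])})
    for pid in (100, 200):
        print(pid, shared_with_init(pid, proc_root=root) or "isolated")
```

On a device, calling `shared_with_init(pid)` as root against the real `/proc` applies the same comparison to a live process.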
