Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(442)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 188193002: Linux sandbox: add basic Yama support (Closed)

Created:
6 years, 9 months ago by jln (very slow on Chromium)
Modified:
6 years, 9 months ago
CC:
chromium-reviews, agl, jln+watch_chromium.org
Visibility:
Public.

Description

Linux sandbox: add basic Yama support This CL adds basic detection of whether or not the Yama LSM module is available, and allow to opt-in and opt-out of its protections. BUG=349673 R=jorgelo@chromium.org, keescook@chromium.org Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=255475

Patch Set 1 #

Total comments: 6

Patch Set 2 : Address comments. Add testing. #

Total comments: 6

Patch Set 3 : Add explicit synchronization. #

Patch Set 4 : Address nits. #

Patch Set 5 : Work on TSAN and better comments. #

Patch Set 6 : Disable ScopedProcessAbort on Android; #

Patch Set 7 : Better comments. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+667 lines, -10 lines) Patch
M sandbox/linux/sandbox_linux.gypi View 1 1 chunk +4 lines, -0 lines 0 comments Download
M sandbox/linux/sandbox_linux_test_sources.gypi View 1 1 chunk +2 lines, -0 lines 0 comments Download
M sandbox/linux/services/broker_process.cc View 1 2 3 4 1 chunk +2 lines, -0 lines 0 comments Download
M sandbox/linux/services/broker_process_unittest.cc View 1 2 3 4 5 1 chunk +0 lines, -6 lines 0 comments Download
A sandbox/linux/services/scoped_process.h View 1 2 3 4 5 6 1 chunk +54 lines, -0 lines 0 comments Download
A sandbox/linux/services/scoped_process.cc View 1 2 3 4 5 1 chunk +119 lines, -0 lines 0 comments Download
A sandbox/linux/services/scoped_process_unittest.cc View 1 2 3 4 5 1 chunk +128 lines, -0 lines 0 comments Download
M sandbox/linux/services/thread_helpers.h View 1 2 chunks +5 lines, -3 lines 0 comments Download
M sandbox/linux/services/thread_helpers.cc View 3 chunks +19 lines, -1 line 0 comments Download
M sandbox/linux/services/thread_helpers_unittests.cc View 1 2 3 4 2 chunks +3 lines, -0 lines 0 comments Download
A sandbox/linux/services/yama.h View 1 2 3 1 chunk +57 lines, -0 lines 0 comments Download
A sandbox/linux/services/yama.cc View 1 2 3 1 chunk +116 lines, -0 lines 0 comments Download
A sandbox/linux/services/yama_unittests.cc View 1 2 1 chunk +152 lines, -0 lines 0 comments Download
M sandbox/linux/tests/unit_tests.h View 1 2 3 4 5 1 chunk +6 lines, -0 lines 0 comments Download

Messages

Total messages: 12 (0 generated)
jln (very slow on Chromium)
Kees, could you please check if yama* makes sense? I'm adding more meaningful unittests before ...
6 years, 9 months ago (2014-03-06 00:25:08 UTC) #1
Kees Cook
lgtm https://codereview.chromium.org/188193002/diff/1/sandbox/linux/services/yama.cc File sandbox/linux/services/yama.cc (right): https://codereview.chromium.org/188193002/diff/1/sandbox/linux/services/yama.cc#newcode29 sandbox/linux/services/yama.cc:29: set_ptracer_arg = PR_SET_PTRACER_ANY; PR_SET_PTRACE_ANY is an extreme disabling ...
6 years, 9 months ago (2014-03-06 00:49:30 UTC) #2
Kees Cook
On 2014/03/06 00:49:30, Kees Cook wrote: > lgtm Though, I wonder if the thread_helpers stuff ...
6 years, 9 months ago (2014-03-06 00:50:09 UTC) #3
mdempsky
https://codereview.chromium.org/188193002/diff/1/sandbox/linux/services/yama.cc File sandbox/linux/services/yama.cc (right): https://codereview.chromium.org/188193002/diff/1/sandbox/linux/services/yama.cc#newcode46 sandbox/linux/services/yama.cc:46: const char kProcfsKernelSysPath[] = "/proc/sys/kernel/"; Can this be made ...
6 years, 9 months ago (2014-03-06 01:56:27 UTC) #4
jln (very slow on Chromium)
Thanks! I've addressed the nits and added testing. I created a new ScopedProcess class for ...
6 years, 9 months ago (2014-03-06 05:06:08 UTC) #5
Jorge Lucangeli Obes
https://chromiumcodereview.appspot.com/188193002/diff/110001/sandbox/linux/services/yama.cc File sandbox/linux/services/yama.cc (right): https://chromiumcodereview.appspot.com/188193002/diff/110001/sandbox/linux/services/yama.cc#newcode70 sandbox/linux/services/yama.cc:70: return SetYamaPtracersRestriction(false /* enabled */); /* disabled */ https://chromiumcodereview.appspot.com/188193002/diff/110001/sandbox/linux/services/yama.h ...
6 years, 9 months ago (2014-03-06 15:42:09 UTC) #6
jln (very slow on Chromium)
Thanks, PTAL! I've also made some changes to ScopedProcess to support explicit synchronization to wait ...
6 years, 9 months ago (2014-03-06 21:43:46 UTC) #7
Jorge Lucangeli Obes
On 2014/03/06 21:43:46, jln wrote: > Thanks, PTAL! > > I've also made some changes ...
6 years, 9 months ago (2014-03-06 21:49:40 UTC) #8
jln (very slow on Chromium)
The CQ bit was checked by jln@chromium.org
6 years, 9 months ago (2014-03-06 22:36:32 UTC) #9
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/jln@chromium.org/188193002/220001
6 years, 9 months ago (2014-03-06 22:50:30 UTC) #10
jln (very slow on Chromium)
Committed patchset #7 manually as r255475 (presubmit successful).
6 years, 9 months ago (2014-03-07 00:24:55 UTC) #11
commit-bot: I haz the power
6 years, 9 months ago (2014-03-07 00:34:29 UTC) #12
Message was sent while issue was closed. 
Try jobs failed on following builders: mac_chromium_compile_dbg

Powered by Google App Engine
This is Rietveld 408576698