Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(171)

Issue 260793003: [MIPS] Add seccomp bpf support (Closed)

Created:
6 years, 7 months ago by nedeljko
Modified:
6 years, 5 months ago
CC:
chromium-reviews, darin-cc_chromium.org, jam, agl, jln+watch_chromium.org, Kees Cook, Will Drewry, szager1
Base URL:
https://git.chromium.org/git/chromium/src.git@master
Visibility:
Public.

Description

[MIPS] Add seccomp bpf support Add support for seccomp bpf sandboxing on MIPS architecture for O32 ABI. Enable testing of seccomp bpf sandbox. Support for seccomp bpf for MIPS was added in Linux kernel version 3.15. BUG=369594 TEST= sandbox_linux_unittests

Patch Set 1 #

Patch Set 2 : Rebase. #

Total comments: 36

Patch Set 3 : Update per code review #

Patch Set 4 : Fix problem with truncation of syscall value in CrashSIGSYS_Handler #

Total comments: 35

Patch Set 5 : Update per code review #

Total comments: 31

Patch Set 6 : Update per code review #

Total comments: 25

Patch Set 7 : Update per code review #

Total comments: 18

Patch Set 8 : Update per code review #

Total comments: 11

Patch Set 9 : Update per code review #

Total comments: 2

Patch Set 10 : Add 8 args syscall support for Mips #

Total comments: 22

Patch Set 11 : Update per code review #

Unified diffs Side-by-side diffs Delta from patch set Stats (+1913 lines, -86 lines) Patch
M build/common.gypi View 1 2 3 4 5 6 7 8 9 10 1 chunk +2 lines, -2 lines 0 comments Download
M components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc View 1 2 3 4 5 6 7 8 9 10 4 chunks +3 lines, -5 lines 0 comments Download
M content/common/sandbox_linux/bpf_gpu_policy_linux.cc View 1 2 3 4 5 6 7 8 9 1 chunk +1 line, -1 line 0 comments Download
M content/common/sandbox_linux/bpf_renderer_policy_linux.cc View 1 2 3 4 5 6 7 1 chunk +1 line, -1 line 0 comments Download
M content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc View 1 2 3 4 5 6 7 8 9 1 chunk +2 lines, -2 lines 0 comments Download
M sandbox/linux/sandbox_linux.gypi View 1 2 3 4 5 6 7 8 2 chunks +4 lines, -1 line 0 comments Download
M sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc View 1 2 3 4 5 6 7 6 chunks +12 lines, -6 lines 0 comments Download
M sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc View 1 2 3 4 5 6 7 3 chunks +27 lines, -3 lines 0 comments Download
M sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h View 1 2 3 4 5 6 7 1 chunk +1 line, -1 line 0 comments Download
M sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc View 1 2 3 4 5 6 7 4 chunks +13 lines, -2 lines 0 comments Download
M sandbox/linux/seccomp-bpf-helpers/syscall_sets.h View 1 2 3 4 5 6 7 3 chunks +7 lines, -3 lines 0 comments Download
M sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc View 1 2 3 4 5 6 7 8 9 10 33 chunks +76 lines, -49 lines 0 comments Download
M sandbox/linux/seccomp-bpf/errorcode.h View 1 2 3 4 5 6 7 1 chunk +5 lines, -0 lines 0 comments Download
M sandbox/linux/seccomp-bpf/linux_seccomp.h View 1 2 3 4 5 6 7 8 9 10 4 chunks +67 lines, -0 lines 0 comments Download
M sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc View 1 2 3 4 5 6 7 8 9 10 3 chunks +9 lines, -1 line 0 comments Download
M sandbox/linux/seccomp-bpf/syscall.h View 1 2 3 4 5 6 7 8 9 10 3 chunks +21 lines, -0 lines 0 comments Download
M sandbox/linux/seccomp-bpf/syscall.cc View 1 2 3 4 5 6 7 8 9 10 4 chunks +104 lines, -0 lines 0 comments Download
M sandbox/linux/seccomp-bpf/syscall_iterator.cc View 1 2 1 chunk +12 lines, -1 line 0 comments Download
M sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc View 1 2 3 4 5 6 7 8 4 chunks +43 lines, -3 lines 0 comments Download
M sandbox/linux/seccomp-bpf/syscall_unittest.cc View 1 2 3 4 5 6 7 8 9 1 chunk +3 lines, -0 lines 0 comments Download
M sandbox/linux/seccomp-bpf/trap.cc View 1 2 3 4 5 6 7 8 9 10 4 chunks +31 lines, -5 lines 0 comments Download
A sandbox/linux/services/android_mips_ucontext.h View 1 chunk +51 lines, -0 lines 0 comments Download
M sandbox/linux/services/android_ucontext.h View 1 chunk +2 lines, -0 lines 0 comments Download
M sandbox/linux/services/linux_syscalls.h View 1 chunk +4 lines, -0 lines 0 comments Download
A sandbox/linux/services/mips_linux_syscalls.h View 1 2 3 4 5 6 7 1 chunk +1412 lines, -0 lines 0 comments Download

Messages

Total messages: 65 (0 generated)
nedeljko
Please take a look at the change. Thanks, Nedeljko
6 years, 7 months ago (2014-04-30 17:39:11 UTC) #1
nedeljko
The CQ bit was checked by nedeljko.babic@imgtec.com
6 years, 7 months ago (2014-04-30 18:08:57 UTC) #2
nedeljko
The CQ bit was unchecked by nedeljko.babic@imgtec.com
6 years, 7 months ago (2014-04-30 18:08:58 UTC) #3
jln (very slow on Chromium)
Here is a first batch of comments. I have created https://crbug.com/369594 to track this and ...
6 years, 7 months ago (2014-05-02 20:42:03 UTC) #4
Kees Cook
https://chromiumcodereview.appspot.com/260793003/diff/10001/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc File sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc (right): https://chromiumcodereview.appspot.com/260793003/diff/10001/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc#newcode48 sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc:48: SyscallSets::IsMipsSpecific(sysno) || ...Private vs ...Specific ?
6 years, 7 months ago (2014-05-02 22:06:35 UTC) #5
nedeljko
New patch added. Please take a look. Thanks, Nedeljko https://chromiumcodereview.appspot.com/260793003/diff/10001/content/common/sandbox_linux/bpf_gpu_policy_linux.cc File content/common/sandbox_linux/bpf_gpu_policy_linux.cc (right): https://chromiumcodereview.appspot.com/260793003/diff/10001/content/common/sandbox_linux/bpf_gpu_policy_linux.cc#newcode101 content/common/sandbox_linux/bpf_gpu_policy_linux.cc:101: ...
6 years, 7 months ago (2014-05-07 15:40:05 UTC) #6
nedeljko
PING
6 years, 7 months ago (2014-05-13 07:41:06 UTC) #7
nedeljko
6 years, 7 months ago (2014-05-13 07:41:34 UTC) #8
nedeljko
Hello, Can someone check if the newest patch set is ok, please. Thanks, Nedeljko
6 years, 7 months ago (2014-05-16 13:00:49 UTC) #9
jln (very slow on Chromium)
On 2014/05/16 13:00:49, nedeljko wrote: > Hello, > > Can someone check if the newest ...
6 years, 7 months ago (2014-05-16 18:54:18 UTC) #10
jln (very slow on Chromium)
Sorry for the long delay. I wanted to land a new unit test suite (basline_policy_unittests.cc) ...
6 years, 7 months ago (2014-05-16 19:30:17 UTC) #11
jln (very slow on Chromium)
https://chromiumcodereview.appspot.com/260793003/diff/50001/sandbox/linux/services/kernel_to_errno.h File sandbox/linux/services/kernel_to_errno.h (right): https://chromiumcodereview.appspot.com/260793003/diff/50001/sandbox/linux/services/kernel_to_errno.h#newcode19 sandbox/linux/services/kernel_to_errno.h:19: inline int RetValToKernelRet(int ret_val, ucontext_t* ctx) { Let's have ...
6 years, 7 months ago (2014-05-16 21:27:10 UTC) #12
nedeljko
Thank you on your review. I have a few questions. https://codereview.chromium.org/260793003/diff/50001/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc File sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc (right): https://codereview.chromium.org/260793003/diff/50001/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc#newcode54 ...
6 years, 7 months ago (2014-05-19 17:37:22 UTC) #13
jln (very slow on Chromium)
https://chromiumcodereview.appspot.com/260793003/diff/50001/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc File sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc (right): https://chromiumcodereview.appspot.com/260793003/diff/50001/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc#newcode38 sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc:38: if (MIN_SYSCALL) { On 2014/05/19 17:37:23, nedeljko wrote: > ...
6 years, 7 months ago (2014-05-20 01:57:46 UTC) #14
nedeljko
https://codereview.chromium.org/260793003/diff/50001/sandbox/linux/services/kernel_to_errno.h File sandbox/linux/services/kernel_to_errno.h (right): https://codereview.chromium.org/260793003/diff/50001/sandbox/linux/services/kernel_to_errno.h#newcode1 sandbox/linux/services/kernel_to_errno.h:1: // Copyright 2014 The Chromium Authors. All rights reserved. ...
6 years, 7 months ago (2014-05-20 14:36:40 UTC) #15
nedeljko
I changed patch set according to previous review and rebased it to the newest version. ...
6 years, 7 months ago (2014-05-22 17:38:55 UTC) #16
jln (very slow on Chromium)
https://chromiumcodereview.appspot.com/260793003/diff/50001/sandbox/linux/seccomp-bpf/syscall.cc File sandbox/linux/seccomp-bpf/syscall.cc (right): https://chromiumcodereview.appspot.com/260793003/diff/50001/sandbox/linux/seccomp-bpf/syscall.cc#newcode171 sandbox/linux/seccomp-bpf/syscall.cc:171: #elif defined(__mips__) Could Petarj take a look at this? ...
6 years, 7 months ago (2014-05-28 00:06:57 UTC) #17
nedeljko
https://codereview.chromium.org/260793003/diff/70001/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc File sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc (right): https://codereview.chromium.org/260793003/diff/70001/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc#newcode51 sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:51: // we are truncating valid syscall value to offset ...
6 years, 6 months ago (2014-05-28 09:33:43 UTC) #18
nedeljko
Please take a look. Thanks, Nedeljko https://codereview.chromium.org/260793003/diff/70001/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc File sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc (right): https://codereview.chromium.org/260793003/diff/70001/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc#newcode51 sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:51: // we are ...
6 years, 6 months ago (2014-05-29 14:06:44 UTC) #19
jln (very slow on Chromium)
I'm getting very confused by the interface and the conversions between errno and -errno back ...
6 years, 6 months ago (2014-06-03 01:00:32 UTC) #20
nedeljko
On 2014/06/03 01:00:32, jln wrote: > I'm getting very confused by the interface and the ...
6 years, 6 months ago (2014-06-03 15:06:12 UTC) #21
nedeljko
This patch set has all the changes that don't depend on the new interface. Please ...
6 years, 6 months ago (2014-06-03 15:32:18 UTC) #22
nedeljko
Ping. Do I need to do any additional changes before new interface is created? Thanks, ...
6 years, 6 months ago (2014-06-10 08:44:11 UTC) #23
jln (very slow on Chromium)
On 2014/06/10 08:44:11, nedeljko wrote: > Ping. > > Do I need to do any ...
6 years, 6 months ago (2014-06-11 23:39:56 UTC) #24
jln (very slow on Chromium)
On 2014/06/03 15:06:12, nedeljko wrote: > On 2014/06/03 01:00:32, jln wrote: > > One major ...
6 years, 6 months ago (2014-06-13 02:25:49 UTC) #25
jln (very slow on Chromium)
Sorry for the back and forth :( This is not far from ready. As mentioned ...
6 years, 6 months ago (2014-06-13 02:47:37 UTC) #26
jln (very slow on Chromium)
Hey! Just making sure that you saw the previous update. Also FYI, I'll be leaving ...
6 years, 6 months ago (2014-06-17 17:35:50 UTC) #27
nedeljko
Hello, I made requested changes, so ErrnoToKernelRet() function is eliminated and PutValueInUcontext() function is moved ...
6 years, 6 months ago (2014-06-18 13:41:00 UTC) #28
jln (very slow on Chromium)
This is pretty much done. What remains: - Have petarj@ review syscall.cc - Some concern ...
6 years, 6 months ago (2014-06-20 00:37:07 UTC) #29
nedeljko
Requested changes done. Question regarding indirect syscalls with 6 arguments on MIPS still remains. Please ...
6 years, 6 months ago (2014-06-20 14:09:51 UTC) #30
petarj
On 2014/06/20 00:37:07, jln wrote: > This is pretty much done. What remains: > > ...
6 years, 6 months ago (2014-06-20 15:16:24 UTC) #31
jln (very slow on Chromium)
https://chromiumcodereview.appspot.com/260793003/diff/130001/sandbox/linux/seccomp-bpf/trap.cc File sandbox/linux/seccomp-bpf/trap.cc (right): https://chromiumcodereview.appspot.com/260793003/diff/130001/sandbox/linux/seccomp-bpf/trap.cc#newcode187 sandbox/linux/seccomp-bpf/trap.cc:187: SECCOMP_PARM6(ctx)); On 2014/06/20 14:09:51, nedeljko wrote: > On 2014/06/20 ...
6 years, 6 months ago (2014-06-20 21:18:18 UTC) #32
jln (very slow on Chromium)
On 2014/06/20 15:16:24, petarj wrote: > On 2014/06/20 00:37:07, jln wrote: > > This is ...
6 years, 6 months ago (2014-06-20 21:19:40 UTC) #33
petarj
On 2014/06/20 21:19:40, jln wrote: > On 2014/06/20 15:16:24, petarj wrote: > > On 2014/06/20 ...
6 years, 6 months ago (2014-06-21 01:21:18 UTC) #34
nedeljko
On 2014/06/21 01:21:18, petarj wrote: > On 2014/06/20 21:19:40, jln wrote: > > On 2014/06/20 ...
6 years, 6 months ago (2014-06-23 10:33:50 UTC) #35
nedeljko
On 2014/06/23 10:33:50, nedeljko wrote: > On 2014/06/21 01:21:18, petarj wrote: > > On 2014/06/20 ...
6 years, 6 months ago (2014-06-26 08:10:25 UTC) #36
jln (very slow on Chromium)
On 2014/06/26 08:10:25, nedeljko wrote: > Ping. > > How shall we proceed with this? ...
6 years, 6 months ago (2014-06-26 19:22:01 UTC) #37
nedeljko
On 2014/06/26 19:22:01, jln (OOO til July 15th) wrote: > On 2014/06/26 08:10:25, nedeljko wrote: ...
6 years, 5 months ago (2014-06-27 14:11:50 UTC) #38
jln (very slow on Chromium)
On 2014/06/27 14:11:50, nedeljko wrote: > I am ok with this. > > I run ...
6 years, 5 months ago (2014-06-27 18:25:33 UTC) #39
nedeljko
Usage of 8 arguments for syscall enabled for Mips. However, more than six arguments can ...
6 years, 5 months ago (2014-07-09 13:29:57 UTC) #40
nedeljko
Ping. Is this change ok? Thanks, Nedeljko
6 years, 5 months ago (2014-07-14 09:13:19 UTC) #41
mdempsky
Sorry for the delays. Seems generally okay to me, just a handful of nits I ...
6 years, 5 months ago (2014-07-14 18:10:51 UTC) #42
nedeljko
Please have a look. Thanks. https://codereview.chromium.org/260793003/diff/190001/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc File components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc (right): https://codereview.chromium.org/260793003/diff/190001/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc#newcode58 components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc:58: #elif defined(__i386__) || defined(__mips__) ...
6 years, 5 months ago (2014-07-15 15:22:16 UTC) #43
mdempsky
lgtm It looks like there are a couple of other system calls that probably aren't ...
6 years, 5 months ago (2014-07-15 17:32:42 UTC) #44
mdempsky
The CQ bit was checked by mdempsky@chromium.org
6 years, 5 months ago (2014-07-15 17:32:51 UTC) #45
mdempsky
The CQ bit was unchecked by mdempsky@chromium.org
6 years, 5 months ago (2014-07-15 17:32:56 UTC) #46
nedeljko
The CQ bit was checked by nedeljko.babic@imgtec.com
6 years, 5 months ago (2014-07-16 05:46:37 UTC) #47
nedeljko
The CQ bit was unchecked by nedeljko.babic@imgtec.com
6 years, 5 months ago (2014-07-17 07:26:45 UTC) #48
nedeljko
The CQ bit was checked by nedeljko.babic@imgtec.com
6 years, 5 months ago (2014-07-17 07:27:01 UTC) #49
nedeljko
The CQ bit was unchecked by nedeljko.babic@imgtec.com
6 years, 5 months ago (2014-07-17 10:00:45 UTC) #50
nedeljko
The CQ bit was checked by nedeljko.babic@imgtec.com
6 years, 5 months ago (2014-07-17 12:06:24 UTC) #51
nedeljko
On 2014/07/17 12:06:24, nedeljko wrote: > The CQ bit was checked by mailto:nedeljko.babic@imgtec.com Should I ...
6 years, 5 months ago (2014-07-18 10:44:54 UTC) #52
mdempsky
The CQ bit was unchecked by mdempsky@chromium.org
6 years, 5 months ago (2014-07-18 17:07:30 UTC) #53
mdempsky
The CQ bit was checked by mdempsky@chromium.org
6 years, 5 months ago (2014-07-18 17:07:31 UTC) #54
mdempsky
On 2014/07/18 10:44:54, nedeljko wrote: > Should I do something else in order for commit-bot ...
6 years, 5 months ago (2014-07-18 17:08:27 UTC) #55
nedeljko
On 2014/07/18 17:08:27, mdempsky wrote: > On 2014/07/18 10:44:54, nedeljko wrote: > > Should I ...
6 years, 5 months ago (2014-07-21 15:45:18 UTC) #56
jln (very slow on Chromium)
On 2014/07/21 15:45:18, nedeljko wrote: > On 2014/07/18 17:08:27, mdempsky wrote: > > On 2014/07/18 ...
6 years, 5 months ago (2014-07-21 17:06:08 UTC) #57
nedeljko
On 2014/07/21 17:06:08, jln wrote: > On 2014/07/21 15:45:18, nedeljko wrote: > > On 2014/07/18 ...
6 years, 5 months ago (2014-07-22 11:58:46 UTC) #58
jln (very slow on Chromium)
On 2014/07/22 11:58:46, nedeljko wrote: > On 2014/07/21 17:06:08, jln wrote: > > On 2014/07/21 ...
6 years, 5 months ago (2014-07-22 21:21:13 UTC) #59
nedeljko
On 2014/07/22 21:21:13, jln wrote: > > You could ask chromium-dev@ for help. > > ...
6 years, 5 months ago (2014-07-23 12:10:49 UTC) #60
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/nedeljko.babic@imgtec.com/260793003/210001
6 years, 5 months ago (2014-07-24 13:17:57 UTC) #61
commit-bot: I haz the power
FYI, CQ is re-trying this CL (attempt #1). The failing builders are: android_aosp on tryserver.chromium ...
6 years, 5 months ago (2014-07-24 15:19:32 UTC) #62
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 5 months ago (2014-07-24 15:22:45 UTC) #63
commit-bot: I haz the power
Try jobs failed on following builders: chromium_presubmit on tryserver.chromium (http://build.chromium.org/p/tryserver.chromium/builders/chromium_presubmit/builds/82070)
6 years, 5 months ago (2014-07-24 15:22:46 UTC) #64
jln (very slow on Chromium)
6 years, 5 months ago (2014-07-24 17:20:27 UTC) #65
Yeah, let's close (but not delete) this one.

(It looks like the CQ is finally working actually... but never mind).

Powered by Google App Engine
This is Rietveld 408576698