Issue 919203002: Linux Sandbox: add resource limits to NaCl

Issue 919203002: Linux Sandbox: add resource limits to NaCl (Closed)

Created:
5 years, 10 months ago by jln (very slow on Chromium)

Modified:
5 years, 9 months ago

Reviewers:
Mark Seaborn

CC:
chromium-reviews, darin-cc_chromium.org, jam, rickyz+watch_chromium.org, jln+watch_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

Linux Sandbox: add resource limits to NaCl Add address space resource limits to NaCl processes. BUG=455839 Committed: https://crrev.com/97718598d764d4798333044869c7639737bf88bf Cr-Commit-Position: refs/heads/master@{#316286}

Patch Set 1 #

Patch Set 2 : Switch type to rlim_t #

Patch Set 3 : Disable on sanitizers. #

Total comments: 13

Patch Set 4 : Rebase #

Patch Set 5 : Address nits. #

Total comments: 2

Patch Set 6 : Correct typo. #

Created: 5 years, 10 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+142 lines, -19 lines)			Patch
M	components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h	View		1 chunk	+3 lines, -1 line	0 comments	Download
M	components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc	View	1 2 3 4 5	4 chunks	+36 lines, -0 lines	0 comments	Download
M	content/common/sandbox_linux/sandbox_linux.cc	View		3 chunks	+5 lines, -18 lines	0 comments	Download
M	sandbox/linux/BUILD.gn	View	1 2 3	2 chunks	+3 lines, -0 lines	0 comments	Download
M	sandbox/linux/sandbox_linux.gypi	View	1 2 3	1 chunk	+2 lines, -0 lines	0 comments	Download
M	sandbox/linux/sandbox_linux_test_sources.gypi	View		1 chunk	+1 line, -0 lines	0 comments	Download
A	sandbox/linux/services/resource_limits.h	View	1	1 chunk	+30 lines, -0 lines	0 comments	Download
A	sandbox/linux/services/resource_limits.cc	View	1 2 3 4	1 chunk	+26 lines, -0 lines	0 comments	Download
A	sandbox/linux/services/resource_limits_unittests.cc	View	1 2 3 4	1 chunk	+36 lines, -0 lines	0 comments	Download

Messages

Total messages: 13 (3 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

jln (very slow on Chromium)

Mark: so nacl_loader builds with ASAN? I'm surprised (see the failure in PS#2): http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_asan_rel/builds/34972/steps/browser_tests%20%28with%20patch%29

5 years, 10 months ago (2015-02-13 05:20:10 UTC) #3

Mark Seaborn

LGTM https://codereview.chromium.org/919203002/diff/40001/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc File components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc (right): https://codereview.chromium.org/919203002/diff/40001/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc#newcode82 components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc:82: // Add a limit to the brk() heap ...

5 years, 10 months ago (2015-02-13 17:11:54 UTC) #4

jln (very slow on Chromium)

Thanks Mark! https://chromiumcodereview.appspot.com/919203002/diff/40001/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc File components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc (right): https://chromiumcodereview.appspot.com/919203002/diff/40001/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc#newcode82 components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc:82: // Add a limit to the brk() ...

5 years, 10 months ago (2015-02-13 18:00:06 UTC) #6

Thanks Mark!

https://chromiumcodereview.appspot.com/919203002/diff/40001/components/nacl/l...
File components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc (right):

https://chromiumcodereview.appspot.com/919203002/diff/40001/components/nacl/l...
components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc:82: // Add a limit to
the brk() heap that would prevent allocations that can't be
On 2015/02/13 17:11:54, Mark Seaborn wrote:
> This probably has no benefit, because glibc will fall back to mmap() when
brk()
> allocations start failing.  You could perhaps add a comment along the lines of
> "what the hell, might as well do this just in case it helps". :-)

Does NaCl always uses glibc malloc and not tcmalloc?

In tcmalloc I tuned that a while back and it was different between 32 bits and
64 bits and Release and Debug.

Done in any case!

https://chromiumcodereview.appspot.com/919203002/diff/40001/components/nacl/l...
components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc:88: // 128 GB.
On 2015/02/13 17:11:54, Mark Seaborn wrote:
> Can you add some explanation of how we picked this, using my explanation from
> the issue, please?  i.e. Mention the 88GB minimum for x86-64 NaCl.

Done.

https://chromiumcodereview.appspot.com/919203002/diff/40001/components/nacl/l...
components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc:91: const rlim_t
kNewAddressSpaceLimit = std::numeric_limits<uint32_t>::max();
On 2015/02/13 17:11:54, Mark Seaborn wrote:
> Well, this is no limit at all. :-)  You might as well leave out the call in
this
> case and save a few bytes of code size.

This is true because we're enabling this as part of the "layer-2" sandbox (with
seccomp).

But if we didn't have seccomp, this is definitely useful on IA32 if running
under a 64 bits kernel. I'll keep itn as it's nice to not have to rely on
seccomp and have some security in depth.

I added a comment.

https://chromiumcodereview.appspot.com/919203002/diff/40001/sandbox/linux/ser...
File sandbox/linux/services/resource_limits.cc (right):

https://chromiumcodereview.appspot.com/919203002/diff/40001/sandbox/linux/ser...
sandbox/linux/services/resource_limits.cc:8: #include <sys/resource.h>
On 2015/02/13 17:11:54, Mark Seaborn wrote:
> Nit: sort #includes

Done.

https://chromiumcodereview.appspot.com/919203002/diff/40001/sandbox/linux/ser...
File sandbox/linux/services/resource_limits.h (right):

https://chromiumcodereview.appspot.com/919203002/diff/40001/sandbox/linux/ser...
sandbox/linux/services/resource_limits.h:18: class SANDBOX_EXPORT ResourceLimits
{
On 2015/02/13 17:11:54, Mark Seaborn wrote:
> Aside: In my opinion, using a class that will never be instantiated as a
> namespace is a slightly odd style.  But I suppose this is a common style in
> sandbox/?

I think it's even the prevailing style in all of Chromium. base/ is definitely
the same and I see this all over the place. It's rare to see namespaces used
with file scopes.

Moreover "exporting" is much more concise with classes.

https://chromiumcodereview.appspot.com/919203002/diff/40001/sandbox/linux/ser...
File sandbox/linux/services/resource_limits_unittests.cc (right):

https://chromiumcodereview.appspot.com/919203002/diff/40001/sandbox/linux/ser...
sandbox/linux/services/resource_limits_unittests.cc:21: // Not being able to
fork breaks LSAN, so disable on
On 2015/02/13 17:11:54, Mark Seaborn wrote:
> LSAN -> LeakSanitizer perhaps.  (Mentioning LSAN and then ASAN looks like it
> could be a typo if you don't know how they relate.)

Done.

Mark Seaborn

https://chromiumcodereview.appspot.com/919203002/diff/40001/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc File components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc (right): https://chromiumcodereview.appspot.com/919203002/diff/40001/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc#newcode91 components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc:91: const rlim_t kNewAddressSpaceLimit = std::numeric_limits<uint32_t>::max(); On 2015/02/13 18:00:05, jln ...

5 years, 10 months ago (2015-02-13 18:33:41 UTC) #7

jln (very slow on Chromium)

https://chromiumcodereview.appspot.com/919203002/diff/80001/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc File components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc (right): https://chromiumcodereview.appspot.com/919203002/diff/80001/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc#newcode100 components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc:100: // bits when running under 64 bits kerneks. Set ...

5 years, 10 months ago (2015-02-13 18:58:30 UTC) #8

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/919203002/100001

5 years, 10 months ago (2015-02-13 19:00:06 UTC) #10

commit-bot: I haz the power

Patchset 6 (id:??) landed as https://crrev.com/97718598d764d4798333044869c7639737bf88bf Cr-Commit-Position: refs/heads/master@{#316286}

5 years, 10 months ago (2015-02-13 20:59:51 UTC) #12

Mark Seaborn

5 years, 9 months ago (2015-03-09 17:18:19 UTC) #13

Message was sent while issue was closed.

Adding some context now that the rowhammer blog post is published (at
http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-t...):

This change is a rowhammer mitigation, albeit a relatively weak one.  This is a
mitigation to limit the PTE-spraying attack described in the blog post.

This change just brings the NaCl loader process into line with other Chromium
sandboxed processes, which had address space limits before.

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages