docs/seccomp_sandbox_crash_dumping.md - Issue 1309473002: WIP: Migrate Wiki content over to src/docs

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: docs/seccomp_sandbox_crash_dumping.md

Issue 1309473002: WIP: Migrate Wiki content over to src/docs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 ## Introduction

	2 Currently, Breakpad relies on facilities that are disallowed inside the Linux se ccomp sandbox. Specifically, it sets a signal handler to catch faults (currentl y disallowed), forks a new process, and uses ptrace() (also disallowed) to read the memory of the faulted process.

	3

	4 ## Options

	5 There are three ways we could do crash dumping of seccomp-sandboxed processes:

	6 * Find a way to permit signal handling safely inside the sandbox (see below).

	7 * Allow the kernel's core dumper to kick in and write a core file.

	8 * This seems risky because this code tends not to be well-tested.

	9 * This will not work if the process is chrooted, so it would not work if the seccomp sandbox is stacked with the SUID sandbox.

	10 * Have an unsandboxed helper process which ptrace()s the sandboxed process to catch faults.

	11

	12 ## Signal handling in the seccomp sandbox

	13 In case a trusted thread faults with a SIGSEGV, we must make sure that an untrus ted thread cannot register a signal handler that will run in the context of the trusted thread.

	14

	15 Here are some mechanisms that could make this safe:

	16 * sigaltstack() is per-thread. If we opt not to set a signal stack for truste d threads, and set %esp/%rsp to an invalid address, trusted threads will die saf ely if they fault.

	17 * This means the trusted thread cannot set a signal stack on behalf of the u ntrusted thread once the latter has switched to seccomp mode. The signal stack would have to be set up when the thread is created and not subsequently changed.

	18 * clone() has a CLONE\_SIGHAND flag. By omitting this flag, trusted and untru sted threads can have different sets of signal handlers. This means we can opt not to set signal handlers for trusted threads.

	19 * Again, per-thread signal handler sets would mean the trusted thread cannot change signal handlers on behalf of untrusted threads.

	20 * sigprocmask()/pthread\_sigmask(): These can be used to block signal handling in trusted threads.

	21

	22 ## See also

	23 * LinuxCrashDumping

	24 * [Issue 37728](http://code.google.com/p/chromium/issues/detail?id=37728)

OLD	NEW

« no previous file with comments | « docs/script_preprocessor.md ('k') | docs/shift_based_development.md » ('j') | no next file with comments »