Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(342)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: docs/seccomp_sandbox_crash_dumping.md

Issue 1324603002: [Docs] Another round of stylistic fixes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « docs/script_preprocessor.md ('k') | docs/spelling_panel_planning_doc.md » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 ## Introduction 1 # seccomp Sandbox Crash Dumping
2 Currently, Breakpad relies on facilities that are disallowed inside the Linux se ccomp sandbox. Specifically, it sets a signal handler to catch faults (currentl y disallowed), forks a new process, and uses ptrace() (also disallowed) to read the memory of the faulted process. 2
3 Currently, Breakpad relies on facilities that are disallowed inside the Linux
4 seccomp sandbox. Specifically, it sets a signal handler to catch faults
5 (currently disallowed), forks a new process, and uses ptrace() (also disallowed)
6 to read the memory of the faulted process.
3 7
4 ## Options 8 ## Options
9
5 There are three ways we could do crash dumping of seccomp-sandboxed processes: 10 There are three ways we could do crash dumping of seccomp-sandboxed processes:
6 * Find a way to permit signal handling safely inside the sandbox (see below). 11
7 * Allow the kernel's core dumper to kick in and write a core file. 12 * Find a way to permit signal handling safely inside the sandbox (see below).
8 * This seems risky because this code tends not to be well-tested. 13 * Allow the kernel's core dumper to kick in and write a core file.
9 * This will not work if the process is chrooted, so it would not work if the seccomp sandbox is stacked with the SUID sandbox. 14 * This seems risky because this code tends not to be well-tested.
10 * Have an unsandboxed helper process which ptrace()s the sandboxed process to catch faults. 15 * This will not work if the process is chrooted, so it would not work if
16 the seccomp sandbox is stacked with the SUID sandbox.
17 * Have an unsandboxed helper process which `ptrace()`s the sandboxed process
18 to catch faults.
11 19
12 ## Signal handling in the seccomp sandbox 20 ## Signal handling in the seccomp sandbox
13 In case a trusted thread faults with a SIGSEGV, we must make sure that an untrus ted thread cannot register a signal handler that will run in the context of the trusted thread. 21
22 In case a trusted thread faults with a SIGSEGV, we must make sure that an
23 untrusted thread cannot register a signal handler that will run in the context
24 of the trusted thread.
14 25
15 Here are some mechanisms that could make this safe: 26 Here are some mechanisms that could make this safe:
16 * sigaltstack() is per-thread. If we opt not to set a signal stack for truste d threads, and set %esp/%rsp to an invalid address, trusted threads will die saf ely if they fault. 27
17 * This means the trusted thread cannot set a signal stack on behalf of the u ntrusted thread once the latter has switched to seccomp mode. The signal stack would have to be set up when the thread is created and not subsequently changed. 28 * `sigaltstack()` is per-thread. If we opt not to set a signal stack for
18 * clone() has a CLONE\_SIGHAND flag. By omitting this flag, trusted and untru sted threads can have different sets of signal handlers. This means we can opt not to set signal handlers for trusted threads. 29 trusted threads, and set %esp/%rsp to an invalid address, trusted threads
19 * Again, per-thread signal handler sets would mean the trusted thread cannot change signal handlers on behalf of untrusted threads. 30 will die safely if they fault.
20 * sigprocmask()/pthread\_sigmask(): These can be used to block signal handling in trusted threads. 31 * This means the trusted thread cannot set a signal stack on behalf of the
32 untrusted thread once the latter has switched to seccomp mode. The
33 signal stack would have to be set up when the thread is created and not
34 subsequently changed.
35 * `clone()` has a `CLONE_SIGHAND` flag. By omitting this flag, trusted and
36 untrusted threads can have different sets of signal handlers. This means we
37 can opt not to set signal handlers for trusted threads.
38 * Again, per-thread signal handler sets would mean the trusted thread
39 cannot change signal handlers on behalf of untrusted threads.
40 * `sigprocmask()/pthread_sigmask()`: These can be used to block signal
41 handling in trusted threads.
21 42
22 ## See also 43 ## See also
23 * LinuxCrashDumping 44
24 * [Issue 37728](http://code.google.com/p/chromium/issues/detail?id=37728) 45 * [LinuxCrashDumping](linux_crash_dumping.md)
46 * [Issue 37728](https://crbug.com/37728)
OLDNEW
« no previous file with comments | « docs/script_preprocessor.md ('k') | docs/spelling_panel_planning_doc.md » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698