Issue 314903002: Linux sandbox: restrict futex operations.

Issue 314903002: Linux sandbox: restrict futex operations. (Closed)

Created:
6 years, 6 months ago by jln (very slow on Chromium)

Modified:
6 years, 6 months ago

Reviewers:
Mark Seaborn, mdempsky

CC:
chromium-reviews, agl, jln+watch_chromium.org, Mark Seaborn, Kees Cook, Will Drewry

Base URL:
svn://svn.chromium.org/chrome/trunk/src

Visibility:
Public.

More Reviews

Description

Linux sandbox: restrict futex operations. First-pass at restricting futex operations. We ban FUTEX_CMP_REQUEUE_PI, as it is not used throughout Chrome. BUG=377392 R=mdempsky@chromium.org Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=274934

Patch Set 1 #

Total comments: 4

Patch Set 2 : Add own SIGSYS handler. #

Patch Set 3 : Add Android header file. #

Total comments: 2

Patch Set 4 : Address nit #

Created: 6 years, 6 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+112 lines, -5 lines)			Patch
M	sandbox/linux/BUILD.gn	View	1 2	1 chunk	+1 line, -0 lines	0 comments	Download
M	sandbox/linux/sandbox_linux.gypi	View	1 2	1 chunk	+1 line, -0 lines	0 comments	Download
M	sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc	View		2 chunks	+4 lines, -1 line	0 comments	Download
M	sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc	View	1 2	3 chunks	+21 lines, -0 lines	0 comments	Download
M	sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h	View	1	2 chunks	+7 lines, -1 line	0 comments	Download
M	sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc	View	1 2 3	3 chunks	+17 lines, -0 lines	0 comments	Download
M	sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h	View		1 chunk	+3 lines, -0 lines	0 comments	Download
M	sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc	View	1 2	3 chunks	+27 lines, -0 lines	0 comments	Download
M	sandbox/linux/seccomp-bpf-helpers/syscall_sets.h	View		1 chunk	+1 line, -1 line	0 comments	Download
M	sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc	View		1 chunk	+2 lines, -2 lines	0 comments	Download
A	sandbox/linux/services/android_futex.h	View	1 2	1 chunk	+28 lines, -0 lines	0 comments	Download

Messages

Total messages: 12 (0 generated)

Expand Messages | Collapse Messages

jln (very slow on Chromium)

Matthew, this may not be ready, but I wouldn't mind a sanity check.

6 years, 6 months ago (2014-06-04 01:24:55 UTC) #1

mdempsky

https://codereview.chromium.org/314903002/diff/1/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc File sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc (right): https://codereview.chromium.org/314903002/diff/1/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc#newcode251 sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc:251: const int banned_futex_bits = kBannedFutexBits? Also, I don't think ...

6 years, 6 months ago (2014-06-04 04:55:34 UTC) #2

jln (very slow on Chromium)

PTAL! https://codereview.chromium.org/314903002/diff/1/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc File sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc (right): https://codereview.chromium.org/314903002/diff/1/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc#newcode251 sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc:251: const int banned_futex_bits = On 2014/06/04 04:55:34, mdempsky ...

6 years, 6 months ago (2014-06-04 19:30:22 UTC) #3

jln (very slow on Chromium)

The CQ bit was checked by jln@chromium.org

6 years, 6 months ago (2014-06-04 20:10:49 UTC) #6

jln (very slow on Chromium)

The CQ bit was unchecked by jln@chromium.org

6 years, 6 months ago (2014-06-04 20:10:59 UTC) #7

jln (very slow on Chromium)

The CQ bit was checked by jln@chromium.org

6 years, 6 months ago (2014-06-04 20:22:48 UTC) #8

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/jln@chromium.org/314903002/60001

6 years, 6 months ago (2014-06-04 20:24:02 UTC) #9

Mark Seaborn

https://codereview.chromium.org/314903002/diff/60001/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc File sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc (right): https://codereview.chromium.org/314903002/diff/60001/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc#newcode170 sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:170: static const char kSeccompFutexError[] = Nit: alignment is off ...

6 years, 6 months ago (2014-06-04 20:29:40 UTC) #10

jln (very slow on Chromium)

6 years, 6 months ago (2014-06-04 20:40:16 UTC) #11

jln (very slow on Chromium)

6 years, 6 months ago (2014-06-04 22:25:53 UTC) #12

Message was sent while issue was closed.

Committed patchset #4 manually as r274934 (presubmit successful).

Expand Messages | Collapse Messages