Description
Linux sandbox: Allow restricting sched_* on other processes.
Adds a RestrictSchedTarget parameter restriction which only allows
sched_* syscalls if the pid argument is the sandboxed process's pid or
if the pid is 0, which means the current thread. glibc's pthread
implementation sometimes calls these syscalls with pid equal to the
current tid. On these calls, the policy triggers a SIGSYS, and the
SIGSYS handler reruns the syscall with a pid argument of 0.
R=jln@chromium.org
BUG=413855
Committed: https://crrev.com/282ba301cf990ce291c45a05b5226df6804ae271
Cr-Commit-Position: refs/heads/master@{#297059}
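The check this description outlines, modelled as an added example (not Chromium's code): a classic BPF program for `sched_getparam`, evaluated by a small interpreter over constructed syscall records, followed by the trap handler's pid rewrite. The names `build_filter`, `run_filter` and `effective_pid`, the pid and tid values, and the refusal of pids other than the caller's tid are assumptions; a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
#define ARG0_LO offsetof(struct seccomp_data, args) /* low half of args[0], little-endian */

/* Classic BPF: sched_getparam passes only for pid 0 or own_pid, anything else raises SIGSYS. */
static size_t build_filter(struct sock_filter *out, uint32_t own_pid) {
  struct sock_filter prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_getparam, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),       /* other syscalls: not modelled */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_LO + 4),    /* loads are 32-bit: check both halves */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 4),       /* high half set -> trap */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 0),       /* pid == 0 -> allow */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, own_pid, 0, 1), /* pid == own pid -> allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),        /* real filters also check .arch first */
  };
  memcpy(out, prog, sizeof prog);
  return sizeof prog / sizeof prog[0];
}

/* Evaluates the three opcodes used above against one constructed syscall record. */
static uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d) {
  uint32_t a = 0;
  for (size_t pc = 0; pc < n; pc++) {
    if (f[pc].code == (BPF_RET | BPF_K)) return f[pc].k;
    if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&a, (const char *)d + f[pc].k, 4);
    else pc += (a == f[pc].k) ? f[pc].jt : f[pc].jf;  /* JEQ: skip jt or jf instructions */
  }
  return SECCOMP_RET_KILL;
}

/* Pid the syscall finally runs with: unchanged if the filter allows it, 0 if the trap
 * handler sees the caller's own tid, -1 otherwise (refusal is an assumption here). */
static int64_t effective_pid(uint32_t own_pid, uint32_t cur_tid, uint64_t pid_arg) {
  struct sock_filter f[16];
  struct seccomp_data d = { .nr = __NR_sched_getparam, .args = { pid_arg } };
  if (run_filter(f, build_filter(f, own_pid), &d) == SECCOMP_RET_ALLOW) return (int64_t)pid_arg;
  return pid_arg == cur_tid ? 0 : -1;
}
int main(void) { /* constructed ids: process 100, calling thread 105 */
  printf("%lld %lld\n", (long long)effective_pid(100, 105, 105), (long long)effective_pid(100, 105, 1));
}
```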
Patch Set 1
Total comments: 19
Patch Set 2 : Add missing space.
Patch Set 3 : Add missing include.
Patch Set 4 : Ugh, add another missing include.
Patch Set 5 : More includes (sorry for the spam)
Patch Set 6 : Respond to comments, switch test to sched_getparam
Patch Set 7 : Oops, accidentally deleted an include.
Patch Set 8 : Rebase
Total comments: 1
Patch Set 9 : List the supported syscalls.
Messages
Total messages: 14 (2 generated)