crosvm: use tsync for seccomp jails

TSYNC isn't particularly useful for the device jails since they start
with just a single thread. But a useful side effect of having minijail
use TSYNC is that instead of the default SECCOMP_RET_KILL_THREAD behavior,
minijail switches to SECCOMP_RET_TRAP and uses the default signal disposition
which dumps core.

Until SECCOMP_RET_KILL_PROCESS is available on all kernel versions with crosvm,
using TSYNC this way allows killing the entire device process instead of just
one thread. This ensures if seccomp kills a worker thread in a device, the
entire device process will die, and the crosvm main process will exit.

BUG=chromium:799523
TEST=add banned syscall to net device worker thread and ensure crosvm exits

Change-Id: Ie9ebfc90c79dcf49283cb2628dc8d4c848e8385b
Reviewed-on: https://chromium-review.googlesource.com/853302
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Stephen Barber 2018-01-06 17:34:51 -08:00 committed by chrome-bot
parent a0ce5322f7
commit 3b1d8a5773


@ -191,6 +191,9 @@ fn create_base_minijail(root: &Path, seccomp_policy: &Path) -> Result<Minijail>
j.namespace_net();
// Apply the block device seccomp policy.
j.no_new_privs();
// Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill
// the entire device process if a worker thread commits a seccomp violation.
j.set_seccomp_filter_tsync();
j.parse_seccomp_filters(seccomp_policy)
.map_err(|e| Error::DeviceJail(e))?;
j.use_seccomp_filter();
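Review bot: The new comment above `j.set_seccomp_filter_tsync();` should also record what the commit message says, that this is a stopgap until SECCOMP_RET_KILL_PROCESS is available on every kernel crosvm runs on, so that whoever reads this jail setup later knows the TSYNC call exists only for the SECCOMP_RET_TRAP side effect and can be replaced once the proper kill-process action is usable. While touching this block, the pre-existing `// Apply the block device seccomp policy.` line is misleading in `create_base_minijail`, which takes an arbitrary `seccomp_policy: &Path` and is not block-device specific; something like `// Apply the given seccomp policy.` would be accurate. Minor: `.map_err(|e| Error::DeviceJail(e))` can be written `.map_err(Error::DeviceJail)`.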