From 3b1d8a577313891da7d904ce66b6cb03453cccac Mon Sep 17 00:00:00 2001
From: Stephen Barber
Date: Sat, 6 Jan 2018 17:34:51 -0800
Subject: [PATCH] crosvm: use tsync for seccomp jails

TSYNC isn't particularly useful for the device jails since they start with just a single thread. But a useful side effect of having minijail use TSYNC is that instead of the default SECCOMP_RET_KILL_THREAD behavior, minijail switches to SECCOMP_RET_TRAP and uses the default signal disposition which dumps core. Until SECCOMP_RET_KILL_PROCESS is available on all kernel versions with crosvm, using TSYNC this way allows killing the entire device process instead of just one thread. This ensures if seccomp kills a worker thread in a device, the entire device process will die, and the crosvm main process will exit.

BUG=chromium:799523
TEST=add banned syscall to net device worker thread and ensure crosvm exits

Change-Id: Ie9ebfc90c79dcf49283cb2628dc8d4c848e8385b
Reviewed-on: https://chromium-review.googlesource.com/853302
Commit-Ready: Stephen Barber
Tested-by: Stephen Barber
Reviewed-by: Dylan Reid
---
 src/linux.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/linux.rs b/src/linux.rs
index 46faed2753..4ac793fbbb 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -191,6 +191,9 @@ fn create_base_minijail(root: &Path, seccomp_policy: &Path) -> Result
 j.namespace_net();
 // Apply the block device seccomp policy.
 j.no_new_privs();
+ // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill
+ // the entire device process if a worker thread commits a seccomp violation.
+ j.set_seccomp_filter_tsync();
 j.parse_seccomp_filters(seccomp_policy)
 .map_err(|e| Error::DeviceJail(e))?;
 j.use_seccomp_filter();
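Review bot: The whole-process kill this relies on only holds while SIGSYS keeps its default disposition, because SECCOMP_RET_TRAP delivers a catchable signal rather than an uncatchable kill; a SIGSYS handler installed by any thread in the device process would turn a violation into a survivable event, and the added comment does not say so. The call order is also load-bearing: the tsync flag appears to be consulted when `parse_seccomp_filters()` chooses the filter's failure action, so `j.set_seccomp_filter_tsync();` must stay ahead of that call. Suggest expanding the new comment with `// Must precede parse_seccomp_filters(); relies on SIGSYS keeping its default (core-dumping) disposition in the device process.` Since that default disposition dumps core, a device core may carry guest memory, so confirm the host's core-dump handling is acceptable for this. create_base_minijail starts and ends outside this hunk.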