mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2025-01-27 10:36:40 +00:00
crosvm: use tsync for seccomp jails
TSYNC isn't particularly useful for the device jails since they start with just a single thread. But a useful side effect of having minijail use TSYNC is that instead of the default SECCOMP_RET_KILL_THREAD behavior, minijail switches to SECCOMP_RET_TRAP and uses the default signal disposition which dumps core.

Until SECCOMP_RET_KILL_PROCESS is available on all kernel versions with crosvm, using TSYNC this way allows killing the entire device process instead of just one thread.

This ensures if seccomp kills a worker thread in a device, the entire device process will die, and the crosvm main process will exit.

BUG=chromium:799523
TEST=add banned syscall to net device worker thread and ensure crosvm exits

Change-Id: Ie9ebfc90c79dcf49283cb2628dc8d4c848e8385b
Reviewed-on: https://chromium-review.googlesource.com/853302
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
parent
a0ce5322f7
commit
3b1d8a5773
1 changed files with 3 additions and 0 deletions
|
@ -191,6 +191,9 @@ fn create_base_minijail(root: &Path, seccomp_policy: &Path) -> Result<Minijail>
|
||||||
j.namespace_net();
|
j.namespace_net();
|
||||||
// Apply the block device seccomp policy.
|
// Apply the block device seccomp policy.
|
||||||
j.no_new_privs();
|
j.no_new_privs();
|
||||||
|
// Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill
|
||||||
|
// the entire device process if a worker thread commits a seccomp violation.
|
||||||
|
j.set_seccomp_filter_tsync();
|
||||||
j.parse_seccomp_filters(seccomp_policy)
|
j.parse_seccomp_filters(seccomp_policy)
|
||||||
.map_err(|e| Error::DeviceJail(e))?;
|
.map_err(|e| Error::DeviceJail(e))?;
|
||||||
j.use_seccomp_filter();
|
j.use_seccomp_filter();
|
||||||
|
|
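Review bot: The new comment above `j.set_seccomp_filter_tsync();` explains that TSYNC is used only for its SECCOMP_RET_TRAP side effect, but it leaves out the two conditions the behaviour depends on. SECCOMP_RET_TRAP delivers SIGSYS, so the whole device process dies only while SIGSYS keeps its default disposition in the jailed process; the comment should say that device code must not handle, block or ignore SIGSYS. The commit message also describes this as a stopgap until SECCOMP_RET_KILL_PROCESS is available on all kernels, so a TODO referencing chromium:799523 next to the call would keep the workaround from outliving its reason. Separately, the context comment `// Apply the block device seccomp policy.` reads as stale in `create_base_minijail`, which takes an arbitrary `seccomp_policy`; consider rewording it while this block is being touched.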