crosvm

mirrors/crosvm

Fork 0

mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2025-02-06 02:25:23 +00:00

Commit graph

Author	SHA1	Message	Date
Matt Delco	2da6132389	io_jail: add additional apis This change adds additional APIs that are present in the libminijail header file but not in the rust thunk. In particular it adds the API that allows pre-compiled bpf files to be used as a policy file. The native API lacks an API to specify a filename (it only provides an API to provide the contents of the file). BUG=None TEST=Local run of build_test to confirm that both .bpf and .policy files work in a subsequent change. Change-Id: I15510ffa857b501512f3f9905882545f407bcd78 Signed-off-by: Matt Delco <delco@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1914415 Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Dylan Reid <dgreid@chromium.org>	2019-11-16 10:29:04 +00:00
David Tolnay	63c6e2d35c	edition: Update io_jail crate to 2018 edition Separated out of CL:1513058 to make it possible to land parts individually while the affected crate has no other significant CLs pending. This avoids repeatedly introducing non-textual conflicts with new code that adds `use` statements. TEST=cargo check TEST=cargo check --all-features TEST=cargo check --target aarch64-unknown-linux-gnu Change-Id: Id5f2c4f9005498e2357bec5878761c33d2bc3d8b Reviewed-on: https://chromium-review.googlesource.com/1519697 Commit-Ready: David Tolnay <dtolnay@chromium.org> Tested-by: David Tolnay <dtolnay@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: David Tolnay <dtolnay@chromium.org>	2019-04-07 23:24:30 -07:00
Dylan Reid	d6c579fcef	io_jail: Add a wrapper around minijail The io_jail is used to jail io processes run from crosvm. Under the hood it mostly configures a minijail jail to run in. The minijail restrictions are applied when iojail::enter is called. This closes extra FDs and calls minijail_enter. The minijail_run* functions are left out as we don't have a need to exec foreign programs. libminijail will be used to jail separate processes spawned from the main crosvm process. The ability to close all open file descriptors is added. Minijail only closes FDs after forking and before exec. Change-Id: Ida7f52022c934e9e6edeb7b604cd6e6399860cb9 Signed-off-by: Dylan Reid <dgreid@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/505100 Reviewed-by: Zach Reizner <zachr@chromium.org>	2017-05-25 12:25:27 -07:00

Author

SHA1

Message

Date

Matt Delco

2da6132389

io_jail: add additional apis

This change adds additional APIs that are present in the libminijail
header file but not in the rust thunk.  In particular it adds the API
that allows pre-compiled bpf files to be used as a policy file.  The
native API lacks an API to specify a filename (it only provides an API
to provide the contents of the file).

BUG=None
TEST=Local run of build_test to confirm that both .bpf and .policy files
work in a subsequent change.

Change-Id: I15510ffa857b501512f3f9905882545f407bcd78
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1914415
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

2019-11-16 10:29:04 +00:00

David Tolnay

63c6e2d35c

edition: Update io_jail crate to 2018 edition

Separated out of CL:1513058 to make it possible to land parts
individually while the affected crate has no other significant CLs
pending. This avoids repeatedly introducing non-textual conflicts with
new code that adds `use` statements.

TEST=cargo check
TEST=cargo check --all-features
TEST=cargo check --target aarch64-unknown-linux-gnu

Change-Id: Id5f2c4f9005498e2357bec5878761c33d2bc3d8b
Reviewed-on: https://chromium-review.googlesource.com/1519697
Commit-Ready: David Tolnay <dtolnay@chromium.org>
Tested-by: David Tolnay <dtolnay@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: David Tolnay <dtolnay@chromium.org>

2019-04-07 23:24:30 -07:00

Dylan Reid

d6c579fcef

io_jail: Add a wrapper around minijail

The io_jail is used to jail io processes run from crosvm. Under the hood
it mostly configures a minijail jail to run in.  The minijail
restrictions are applied when iojail::enter is called.  This closes
extra FDs and calls minijail_enter.

The minijail_run* functions are left out as we don't have a need to exec
foreign programs.  libminijail will be used to jail separate processes
spawned from the main crosvm process.

The ability to close all open file descriptors is added.  Minijail only
closes FDs after forking and before exec.

Change-Id: Ida7f52022c934e9e6edeb7b604cd6e6399860cb9
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/505100
Reviewed-by: Zach Reizner <zachr@chromium.org>

2017-05-25 12:25:27 -07:00

3 commits