commit | ab3129b27cd45f5ab6558460c51300cbd24d8643 | [log] [tgz] |
---|---|---|
author | Sarthak Kukreti <sarthakkukreti@google.com> | Thu Dec 06 20:28:46 2018 -0800 |
committer | Commit Bot <commit-bot@chromium.org> | Thu Feb 20 07:39:08 2020 +0000 |
tree | 9c4ede612336e6a2650ab73b1e70726932a0c5e8 | |
parent | cf2229c00aeea500b9a74f4dc15156934575f8fe [diff] |
libbrillo: lock SecureAllocator object memory In order to make sure that the SecureAllocator doesn't leak memory to other processes or gets swapped out, make sure that 1. Use page-aligned memory so that it can be locked (therefore, use mmap() instead of malloc()). 2. Always allocate memory in multiples of pages: this adds a memory overhead of ~1 page for each object. Moreover, the extra memory is not available for the allocated object to expand into: the container expects that the memory allocated to it matches the size set in reserve(). 3. Mark the pages as undumpable and unmergeable. We also use MADV_WIPEONFORK to allow child processes to function normally: otherwise they would either leak secure memory through copy-on-write (MADV_DOFORK) or SEGFAULT if the secure memory mappings were not copied to the forked process (MADV_DONTFORK). MADV_WIPEONFORK also wipes the anonymous private mmap for the forked process and ensures that the forked process cannot access the secure object. [This CL depends on MADV_WIPEONFORK backport to all kernels < 4.14.] BUG=chromium:728047 TEST=unittests. Cq-Depend: chromium:1372458,chromium:1372580,chromium:1372369 Cq-Depend: chromium:1372809,chromium:1372808,chromium:1504816 Change-Id: Ibb67e3c9582cb79905ad5d52b1843814266cd33d Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1340437 Tested-by: Sarthak Kukreti <sarthakkukreti@chromium.org> Commit-Queue: Sarthak Kukreti <sarthakkukreti@chromium.org> Reviewed-by: Eric Caruso <ejcaruso@chromium.org> Reviewed-by: Gwendal Grignou <gwendal@chromium.org> Cr-Mirrored-From: https://chromium.googlesource.com/chromiumos/platform2 Cr-Mirrored-Commit: d0b5f425c2c2868307bb27bbab11aef8199810b2
libbrillo is a shared library meant to hold common utility code that we deem useful for platform projects. It supplements the functionality provided by libbase/libchrome since that project, by design, only holds functionality that Chromium (the browser) needs. As a result, this tends to be more OS-centric code.
This project is also used by Update Engine which is maintained in AOSP. However, AOSP doesn't use this codebase directly, it maintains its own libbrillo fork.
To help keep the projects in sync, we have a gsubtree set up on our GoB: https://chromium.googlesource.com/chromiumos/platform2/libbrillo/
This allows AOSP to cherry pick or merge changes directly back into their fork.