Google Git
Sign in
android / platform / external / libbrillo / ab3129b27cd45f5ab6558460c51300cbd24d8643
commitab3129b27cd45f5ab6558460c51300cbd24d8643[log] [tgz]
authorSarthak Kukreti <sarthakkukreti@google.com>Thu Dec 06 20:28:46 2018 -0800
committerCommit Bot <commit-bot@chromium.org>Thu Feb 20 07:39:08 2020 +0000
tree9c4ede612336e6a2650ab73b1e70726932a0c5e8
parentcf2229c00aeea500b9a74f4dc15156934575f8fe [diff]
libbrillo: lock SecureAllocator object memory

In order to make sure that the SecureAllocator doesn't leak
memory to other processes or gets swapped out, make sure that

 1. Use page-aligned memory so that it can be locked (therefore, use mmap()
    instead of malloc()).

 2. Always allocate memory in multiples of pages: this adds a memory overhead
    of ~1 page for each object. Moreover, the extra memory is not available
    for the allocated object to expand into: the container expects that the
    memory allocated to it matches the size set in reserve().

 3. Mark the pages as undumpable and unmergeable. We also use MADV_WIPEONFORK
    to allow child processes to function normally: otherwise they would either
    leak secure memory through copy-on-write (MADV_DOFORK) or SEGFAULT if the
    secure memory mappings were not copied to the forked process
    (MADV_DONTFORK). MADV_WIPEONFORK also wipes the anonymous private mmap
    for the forked process and ensures that the forked process cannot access
    the secure object.

    [This CL depends on MADV_WIPEONFORK backport to all kernels < 4.14.]

BUG=chromium:728047
TEST=unittests.

Cq-Depend: chromium:1372458,chromium:1372580,chromium:1372369
Cq-Depend: chromium:1372809,chromium:1372808,chromium:1504816
Change-Id: Ibb67e3c9582cb79905ad5d52b1843814266cd33d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1340437
Tested-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Commit-Queue: Sarthak Kukreti <sarthakkukreti@chromium.org>
Reviewed-by: Eric Caruso <ejcaruso@chromium.org>
Reviewed-by: Gwendal Grignou <gwendal@chromium.org>
Cr-Mirrored-From: https://chromium.googlesource.com/chromiumos/platform2
Cr-Mirrored-Commit: d0b5f425c2c2868307bb27bbab11aef8199810b2
3 files changed
tree: 9c4ede612336e6a2650ab73b1e70726932a0c5e8
  1. brillo/
  2. install_attributes/
  3. policy/
  4. BUILD.gn
  5. libpolicy.ver
  6. OWNERS
  7. PRESUBMIT.cfg
  8. README.md
  9. testrunner.cc
README.md

libbrillo: platform utility library

libbrillo is a shared library meant to hold common utility code that we deem useful for platform projects. It supplements the functionality provided by libbase/libchrome since that project, by design, only holds functionality that Chromium (the browser) needs. As a result, this tends to be more OS-centric code.

AOSP Usage

This project is also used by Update Engine which is maintained in AOSP. However, AOSP doesn't use this codebase directly, it maintains its own libbrillo fork.

To help keep the projects in sync, we have a gsubtree set up on our GoB: https://chromium.googlesource.com/chromiumos/platform2/libbrillo/

This allows AOSP to cherry pick or merge changes directly back into their fork.