commit | 3b41ae3db9adecad11ed519f891e784c16f21393 | [log] [tgz] |
---|---|---|
author | Luis Hector Chavez <lhchavez@google.com> | Sat Mar 09 18:46:20 2019 -0800 |
committer | Luis Hector Chavez <lhchavez@google.com> | Wed Mar 27 08:02:50 2019 -0700 |
tree | cee5ad9c88f68df3ceedd347910a052dcf48a117 | |
parent | 89a2710839563aaaeefd19906f4bb4431219dac7 [diff] |
tools/compile_seccomp_policy: Optimize AST visitation Since the AST nodes form a graph (and NOT a tree), the Block.accept() method was running into a combinatorial explosion of calls to Block.accept(). Some of the Visitor.visit() methods had some logic to prevent processing a Block more than once, but it would still be invoked multiple times. This change adds a Visitor.visited() method so that Block.accept() can stop unnecessary recursion, so that Block.accept() will be evaluated exactly once per Visitor-Block pair, thus strengthening the previous guarantee of Visitor.visit() being evaluated just once (and changing the visitation guard to an assert). This also adds a unit test to prevent this from regression. Bug: chromium:856315 Test: ./tools/compiler_unittest.py Change-Id: I79ba9f66ee63c51ada18175519c2cdab32efcd5b
The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one git clone
away from happiness.
$ git clone https://android.googlesource.com/platform/external/minijail $ cd minijail
Releases are tagged as linux-vXX
: https://android.googlesource.com/platform/external/minijail/+refs
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
# id uid=0(root) gid=0(root) groups=0(root),128(pkcs11) # minijail0 -u jorgelo -g 5000 /usr/bin/id uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status Name: cat ... CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000000000003000