tag | 2c39788cf1ee54da7684ec77448734ad89ae763d | |
---|---|---|
tagger | The Android Open Source Project <initial-contribution@android.com> | Tue Aug 14 13:23:09 2018 -0700 |
object | 136adca78c7df04e7bc42c74f7c1ae0e992f88e4 |
Android N IOT Release 2 (NIT1.180611.010.B1)
commit | 136adca78c7df04e7bc42c74f7c1ae0e992f88e4 | |
---|---|---|
author | Luis Hector Chavez <lhchavez@google.com> | Sat Jul 21 22:45:56 2018 -0700 |
committer | Luis Hector Chavez <lhchavez@google.com> | Wed Jul 25 05:31:49 2018 +0000 |
tree | f760fce3adbf0afc846a41982ea243577c631047 | |
parent | 1c93783b744b63906acb875abde3b31023c6ec1d | |
syscall_filter: Add a small operand optimization

Since all <, <=, >, >= operands are unsigned, when the immediate fits in 32-bits (which should be the vast majority of the time), we can omit one of the comparisons that would normally occur. So, for

    arg1 >= K

That would be roughly translated to

    if (hi(arg1) > hi(K)) jump NEXT;
    if (hi(arg1) == hi(K) && lo(arg1) >= lo(K)) jump NEXT;
    jump KILL;

If the first check (|hi(arg1) > hi(K)|) fails, we then evaluate the whole second expression. If |hi(K) == 0|, then the only value of |hi(arg1)| for which it would fail would be if |hi(arg1) == 0|, so we don't need to evaluate |hi(arg1) == hi(K)| at all, since we know that it's always going to be true. In other words,

    // given that |hi(K) == 0|,
    if (hi(arg1) > 0) jump NEXT;
    // if the code gets here, |hi(arg1) == 0|.
    if (lo(arg1) >= lo(K)) jump NEXT;
    jump KILL;

The case for > is identical, and </<= get translated into >/>= since cBPF only supports the latter two operators, which concludes the proof of correctness for this optimization.

This saves one opcode.

Bug: 111726641
Test: make tests
Test: echo 'read: arg1 <= 0xbadc0ffee0ddf00d' | \
        ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Test: echo 'read: arg1 <= 0xff' | ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Change-Id: Ia00362ce92ff5e858c7366dab013e2db88c09818
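The argument of the commit message, as an added worked example that is not Minijail's filter compiler: the full and the shortened cBPF comparison sequences are modelled as C functions over the 32-bit halves of a 64-bit syscall argument, `<` and `<=` are expressed as negations of `>=` and `>` the way the message describes, and the short form is checked against the native unsigned comparison over a grid of boundary values. The grid values and the function names are this example's own choices; the only precondition the short form relies on is the one the message states, `hi(K) == 0`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; this is not Minijail's filter compiler. It models the two
 * cBPF comparison sequences from the commit message as C functions and checks
 * the short form against the native unsigned comparison. */

enum cmp_op { OP_LT, OP_LE, OP_GT, OP_GE };

/* cBPF can only load 32-bit words, so a 64-bit argument is seen as halves. */
static uint32_t hi32(uint64_t v) { return (uint32_t)(v >> 32); }
static uint32_t lo32(uint64_t v) { return (uint32_t)v; }

/* General form of arg >= K (or arg > K when strict): three tests. */
static bool ge_full(uint64_t arg, uint64_t k, bool strict)
{
	if (hi32(arg) > hi32(k))
		return true;                               /* jump NEXT */
	if (hi32(arg) == hi32(k) &&
	    (strict ? lo32(arg) > lo32(k) : lo32(arg) >= lo32(k)))
		return true;                               /* jump NEXT */
	return false;                                      /* jump KILL */
}

/* Short form, valid only when hi(K) == 0: the hi equality test is gone. */
static bool ge_small(uint64_t arg, uint64_t k, bool strict)
{
	if (hi32(arg) > 0)
		return true;      /* hi(arg) > hi(K), because hi(K) == 0 */
	/* Reaching here means hi(arg) == 0 == hi(K), so compare the low words. */
	return strict ? lo32(arg) > lo32(k) : lo32(arg) >= lo32(k);
}

/* The compiler may use the short form only for immediates that fit in 32 bits. */
static bool fits_in_32(uint64_t k) { return hi32(k) == 0; }

/* Evaluate any of the four operators; < and <= are the negations of >= and >,
 * which is how they are expressed with only the two cBPF jump types. */
static bool eval_cmp(enum cmp_op op, uint64_t arg, uint64_t k, bool use_small)
{
	bool (*ge)(uint64_t, uint64_t, bool) = use_small ? ge_small : ge_full;
	switch (op) {
	case OP_GE: return ge(arg, k, false);
	case OP_GT: return ge(arg, k, true);
	case OP_LT: return !ge(arg, k, false);  /* arg < K  <=> !(arg >= K) */
	case OP_LE: return !ge(arg, k, true);   /* arg <= K <=> !(arg > K)  */
	}
	return false;
}

/* Reference: the comparison done natively on 64-bit unsigned values. */
static bool eval_ref(enum cmp_op op, uint64_t arg, uint64_t k)
{
	switch (op) {
	case OP_GE: return arg >= k;
	case OP_GT: return arg > k;
	case OP_LT: return arg < k;
	case OP_LE: return arg <= k;
	}
	return false;
}

/* Count disagreements between the chosen form and the reference over a grid of
 * boundary values. Restricted to 32-bit immediates, the short form must give 0;
 * with a large K admitted it does not, which is why the compiler checks hi(K). */
static int count_mismatches(bool use_small, bool include_large_k)
{
	static const uint64_t args[] = {
		0, 1, 0xfe, 0xff, 0x100, 0xffffffffULL, 0x100000000ULL,
		0x1000000ffULL, 0xbadc0ffee0ddf00dULL, UINT64_MAX };
	static const uint64_t ks[] = {
		0, 1, 0xff, 0x7fffffff, 0xffffffffULL,
		0x100000000ULL, 0xbadc0ffee0ddf00dULL };
	int bad = 0;
	for (int op = OP_LT; op <= OP_GE; op++)
		for (size_t a = 0; a < sizeof args / sizeof args[0]; a++)
			for (size_t i = 0; i < sizeof ks / sizeof ks[0]; i++) {
				if (!include_large_k && !fits_in_32(ks[i]))
					continue;
				if (eval_cmp((enum cmp_op)op, args[a], ks[i], use_small) !=
				    eval_ref((enum cmp_op)op, args[a], ks[i]))
					bad++;
			}
	return bad;
}

int main(void)
{
	printf("full form, all K:     %d mismatches\n", count_mismatches(false, true));
	printf("short form, 32-bit K: %d mismatches\n", count_mismatches(true, false));
	printf("short form, all K:    %d mismatches\n", count_mismatches(true, true));
	return 0;
}
```

The third line of output is the caveat worth keeping in mind when reviewing filter output: with `K = 0xbadc0ffee0ddf00d` and `arg1 = 0x100000000`, the short form jumps to NEXT on `hi(arg1) > 0` even though `arg1 < K`, so the optimization is only sound behind the `hi(K) == 0` check, which is exactly what the two `Test:` lines in the commit message exercise (one immediate above 32 bits, one below).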
The Minijail homepage & main repo is https://android.googlesource.com/platform/external/minijail/.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in Chrome OS, and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one git clone away from happiness.
```
$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail
```
Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
```
# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
```
```
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
```
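A check a practitioner would run after the capability example above, added here and not part of Minijail: parse the `Cap*` lines of a `/proc/<pid>/status` dump, name the bits that are set, and confirm that the effective and permitted sets equal the mask passed to `minijail0 -c` and that nothing effective lies outside the bounding set. The status text is a constructed copy of the output shown above (with the tab separators `/proc` actually uses), and the capability names are indexed by their bit numbers from `linux/capability.h`; the function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Minijail's code: parse the Cap* lines of a
 * /proc/<pid>/status dump and check that the effective set is exactly the mask
 * that was handed to minijail0 -c. */

/* Constructed sample: the status output of the minijail0 -c 3000 run above. */
static const char SAMPLE_STATUS[] =
	"Name:\tcat\n"
	"CapInh:\t0000000000003000\n"
	"CapPrm:\t0000000000003000\n"
	"CapEff:\t0000000000003000\n"
	"CapBnd:\t0000000000003000\n";

/* Capability names indexed by bit number, as numbered in linux/capability.h. */
static const char *const CAP_NAMES[] = {
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
};
#define CAP_COUNT (sizeof CAP_NAMES / sizeof CAP_NAMES[0])

/* Find "<field>:" at the start of a line and parse its hex mask. */
static bool parse_cap_field(const char *status, const char *field, uint64_t *out)
{
	size_t flen = strlen(field);
	for (const char *line = status; line && *line; ) {
		if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
			const char *p = line + flen + 1;
			while (*p == ' ' || *p == '\t')
				p++;
			char *end;
			unsigned long long v = strtoull(p, &end, 16);
			if (end == p)
				return false;
			*out = (uint64_t)v;
			return true;
		}
		line = strchr(line, '\n');
		if (line)
			line++;
	}
	return false;
}

/* Expand a mask into a comma-separated name list; returns the number of bits set. */
static int cap_mask_to_names(uint64_t mask, char *buf, size_t len)
{
	int n = 0;
	buf[0] = '\0';
	for (int bit = 0; bit < 64; bit++) {
		if (!(mask & (1ULL << bit)))
			continue;
		const char *name = (size_t)bit < CAP_COUNT ? CAP_NAMES[bit] : "CAP_UNKNOWN";
		size_t used = strlen(buf);
		snprintf(buf + used, len - used, "%s%s", n ? "," : "", name);
		n++;
	}
	return n;
}

/* True when the effective and permitted sets equal the requested mask and no
 * effective capability lies outside the bounding set. */
static bool check_caps(const char *status, uint64_t expected)
{
	uint64_t eff, prm, bnd;
	if (!parse_cap_field(status, "CapEff", &eff) ||
	    !parse_cap_field(status, "CapPrm", &prm) ||
	    !parse_cap_field(status, "CapBnd", &bnd))
		return false;
	return eff == expected && prm == expected && (eff & ~bnd) == 0;
}

/* Effective mask of the constructed sample, or UINT64_MAX if it cannot be parsed. */
static uint64_t sample_eff_mask(void)
{
	uint64_t eff = 0;
	return parse_cap_field(SAMPLE_STATUS, "CapEff", &eff) ? eff : UINT64_MAX;
}

int main(void)
{
	char names[512];
	int n = cap_mask_to_names(sample_eff_mask(), names, sizeof names);
	printf("CapEff 0x%llx = %d caps: %s\n",
	       (unsigned long long)sample_eff_mask(), n, names);
	printf("matches -c 3000: %s\n", check_caps(SAMPLE_STATUS, 0x3000) ? "yes" : "no");
	return 0;
}
```

For the sample this reports `CAP_NET_ADMIN,CAP_NET_RAW` (bits 12 and 13), which is what `0x3000` selects; running the same parser on the real `/proc/self/status` of a sandboxed process is a cheap way to confirm that a `-c` mask did not hand out more than intended.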