| tag | 2c39788cf1ee54da7684ec77448734ad89ae763d | |
|---|---|---|
| tagger | The Android Open Source Project <initial-contribution@android.com> | Tue Aug 14 13:23:09 2018 -0700 |
| object | 136adca78c7df04e7bc42c74f7c1ae0e992f88e4 |
Android N IOT Release 2 (NIT1.180611.010.B1)
| commit | 136adca78c7df04e7bc42c74f7c1ae0e992f88e4 | [log] [tgz] |
|---|---|---|
| author | Luis Hector Chavez <lhchavez@google.com> | Sat Jul 21 22:45:56 2018 -0700 |
| committer | Luis Hector Chavez <lhchavez@google.com> | Wed Jul 25 05:31:49 2018 +0000 |
| tree | f760fce3adbf0afc846a41982ea243577c631047 | |
| parent | 1c93783b744b63906acb875abde3b31023c6ec1d [diff] |
syscall_filter: Add a small operand optimization
Since all <, <=, >, >= operands are unsigned, when the immediate fits in
32-bits (which should be the vast majority of the time), we can omit one
of the comparison that would normally occur. So, for
arg1 >= K
That would be roughly translated to
if (hi(arg1) > hi(K)) jump NEXT;
if (hi(arg1) == hi(K) && lo(arg1) >= lo(K)) jump NEXT;
jump KILL;
If the first check (|hi(arg1) > hi(K)|) fails, we then evaluate the
whole second expression. If |hi(K) == 0|, then the only value of
|hi(arg1)| for which it would fail would be if |hi(arg1) == 0|, so we
don't need to evaluate |hi(arg1) == hi(K)| at all, since we know that
it's always going to be true. In other words,
// given that |hi(K) == 0|,
if (hi(arg1) > 0) jump NEXT;
// if the code gets here, |hi(arg1) == 0|.
if (lo(arg1) >= lo(K)) jump NEXT;
jump KILL;
The case for > is identical, and </<= get translated into >/>= since
cBPF only supports the latter two operators, which concludes the
proof of correctness for this optimization.
This saves one opcode.
Bug: 111726641
Test: make tests
Test: echo 'read: arg1 <= 0xbadc0ffee0ddf00d' | \
./parse_seccomp_policy --dump - | \
./libseccomp/tools/scmp_bpf_disasm
Test: echo 'read: arg1 <= 0xff' | ./parse_seccomp_policy --dump - | \
./libseccomp/tools/scmp_bpf_disasm
Change-Id: Ia00362ce92ff5e858c7366dab013e2db88c09818
The Minijail homepage & main repo is https://android.googlesource.com/platform/external/minijail/.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in Chrome OS, and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one git clone away from happiness.
$ git clone https://android.googlesource.com/platform/external/minijail $ cd minijail
Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
# id uid=0(root) gid=0(root) groups=0(root),128(pkcs11) # minijail0 -u jorgelo -g 5000 /usr/bin/id uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status Name: cat ... CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000000000003000