tagger: The Android Open Source Project <firstname.lastname@example.org>, Tue Aug 14 13:23:09 2018 -0700
Android N IOT Release 2 (NIT1.180611.010.B1)
author: Luis Hector Chavez <email@example.com>, Sat Jul 21 22:45:56 2018 -0700
committer: Luis Hector Chavez <firstname.lastname@example.org>, Wed Jul 25 05:31:49 2018 +0000
syscall_filter: Add a small operand optimization

Since all <, <=, >, >= operands are unsigned, when the immediate fits in 32 bits (which should be the vast majority of the time), we can omit one of the comparisons that would normally occur. So, for

    arg1 >= K

That would be roughly translated to

    if (hi(arg1) > hi(K)) jump NEXT;
    if (hi(arg1) == hi(K) && lo(arg1) >= lo(K)) jump NEXT;
    jump KILL;

If the first check (|hi(arg1) > hi(K)|) fails, we then evaluate the whole second expression. If |hi(K) == 0|, then the only value of |hi(arg1)| for which it would fail would be if |hi(arg1) == 0|, so we don't need to evaluate |hi(arg1) == hi(K)| at all, since we know that it's always going to be true. In other words,

    // given that |hi(K) == 0|,
    if (hi(arg1) > 0) jump NEXT;
    // if the code gets here, |hi(arg1) == 0|.
    if (lo(arg1) >= lo(K)) jump NEXT;
    jump KILL;

The case for > is identical, and </<= get translated into >/>= since cBPF only supports the latter two operators, which concludes the proof of correctness for this optimization.

This saves one opcode.

Bug: 111726641
Test: make tests
Test: echo 'read: arg1 <= 0xbadc0ffee0ddf00d' | \
        ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Test: echo 'read: arg1 <= 0xff' | ./parse_seccomp_policy --dump - | \
        ./libseccomp/tools/scmp_bpf_disasm
Change-Id: Ia00362ce92ff5e858c7366dab013e2db88c09818
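The commit message argues that the shortened cBPF sequence is equivalent to the full one whenever the immediate's high word is zero. The following is an added example, not minijail's code: a small C model of both sequences for "arg >= K" that checks the equivalence over edge-case hi/lo words, and shows that it breaks down for an immediate whose high word is non-zero (the two immediates from the Test: lines are used as inputs).

```c
/* Added example (not minijail's code): a C model of the two cBPF sequences
 * described in the commit message, checking that the shortened form of
 * "arg >= K" matches the full one whenever hi(K) == 0, and only then. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
static uint32_t hi(uint64_t v) { return (uint32_t)(v >> 32); }
static uint32_t lo(uint64_t v) { return (uint32_t)v; }

/* Full sequence: true means "jump NEXT", false means "jump KILL". */
static bool ge_full(uint64_t arg, uint64_t k)
{
    if (hi(arg) > hi(k))
        return true;
    return hi(arg) == hi(k) && lo(arg) >= lo(k);
}

/* Shortened sequence, valid only when hi(k) == 0. */
static bool ge_opt(uint64_t arg, uint64_t k)
{
    if (hi(arg) > 0)
        return true;
    /* Here hi(arg) == 0 == hi(k), so the equality test is redundant. */
    return lo(arg) >= lo(k);
}

/* Runs both sequences over every pairing of edge-case 32-bit words as the
 * hi/lo halves of arg; returns the number of disagreements (0 = equivalent). */
static unsigned count_mismatches(uint64_t k)
{
    static const uint32_t words[] = { 0, 1, 0xfe, 0xff, 0x100, 0x7fffffff,
                                      0x80000000, 0xfffffffe, 0xffffffff };
    size_t n = sizeof(words) / sizeof(words[0]);
    unsigned bad = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            uint64_t arg = ((uint64_t)words[i] << 32) | words[j];
            if (ge_full(arg, k) != ge_opt(arg, k))
                bad++;
        }
    return bad;
}

int main(void)
{
    printf("K=0xff: %u mismatches\n", count_mismatches(0xffULL));
    printf("K=0xbadc0ffee0ddf00d: %u mismatches\n", count_mismatches(0xbadc0ffee0ddf00dULL));
    return 0;
}
```

The first immediate yields zero mismatches; the second yields many, which is exactly why the generated filter must check that the immediate fits in 32 bits before emitting the shorter sequence.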
The Minijail homepage & main repo is https://android.googlesource.com/platform/external/minijail/.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one git clone away from happiness.
    $ git clone https://android.googlesource.com/platform/external/minijail
    $ cd minijail
Releases are tagged as
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
    # id
    uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
    # minijail0 -u jorgelo -g 5000 /usr/bin/id
    uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
    # minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
    Name:   cat
    ...
    CapInh: 0000000000003000
    CapPrm: 0000000000003000
    CapEff: 0000000000003000
    CapBnd: 0000000000003000