diff options
| author | Matt Delco <delco@chromium.org> | 2019-11-13 08:11:09 -0800 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2020-01-22 17:36:35 +0000 |
| commit | 45caf91aaa80d2d37a63ed2bf99da69b4da0aafa (patch) | |
| tree | 5c9648f6a34c359ff496bcb61d8f33951e4c5082 /src/main.rs | |
| parent | 425aaacad18166faf42075b0e49db6aa554d32ae (diff) | |
| download | crosvm-45caf91aaa80d2d37a63ed2bf99da69b4da0aafa.tar crosvm-45caf91aaa80d2d37a63ed2bf99da69b4da0aafa.tar.gz crosvm-45caf91aaa80d2d37a63ed2bf99da69b4da0aafa.tar.bz2 crosvm-45caf91aaa80d2d37a63ed2bf99da69b4da0aafa.tar.lz crosvm-45caf91aaa80d2d37a63ed2bf99da69b4da0aafa.tar.xz crosvm-45caf91aaa80d2d37a63ed2bf99da69b4da0aafa.tar.zst crosvm-45caf91aaa80d2d37a63ed2bf99da69b4da0aafa.zip | |
crosvm: add support for bpf policy files
Change adds supports for providing pre-compiled bpf files as the policy file for jailing. In short it's more effient to compile once on the build machine than each time at runtime. Additionally libminijail's support for more efficient bpfs (which use a binary tree instead of a linear search) is currently only available via tools that are based around pre-compiled use. BUG=None TEST=Ran build_test and verified that tests can pass with both bpf and policy files (though the tests might only exercise the jail for the plugin). Change-Id: Idd93e3c802fc79da93850d6bad1db660576bc9ba Signed-off-by: Matt Delco <delco@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1914416 Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'src/main.rs')
| -rw-r--r-- | src/main.rs | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/main.rs b/src/main.rs index 017fb45..45efc0f 100644 --- a/src/main.rs +++ b/src/main.rs @@ -827,6 +827,23 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument:: cfg.seccomp_policy_dir = PathBuf::from(value.unwrap()); } "seccomp-log-failures" => { + // A side-effect of this flag is to force the use of .policy files + // instead of .bpf files (.bpf files are expected and assumed to be + // compiled to fail an unpermitted action with "trap"). + // Normally crosvm will first attempt to use a .bpf file, and if + // not present it will then try to use a .policy file. It's up + // to the build to decide which of these files is present for + // crosvm to use (for CrOS the build will use .bpf files for + // x64 builds and .policy files for arm/arm64 builds). + // + // This flag will likely work as expected for builds that use + // .policy files. For builds that only use .bpf files the initial + // result when using this flag is likely to be a file-not-found + // error (since the .policy files are not present). + // For .bpf builds you can either 1) manually add the .policy files, + // or 2) do not use this command-line parameter and instead + // temporarily change the build by passing "log" rather than + // "trap" as the "--default-action" to compile_seccomp_policy.py. cfg.seccomp_log_failures = true; } "plugin" => { |