[Chrome][Minijail] Crash when minijail executes program with policy but no log_seccomp_filter_failures setting


梁博翔

Jul 19, 2019, 4:50:00 AM
to mini...@chromium.org, jj.c...@emc.com.tw, james...@emc.com.tw, karen...@emc.com.tw, alber...@emc.com.tw, jeff....@emc.com.tw, Ryan...@dell.com, Crag...@dell.com, Omaca...@compal.com

Hi Minijail team,

I am Paul, from Elan SW RD.

I made a firmware update tool for the ELAN touch screen on the Chrome sarien device.

It is for the Chrome auto-update service, so I implemented a firmware update script which uses Minijail to execute my tool with a policy setting.

The policy file was generated with the strace tool and the generate_syscall_policy.py script, as described in the document “Sandboxing Chrome OS system services”.

However, after testing the policy with “minijail -S seccomp.policy -L <cmd>”, we removed the “-L” parameter and it crashed without any error information or notification.

I only found some messages in /var/log/messages.

The system seems to catch some notifications with signal 31 for elan_i2chid_read_fwid.

I think it is related to hidraw, because the operation that was killed is the lookup of the hidraw device.

We have no idea which direction to take to debug this and hope to get some guidance from you.

Thank you so much.

Best regards,

Paul

********************************************************

梁博翔 Paul Liang

ELAN MICROELECTRONICS CORP.

Address : Rm. 2, 10F, No. 30, Zhongzheng S. Rd.,
Yongkang Dist., Tainan City 710,
Taiwan (R.O.C.)
Tel :+886-6-2819970#8903
Fax :+886-6-2819971

********************************************************

 


Jorge Lucangeli Obes

Jul 19, 2019, 11:01:21 AM
to 梁博翔, mini...@chromium.org, jj.c...@emc.com.tw, james...@emc.com.tw, karen...@emc.com.tw, alber...@emc.com.tw, Jeff.Chuang, Ryan...@dell.com, Crag...@dell.com, Omaca...@compal.com
Hi Paul,

Sarien devices run a 4.19 kernel. On 4.19 kernels, the -L Minijail option uses the SECCOMP_RET_LOG functionality in the kernel (see http://man7.org/linux/man-pages/man2/seccomp.2.html for details). This means that -L will essentially allow all syscalls, and list the ones that were *not* listed in the policy. When you remove the -L option, all those syscalls that were not included in the policy now cause the program to be killed.

The way forward here is to effectively use the -L option for what it does: list the syscalls that are not included in the policy. When running the tool using -L, the kernel will print all the syscalls the program does that are not included in the policy. These will be printed to the audit log.

Example:
Say I have an empty policy:
localhost ~ # touch empty.policy
Since the policy is empty, all syscalls are blocked and even a trivial binary like 'true' fails, and Minijail returns a non-zero exit code:
localhost ~ # minijail0 -S empty.policy -n -- /bin/true
localhost ~ # echo $?
253
When adding -L, this new mode allows all system calls, so 'true' succeeds:
localhost ~ # minijail0 -S empty.policy -n -L -- /bin/true
localhost ~ # echo $?
0
Now we can check the logs for the logged-but-allowed syscalls:
localhost ~ # journalctl -g SECCOMP | grep true
Jul 19 10:54:26 audit[5231]: SECCOMP auid=0 uid=0 gid=0 ses=6 subj=u:r:minijail:s0 pid=5231 comm="true" exe="/usr/bin/coreutils" sig=0 arch=c000003e syscall=157 compat=0 ip=0x7f7078eaa9da code=0x7ffc0000
Jul 19 10:54:26 audit[5231]: SECCOMP auid=0 uid=0 gid=0 ses=6 subj=u:r:minijail:s0 pid=5231 comm="true" exe="/usr/bin/coreutils" sig=0 arch=c000003e syscall=157 compat=0 ip=0x7f7078eaa9da code=0x7ffc0000
Jul 19 10:54:26 audit[5231]: SECCOMP auid=0 uid=0 gid=0 ses=6 subj=u:r:minijail:s0 pid=5231 comm="true" exe="/usr/bin/coreutils" sig=0 arch=c000003e syscall=231 compat=0 ip=0x7f7078e745e6 code=0x7ffc0000

Looks like 'true' needs syscall 157 (prctl, called twice) and 231 (exit_group):
localhost ~ # minijail0 -H | grep 157
  prctl [157]
localhost ~ # minijail0 -H | grep 231
  exit_group [231]


You can use this mechanism to figure out which syscalls are missing in the policy. Ideally, the code would be reworked to not need those syscalls, but for syscalls that can't be avoided, they can be added to the policy and sent out for code review. Hope this helps!

Cheers,
Jorge

--
You received this message because you are subscribed to the Google Groups "minijail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to minijail+u...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/minijail/2A6892C41BAA4BC788868F682CD4216A%40elan.corp.
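As an added example (not code from this thread, from Minijail, or from the ELAN tool), the script below does offline what Jorge does by hand in the reply above: it parses audit SECCOMP records, keeps the ones whose action is SECCOMP_RET_LOG (the `-L` run) or a kill action (the run without `-L`, where the task dies with signal 31, SIGSYS), counts the syscall numbers per `comm`, and prints them as `name: 1` lines in Minijail policy syntax. The sample log is constructed from the three `true` records quoted above plus one made-up killed-tool record, and the syscall-number table is a hand-entered x86_64 excerpt; on a device the names should come from `minijail0 -H`, which cannot be run here.

```python
#!/usr/bin/env python3
"""Turn audit SECCOMP records into a Minijail policy fragment.

Added example for the thread; not Minijail code and not the ELAN tool.
The syscall-name table is a hand-entered x86_64 excerpt (assumed); on a
device, `minijail0 -H` is the authoritative source of numbers and names.
"""
import re
from collections import Counter

# Action values from <linux/seccomp.h>. The audit `code=` field is the filter's
# return value; masking with SECCOMP_RET_ACTION_FULL drops the data bits
# (for example the errno carried by SECCOMP_RET_ERRNO).
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_RET_KILL_THREAD = 0x00000000
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_TRAP = 0x00030000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_LOG = 0x7FFC0000
SECCOMP_RET_ALLOW = 0x7FFF0000
ACTION_NAMES = {
    SECCOMP_RET_KILL_THREAD: "SECCOMP_RET_KILL_THREAD",
    SECCOMP_RET_KILL_PROCESS: "SECCOMP_RET_KILL_PROCESS",
    SECCOMP_RET_TRAP: "SECCOMP_RET_TRAP",
    SECCOMP_RET_ERRNO: "SECCOMP_RET_ERRNO",
    SECCOMP_RET_LOG: "SECCOMP_RET_LOG",
    SECCOMP_RET_ALLOW: "SECCOMP_RET_ALLOW",
}
# With -L an unlisted syscall returns SECCOMP_RET_LOG (it runs, a record is
# written); without -L it gets a kill action and the task dies with SIGSYS (31).
# Either way the record names a syscall missing from the policy.
POLICY_GAP_ACTIONS = {SECCOMP_RET_LOG, SECCOMP_RET_KILL_THREAD, SECCOMP_RET_KILL_PROCESS}

# Hand-entered excerpt of x86_64 (arch=c000003e) syscall numbers. Assumed table,
# not generated from a real `minijail0 -H` run.
X86_64_SYSCALLS = {16: "ioctl", 157: "prctl", 231: "exit_group"}

# Constructed sample: the three 'true' records quoted in the thread plus one
# made-up record of a tool killed once -L is dropped (sig=31 is SIGSYS).
SAMPLE_AUDIT_LOG = """\
Jul 19 10:54:26 audit[5231]: SECCOMP auid=0 uid=0 gid=0 ses=6 subj=u:r:minijail:s0 pid=5231 comm="true" exe="/usr/bin/coreutils" sig=0 arch=c000003e syscall=157 compat=0 ip=0x7f7078eaa9da code=0x7ffc0000
Jul 19 10:54:26 audit[5231]: SECCOMP auid=0 uid=0 gid=0 ses=6 subj=u:r:minijail:s0 pid=5231 comm="true" exe="/usr/bin/coreutils" sig=0 arch=c000003e syscall=157 compat=0 ip=0x7f7078eaa9da code=0x7ffc0000
Jul 19 10:54:26 audit[5231]: SECCOMP auid=0 uid=0 gid=0 ses=6 subj=u:r:minijail:s0 pid=5231 comm="true" exe="/usr/bin/coreutils" sig=0 arch=c000003e syscall=231 compat=0 ip=0x7f7078e745e6 code=0x7ffc0000
Jul 19 10:58:41 audit[5302]: SECCOMP auid=0 uid=0 gid=0 ses=6 subj=u:r:minijail:s0 pid=5302 comm="sandboxed_tool" exe="/usr/sbin/sandboxed_tool" sig=31 arch=c000003e syscall=16 compat=0 ip=0x7f1c0a6e0b3e code=0x80000000
"""

# key=value or key="quoted value" pairs as written by the audit subsystem.
FIELD_RE = re.compile(r'\b(\w+)=("[^"]*"|\S+)')


def parse_seccomp_records(log_text):
    """Parse audit SECCOMP lines into dicts with comm, arch, syscall, sig, action."""
    records = []
    for line in log_text.splitlines():
        if "SECCOMP" not in line:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if not all(k in fields for k in ("arch", "syscall", "code")):
            continue
        records.append({
            "comm": fields.get("comm", ""),
            "arch": fields["arch"],
            "syscall": int(fields["syscall"]),
            "sig": int(fields.get("sig", "0")),
            "action": int(fields["code"], 16) & SECCOMP_RET_ACTION_FULL,
        })
    return records


def describe_action(code):
    """Name the SECCOMP_RET_* action carried by an audit `code=` value."""
    return ACTION_NAMES.get(code & SECCOMP_RET_ACTION_FULL, f"unknown(0x{code:08x})")


def missing_syscalls(records, comm, arch="c000003e"):
    """Syscall numbers the filter logged or killed for `comm`, with hit counts."""
    counts = Counter(
        r["syscall"] for r in records
        if r["comm"] == comm and r["arch"] == arch and r["action"] in POLICY_GAP_ACTIONS
    )
    return dict(counts)


def policy_fragment(numbers, table=X86_64_SYSCALLS):
    """Render `name: 1` lines in Minijail policy syntax, sorted by syscall number."""
    lines = []
    for nr in sorted(numbers):
        if nr not in table:
            raise KeyError(f"syscall {nr} not in table; check `minijail0 -H | grep {nr}`")
        lines.append(f"{table[nr]}: 1")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_seccomp_records(SAMPLE_AUDIT_LOG)
    for comm in ("true", "sandboxed_tool"):
        gaps = missing_syscalls(recs, comm)
        print(f"# {comm}: {len(gaps)} syscall(s) outside the policy")
        print(policy_fragment(gaps), end="")
```

Filtering on `arch` matters on a mixed 32/64-bit device: the same number means a different syscall under `arch=40000003` (i386), so records from the two ABIs must not be merged into one table lookup. The fragment is a starting point only; as Jorge says, the first question for each entry is whether the tool can be reworked not to need the syscall before it is added to the policy.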

梁博翔

Jul 22, 2019, 1:59:48 AM
to Jorge Lucangeli Obes, mini...@chromium.org, jj.c...@emc.com.tw, james...@emc.com.tw, karen...@emc.com.tw, alber...@emc.com.tw, Jeff.Chuang, Ryan...@dell.com, Crag...@dell.com, Omaca...@compal.com

Hi Jorge,

You gave very valuable information.

It helps a lot in this issue.

Thank you very much.

BR,

Paul
