From 4e807800b97a954faa35fee6d0ea97b8f2156af9 Mon Sep 17 00:00:00 2001 From: Daniel Verkamp Date: Wed, 31 May 2023 15:53:36 -0700 Subject: [PATCH] docs: book: update minijail and seccomp docs - Fix the links to point to the current chromiumos repositories. - Delete a weird preachy sentence about language choice. - Update the location of the jail helpers source file and add a link. - Add a paragraph about the policy BPF build process. Change-Id: I43791eefb619e4c2cac6bb994d31ee95f5725ad0 Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/4574299 Reviewed-by: Shin Kawamura Commit-Queue: Daniel Verkamp Reviewed-by: Keiichi Watanabe --- docs/book/src/appendix/minijail.md | 8 ++++---- docs/book/src/appendix/seccomp.md | 10 ++++++++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/docs/book/src/appendix/minijail.md b/docs/book/src/appendix/minijail.md index 9a48906558..c675c817a0 100644 --- a/docs/book/src/appendix/minijail.md +++ b/docs/book/src/appendix/minijail.md @@ -2,13 +2,11 @@ On Linux hosts, crosvm uses [minijail](https://google.github.io/minijail/) to sandbox the child devices. The minijail C library is utilized via a -[Rust wrapper](https://android.googlesource.com/platform/external/minijail/+/refs/heads/master/rust/minijail/src/lib.rs) +[Rust wrapper](https://chromium.googlesource.com/chromiumos/platform/minijail/+/refs/heads/main/rust/minijail/src/lib.rs) so as not to repeat the intricate sequence of syscalls used to make a secure isolated child process. -The fact that minijail was written, maintained, and continuously tested by a professional security -team more than makes up for its being written in an memory unsafe language. The exact configuration of the sandbox varies by device, but they are mostly alike. See -`create_base_minijail` from `linux/jail_helpers.rs`. The set of security constraints explicitly used +[`create_base_minijail`] from `jail/src/helpers.rs`. The set of security constraints explicitly used in crosvm are: - PID Namespace @@ -23,3 +21,5 @@ in crosvm are: - [PR_SET_NO_NEW_PRIVS](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) - [seccomp](seccomp.html) with optional log failure mode - Limit to number of file descriptors + +[`create_base_minijail`]: https://crosvm.dev/doc/jail/fn.create_base_minijail.html diff --git a/docs/book/src/appendix/seccomp.md b/docs/book/src/appendix/seccomp.md index 6a2d7845d6..1e7b539738 100644 --- a/docs/book/src/appendix/seccomp.md +++ b/docs/book/src/appendix/seccomp.md @@ -6,12 +6,18 @@ the BPF programs, crosvm uses minijail's policy file format. A policy file is wr device per architecture. Each device requires a unique set of syscalls to accomplish their function and each architecture has slightly different naming for similar syscalls. The ChromeOS docs have a useful -[listing of syscalls](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md). +[listing of syscalls](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/constants/syscalls.md). + +The seccomp policies are compiled from `.policy` source files into BPF bytecode by +[`jail/build.rs`](https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/jail/build.rs) +and embedded in the crosvm executable, so it is not necessary to install the seccomp policy files, +only the crosvm binary itself. Be sure to remember to rebuild crosvm after changing a policy file to +observe the updated behavior. ## Writing a Policy for crosvm The detailed rules for naming policy files can be found in -[seccomp/README.md](https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/seccomp/README.md) +[jail/seccomp/README.md](https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/jail/seccomp/README.md) Most policy files will include the `common_device.policy` from a given architecture using this directive near the top: