
This is a followup to [1].

[1] https://chromium-review.googlesource.com/c/chromium/src/+/1974901

TBR=sky
Change-Id: I442ffe121378607bdc5e1b16c081b8d66b138955
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1980900
Reviewed-by: Thomas Anderson <thomasanderson@chromium.org>
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#727226}
47 lines
2.1 KiB
Markdown
# seccomp Sandbox Crash Dumping

Currently, Breakpad relies on facilities that are disallowed inside the Linux
seccomp sandbox. Specifically, it sets a signal handler to catch faults
(currently disallowed), forks a new process, and uses `ptrace()` (also
disallowed) to read the memory of the faulted process.

## Options

There are three ways we could do crash dumping of seccomp-sandboxed processes:

* Find a way to permit signal handling safely inside the sandbox (see below).
* Allow the kernel's core dumper to kick in and write a core file.
  * This seems risky because this code tends not to be well-tested.
  * This will not work if the process is chrooted, so it would not work if
    the seccomp sandbox is stacked with the SUID sandbox.
* Have an unsandboxed helper process which `ptrace()`s the sandboxed process
  to catch faults.

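The third option, an unsandboxed helper that `ptrace()`s the sandboxed process and reads its memory once it faults, in outline as an added example (this is not Chromium or Breakpad code). It assumes Linux with a Yama `ptrace_scope` that permits tracing one's own child: the child opts in with `PTRACE_TRACEME`, faults on a page it deliberately unmapped, and the helper, seeing the child stopped at SIGSEGV delivery, reads the child's private copy of a marker variable with `PTRACE_PEEKDATA`. The marker value and the fault are constructed for the demonstration.

```c
// Added example (not Chromium/Breakpad code): an unsandboxed helper process
// that traces a child, waits for it to fault, and reads the faulted process's
// memory. Assumes Linux and a Yama ptrace_scope that allows tracing a child.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample data; the child overwrites its own (copy-on-write) copy. */
static volatile unsigned long g_marker = 0x1111UL;

/* "Sandboxed" child: opt in to tracing, then fault on an unmapped page. */
static void sandboxed_child(void) {
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(101);                      /* ptrace denied here (e.g. Yama/seccomp) */
    g_marker = 0xC0FFEEUL;               /* value only the child's memory holds */
    long page = sysconf(_SC_PAGESIZE);
    volatile int *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        _exit(102);
    munmap((void *)p, page);
    *p = 1;                              /* SIGSEGV: the page is no longer mapped */
    _exit(103);                          /* not reached */
}

/* Helper side. Returns 1 if the fault was caught and the child's memory was
 * read, -1 if ptrace is not permitted in this environment, 0 otherwise. */
int helper_catch_fault(void) {
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        sandboxed_child();

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 101)
        return -1;                       /* PTRACE_TRACEME refused */
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return -1;                       /* ptrace() itself filtered by seccomp */
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGSEGV) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return 0;
    }

    /* The child is stopped at signal delivery, before any handler of its own
     * could run: read its copy of g_marker (same address, no exec happened). */
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, (void *)&g_marker, NULL);
    int ok = (errno == 0 && (unsigned long)word == 0xC0FFEEUL &&
              g_marker == 0x1111UL);     /* our own copy is untouched */

    /* Dump taken; terminate and reap the faulted child. */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return ok ? 1 : 0;
}

int main(void) {
    int r = helper_catch_fault();
    printf("helper_catch_fault() = %d\n", r);
    return r == 1 ? 0 : 1;
}
```

A real helper would go on to fetch registers (`PTRACE_GETREGS`) and walk the stack the same way before writing a minidump. The point the example shows is that the tracer is notified at signal-delivery stop, so the sandboxed process needs neither a signal handler nor `ptrace()` of its own, which is exactly what the seccomp sandbox forbids it.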
## Signal handling in the seccomp sandbox

In case a trusted thread faults with a SIGSEGV, we must make sure that an
untrusted thread cannot register a signal handler that will run in the context
of the trusted thread.

Here are some mechanisms that could make this safe:

* `sigaltstack()` is per-thread. If we opt not to set a signal stack for
  trusted threads, and set %esp/%rsp to an invalid address, trusted threads
  will die safely if they fault.
  * This means the trusted thread cannot set a signal stack on behalf of the
    untrusted thread once the latter has switched to seccomp mode. The
    signal stack would have to be set up when the thread is created and not
    subsequently changed.
* `clone()` has a `CLONE_SIGHAND` flag. By omitting this flag, trusted and
  untrusted threads can have different sets of signal handlers. This means we
  can opt not to set signal handlers for trusted threads.
  * Again, per-thread signal handler sets would mean the trusted thread
    cannot change signal handlers on behalf of untrusted threads.
* `sigprocmask()/pthread_sigmask()`: These can be used to block signal
  handling in trusted threads.

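The per-thread properties the first and third mechanisms rely on, checked by a small program added here as an example (not Chromium code): a "trusted" main thread blocks SIGUSR1 and leaves its alternate signal stack disabled, then spawns an "untrusted" pthread that installs its own `sigaltstack()`, unblocks SIGUSR1 with `pthread_sigmask()` and raises it. After the join, the trusted thread verifies its own state is unchanged. Linux/glibc is assumed; the 64 KiB stack size and the choice of SIGUSR1 are the example's own.

```c
// Added example (not Chromium code): sigaltstack() and the signal mask are
// per-thread, so an "untrusted" thread installing an alternate stack and
// unblocking a signal does not change what a "trusted" thread sees.
#define _GNU_SOURCE
#include <pthread.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>

#define ALT_STACK_SIZE (64 * 1024)   /* example's own choice, >= MINSIGSTKSZ */

static volatile sig_atomic_t g_handler_on_altstack = 0;

/* Handler tables are process-wide under pthreads (CLONE_SIGHAND), so this one
 * is shared; SA_ONSTACK only takes effect in a thread that has an alt stack. */
static void on_usr1(int sig) {
    (void)sig;
    stack_t ss;
    sigaltstack(NULL, &ss);                      /* async-signal-safe */
    g_handler_on_altstack = (ss.ss_flags & SS_ONSTACK) ? 1 : 0;
}

struct untrusted_report {
    void *altstack_mem;
    int altstack_enabled;
    int usr1_blocked;
};

/* "Untrusted" thread: set its own alt stack, unblock SIGUSR1, raise it. */
static void *untrusted_thread(void *arg) {
    struct untrusted_report *r = arg;
    stack_t ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_sp = r->altstack_mem;
    ss.ss_size = ALT_STACK_SIZE;
    ss.ss_flags = 0;
    if (sigaltstack(&ss, NULL) != 0)
        return NULL;

    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGUSR1);
    pthread_sigmask(SIG_UNBLOCK, &set, NULL);   /* inherited mask had it blocked */

    stack_t cur;
    sigaltstack(NULL, &cur);
    r->altstack_enabled = !(cur.ss_flags & SS_DISABLE);
    sigset_t mask;
    pthread_sigmask(SIG_BLOCK, NULL, &mask);
    r->usr1_blocked = sigismember(&mask, SIGUSR1);

    raise(SIGUSR1);                              /* delivered to this thread only */
    return NULL;
}

/* "Trusted" side. Returns a bitmask of the properties that held; 31 = all. */
int per_thread_signal_state(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_usr1;
    sa.sa_flags = SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return -1;

    sigset_t set;                                /* block SIGUSR1 in this thread */
    sigemptyset(&set);
    sigaddset(&set, SIGUSR1);
    pthread_sigmask(SIG_BLOCK, &set, NULL);
    stack_t off;                                 /* and keep no alt stack here */
    memset(&off, 0, sizeof off);
    off.ss_flags = SS_DISABLE;
    sigaltstack(&off, NULL);

    struct untrusted_report rep;
    memset(&rep, 0, sizeof rep);
    rep.altstack_mem = malloc(ALT_STACK_SIZE);
    if (!rep.altstack_mem)
        return -1;
    pthread_t t;
    if (pthread_create(&t, NULL, untrusted_thread, &rep) != 0) {
        free(rep.altstack_mem);
        return -1;
    }
    pthread_join(t, NULL);
    free(rep.altstack_mem);

    stack_t mine;
    sigaltstack(NULL, &mine);
    sigset_t mask;
    pthread_sigmask(SIG_BLOCK, NULL, &mask);

    int bits = 0;
    if (mine.ss_flags & SS_DISABLE) bits |= 1;   /* trusted: still no alt stack */
    if (rep.altstack_enabled)       bits |= 2;   /* untrusted: alt stack installed */
    if (sigismember(&mask, SIGUSR1)) bits |= 4;  /* trusted: SIGUSR1 still blocked */
    if (!rep.usr1_blocked)          bits |= 8;   /* untrusted: SIGUSR1 unblocked */
    if (g_handler_on_altstack)      bits |= 16;  /* handler ran on the alt stack */
    return bits;
}
```

What the program cannot show is the `CLONE_SIGHAND` point: `pthread_create()` always passes that flag, so the handler installed above is visible to both threads. Creating the untrusted thread with a raw `clone()` that omits `CLONE_SIGHAND` is what would give each side its own handler table, and then SA_ONSTACK on one side would say nothing about the other.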
## See also

* [LinuxCrashDumping](linux/crash_dumping.md)
* [Issue 37728](https://crbug.com/37728)