Sandboxing the imageloader process into a minijail.

This sandboxes the imageloader into a minijail using a non-root user,
namespaces, and a seccomp filter. Imageloader runs as a non-privileged
user during component registration, and then as root when mounting
components at boot time.

BUG=chromium:630421
TEST=run imageloader on x86, amd64, and arm devices

Change-Id: Ib5f720fc8b4b10e1a7bd54dba5d0f10b772acee8
Reviewed-on: https://chromium-review.googlesource.com/406507
Commit-Ready: Greg Kerr <kerrnel@chromium.org>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
8 files changed
tree: 9653638da00a3b535624338966d97bc138e6b1e9
  1. .presubmitignore
  2. README.md
  3. imageloadclient-glue.xml
  4. imageloadclient.cc
  5. imageloadclient.h
  6. imageloader-glue.xml
  7. imageloader-seccomp-amd64.policy
  8. imageloader-seccomp-arm.policy
  9. imageloader-seccomp-x86.policy
  10. imageloader.conf
  11. imageloader.gyp
  12. imageloader.h
  13. imageloader_common.cc
  14. imageloader_common.h
  15. imageloader_impl.cc
  16. imageloader_impl.h
  17. imageloader_main.cc
  18. imageloader_unittest.cc
  19. imageloader_wrapper
  20. mock_verity_mounter.h
  21. org.chromium.ImageLoader.conf
  22. org.chromium.ImageLoader.service
  23. public_keys/
  24. run_tests.cc
  25. test/
  26. verity_mounter.cc
  27. verity_mounter.h
README.md

src/platform/imageloader

This aims to provide a generic utility to load (mount) and unload (unmount) verified disk images through DBus IPC.

Binaries

  • imageloader
  • imageloadclient

imageloader can be run as root and handles mounting and unmounting of disk images. imageloadclient is a simple client (intended to be run as chronos) that talks to imageloader over DBus and asks it to mount and unmount images. When imageloader is not running, DBus can invoke it with the one-time run option (imageloader -o) to carry out the request.