
interfaces/browser-support: allow sched_setaffinity with browser-sandbox: true #9865

Conversation

anonymouse64

This is used by chromium to try and optimize some render threads, and there are
already more dangerous system calls allowed in the browser-sandbox: true policy.

Additionally, on some users' machines this system call is called relentlessly by
Chromium and thus ends up spamming the logs.

Fixes: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1900679

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
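To check the "spamming the logs" claim on a machine of your own, the triage below (an added example, not snapd code) counts seccomp denials (audit type=1326) per process and syscall, then checks them against a snapd-style seccomp policy fragment like the one in this PR. The audit lines are constructed samples, the syscall-number table covers only x86_64 (arch c000003e), and the policy parser is a simplification that keeps just the syscall name of each line.

```python
import re
from collections import Counter

# Constructed sample audit lines in the shape of kernel seccomp denials.
# pids, paths and timestamps are made up; they are not from the snapd bug.
SAMPLE_AUDIT_LOG = """\
audit: type=1326 audit(1611600000.001:100): auid=1000 uid=1000 pid=4321 comm="chrome" exe="/snap/chromium/1444/usr/lib/chromium-browser/chrome" arch=c000003e syscall=203 compat=0
audit: type=1326 audit(1611600000.002:101): auid=1000 uid=1000 pid=4321 comm="chrome" exe="/snap/chromium/1444/usr/lib/chromium-browser/chrome" arch=c000003e syscall=203 compat=0
audit: type=1326 audit(1611600000.003:102): auid=1000 uid=1000 pid=4322 comm="chrome" exe="/snap/chromium/1444/usr/lib/chromium-browser/chrome" arch=c000003e syscall=144 compat=0
audit: type=1326 audit(1611600000.004:103): auid=1000 uid=1000 pid=5555 comm="other-app" exe="/snap/other/1/bin/other" arch=c000003e syscall=203 compat=0
audit: type=1400 audit(1611600000.005:104): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/shadow" pid=4321 comm="chrome"
"""

# x86_64 syscall numbers for the calls discussed in this PR (assumed table).
SYSCALL_NAMES_X86_64 = {144: "sched_setscheduler", 203: "sched_setaffinity",
                        204: "sched_getaffinity"}

# Only seccomp (type=1326) records carry a syscall number; AppArmor lines are ignored.
DENIAL_RE = re.compile(
    r'type=1326 .*?comm="(?P<comm>[^"]*)".*?arch=(?P<arch>[0-9a-f]+).*?syscall=(?P<nr>\d+)')


def summarise_seccomp_denials(log_text):
    """Return Counter mapping (comm, syscall name) -> number of denials."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        nr = int(m.group("nr"))
        # Numbers are architecture specific; only resolve names for x86_64.
        if m.group("arch") == "c000003e":
            name = SYSCALL_NAMES_X86_64.get(nr, f"syscall_{nr}")
        else:
            name = f"{m.group('arch')}:syscall_{nr}"
        counts[(m.group("comm"), name)] += 1
    return counts


def parse_seccomp_policy(text):
    """Simplified reader for the snapd policy format shown in this PR:
    one syscall per line, '#' comments; argument filters are ignored."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            allowed.add(line.split()[0])
    return allowed


def still_denied(counts, allowed):
    """Denials that a policy with the given allow-list would not silence."""
    return {key: n for key, n in counts.items() if key[1] not in allowed}
```

Run `still_denied` once with the policy before this PR and once with `sched_setaffinity` added to see exactly which log lines the change removes.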
@anonymouse64 anonymouse64 added Simple 😃 A small PR which can be reviewed quickly Bug Needs security review Can only be merged once security gave a :+1: labels Jan 26, 2021

@bboozzoo bboozzoo left a comment


LGTM

# Chromium will attempt to set the affinity of its renderer threads, primarily
# on android, but also on Linux where it is available. See
# https://github.com/chromium/chromium/blob/99314be8152e688bafbbf9a615536bdbb289ea87/content/common/android/cpu_affinity.cc#L51
sched_setaffinity

Side observation, we already allow sched_setscheduler.

@bboozzoo bboozzoo added this to the 2.49 milestone Jan 27, 2021
@alexmurray

LGTM as well, there isn't much more security risk from this change given how privileged this interface already is.

@alexmurray alexmurray removed the Needs security review Can only be merged once security gave a :+1: label Jan 27, 2021
@pedronis pedronis self-requested a review January 27, 2021 17:37

@pedronis pedronis left a comment


thank you

@mvo5 mvo5 merged commit d16e410 into snapcore:master Jan 28, 2021
@anonymouse64 anonymouse64 deleted the bugfix/browser-support-allow-set-sched-affinity branch January 28, 2021 20:31