commit | 8079cee5f9f963f525051a53128affdcf9dc3fa4 | [log] [tgz] |
---|---|---|
author | Kyle Horimoto <khorimoto@chromium.org> | Fri Apr 16 03:02:28 2021 |
committer | Chromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com> | Fri Apr 16 03:02:28 2021 |
tree | ec6b52acd1a2864d79e1ae8510d8895a21c89bf9 | |
parent | cc68781020815770d5e56cf555c858681ab6d002 [diff] |
Revert "Linux sandbox: fix fstatat() crash" This reverts commit 7dc8a6aaa03d40a92150d86abd3f2fc4ba807193. Reason for revert: Causes https://bugs.chromium.org/p/chromium/issues/detail?id=1199431 Exempt-From-Owner-Approval: Urgent revert Original change's description: > Linux sandbox: fix fstatat() crash > > Glibc has started rewriting fstat(fd, stat_buf) to > fstatat(fd, "", stat_buf, AT_EMPTY_PATH). This works because when > AT_EMPTY_PATH is specified, and the second argument is an empty string, > then fstatat just performs an fstat on fd like normal. > > Unfortunately, fstatat() also allows stat-ing arbitrary pathnames like > with fstatat(AT_FDCWD, "/i/am/a/file", stat_buf, 0); > The baseline policy needs to prevent this usage of fstatat() since it > doesn't allow access to arbitrary pathnames. > > Sadly, if the second argument is not an empty string, AT_EMPTY_PATH is > simply ignored by current kernels. > > This means fstatat() is completely unsandboxable with seccomp, since > we *need* to verify that the second argument is the empty string, but > we can't dereference pointers in seccomp (due to limitations of BPF, > and the difficulty of addressing these limitations due to TOCTOU > issues). > > So, this CL Traps (raises a SIGSYS via seccomp) on any fstatat syscall. > The signal handler, which runs in the sandboxed process, checks for > AT_EMPTY_PATH and the empty string, and then rewrites any applicable > fstatat() back into the old-style fstat(). > > Bug: 1164975 > Change-Id: Ie7394a32f9cc9f915c2d8400f068df2f914831a2 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2801873 > Commit-Queue: Matthew Denton <mpdenton@chromium.org> > Reviewed-by: Robert Sesek <rsesek@chromium.org> > Cr-Commit-Position: refs/heads/master@{#873132} Bug: 1164975 Change-Id: I06296096dd4dbf2cc64b41bb2bcf7dd00c74cbcc No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2830830 Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Matthew Denton <mpdenton@chromium.org> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Reviewed-by: David Staessens <dstaessens@chromium.org> Reviewed-by: Azeem Arshad <azeemarshad@chromium.org> Auto-Submit: Kyle Horimoto <khorimoto@chromium.org> Cr-Commit-Position: refs/heads/master@{#873172}
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
To check out the source code locally, don't use git clone
! Instead, follow the instructions on how to get the code.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure .
For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.