Google Git
Sign in
chromium / chromium / src / sandbox / 25cc64abd05a60f4b446251ac679a0b844d7a979
commit25cc64abd05a60f4b446251ac679a0b844d7a979[log] [tgz]
authorJordan R Abrahams <ajordanr@google.com>Thu Aug 12 18:18:15 2021
committerCopybara-Service <copybara-worker@google.com>Thu Aug 12 18:35:23 2021
treeb39784024cedfae81c53e0c2a25745766fcb6ccb
parentf114755e2ec90bdcb86401e0e3b9e5fb19f6483d [diff]
linux sandbox: add fstatfs for arm gpu policy

This missing syscall is preventing the sandbox from starting ChromeOS
when we apply a security patch to glibc.

glibc's loader can be exploited on preload to get around no-exec
restrictions. We've implemented a patch in CrOS's glibc implementation
to resolve this. However, fstatfs is required to determine file-system
information about the shared libraries.

Without this patch, fstatfs calls on ChromeOS boards such as Trogdor
are unable to get the user to the log-in screen when glibc requires
fstatfs-ing shared objects on preload.

Bug: chromium:1182687
Test: Local images with and without patch on local Trogdor device

Change-Id: I35094cdf101e7981711e603d1e04df4214b525cf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3089652
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
Cr-Commit-Position: refs/heads/master@{#911398}
NOKEYCHECK=True
GitOrigin-RevId: 7b24f4df5c4a4d13c23f42a8e33686748415dd01
1 file changed
tree: b39784024cedfae81c53e0c2a25745766fcb6ccb
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. constants.h
  7. DEPS
  8. DIR_METADATA
  9. features.gni
  10. ipc.dict
  11. OWNERS
  12. README.md
  13. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.