[Linux sandbox] Fix current seccomp failures

pidfd_open is a syscall new in Linux 5.3. For some reason we are
getting seccomp crashes for it, even though it's unused in chromium
and glibc. Just return ENOSYS instead of crashing, and any code should
be able to handle its nonexistence for backwards compatibility.

We are also getting a lot of seccomp crashes for sched_getaffinity.
There isn't enough reason to block it, so allow it (restricted to the
current process) in the utility and service sandboxes.

Bug: 758557
Change-Id: I0d7354839be37912f35068dfacfaf78c35e894b9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3472467
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#973068}
NOKEYCHECK=True
GitOrigin-RevId: b2ea904d412adfeba5ff24f59497d659b2329a20
diff --git a/linux/seccomp-bpf-helpers/baseline_policy.cc b/linux/seccomp-bpf-helpers/baseline_policy.cc
index 74ce4c7..30c15cc 100644
--- a/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -182,6 +182,13 @@
     return Error(ENOSYS);
   }
 
+  // pidfd_open provides a file descriptor that refers to a process, meant to
+  // replace the pid as the method of identifying processes. For now there is no
+  // reason to support this, so just pretend pidfd_open doesn't exist.
+  if (sysno == __NR_pidfd_open) {
+    return Error(ENOSYS);
+  }
+
   if (sysno == __NR_fcntl)
     return RestrictFcntlCommands();
 
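Review bot: The new comment says what pidfd_open is but not why the disposition is `Error(ENOSYS)` rather than the crash the commit message says was being hit, and that reasoning is the part a later reader needs when deciding whether to relax or tighten it. Suggest a third comment line such as `// Returning ENOSYS (not crashing) mimics a pre-5.3 kernel, which callers must already tolerate.` Note also that `__NR_pidfd_open` has to be defined for every sysroot this file compiles against; if the toolchain headers predate 5.3 it presumably comes from the sandbox's own syscall-number headers, which this hunk does not show. The sibling pidfd_send_signal and pidfd_getfd syscalls are not touched here and keep whatever default the policy already applies. The enclosing function starts and ends outside the hunk.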
diff --git a/policy/linux/bpf_service_policy_linux.cc b/policy/linux/bpf_service_policy_linux.cc
index 3ddc8bf..81a8237 100644
--- a/policy/linux/bpf_service_policy_linux.cc
+++ b/policy/linux/bpf_service_policy_linux.cc
@@ -24,6 +24,10 @@
   switch (sysno) {
     case __NR_ioctl:
       return RestrictIoctl();
+    // Some third party libraries seem to call sched_getaffinity(). There's not
+    // much reason to block the syscall.
+    case __NR_sched_getaffinity:
+      return RestrictSchedTarget(GetPolicyPid(), sysno);
       // Allow the system calls below.
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
     defined(__aarch64__)
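Review bot: The comment added above `case __NR_sched_getaffinity` states only that there is little reason to block the call, while the actual security property — that `RestrictSchedTarget(GetPolicyPid(), sysno)` limits it to the sandboxed process, per the commit message — goes unmentioned; the identical case in bpf_utility_policy_linux.cc has the same gap. Suggest `// Allow sched_getaffinity() only for the calling process; RestrictSchedTarget() still rejects other pids.` The exact treatment of other pids depends on RestrictSchedTarget(), which is outside this hunk, so the wording should be checked against it. The enclosing switch starts before the hunk and continues past it.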
diff --git a/policy/linux/bpf_utility_policy_linux.cc b/policy/linux/bpf_utility_policy_linux.cc
index dfe9e9c..b9f0aa7 100644
--- a/policy/linux/bpf_utility_policy_linux.cc
+++ b/policy/linux/bpf_utility_policy_linux.cc
@@ -30,6 +30,10 @@
     case __NR_prlimit64:
       // Restrict prlimit() to reference only the calling process.
       return RestrictPrlimitToGetrlimit(GetPolicyPid());
+    // Some third party libraries seem to call sched_getaffinity(). There's not
+    // much reason to block the syscall.
+    case __NR_sched_getaffinity:
+      return RestrictSchedTarget(GetPolicyPid(), sysno);
     // Allow the system calls below.
     case __NR_fdatasync:
     case __NR_fsync:
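Review bot: The new two-line comment is placed above the `case __NR_sched_getaffinity:` label, while the neighbouring `__NR_prlimit64` case in the same hunk puts its explanatory comment after the label, indented with the `return`; mixing the two placements makes it harder to tell which label a comment belongs to. Moving the comment below the label keeps the list consistent: `case __NR_sched_getaffinity:` followed by `// Some third party libraries seem to call sched_getaffinity(). There's not` and `// much reason to block the syscall.` at the indentation of the return. The enclosing switch starts before the hunk and continues past it.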