Google Git
Sign in
chromium / chromium / src / sandbox / 69b167b23fb4a83d47fb196f16dd8627c6a4042b
commit69b167b23fb4a83d47fb196f16dd8627c6a4042b[log] [tgz]
authorMatthew Denton <mpdenton@chromium.org>Tue Sep 14 21:54:54 2021
committerCopybara-Service <copybara-worker@google.com>Tue Sep 14 22:08:48 2021
treef1161782f62485ae490e63ea951a576d03d7871f
parent4882d68656ada9b831b9892e751f8742252389cd [diff]
Linux sandbox: Fix conflict between syscall broker and fstat() handler

Recently glibc began rewriting fstat() calls to the seccomp-hostile
fstatat(). The baseline policy is set up to handle fstatat() calls
and rewrite them back to fstat(). However, when the syscall broker
is in use (and has the COMMAND_STAT capability), it overrides the
fstatat() handling with its own, which does not know how to rewrite
glibc's fstatat() call back to fstat() and therefore fails with EPERM.

Fix this in the seccomp policy by redirecting any fstatat() syscalls
that use the AT_EMPTY_PATH flag to our "rewriter" instead of to the
broker.

Bug: 1243290
Change-Id: Ia7f200583a58fff57e4370aeb83e1e2295121fb3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3156602
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#921428}
NOKEYCHECK=True
GitOrigin-RevId: 0d2344ef77fc4634b8e6bca6c1d7731c92291f8e
9 files changed
tree: f1161782f62485ae490e63ea951a576d03d7871f
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. constants.h
  7. DEPS
  8. DIR_METADATA
  9. features.gni
  10. ipc.dict
  11. OWNERS
  12. README.md
  13. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.