commit | 69b167b23fb4a83d47fb196f16dd8627c6a4042b | [log] [tgz] |
---|---|---|
author | Matthew Denton <mpdenton@chromium.org> | Tue Sep 14 21:54:54 2021 |
committer | Copybara-Service <copybara-worker@google.com> | Tue Sep 14 22:08:48 2021 |
tree | f1161782f62485ae490e63ea951a576d03d7871f | |
parent | 4882d68656ada9b831b9892e751f8742252389cd [diff] |
Linux sandbox: Fix conflict between syscall broker and fstat() handler Recently glibc began rewriting fstat() calls to the seccomp-hostile fstatat(). The baseline policy is set up to handle fstatat() calls and rewrite them back to fstat(). However, when the syscall broker is in use (and has the COMMAND_STAT capability), it overrides the fstatat() handling with its own, which does not know how to rewrite glibc's fstatat() call back to fstat() and therefore fails with EPERM. Fix this in the seccomp policy by redirecting any fstatat() syscalls that use the AT_EMPTY_PATH flag to our "rewriter" instead of to the broker. Bug: 1243290 Change-Id: Ia7f200583a58fff57e4370aeb83e1e2295121fb3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3156602 Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Commit-Queue: Matthew Denton <mpdenton@chromium.org> Cr-Commit-Position: refs/heads/main@{#921428} NOKEYCHECK=True GitOrigin-RevId: 0d2344ef77fc4634b8e6bca6c1d7731c92291f8e
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:
mac/
uses the Seatbelt sandbox. See the detailed design for more.linux/
uses namespaces and Seccomp-BPF. See the detailed design for more.win/
uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.Built on top of the low-level sandboxing library is the //sandbox/policy
component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.