Google Git
Sign in
chromium / chromium / src / sandbox / c53e37bab4e01a58400b18d2f9cb68d4a3d3575c
commitc53e37bab4e01a58400b18d2f9cb68d4a3d3575c[log] [tgz]
authorBrian Ho <hob@chromium.org>Mon Jul 26 17:58:40 2021
committerCopybara-Service <copybara-worker@google.com>Tue Jul 27 12:07:12 2021
tree3a02cae24ecda0d148263131936fa3ce1e540cb6
parent9f4aead3898887867cc770fc882377bb9d1b6558 [diff]
Use EACCES over EPERM for broker process denied errno

When dlopen is called without an absolute path, it looks in a number
of search paths for the requested library (e.g. /lib64/libfoo.so,
/usr/lib/libfoo.so). Often, these files don't exist and the
corresponding openat syscall should return ENOENT, but because of
the GPU sandbox, the syscall returns EPERM instead [1]. glibc's
implementation of dlopen, however, early-exits when it sees an
unexpected errno [2] and terminates without attempting the remaining
search paths. Thus, even if the library *is* allowlisted in a later
path, dlopen will still exit with a failure.

This CL fixes this issue by changing the denied errno to EACCES for
the broker process.

Bug: 1233028
Change-Id: I192098eb072f2ee6fb18aa7da3d1998f8328149f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054490
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Brian Ho <hob@chromium.org>
Cr-Commit-Position: refs/heads/master@{#905330}
NOKEYCHECK=True
GitOrigin-RevId: 0d437e022154a5a5509d1232deec787b2a0fa5ea
1 file changed
tree: 3a02cae24ecda0d148263131936fa3ce1e540cb6
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. constants.h
  7. DEPS
  8. DIR_METADATA
  9. features.gni
  10. ipc.dict
  11. OWNERS
  12. README.md
  13. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.