path: root/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch
Diffstat (limited to 'pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch')
-rw-r--r--pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch109
1 files changed, 45 insertions, 64 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch b/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch
index a8f3ed0befd4..57f5992a3fa8 100644
--- a/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch
+++ b/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch
@@ -1,4 +1,4 @@
-commit 3c80951744293441c2e66345ef7d82c199f4600e
+commit 0fec7e4a742f001c9816a8b58a1120fb44230867
Author: aszlig <aszlig@redmoonstudios.org>
Date: Thu May 16 14:17:56 2013 +0200
@@ -47,7 +47,7 @@ index 9e39fba..00e4c79 100644
#if defined(OS_CHROMEOS)
diff --git a/base/process/launch_posix.cc b/base/process/launch_posix.cc
-index fe4da1a..7f118b8 100644
+index 457234f..a99ce9b 100644
--- a/base/process/launch_posix.cc
+++ b/base/process/launch_posix.cc
@@ -40,6 +40,10 @@
@@ -111,7 +111,7 @@ index fe4da1a..7f118b8 100644
// DANGER: fork() rule: in the child, if you don't end up doing exec*(),
// you call _exit() instead of exit(). This is because _exit() does not
// call any previously-registered (in the parent) exit handlers, which
-@@ -451,6 +480,40 @@ bool LaunchProcess(const std::vector<std::string>& argv,
+@@ -452,6 +481,40 @@ bool LaunchProcess(const std::vector<std::string>& argv,
_exit(127);
} else {
// Parent process
@@ -153,52 +153,28 @@ index fe4da1a..7f118b8 100644
// While this isn't strictly disk IO, waiting for another process to
// finish is the sort of thing ThreadRestrictions is trying to prevent.
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
-index 0106a7a..a0465af 100644
+index 9d63ad9..0885705 100644
--- a/content/browser/zygote_host/zygote_host_impl_linux.cc
+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
-@@ -124,25 +124,31 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
+@@ -144,6 +144,9 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
+ // A non empty sandbox_cmd means we want a SUID sandbox.
+ using_suid_sandbox_ = !sandbox_cmd.empty();
- sandbox_binary_ = sandbox_cmd.c_str();
-
-- // A non empty sandbox_cmd means we want a SUID sandbox.
-- using_suid_sandbox_ = !sandbox_cmd.empty();
+ bool userns_sandbox = false;
+ const std::vector<std::string> cmd_line_unwrapped(cmd_line.argv());
-
-- if (using_suid_sandbox_) {
-+ if (!sandbox_cmd.empty()) {
- struct stat st;
- if (stat(sandbox_binary_.c_str(), &st) != 0) {
- LOG(FATAL) << "The SUID sandbox helper binary is missing: "
- << sandbox_binary_ << " Aborting now.";
- }
-
-- if (access(sandbox_binary_.c_str(), X_OK) == 0 &&
-- (st.st_uid == 0) &&
-- (st.st_mode & S_ISUID) &&
-- (st.st_mode & S_IXOTH)) {
-+ if (access(sandbox_binary_.c_str(), X_OK) == 0) {
-+ using_suid_sandbox_ = true;
+
- cmd_line.PrependWrapper(sandbox_binary_);
+ // Start up the sandbox host process and get the file descriptor for the
+ // renderers to talk to it.
+ const int sfd = RenderSandboxHostLinux::GetInstance()->GetRendererSocket();
+@@ -156,11 +159,24 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
+ sandbox_client->PrependWrapper(&cmd_line);
+ sandbox_client->SetupLaunchOptions(&options, &fds_to_map, &dummy_fd);
+ sandbox_client->SetupLaunchEnvironment();
++ userns_sandbox = sandbox_client->IsNoSuid();
+ }
- scoped_ptr<sandbox::SetuidSandboxClient>
- sandbox_client(sandbox::SetuidSandboxClient::Create());
- sandbox_client->SetupLaunchEnvironment();
-+
-+ if (!((st.st_uid == 0) &&
-+ (st.st_mode & S_ISUID) &&
-+ (st.st_mode & S_IXOTH))) {
-+ userns_sandbox = true;
-+ sandbox_client->SetNoSuid();
-+ }
- } else {
- LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
- "configured correctly. Rather than run without sandboxing "
-@@ -167,7 +173,19 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
- base::LaunchOptions options;
+ base::ProcessHandle process = -1;
options.fds_to_remap = &fds_to_map;
- options.allow_new_privs = using_suid_sandbox_; // Don't PR_SET_NO_NEW_PRIVS.
+ if (userns_sandbox)
+ options.new_user_namespace = true;
base::LaunchProcess(cmd_line.argv(), options, &process);
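Review bot: The new side chooses the user-namespace fallback solely from `userns_sandbox = sandbox_client->IsNoSuid();`, i.e. from the environment variable PrependWrapper sets, and nothing in this hunk checks that the kernel permits unprivileged user namespaces before `base::LaunchProcess` runs with `options.new_user_namespace = true`. If the clone is refused, the only visible backstop is the `CHECK(process != -1) << "Failed to launch zygote process"` in the following hunk, which presumably gives no hint that the cause is a non-setuid helper combined with disabled userns. A comment at the decision point would make the trade-off explicit: `// Helper is not setuid root: sandbox via a new user namespace instead (flag set by PrependWrapper).` ZygoteHostImpl::Init starts before and ends after this hunk.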
@@ -213,13 +189,13 @@ index 0106a7a..a0465af 100644
+ }
+
CHECK(process != -1) << "Failed to launch zygote process";
+ dummy_fd.reset();
- if (using_suid_sandbox_) {
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
-index 5dc09fa..4e09bc4 100644
+index 11f0602..b7b8214 100644
--- a/content/zygote/zygote_main_linux.cc
+++ b/content/zygote/zygote_main_linux.cc
-@@ -397,6 +397,13 @@ static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox) {
+@@ -389,6 +389,13 @@ static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox) {
CHECK(CreateInitProcessReaper());
}
@@ -234,10 +210,10 @@ index 5dc09fa..4e09bc4 100644
// Previously, we required that the binary be non-readable. This causes the
// kernel to mark the process as non-dumpable at startup. The thinking was
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc
-index 8ed1a97..cbdfadc 100644
+index fc03cdd..a972faa 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client.cc
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc
-@@ -173,6 +173,10 @@ bool SetuidSandboxClient::IsInNewNETNamespace() const {
+@@ -229,6 +229,10 @@ bool SetuidSandboxClient::IsInNewNETNamespace() const {
return env_->HasVar(kSandboxNETNSEnvironmentVarName);
}
@@ -248,20 +224,34 @@ index 8ed1a97..cbdfadc 100644
bool SetuidSandboxClient::IsSandboxed() const {
return sandboxed_;
}
-@@ -182,4 +186,8 @@ void SetuidSandboxClient::SetupLaunchEnvironment() {
- SetSandboxAPIEnvironmentVariable(env_);
- }
+@@ -277,8 +281,7 @@ void SetuidSandboxClient::PrependWrapper(base::CommandLine* cmd_line) {
+ "LinuxSUIDSandboxDevelopment.";
+ }
-+void SetuidSandboxClient::SetNoSuid() {
-+ env_->SetVar(kSandboxNoSuidVarName, "1");
-+}
+- if (access(sandbox_binary.c_str(), X_OK) != 0 || (st.st_uid != 0) ||
+- ((st.st_mode & S_ISUID) == 0) || ((st.st_mode & S_IXOTH)) == 0) {
++ if (access(sandbox_binary.c_str(), X_OK) != 0) {
+ LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
+ "configured correctly. Rather than run without sandboxing "
+ "I'm aborting now. You need to make sure that "
+@@ -286,6 +289,12 @@ void SetuidSandboxClient::PrependWrapper(base::CommandLine* cmd_line) {
+ }
+
+ cmd_line->PrependWrapper(sandbox_binary);
+
- } // namespace sandbox
++ if (!((st.st_uid == 0) &&
++ (st.st_mode & S_ISUID) &&
++ (st.st_mode & S_IXOTH))) {
++ env_->SetVar(kSandboxNoSuidVarName, "1");
++ }
+ }
+
+ void SetuidSandboxClient::SetupLaunchOptions(
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h
-index 0f6db7a..c629391 100644
+index 2bbad7a..8605475 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client.h
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.h
-@@ -46,6 +46,8 @@ class SANDBOX_EXPORT SetuidSandboxClient {
+@@ -66,6 +66,8 @@ class SANDBOX_EXPORT SetuidSandboxClient {
bool IsInNewPIDNamespace() const;
// Did the setuid helper create a new network namespace ?
bool IsInNewNETNamespace() const;
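Review bot: In PrependWrapper the setuid-root test at the new `if (!((st.st_uid == 0) && (st.st_mode & S_ISUID) && (st.st_mode & S_IXOTH)))` no longer aborts but silently switches to no-suid mode by setting `kSandboxNoSuidVarName`, while the `LOG(FATAL)` message kept a few lines above still says the helper is "not configured correctly" although that branch now fires only when `access(sandbox_binary.c_str(), X_OK)` fails. A downgrade of the sandbox mode should be visible to whoever runs the browser, e.g. `LOG(WARNING) << "SUID sandbox helper is not setuid root; using a user namespace instead.";` inside the new block, and the fatal message should be narrowed to the executable check it now guards. The `st` buffer this test reads is presumably filled by a stat() earlier in PrependWrapper, outside the hunk, so whether a failed stat() still aborts cannot be judged from here; PrependWrapper starts before the hunk.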
@@ -270,15 +260,6 @@ index 0f6db7a..c629391 100644
// Are we done and fully sandboxed ?
bool IsSandboxed() const;
-@@ -53,6 +55,8 @@ class SANDBOX_EXPORT SetuidSandboxClient {
- // helper.
- void SetupLaunchEnvironment();
-
-+ void SetNoSuid();
-+
- private:
- // Holds the environment. Will never be NULL.
- base::Environment* env_;
diff --git a/sandbox/linux/suid/common/sandbox.h b/sandbox/linux/suid/common/sandbox.h
index 9345287..2db659e 100644
--- a/sandbox/linux/suid/common/sandbox.h