Namespace sandbox: add check for unprivileged use of CLONE_NEWUSER

sandbox/linux/suid/client/setuid_sandbox_client.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include <string>
 #include <utility>
 
 #include "base/environment.h"
 #include "base/files/scoped_file.h"
 #include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/strings/string_number_conversions.h"
 #include "sandbox/linux/suid/common/sandbox.h"
 
 namespace {
 
 bool IsFileSystemAccessDenied() {
-  base::ScopedFD root_dir(HANDLE_EINTR(open("/", O_RDONLY)));
-  return !root_dir.is_valid();
+  // We would rather check "/" instead of "/proc/self/exe" here, but
+  // that gives false positives when running as root.  See
+  // https://codereview.chromium.org/2578483002/#msg3
+  base::ScopedFD proc_self_exe(HANDLE_EINTR(open("/proc/self/exe", O_RDONLY)));
+  return !proc_self_exe.is_valid();
 }
 
 int GetHelperApi(base::Environment* env) {
   std::string api_string;
   int api_number = 0;  // Assume API version 0 if no environment was found.
   if (env->GetVar(sandbox::kSandboxEnvironmentApiProvides, &api_string) &&
       !base::StringToInt(api_string, &api_number)) {
     // It's an error if we could not convert the API number.
     api_number = -1;
   }
@@ skipping 105 matching lines @@
 
 bool SetuidSandboxClient::IsInNewNETNamespace() const {
   return env_->HasVar(kSandboxNETNSEnvironmentVarName);
 }
 
 bool SetuidSandboxClient::IsSandboxed() const {
   return sandboxed_;
 }
 
 }  // namespace sandbox