Chromium Code Reviews

Unified Diff: sandbox/linux/suid/client/setuid_sandbox_client.cc

Issue 2578483002: Namespace sandbox: add check for unprivileged use of CLONE_NEWUSER (Closed)
Patch Set: Add comment Created 3 years, 11 months ago
Index: sandbox/linux/suid/client/setuid_sandbox_client.cc
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc
index ca73d46444e12e386fbd9bed5c99fbcad382ed71..7b9ebf5acb0f614b348366c337c5b1d229b37848 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client.cc
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc
@@ -22,8 +22,11 @@
namespace {
bool IsFileSystemAccessDenied() {
- base::ScopedFD root_dir(HANDLE_EINTR(open("/", O_RDONLY)));
- return !root_dir.is_valid();
+ // We would rather check "/" instead of "/proc/self/exe" here, but
+ // that gives false positives when running as root. See
+ // https://codereview.chromium.org/2578483002/#msg3
+ base::ScopedFD proc_self_exe(HANDLE_EINTR(open("/proc/self/exe", O_RDONLY)));
+ return !proc_self_exe.is_valid();
}
int GetHelperApi(base::Environment* env) {
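
Review bot: In IsFileSystemAccessDenied(), `return !proc_self_exe.is_valid();` treats every open() failure as "file system access denied", and with the probe now on "/proc/self/exe" that includes cases unrelated to the sandbox, such as /proc not being mounted (ENOENT) or file descriptor exhaustion (EMFILE/ENFILE). Consider checking errno for the values expected under the sandbox, or at least documenting that the function assumes a mounted /proc. Also, the new comment only says that "/" "gives false positives when running as root" and points to the review thread for the reason; a one-sentence statement of why root breaks the "/" check would keep the rationale in the source if the link stops resolving.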