Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(9)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 2641513004: Namespace sandbox: add check for unprivileged use of CLONE_NEWUSER (Closed)

Created:
3 years, 11 months ago by Tom (Use chromium acct)
Modified:
3 years, 11 months ago
Reviewers:
sky, mdempsky
CC:
chromium-reviews, tfarina, rickyz+watch_chromium.org, jln+watch_chromium.org
Target Ref:
refs/pending/branch-heads/2924
Project:
chromium
Visibility:
Public.

Description

Namespace sandbox: add check for unprivileged use of CLONE_NEWUSER > Debian 8 restricts use of CLONE_NEWUSER to only processes with > CAP_SYS_ADMIN. (https://github.com/semplice/linux/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch) > Chrome was previously checking if the kernel supported CLONE_NEWUSER > by running clone(CLONE_NEWUSER, ...) with the same capabilities chrome > was launched with. This leads to 2 scenarios: > > 1. If Chrome was run as root: > The check for CLONE_NEWUSER will succeed. Chrome will then set up > the namespace sandbox by clone()'ing and dropping CAP_SYS_ADMIN. > Subsequent clone()'s with CLONE_NEWUSER will then fail. > > 2. If Chrome was run as a normal user: > The check for CLONE_NEWUSER will fail. Chrome will fallback to > using the setuid sandbox. > > The solution is to simply drop CAP_SYS_ADMIN before the check. > > In addition, this CL disallows running Chromium as root unless launched > with --no-sandbox. > > BUG=638180 > > Review-Url: https://codereview.chromium.org/2578483002 > Cr-Commit-Position: refs/heads/master@{#443062} NOTRY=true NOPRESUBMIT=true BUG=638180 TBR=sky@chromium.org,mdempsky@chromium.org Review-Url: https://codereview.chromium.org/2641513004 Cr-Commit-Position: refs/branch-heads/2924@{#785} Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059} Committed: https://chromium.googlesource.com/chromium/src/+/8b6103c5b1029b52feb6f34e2594d7e125a28f3e

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+45 lines, -24 lines) Patch
M chrome/app/generated_resources.grd View 1 chunk +1 line, -1 line 0 comments Download
M chrome/browser/ui/views/chrome_browser_main_extra_parts_views.cc View 2 chunks +3 lines, -3 lines 0 comments Download
M sandbox/linux/services/credentials.cc View 4 chunks +36 lines, -18 lines 0 comments Download
M sandbox/linux/suid/client/setuid_sandbox_client.cc View 1 chunk +5 lines, -2 lines 0 comments Download

Messages

Total messages: 9 (4 generated)
Tom (Use chromium acct)
sky@ + mdempsky@ PTAL/RS this merge
3 years, 11 months ago (2017-01-17 23:40:23 UTC) #2
mdempsky
lgtm
3 years, 11 months ago (2017-01-17 23:45:40 UTC) #3
sky
LGTM
3 years, 11 months ago (2017-01-17 23:52:38 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2641513004/1
3 years, 11 months ago (2017-01-17 23:53:54 UTC) #6
commit-bot: I haz the power
3 years, 11 months ago (2017-01-17 23:58:22 UTC) #9
Message was sent while issue was closed. 
Committed patchset #1 (id:1) as
https://chromium.googlesource.com/chromium/src/+/8b6103c5b1029b52feb6f34e2594...

Powered by Google App Engine
This is Rietveld 408576698