| field | value | date |
|---|---|---|
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-10 17:50:24 +0000 |
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-10 17:50:24 +0000 |
| commit | 415493bea409a054a89b153abf3e508842f1d73c (patch) | |
| tree | a71a33d4c988baf582fd981a1f38980531bf2644 | |
| parent | 058b13225061a013cd839f36a73b08a9dbaf6f1e (diff) | |
| download | chromium_src-415493bea409a054a89b153abf3e508842f1d73c.zip chromium_src-415493bea409a054a89b153abf3e508842f1d73c.tar.gz chromium_src-415493bea409a054a89b153abf3e508842f1d73c.tar.bz2 | |
Linux: allow the binary to be readable with the SUID sandbox.

Previously, we required that the binary be non-readable. This causes the
kernel to mark the process as non-dumpable at startup. The thinking was
that, although we were putting the renderers into a PID namespace (with
the SUID sandbox), they would nonetheless be in the /same/ PID
namespace. So they could ptrace each other unless they were non-dumpable.

If the binary was readable, then there would be a window between process
startup and the point where we set the non-dumpable flag in which a
compromised renderer could ptrace attach.

However, now that we have a zygote model, only the (trusted) zygote
exists at this point and we can set the non-dumpable flag which is
inherited by all our renderer children.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20383 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/zygote_main_linux.cc | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc index 8e4fb55..c6854e9 100644 --- a/chrome/browser/zygote_main_linux.cc +++ b/chrome/browser/zygote_main_linux.cc @@ -229,15 +229,19 @@ static bool MaybeEnterChroot() { static const int kMagicSandboxIPCDescriptor = 5; SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor); - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) { - LOG(ERROR) << "CRITICAL: The SUID sandbox is being used, but the chrome " - "binary is also marked as readable. This means that the " - "process starts up dumpable. That means that there's a " - "window where another renderer process can ptrace this " - "process and sequestrate it. This is a packaging error. " - "Please report it as such."; - } - + // Previously, we required that the binary be non-readable. This causes the + // kernel to mark the process as non-dumpable at startup. The thinking was + // that, although we were putting the renderers into a PID namespace (with + // the SUID sandbox), they would nonetheless be in the /same/ PID + // namespace. So they could ptrace each other unless they were non-dumpable. + // + // If the binary was readable, then there would be a window between process + // startup and the point where we set the non-dumpable flag in which a + // compromised renderer could ptrace attach. + // + // However, now that we have a zygote model, only the (trusted) zygote + // exists at this point and we can set the non-dumpable flag which is + // inherited by all our renderer children. prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) return false; |
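Review bot: the new comment block records the history but not the invariant the code now depends on, namely that `prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)` in MaybeEnterChroot() must run in the zygote before any renderer is forked, so every child inherits the non-dumpable flag and no untrusted process exists during the window between exec and this prctl. Suggest replacing the first two paragraphs (which restate the commit message) with one sentence stating that ordering requirement, because a later refactor that forks a renderer before MaybeEnterChroot() would silently reopen the window that the removed LOG(ERROR) used to flag. The retained `if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) return false;` still verifies that the flag took effect, so dropping the packaging-error diagnostic is consistent with the binary now being expected to be readable; it just means a readable binary is no longer surfaced in the logs at all, which is worth a note in the comment.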