author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-10 21:39:04 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-10 21:39:04 +0000 |
commit | aac449e7154720b895ff1e7f3497c2ce95ae1a5a (patch) | |
tree | 1964554316fe4b54cd0efa6ba471dd61467bfe39 /ipc/ipc_channel_posix.cc | |
parent | dc78796d35a53f758b2b6b729cf8a18034783d13 (diff) | |
POSIX: make sure that we never pass directory descriptors into the sandbox.
BUG=43304
http://codereview.chromium.org/2733011/show
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@49446 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'ipc/ipc_channel_posix.cc')
-rw-r--r-- | ipc/ipc_channel_posix.cc | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/ipc/ipc_channel_posix.cc b/ipc/ipc_channel_posix.cc
index f4d6f7b..7c599ab 100644
--- a/ipc/ipc_channel_posix.cc
+++ b/ipc/ipc_channel_posix.cc
@@ -791,6 +791,15 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages() {
 const unsigned num_fds = msg->file_descriptor_set()->size();
 DCHECK_LE(num_fds, FileDescriptorSet::MAX_DESCRIPTORS_PER_MESSAGE);
+ if (msg->file_descriptor_set()->ContainsDirectoryDescriptor()) {
+ LOG(FATAL) << "Panic: attempting to transport directory descriptor over"
+ " IPC. Aborting to maintain sandbox isolation.";
+ // If you have hit this then something tried to send a file descriptor
+ // to a directory over an IPC channel. Since IPC channels span
+ // sandboxes this is very bad: the receiving process can use openat
+ // with ".." elements in the path in order to reach the real
+ // filesystem.
+ }
 msgh.msg_control = buf;
 msgh.msg_controllen = CMSG_SPACE(sizeof(int) * num_fds); |
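Review bot: The new `ContainsDirectoryDescriptor()` guard only fires at send time and responds by aborting the whole sending process, so it works as a fail-closed backstop, not as the place where a directory descriptor is rejected. Nothing in this hunk shows the code that attaches descriptors to a message; if any of it opens paths on behalf of a less-privileged peer, it should check the descriptor type itself and fail that one request, otherwise the `LOG(FATAL)` becomes an abort reachable from ordinary request handling. I would record that in the block, e.g. `// Backstop only: code that attaches descriptors must reject directories before queuing the message.`, and move the existing rationale comment above the `LOG(FATAL)` line so it is not read as text following an abort. `ContainsDirectoryDescriptor()` is defined outside the hunk, so confirm it treats a descriptor it cannot stat as a directory and does not skip it. The body of `ProcessOutgoingMessages()` starts and ends outside this hunk.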