diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-15 02:08:45 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-15 02:08:45 +0000 |
| commit | 48569688925a28c99ce3b92ffcd81b0c3f407c15 (patch) | |
| tree | db711e99dfce0f60acbc24f28794bc4f7ca46675 /sandbox | |
| parent | 214d0fde9003f6057ec81ba54929f4ea2d2da1fb (diff) | |
| download | chromium_src-48569688925a28c99ce3b92ffcd81b0c3f407c15.zip chromium_src-48569688925a28c99ce3b92ffcd81b0c3f407c15.tar.gz chromium_src-48569688925a28c99ce3b92ffcd81b0c3f407c15.tar.bz2 | |
Linux: various sandbox changes
* In development mode, don't let the sandbox run SUID or SGID
binaries
* Only obay CHROME_DEVEL_SANDBOX if the binary UID matches the
read UID.
* Change the default sandbox path to save those who do nothing.
R=markus
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20710 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
| -rw-r--r-- | sandbox/linux/suid/sandbox.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sandbox/linux/suid/sandbox.cc b/sandbox/linux/suid/sandbox.cc index 2c4a2fa..e784d87 100644 --- a/sandbox/linux/suid/sandbox.cc +++ b/sandbox/linux/suid/sandbox.cc @@ -256,6 +256,12 @@ int main(int argc, char **argv) { return 1; } + if ((S_ISUID | S_ISGID) & st.st_mode) { + fprintf(stderr, "The development sandbox is refusing to run %s because it " + "is SUID or SGID\n", argv[1]); + return 1; + } + char proc_fd_buffer[128]; snprintf(proc_fd_buffer, sizeof(proc_fd_buffer), "/proc/self/fd/%d", binary_fd); argv[1] = proc_fd_buffer; |