Use EACCES over EPERM for broker process denied errno
When dlopen is called without an absolute path, it looks in a number of search paths for the requested library (e.g. /lib64/libfoo.so, /usr/lib/libfoo.so). Often, these files don't exist and the corresponding openat syscall should return ENOENT, but because of the GPU sandbox, the syscall returns EPERM instead [1]. glibc's implementation of dlopen, however, early-exits when it sees an unexpected errno [2] and terminates without attempting the remaining search paths. Thus, even if the library *is* allowlisted in a later path, dlopen will still exit with a failure.

This CL fixes this issue by changing the denied errno to EACCES for the broker process.

Bug: 1233028
Change-Id: I192098eb072f2ee6fb18aa7da3d1998f8328149f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054490
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Brian Ho <hob@chromium.org>
Cr-Commit-Position: refs/heads/master@{#905330}

committed by Chromium LUCI CQ
parent f6989a4654
commit 0d437e0221
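
A simplified model of the search behaviour the commit message describes, added here as an illustration (not Chromium or glibc code). It assumes the loader treats ENOENT and EACCES as "try the next directory" and stops on any other errno; `sandboxed_open`, `search_library` and the `/opt/allowed` path are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed search list: the first two entries come from the commit
 * message, the last one is a made-up allowlisted location. */
static const char *const kSearchPaths[] = {
    "/lib64/libfoo.so", "/usr/lib/libfoo.so", "/opt/allowed/libfoo.so"};
#define N_PATHS (sizeof(kSearchPaths) / sizeof(kSearchPaths[0]))

/* Hypothetical stand-in for an open routed through the sandbox: only the
 * last path is allowlisted, every other path yields the denied errno. */
static int sandboxed_open(size_t index, int denied_errno) {
    return index == N_PATHS - 1 ? 0 : denied_errno;
}

/* Model of the search loop (assumption, not glibc source): ENOENT and EACCES
 * move on to the next directory, any other errno aborts the whole search.
 * Returns the index of the path that opened, or -1 with *failed_errno set. */
int search_library(int denied_errno, int *failed_errno) {
    for (size_t i = 0; i < N_PATHS; i++) {
        int err = sandboxed_open(i, denied_errno);
        if (err == 0)
            return (int)i;
        if (err != ENOENT && err != EACCES) {
            *failed_errno = err; /* unexpected errno: give up early */
            return -1;
        }
    }
    *failed_errno = ENOENT; /* every directory was tried, none had the file */
    return -1;
}

int main(void) {
    const int candidates[] = {EPERM, EACCES, ENOENT};
    const char *const names[] = {"EPERM", "EACCES", "ENOENT"};
    for (size_t i = 0; i < 3; i++) {
        int failed = 0;
        int hit = search_library(candidates[i], &failed);
        if (hit >= 0)
            printf("denied errno %s: loaded %s\n", names[i], kSearchPaths[hit]);
        else
            printf("denied errno %s: search aborted, errno %d\n", names[i], failed);
    }
    return 0;
}
```

With EPERM as the denied errno the search stops at the first path and never reaches the allowlisted one; with EACCES it reaches it.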
@ -490,8 +490,12 @@ void SandboxLinux::StartBrokerProcess(
|
||||
PreSandboxHook broker_side_hook,
|
||||
const Options& options) {
|
||||
// Leaked at shutdown, so use bare |new|.
|
||||
// Use EACCES as the policy's default error number to remain consistent with
|
||||
// other LSMs like AppArmor and Landlock. Some userspace code, such as
|
||||
// glibc's |dlopen|, expect to see EACCES rather than EPERM. See
|
||||
// crbug.com/1233028 for an example.
|
||||
broker_process_ = new syscall_broker::BrokerProcess(
|
||||
BPFBasePolicy::GetFSDeniedErrno(), allowed_command_set, permissions,
|
||||
EACCES, allowed_command_set, permissions,
|
||||
syscall_broker::BrokerProcess::BrokerType::SIGNAL_BASED);
|
||||
|
||||
// The initialization callback will perform generic initialization and then
|
||||
|
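Review bot: the literal EACCES passed as the first argument to syscall_broker::BrokerProcess replaces BPFBasePolicy::GetFSDeniedErrno(), so the broker's denial errno is now hard-coded at this call site and no longer follows the value the BPF base policy uses for filesystem denials. The new comment explains why EACCES was chosen but does not say that diverging from GetFSDeniedErrno() is intentional; consider stating that in the comment, or giving the value a named constant, so a later change to one side does not silently drift from the other. In the comment, "Some userspace code ... expect to see" should read "expects". No test is visible in this hunk for the case the comment describes, a denied path followed by an allowlisted one in the search order.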