
Use EACCES over EPERM for broker process denied errno

When dlopen is called without an absolute path, it looks in a number
of search paths for the requested library (e.g. /lib64/libfoo.so,
/usr/lib/libfoo.so). Often, these files don't exist and the
corresponding openat syscall should return ENOENT, but because of
the GPU sandbox, the syscall returns EPERM instead [1]. glibc's
implementation of dlopen, however, early-exits when it sees an
unexpected errno [2] and terminates without attempting the remaining
search paths. Thus, even if the library *is* allowlisted in a later
path, dlopen will still exit with a failure.

This CL fixes this issue by changing the denied errno to EACCES for
the broker process.

Bug: 1233028
Change-Id: I192098eb072f2ee6fb18aa7da3d1998f8328149f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054490
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Brian Ho <hob@chromium.org>
Cr-Commit-Position: refs/heads/master@{#905330}
Author: Brian Ho
Date: 2021-07-26 17:58:40 +00:00
Committed by: Chromium LUCI CQ
Parent: f6989a4654
Commit: 0d437e0221
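As an added illustration (a constructed model, not glibc's loader and not part of this change), the Python below walks a library search path by the rule the commit message describes: ENOENT or EACCES from a candidate path means try the next directory, any other errno aborts the whole search. The directory list, the `libfoo.so` name and the fake filesystem are constructed for the example.

```python
import errno

# Errnos the modelled loader treats as "not here, try the next directory".
# Anything else (EPERM included) is treated as an unexpected failure.
CONTINUE_ERRNOS = {errno.ENOENT, errno.EACCES}


def search_library(name, search_paths, fake_fs):
    """Return (path, None) on success or (None, errno_value) on failure.

    fake_fs maps an absolute path to None (the file exists and opens) or to
    the errno that openat() would report for that path under the sandbox.
    """
    last_err = errno.ENOENT
    for directory in search_paths:
        candidate = f"{directory}/{name}"
        err = fake_fs.get(candidate, errno.ENOENT)
        if err is None:
            return candidate, None          # opened successfully
        if err not in CONTINUE_ERRNOS:
            return None, err                # unexpected errno: give up early
        last_err = err
    return None, last_err


# Constructed search order; /usr/lib is searched last.
SEARCH_PATHS = ["/lib64", "/usr/lib64", "/usr/lib"]


def sandboxed_fs(denied_errno):
    """Constructed sandbox view: only /usr/lib/libfoo.so is allowlisted and
    opens; every other candidate path is denied with `denied_errno`."""
    fs = {f"{d}/libfoo.so": denied_errno for d in SEARCH_PATHS}
    fs["/usr/lib/libfoo.so"] = None
    return fs


def demo():
    """Search once with EPERM as the denied errno (before this change) and
    once with EACCES (after it); only the second reaches the allowlisted path."""
    before = search_library("libfoo.so", SEARCH_PATHS, sandboxed_fs(errno.EPERM))
    after = search_library("libfoo.so", SEARCH_PATHS, sandboxed_fs(errno.EACCES))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((None, 1), ('/usr/lib/libfoo.so', None)) on Linux
```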

@ -490,8 +490,12 @@ void SandboxLinux::StartBrokerProcess(
PreSandboxHook broker_side_hook,
const Options& options) {
// Leaked at shutdown, so use bare |new|.
// Use EACCES as the policy's default error number to remain consistent with
// other LSMs like AppArmor and Landlock. Some userspace code, such as
// glibc's |dlopen|, expect to see EACCES rather than EPERM. See
// crbug.com/1233028 for an example.
broker_process_ = new syscall_broker::BrokerProcess(
BPFBasePolicy::GetFSDeniedErrno(), allowed_command_set, permissions,
EACCES, allowed_command_set, permissions,
syscall_broker::BrokerProcess::BrokerType::SIGNAL_BASED);
// The initialization callback will perform generic initialization and then
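Review bot: hardcoding `EACCES` here replaces `BPFBasePolicy::GetFSDeniedErrno()` only for the broker, so a filesystem access that the seccomp-bpf policy denies directly, without going through the broker, may still report the policy's own errno and the two paths can now disagree; if that split is intended, state it in the new comment, otherwise change the value at its source in `GetFSDeniedErrno()` so both stay consistent. `EACCES` also needs `<errno.h>` (or `<cerrno>`) in this translation unit, so confirm it is included rather than reached transitively. Minor: in the new comment, "Some userspace code ... expect" should read "expects".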