Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: allow unsandboxed renderers to request new privileges #19953

Merged
merged 2 commits into from Aug 27, 2019
Merged

fix: allow unsandboxed renderers to request new privileges #19953

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
aacb2b6
fix: allow unsandboxed renderers to request new privileges
nornagon Aug 26, 2019
cb18ff7
add test
nornagon Aug 27, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions patches/chromium/.patches
View file
Open in desktop
Expand Up @@ -75,3 +75,4 @@ disable_color_correct_rendering.patch
add_contentgpuclient_precreatemessageloop_callback.patch
picture-in-picture.patch
disable_compositor_recycling.patch
allow_new_privileges_in_unsandboxed_child_processes.patch
30 changes: 30 additions & 0 deletions patches/chromium/allow_new_privileges_in_unsandboxed_child_processes.patch
View file
Open in desktop
@@ -0,0 +1,30 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Apthorp <nornagon@nornagon.net>
Date: Mon, 26 Aug 2019 12:02:51 -0700
Subject: allow new privileges in unsandboxed child processes

This allows unsandboxed renderers to launch setuid processes on Linux.

diff --git a/content/browser/child_process_launcher_helper_linux.cc b/content/browser/child_process_launcher_helper_linux.cc
index 720b92a1a3a7ab5512f839005b272e4989d2ac65..b1759109627cd00053489dcdd397e942fa9d289f 100644
--- a/content/browser/child_process_launcher_helper_linux.cc
+++ b/content/browser/child_process_launcher_helper_linux.cc
@@ -54,6 +54,18 @@ bool ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
const int sandbox_fd = SandboxHostLinux::GetInstance()->GetChildSocket();
options->fds_to_remap.push_back(
std::make_pair(sandbox_fd, service_manager::GetSandboxFD()));
+
+ // (For Electron), if we're launching without zygote, that means we're
+ // launching an unsandboxed process (since all sandboxed processes are
+ // forked from the zygote). Relax the allow_new_privs option to permit
+ // launching suid processes from unsandboxed renderers.
+ service_manager::ZygoteHandle zygote_handle =
+ base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kNoZygote)
+ ? nullptr
+ : delegate_->GetZygote();
+ if (!zygote_handle) {
+ options->allow_new_privs = true;
+ }
}

options->environment = delegate_->GetEnvironment();
13 changes: 13 additions & 0 deletions spec/node-spec.js
View file
Open in desktop
Expand Up @@ -155,6 +155,19 @@ describe('node feature', () => {
})
})
})

describe('child_process.exec', () => {
(process.platform === 'linux' ? it : it.skip)('allows executing a setuid binary from non-sandboxed renderer', () => {
// Chrome uses prctl(2) to set the NO_NEW_PRIVILEGES flag on Linux (see
// https://github.com/torvalds/linux/blob/40fde647cc/Documentation/userspace-api/no_new_privs.rst).
// We disable this for unsandboxed processes, which the remote tests
// are running in. If this test fails with an error like 'effective uid
// is not 0', then it's likely that our patch to prevent the flag from
// being set has become ineffective.
const stdout = ChildProcess.execSync('sudo --help')
expect(stdout).to.not.be.empty()
})
})
})

describe('contexts', () => {
Expand Down