sandbox/linux/services/broker_process.cc - Issue 23619009: Do not use O_CLOEXEC for open() in the broker process.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: sandbox/linux/services/broker_process.cc

Issue 23619009: Do not use O_CLOEXEC for open() in the broker process. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sandbox/linux/services/broker_process.cc

diff --git a/sandbox/linux/services/broker_process.cc b/sandbox/linux/services/broker_process.cc

index 7999e77fa34fcef4ad8575fa905d66f645df6986..29222074e667fbbf4adafc32af055c6793ec33ca 100644

--- a/sandbox/linux/services/broker_process.cc

+++ b/sandbox/linux/services/broker_process.cc

@@ -43,9 +43,6 @@ static const size_t kMaxMessageLength = 4096;

// over unix sockets just fine, so a receiver that would (incorrectly) look at

// O_CLOEXEC instead of FD_CLOEXEC may be tricked in thinking that the file

// descriptor will or won't be closed on execve().

-// Since we have to account for buggy userland (see crbug.com/237283), we will

-// open(2) the file with O_CLOEXEC in the broker process if necessary, in

-// addition to calling recvmsg(2) with MSG_CMSG_CLOEXEC.

static const int kCurrentProcessOpenFlagsMask = O_CLOEXEC;

// Check whether |requested_filename| is in |allowed_file_names|.

@@ -81,7 +78,7 @@ bool GetFileNameInWhitelist(const std::vector<std::string>& allowed_file_names,

// we're ok to allow in the broker.

// I.e. here is where we wouldn't add O_RESET_FILE_SYSTEM.

bool IsAllowedOpenFlags(int flags) {

- // First, check the access mode

+ // First, check the access mode.

const int access_mode = flags & O_ACCMODE;

if (access_mode != O_RDONLY && access_mode != O_WRONLY &&

access_mode != O_RDWR) {

@@ -95,13 +92,8 @@ bool IsAllowedOpenFlags(int flags) {

// Some flags affect the behavior of the current process. We don't support

// them and don't allow them for now.

- if (flags & kCurrentProcessOpenFlagsMask) {

- // We make an exception for O_CLOEXEC. Buggy userland could check for

- // O_CLOEXEC and the only way to set it is to originally open with this

- // flag. See the comment around kCurrentProcessOpenFlagsMask.

- if (!(flags & O_CLOEXEC))

- return false;

- }

+ if (flags & kCurrentProcessOpenFlagsMask)

+ return false;

// Now check that all the flags are known to us.

const int creation_and_status_flags = flags & ~O_ACCMODE;

@@ -217,6 +209,7 @@ int BrokerProcess::PathAndFlagsSyscall(enum IPCCommands syscall_type,

// this code if other flags are added.

RAW_CHECK(kCurrentProcessOpenFlagsMask == O_CLOEXEC);

recvmsg_flags |= MSG_CMSG_CLOEXEC;

+ flags &= ~O_CLOEXEC;

}

// There is no point in forwarding a request that we know will be denied.

« no previous file with comments | « no previous file | sandbox/linux/services/broker_process_unittest.cc » ('j') | no next file with comments »