Interesting. FWIW, this test is green on our internal continuous testing system, so something must be different... The last test results I can see are from version 8867.0.0 though, so it's possible this actually starts with 8868.0.0.

Here's the list of offenders for pid 18354 from your client.DEBUG log:

10/06 14:29:27.903 ERROR|  security_OpenFDs:0147| Found unexpected fds in chrome type=renderer: set(['0500 /usr/lib64/libasound.so.2.0.0', '0500 /usr/lib64/libgestures.so.0', '0500 /usr/lib64/libsmime3.so', '0500 /usr/lib64/libffi.so.6.0.2', '0500 /lib64/libz.so.1.2.8', '0500 /usr/lib64/libfontconfig.so.1.8.0', '0500 /usr/lib64/libminigbm.so.1.0.0', '0700 /tmp/.org.chromium.Chromium.AQueDs (deleted)', '0500 /usr/lib64/libcups.so.2', '0500 /usr/lib64/libavahi-common.so.3.5.3', '0500 /usr/lib64/libstdc++.so.6.0.20', '0500 /usr/lib64/libglib-2.0.so.0.3400.3', '0500 /usr/lib64/libdrm.so.2.4.0', '0500 /usr/lib64/libgmp.so.10.3.0', '0700 /tmp/.org.chromium.Chromium.AQsA42 (deleted)', '0500 /usr/lib64/libgcc_s.so.1', '0500 /usr/lib64/libplds4.so', '0500 /usr/lib64/libavahi-client.so.3.2.9', '0500 /opt/google/chrome/chrome', '0500 /usr/lib64/libfreetype.so.6.12.6', '0500 /lib64/libc-2.19.so', '0500 /usr/lib64/libnspr4.so', '0500 /usr/lib64/libjsoncpp.so.0.6.0', '0500 /usr/lib64/libplc4.so', '0500 /lib64/ld-2.19.so', '0500 /usr/lib64/libnettle.so.4.7', '0500 /home/chronos/Dictionaries/en-US-7-1.bdic', '0500 /usr/lib64/libpng16.so.16.25.0', '0500 /usr/lib64/libdbus-1.so.3.7.2', '0500 /usr/lib64/libhogweed.so.2.5', '0500 /lib64/libm-2.19.so', '0500 /usr/lib64/libharfbuzz.so.0.10302.0', '0500 /usr/lib64/libcras.so.0.0.0', '0500 /usr/lib64/libxkbcommon.so.0.0.0', '0500 /usr/lib64/libnssutil3.so', '0500 /usr/lib64/libexpat.so.1.6.0', '0500 /usr/lib64/libnss3.so', '0500 /usr/lib64/libevdev.so.0', '0500 /lib64/libdl-2.19.so', '0500 /lib64/librt-2.19.so', '0500 /lib64/libpthread-2.19.so', '0500 /usr/lib64/libgnutls.so.26.22.6'])

I noted that the proc-fd.txt file from our builders doesn't list any shared libraries, which would explain the failure you're seeing. More digging required...

It turns out I'm seeing regular file descriptors for shared libraries on my test device as well. This is quite odd, given that all the mmap()ed libraries shouldn't have open file descriptors. Interestingly, I only observe this for renderers, the browser process is not affected.

The zygote process has all the .so descriptors open though, so they're apparently inherited into the renderer processes. Remaining question is to figure out how the zygote process ends up in this state.

Looked some more: I think the FDs are opened by the stack dumping code here: https://cs.chromium.org/chromium/src/base/debug/stack_trace_posix.cc?rcl=0&l=592

This code is disabled for OFFICIAL_BUILD, explaining why the test succeeds on our test infrastructure.

Thus, the failure is actually a red herring and doesn't indicate a security issue.

We might adjust the test to whitelist regular file descriptors for shared modules in case we're dealing with a non-official chrome binary. This introduces the risk of mis-detection though and accidentally allowing these FDs even for release builds...

Given that, I'm hesitant to do anything about this. Maybe adjust the test output to alert readers to the fact that this test is expected to fail against non-official Chrome binaries is a reasonable solution?

Removing security labels given that there are no security risks for users.

Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot