Dropping shill privileges: eliminate need to access every executable path in system
Issue description

Shill tries to iterate through /proc and read /proc/<PID>/exe for every PID in the system in order to find and kill a spawned DHCPCD process. Reading executable paths of processes owned by other users cannot be done by a non-root user. See code below: https://cs.corp.google.com/chromeos_public/src/aosp/system/connectivity/shill/dhcp/dhcp_provider.cc?rcl=e940876477cc07e8c38a329c0808fb0fb3880477&l=86

May 9 2018
Under the hood, the NamedProcessIterator class tries to access /proc/<pid>/exe for every <pid> on the system. With shill running as a non-root user, this generates an EACCES error for every process on the system that isn't owned by shill. This doesn't affect correctness of execution (since shill can still access /proc/<pid>/exe for processes it spawns, and in the first iteration of dropping shill privs we give it CAP_KILL so it can kill children after they've switched UID/GID to a different user), but does produce a bunch of syscall errors that were not seen before. There is already a TODO in the NamedProcessIterator code (https://cs.corp.google.com/chromeos_public/src/aosp/external/libchrome/base/process/process_iterator_linux.cc?rcl=0b087f9dcf23367a24f0bacc738abe9ec8ed6506&l=79) to skip trying to access /proc/<pid>/exe for "processes owned by different UID", so not much more we can do here.
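
The UID check that the TODO above asks for can be sketched as follows. This is an added example, not shill or libchrome code; the function name OwnedPidsRunning, its parameters and the /sbin/dhcpcd path are assumptions.

```cpp
// Added example, not shill or libchrome code. OwnedPidsRunning and its
// parameters are hypothetical names.
#include <dirent.h>
#include <sys/stat.h>
#include <unistd.h>

#include <climits>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Returns the PIDs under proc_root (normally "/proc") that are owned by
// `uid` and whose exe link points at exe_path. Entries owned by another UID
// are skipped before readlink(), so no EACCES is generated for them.
std::vector<pid_t> OwnedPidsRunning(const std::string& proc_root,
                                    const std::string& exe_path, uid_t uid) {
  std::vector<pid_t> pids;
  DIR* dir = opendir(proc_root.c_str());
  if (!dir) return pids;
  while (struct dirent* ent = readdir(dir)) {
    // Only all-numeric names are process directories.
    if (ent->d_name[0] < '1' || ent->d_name[0] > '9') continue;
    char* end = nullptr;
    long pid = strtol(ent->d_name, &end, 10);
    if (*end != '\0') continue;

    const std::string pid_dir = proc_root + "/" + ent->d_name;
    struct stat st;
    // stat() on /proc/<pid> is allowed for any process and reports its owner.
    // The process may exit between readdir() and stat(); just skip it.
    if (stat(pid_dir.c_str(), &st) != 0 || st.st_uid != uid) continue;

    char target[PATH_MAX];
    ssize_t n = readlink((pid_dir + "/exe").c_str(), target, sizeof(target));
    if (n < 0) continue;  // exited, kernel thread, or still not permitted
    if (std::string(target, static_cast<size_t>(n)) == exe_path)
      pids.push_back(static_cast<pid_t>(pid));
  }
  closedir(dir);
  return pids;
}

int main() {
  // The path below is an assumed install location for dhcpcd.
  for (pid_t pid : OwnedPidsRunning("/proc", "/sbin/dhcpcd", geteuid()))
    std::printf("%d\n", static_cast<int>(pid));
  return 0;
}
```

The filter compares against the owner that /proc reports for each PID directory, so a child that has already switched to another UID is skipped as well; pass that UID as the third argument if such children must be found.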
Comment 1 by mortonm@chromium.org, Feb 5 2018
Labels: OS-Chrome