Issue 804941

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug

Dropping shill privileges: shill expects access to /sys/kernel/debug

Reported by mortonm@chromium.org (Project Member), Jan 23 2018

Issue description

Shill reads from /sys/kernel/debug/ieee80211/<interface>/queues as part of wifi monitoring and writes to /sys/kernel/debug/bootstage/mark as part of bootstat. Debugfs is mounted as mode=750, writable by root and readable by root and members of group 'debugfs-access'.

See code below.


Read: https://cs.corp.google.com/chromeos_public/src/aosp/system/connectivity/shill/wifi/mac80211_monitor.cc?rcl=e940876477cc07e8c38a329c0808fb0fb3880477&l=129

Write: https://cs.corp.google.com/chromeos_public/src/platform2/bootstat/bootstat_log.c?rcl=d43e1af7e8b2a442cb976bef467103c4d65b16e1&l=134

Components: Security
Labels: OS-Chrome
Components: OS>Systems>Network
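Added example, not shill's or the Chrome OS project's code: a pre-flight access check for the least-privilege plan the report describes. From an inventory of owner/group/mode per path it decides whether a non-root user could traverse debugfs (mounted 750 root:debugfs-access) and read or write the two files named above. The daemon user name "shill", the interface name phy0 and the modes of the entries inside debugfs are assumptions.

```shell
# Added example (not shill's or Chrome OS's code): a pre-flight check before dropping a
# daemon's privileges. From an inventory of "path owner group mode" lines it decides
# whether a non-root user could traverse to, and read or write, each file it needs.
# On a live system the inventory can be produced with: stat -c '%n %U %G %a' PATH...

# perm_bits MODE OWNER GROUP USER "GROUPS": the rwx triple USER gets on that object.
perm_bits() {
  local m=$((0$1)) owner="$2" group="$3" user="$4" groups="$5" g digit
  [ "$user" = root ] && { echo rwx; return 0; }   # CAP_DAC_OVERRIDE, as before sandboxing
  digit=$((m & 7))                                # default: the "other" class
  for g in $groups; do [ "$g" = "$group" ] && digit=$(((m >> 3) & 7)); done
  [ "$user" = "$owner" ] && digit=$(((m >> 6) & 7))   # owner class takes precedence
  case $digit in
    0) echo ---;; 1) echo --x;; 2) echo -w-;; 3) echo -wx;;
    4) echo r--;; 5) echo r-x;; 6) echo rw-;; 7) echo rwx;;
  esac
}

# check_access INVENTORY PATH r|w USER "GROUPS": every ancestor directory listed in the
# inventory must grant x (search) and the final object must grant the requested bit.
# Ancestors absent from the inventory are assumed traversable (an assumption).
check_access() {
  local inv="$1" target="$2" need="$3" user="$4" groups="$5" rest cur="" want entry bits
  rest=${target#/}
  while [ -n "$rest" ]; do
    cur="$cur/${rest%%/*}"
    case $rest in */*) rest=${rest#*/};; *) rest="";; esac
    entry=$(printf '%s\n' "$inv" | awk -v p="$cur" '$1 == p { print $2, $3, $4 }')
    [ -z "$entry" ] && continue
    set -- $entry                                 # owner group mode
    bits=$(perm_bits "$3" "$1" "$2" "$user" "$groups")
    if [ "$cur" = "$target" ]; then want=$need; else want=x; fi
    case $bits in *"$want"*) ;;
      *) echo "DENY  $user lacks '$want' on $cur ($1:$2 $3 -> $bits)"; return 1;;
    esac
  done
  echo "ALLOW $user may '$need' $target"
}

# Constructed inventory mirroring the report: debugfs mounted 750 root:debugfs-access.
# The modes of entries inside debugfs are sample values, not taken from a real device.
DEBUGFS='/sys/kernel/debug root debugfs-access 750
/sys/kernel/debug/ieee80211 root root 755
/sys/kernel/debug/ieee80211/phy0 root root 755
/sys/kernel/debug/ieee80211/phy0/queues root root 444
/sys/kernel/debug/bootstage root root 755
/sys/kernel/debug/bootstage/mark root root 200'

check_access "$DEBUGFS" /sys/kernel/debug/ieee80211/phy0/queues r shill "shill debugfs-access" || true
check_access "$DEBUGFS" /sys/kernel/debug/bootstage/mark w shill "shill debugfs-access" || true
```

With the constructed inventory the read of the queues file is allowed once the user is in debugfs-access, while the write to bootstage/mark is denied, which is the second gap the report identifies.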

Comment 4 by bugdroid1@chromium.org, Jun 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/aosp/platform/system/connectivity/shill/+/0e30845991f1be900722bb84445352ac35ed7e39

commit 0e30845991f1be900722bb84445352ac35ed7e39
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Jun 15 17:57:58 2018

shill: give shill access to debugfs files and /proc/net/ip_conntrack

This CL is in preparation to run the shill process tree as a non-root
user.

Adjust perms on miscellaneous files that need to be accessed by shill as part of
performing network configuration and monitoring. Shill is able to access
networking-related files in /sys/class/net and /proc/sys/net through the
use of runtime capabilities, so these 3 exceptions should be the only
ones we need to make for sandboxing shill.

BUG=chromium:649417, chromium:804941
TEST=tested as part of larger sandbox shill debug CL

Change-Id: I3b1ab8e10cc7fa87fbfba03272c5921ab29f8947
Reviewed-on: https://chromium-review.googlesource.com/1086211
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[add] https://crrev.com/0e30845991f1be900722bb84445352ac35ed7e39/udev/88-chown_debugfs_dir.rules
[modify] https://crrev.com/0e30845991f1be900722bb84445352ac35ed7e39/init/shill-pre-start.sh

Status: Fixed (was: Untriaged)