Issue metadata
Sign in to add a comment
|
CUPS: eliminate use of symlink in /var/spool/cups |
|||||||||||||||||||||||
Issue descriptionSymlinks and FIFOs are being blocked on the stateful file system for security reasons (see https://goo.gl/8xICW6 for context). CUPS uses a symlink in /var/spool/cups. For now we are adding an exception to the blocking policy to allow CUPS to use the symlink, but the symlink and exception should be removed. skau@ -- could you provide a pointer to the code that creates/uses the symlink?
,
Mar 2 2018
,
Mar 2 2018
,
Mar 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/8c48f932f4789a0b673d13a061d8cc2627003885 commit 8c48f932f4789a0b673d13a061d8cc2627003885 Author: Micah Morton <mortonm@chromium.org> Date: Thu Mar 08 08:37:38 2018 net-print/cups: Add symlink exception for CUPS. CUPS uses a symlink in /var/spool/cups. Create an exception so this symlink can be traversed by CUPS until it is patched to use a regular file instead of a symlink. This exception should be removed when CL:945141 lands. BUG= chromium:817851 TEST=Emerged CUPS to board and saw that file was created in symlink exceptions directory. Change-Id: Ica46b8510911678ab1fd3a25bbff813cdbc27e9f Reviewed-on: https://chromium-review.googlesource.com/953164 Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com> Tested-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Sean Kau <skau@chromium.org> [rename] https://crrev.com/8c48f932f4789a0b673d13a061d8cc2627003885/net-print/cups/cups-2.1.4-r38.ebuild [modify] https://crrev.com/8c48f932f4789a0b673d13a061d8cc2627003885/net-print/cups/cups-2.1.4.ebuild [add] https://crrev.com/8c48f932f4789a0b673d13a061d8cc2627003885/net-print/cups/files/cups-symlink-exceptions.txt
,
Aug 10
,
Aug 10
,
Sep 17
,
Sep 17
,
Sep 17
This symlink has now been used in an exploit so we need to address this in M-69.
,
Sep 18
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 18
,
Sep 19
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/3115babf0238a66fd2909923d731a9c167dbfd34 commit 3115babf0238a66fd2909923d731a9c167dbfd34 Author: Mike Frysinger <vapier@chromium.org> Date: Wed Sep 19 22:40:45 2018 cups: clear out any stale symlinks If the filters get into a bad state, make sure the next restart cleans it all up for us. BUG= chromium:817851 ,chromium:886901 TEST=precq passes Change-Id: I5a7e117e4abdaaf5e350c4a980e52fde783a2a88 Reviewed-on: https://chromium-review.googlesource.com/1231738 Commit-Ready: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org> Reviewed-by: Brian Norris <briannorris@chromium.org> [modify] https://crrev.com/3115babf0238a66fd2909923d731a9c167dbfd34/net-print/cups/files/init/cupsd.conf
,
Sep 19
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/f37947723da6c3dc22aa9437355e31baf3a97cd4 commit f37947723da6c3dc22aa9437355e31baf3a97cd4 Author: Mike Frysinger <vapier@chromium.org> Date: Wed Sep 19 22:40:37 2018 cups: tighten symlink exception to /var/spool/cups While cups uses symlinks under /var/spool/cups/, there's no need to allow all of /var/spool since /var/spool/cups itself isn't a symlink. BUG= chromium:817851 TEST=precq passes Change-Id: I03b907028a9d10ed4a1aa48ee5982532f2de0d6d Reviewed-on: https://chromium-review.googlesource.com/1232833 Commit-Ready: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org> Reviewed-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Brian Norris <briannorris@chromium.org> [modify] https://crrev.com/f37947723da6c3dc22aa9437355e31baf3a97cd4/net-print/cups/files/cups-symlink-exceptions.txt
,
Sep 20
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/25eadd23ea3bb024d30e046011c1fcced3be05e3 commit 25eadd23ea3bb024d30e046011c1fcced3be05e3 Author: Bernie Thompson <bhthompson@chromium.org> Date: Thu Sep 20 17:44:26 2018 Revert "cups: tighten symlink exception to /var/spool/cups" This reverts commit f37947723da6c3dc22aa9437355e31baf3a97cd4. Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=887500 Original change's description: > cups: tighten symlink exception to /var/spool/cups > > While cups uses symlinks under /var/spool/cups/, there's no need to > allow all of /var/spool since /var/spool/cups itself isn't a symlink. > > BUG= chromium:817851 > TEST=precq passes > > Change-Id: I03b907028a9d10ed4a1aa48ee5982532f2de0d6d > Reviewed-on: https://chromium-review.googlesource.com/1232833 > Commit-Ready: Mike Frysinger <vapier@chromium.org> > Tested-by: Mike Frysinger <vapier@chromium.org> > Reviewed-by: Micah Morton <mortonm@chromium.org> > Reviewed-by: Brian Norris <briannorris@chromium.org> Bug: chromium:817851 Change-Id: Iffb897f0372f3a7b854c010d05dc870c6ff1969b Reviewed-on: https://chromium-review.googlesource.com/1236994 Commit-Queue: Bernie Thompson <bhthompson@chromium.org> Tested-by: Bernie Thompson <bhthompson@chromium.org> Reviewed-by: Bernie Thompson <bhthompson@chromium.org> [modify] https://crrev.com/25eadd23ea3bb024d30e046011c1fcced3be05e3/net-print/cups/files/cups-symlink-exceptions.txt
,
Sep 20
the attempt at reducing symlink usage didn't go well as these two changes are "fighting" each other would be really nice to fix cups because the current exception involves whitelisting all of /var/spool/ which affects more than just cups
,
Sep 20
skau has a change out for review which removes the use of the symlink from CUPS itself. https://crrev.com/c/1236775
,
Sep 24
,
Sep 25
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/cups/+/49a182a4c42d95c998d97071bba57257090b63ec commit 49a182a4c42d95c998d97071bba57257090b63ec Author: Sean Kau <skau@chromium.org> Date: Tue Sep 25 18:58:25 2018 Stop using symlinks in /var/spool One usage of symlinks in /var/spool used by CUPS when a PPD is cached locally. Prefer to copy the file instead. BUG= chromium:817851 TEST=Run platform_AddPrinter Change-Id: I4a67f3c3dd98aab7e871fb9e719aa9842bf37fa7 Reviewed-on: https://chromium-review.googlesource.com/1236775 Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com> Tested-by: Sean Kau <skau@chromium.org> Reviewed-by: Brian Norris <briannorris@chromium.org> [modify] https://crrev.com/49a182a4c42d95c998d97071bba57257090b63ec/cups/util.c
,
Sep 25
Trying to merge these fixes back to 69+.
,
Sep 25
This bug requires manual review: M70 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 25
Can you get it into M70 and test, happy to approve merge to M69 once verified.
,
Sep 25
Did not mean to approve just yet.
,
Sep 25
Merge approved, M70... per chat with geohsu@. Once verified, I'll approve for M69.
,
Sep 25
BTW, isn't the point of this bug to remove 'symlink' from the cupsd seccomp filters and/or removing the symlink-exception file from the ebuild? Otherwise, there's not much point in the CL from #18, right? So I'd expect we should merge something like that in ToT before worrying too much about a M70 merge. Also, luum is working on this while skau is out.
,
Sep 26
I put up the CL to kill the exception: https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1244749
,
Sep 26
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 26
briannorris@, I agree, makes sense to focus on actually taking out the security exception on ToT for now, since without that, merging the CL in #18 doesn't fix the bug as it relates to issue 884511.
,
Sep 27
,
Sep 28
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/f290ea3051c55b16c1b216d217b9d95cb631531e commit f290ea3051c55b16c1b216d217b9d95cb631531e Author: Brian Norris <briannorris@chromium.org> Date: Fri Sep 28 02:45:01 2018 net-print/cups: remove symlink exception As of CL:1236775, we've stopped utilizing symlinks in cups. So remove the exception. BUG= chromium:817851 TEST=`test_that ... platform_AddPrinter.epson` Change-Id: If42ce8918251dd3ed23b2ca5cdf4f995e0e7c77c Signed-off-by: Brian Norris <briannorris@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1244749 Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com> Reviewed-by: David Valleau <valleau@chromium.org> Reviewed-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [delete] https://crrev.com/cec5252b247b9f4bd3cc4bede623893a380857d8/net-print/cups/files/cups-symlink-exceptions.txt [modify] https://crrev.com/f290ea3051c55b16c1b216d217b9d95cb631531e/net-print/cups/cups-9999.ebuild
,
Sep 28
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/cups/+/c41e8256e3a757332776c7f9c63aeeac1354dcfc commit c41e8256e3a757332776c7f9c63aeeac1354dcfc Author: Sean Kau <skau@chromium.org> Date: Wed Sep 26 22:12:40 2018 Stop using symlinks in /var/spool One usage of symlinks in /var/spool used by CUPS when a PPD is cached locally. Prefer to copy the file instead. BUG= chromium:817851 TEST=Run platform_AddPrinter Change-Id: I4a67f3c3dd98aab7e871fb9e719aa9842bf37fa7 Reviewed-on: https://chromium-review.googlesource.com/1236775 Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com> Tested-by: Sean Kau <skau@chromium.org> Reviewed-by: Brian Norris <briannorris@chromium.org> (cherry picked from commit 49a182a4c42d95c998d97071bba57257090b63ec) [modify] https://crrev.com/c41e8256e3a757332776c7f9c63aeeac1354dcfc/cups/util.c
,
Sep 28
I'd suggest somebody run through more thorough (e.g., manual; not just the autotests -- do you have tests for the more esoteric PPDs/filters?) tests on M71 and then merge #29 back. I'll assume luum can either do that or figure out who should do that.
,
Sep 28
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/b52953c80b1b7fe515c7f8482503697f39d37d4f commit b52953c80b1b7fe515c7f8482503697f39d37d4f Author: Mike Frysinger <vapier@chromium.org> Date: Fri Sep 28 22:12:10 2018 cups: clear out any stale symlinks If the filters get into a bad state, make sure the next restart cleans it all up for us. BUG= chromium:817851 ,chromium:886901 TEST=precq passes Change-Id: I5a7e117e4abdaaf5e350c4a980e52fde783a2a88 Reviewed-on: https://chromium-review.googlesource.com/1231738 (cherry picked from commit 3115babf0238a66fd2909923d731a9c167dbfd34) Reviewed-on: https://chromium-review.googlesource.com/1252284 Reviewed-by: Mike Frysinger <vapier@chromium.org> Commit-Queue: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/b52953c80b1b7fe515c7f8482503697f39d37d4f/net-print/cups/files/init/cupsd.conf
,
Oct 1
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 4
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 4
I think we're looking for this to land still? Otherwise that was a pointless merge to M70: https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1257598 So I guess I'll just submit it.
,
Oct 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/585331abd10c14fbd75abef287b6ebc8b489e0b0 commit 585331abd10c14fbd75abef287b6ebc8b489e0b0 Author: Brian Norris <briannorris@chromium.org> Date: Thu Oct 04 17:30:01 2018 net-print/cups: remove symlink exception As of CL:1236775, we've stopped utilizing symlinks in cups. So remove the exception. BUG= chromium:817851 TEST=`test_that ... platform_AddPrinter.epson` Change-Id: If42ce8918251dd3ed23b2ca5cdf4f995e0e7c77c Signed-off-by: Brian Norris <briannorris@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1244749 Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com> Reviewed-by: David Valleau <valleau@chromium.org> Reviewed-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> (cherry picked from commit f290ea3051c55b16c1b216d217b9d95cb631531e) Reviewed-on: https://chromium-review.googlesource.com/c/1257598 Tested-by: Luum Habtemariam <luum@chromium.org> Trybot-Ready: Luum Habtemariam <luum@chromium.org> [delete] https://crrev.com/f39e0d7c6e9fe3ca74478f49d10205d7625a217a/net-print/cups/files/cups-symlink-exceptions.txt [modify] https://crrev.com/585331abd10c14fbd75abef287b6ebc8b489e0b0/net-print/cups/cups-9999.ebuild
,
Oct 4
+ Matthias: We're done with M70 merges. Is this still important for M69?
,
Oct 17
,
Dec 5
,
Dec 6
,
Jan 2
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||||||||
Comment 1 by skau@chromium.org
, Mar 2 2018