Security: Don't use env variables in atrusd Upstart config file
Issue description

https://chromium.googlesource.com/chromiumos/third_party/atrusctl/+/master/init/atrusd.conf#13

    env chroot=/tmp/atrusd_chroot

    pre-start script
      mkdir -p "$chroot/dev" "$chroot/lib/firmware/google" "$chroot/run/udev" \
        "$chroot/sys" "$chroot/tmp" "$chroot/usr/sbin" "$chroot/run/dbus"
    end script

Does atrusd need to track this with an environment variable? This would allow a compromised Chrome browser process (or other process with privilege to talk to Upstart) to make Upstart create these directories anywhere. If possible, just hardcode the directories.

Assigning to Emil since he wrote the original code, hopefully you can route appropriately.

As per our guidelines at https://chromium.googlesource.com/chromiumos/docs/+/master/security_severity_guidelines.md, this is medium severity since it could be dangerous when combined with other bugs. Medium severity bugs get normally assigned to the latest stable milestone. Given that this runs on CFM, we might be OK with just fixing on ToT though.
Apr 26 2018
Thanks! I'm gonna tag this as M68 to signal the fact that we don't need to cherry-pick to branches.
May 2 2018
May 2 2018
As explained by mnissler, I confused "env" with "import". Feel free to close this as WontFix.
May 3 2018
May 15 2018
Comment 1 by lndmrk@chromium.org, Apr 26 2018
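The env/import distinction that closed this issue can be checked mechanically. The following is an added example, not part of the thread or of atrusctl: a small audit that flags job code expanding a name declared with `import`. It assumes that `env` values are fixed in the job file while `import` names are filled in by whoever starts the job; `audit_job` and both sample jobs are hypothetical.

```python
import re

# Constructed job files; only the env line and the mkdir form come from the issue.
ENV_JOB = """\
env chroot=/tmp/atrusd_chroot
pre-start script
  mkdir -p "$chroot/dev" "$chroot/run/udev"
end script
"""
IMPORT_JOB = """\
import chroot
pre-start script
  mkdir -p "$chroot/dev" "$chroot/run/udev"
end script
"""

VAR_REF = re.compile(r"\$(?:\{(\w+)\}|(\w+))")
PHASES = {"pre-start", "post-start", "pre-stop", "post-stop"}

def audit_job(text):
    """Return sorted (line_no, variable) pairs where job code expands an imported name."""
    rows = [(no, raw.strip()) for no, raw in enumerate(text.splitlines(), 1)]
    # Assumption: names listed by `import` are supplied by the caller at start time.
    imported = {l.split()[1] for _, l in rows
                if l.startswith("import ") and len(l.split()) == 2}
    findings, in_script = set(), False
    for no, line in rows:
        words = line.split()
        if not words or line.startswith("#"):
            continue
        if in_script and words == ["end", "script"]:
            in_script = False
            continue
        if not in_script:
            head = words[1:] if words[0] in PHASES else words
            if head == ["script"]:
                in_script = True
                continue
            if not head or head[0] != "exec":
                continue  # other stanzas (env, import, description) run no code
        for m in VAR_REF.finditer(line):
            name = m.group(1) or m.group(2)
            if name in imported:
                findings.add((no, name))
    return sorted(findings)

if __name__ == "__main__":
    for label, job in (("env", ENV_JOB), ("import", IMPORT_JOB)):
        print(label, audit_job(job))
```
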