Need to drop (namespace relative) CAP_SYS_ADMIN for non-broker non-zygote processes
Issue description

We are leaving CAP_SYS_ADMIN (relative to its user namespace) on for non-broker, non-zygote processes in the Linux sandbox. This is for any process that calls EnterNamespaceSandbox, so for now just the network sandbox, and in the future probably the GPU and audio sandboxes. The zygote drops this capability after entering a new PID namespace, but we don't drop it anywhere for non-zygote processes. We just need to drop it at the same time as all the other capabilities for non-zygote processes.
Sep 21
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/961da4b1594e23e23e73187c7703f7f06a0eb6d2

commit 961da4b1594e23e23e73187c7703f7f06a0eb6d2
Author: Matthew Denton <mpdenton@chromium.org>
Date: Fri Sep 21 18:23:14 2018

Drop CAP_SYS_ADMIN for non-broker non-zygote processes

Bug: 887783
Test: /proc/{network process pid}/status shows no capabilities
Change-Id: I08c7d6665c520b361a1a48bcd2f1a5812dadce52
Reviewed-on: https://chromium-review.googlesource.com/1229363
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593264}

[modify] https://crrev.com/961da4b1594e23e23e73187c7703f7f06a0eb6d2/services/service_manager/sandbox/linux/sandbox_linux.cc
Nov 15
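An added example, not code from Chromium's sandbox_linux.cc: a small C program that empties the calling thread's capability sets (CAP_SYS_ADMIN included), which is what the fix does for non-zygote sandboxed processes, and then verifies the result by reading /proc/self/status the way the commit's Test line describes. It assumes a Linux host with glibc; dropping capabilities is always permitted, so it works as an unprivileged user and inside a user namespace, where the sets are namespace-relative.

```c
// Added example (not Chromium code): drop all capabilities, then
// confirm it via /proc/self/status.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Clear the permitted, effective and inheritable sets of the calling
   thread. Lowering a set is always allowed, so no privilege is needed.
   Note: the bounding set (CapBnd) is not touched by capset(2); it can
   only be shrunk per-capability with prctl(PR_CAPBSET_DROP). */
int drop_all_capabilities(void) {
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = {{0}};  /* all bits zero */
    return syscall(SYS_capset, &hdr, data);
}

/* Parse the hex bitmask after a field such as "CapEff" in
   /proc/self/status. Returns UINT64_MAX if the field is not found. */
uint64_t read_cap_set(const char *field) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return UINT64_MAX;
    char line[256];
    uint64_t mask = UINT64_MAX;
    size_t n = strlen(field);
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, field, n) == 0 && line[n] == ':') {
            mask = strtoull(line + n + 1, NULL, 16);
            break;
        }
    }
    fclose(f);
    return mask;
}

/* 1 if CAP_SYS_ADMIN is absent from the given capability mask. */
int sys_admin_dropped(uint64_t mask) {
    return (mask & (UINT64_C(1) << CAP_SYS_ADMIN)) == 0;
}

int main(void) {
    if (drop_all_capabilities() != 0) { perror("capset"); return 1; }
    printf("CapEff=%016llx CapPrm=%016llx\n",
           (unsigned long long)read_cap_set("CapEff"),
           (unsigned long long)read_cap_set("CapPrm"));
    return sys_admin_dropped(read_cap_set("CapEff")) ? 0 : 1;
}
```

Run it as any user and both CapEff and CapPrm print as all zeros; run it under `unshare -Ur` to see that the namespace-relative capabilities are dropped the same way.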
Comment 1 by mpdenton@google.com, Sep 21