From: Nix <nix@esperi.org.uk>
To: linux-kernel@vger.kernel.org
Cc: Andy Lutomirski <luto@mit.edu>, mseaborn@chromium.org
Subject: [3.1 REGRESSION] Commit 5cec93c216db77c45f7ce970d46283bcb1933884 breaks the Chromium seccomp sandbox
Date: Mon, 14 Nov 2011 00:40:43 +0000 [thread overview]
Message-ID: <8762inleno.fsf@spindle.srvr.nix> (raw)
With this commit installed:
commit 5cec93c216db77c45f7ce970d46283bcb1933884
Author: Andy Lutomirski <luto@MIT.EDU>
Date: Sun Jun 5 13:50:24 2011 -0400
x86-64: Emulate legacy vsyscalls
With CONFIG_SECCOMP set, and the Chromium seccomp sandbox compiled in
and enabled (which is not the default), on a system running glibc 2.12.x
(thus, relying on emulated vsyscalls), Chromium renderers sometimes hang
or abruptly abort before rendering anything (both of which show as pages
that never complete rendering and eventually get a Chromium kill request
dialog). The hang is consistent for a given page, but not all pages
hang. (One that *does* hang is the chrome://extensions page, so network
access is not the problem here.)
vsyscall=native does not help.
Turning off CONFIG_SECCOMP, or running Chromium with the seccomp sandbox
disabled, fixes it.
I speculate that do_emulate_vsyscall() is broken, but it's hard to debug
the Chromium renderer sandboxing to see what's failing because the
multiple layers of sandboxing get in the way, as they are designed to :)
(also, I am not in any way shape or form a Chromium hacker). Chromium
does downright terrible things to convert syscalls into IPC calls
outside the seccomp sandbox (mostly to a separate, nonseccomped,
assembler thread in the same process, but in some cases via IPC to an
entirely separate process for validation followed by IPC back and
execution in that separate thread). I suspect this delicate dance (for
which see seccompsandbox/ in a Chromium source tree) has been disrupted.
I have raised Chromium bug
<http://code.google.com/p/chromium/issues/detail?id=104084> to attract
the Chromium hackers' attention to this, and am Cc:ing a Chromium hacker
whose fingers are all over the seccomp sandbox as well. Hopefully the
cause, or a diagnostic trick, will be obvious to someone other than me.
--
NULL && (void)
next reply other threads:[~2011-11-14 1:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-14 0:40 Nix [this message]
2011-11-14 2:36 ` [3.1 REGRESSION] Commit 5cec93c216db77c45f7ce970d46283bcb1933884 breaks the Chromium seccomp sandbox Andrew Lutomirski
2011-11-14 4:00 ` Andrew Lutomirski
2011-11-14 6:50 ` Mark Seaborn
2011-11-14 8:38 ` Andrew Lutomirski
2011-11-14 11:41 ` Nix
2011-11-14 16:26 ` Mark Seaborn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8762inleno.fsf@spindle.srvr.nix \
--to=nix@esperi.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@mit.edu \
--cc=mseaborn@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox