Problem with adding file access permission to a sandboxed service.


Ramin Halavati
Feb 2, 2022, 10:36:42 AM
to servic...@chromium.org
Hi,

I am working on a draft CL for a sandboxed service, and I have added BrokerFilePermission for "/dev/urandom" with all permissions as:
std::vector<BrokerFilePermission> permissions{BrokerFilePermission::ReadOnly("/dev/urandom")};
sandbox::policy::SandboxLinux::GetInstance()->StartBrokerProcess(
      MakeBrokerCommandSet({sandbox::syscall_broker::COMMAND_ACCESS,
                            sandbox::syscall_broker::COMMAND_OPEN,
                            sandbox::syscall_broker::COMMAND_READLINK,
                            sandbox::syscall_broker::COMMAND_STAT,
                            sandbox::syscall_broker::COMMAND_STAT64,
                            sandbox::syscall_broker::COMMAND_UNLINK}),
      permissions, sandbox::policy::SandboxLinux::PreSandboxHook(), options);

But when I run the service, and while the file exists on the local computer, I get an error message saying:
libc++abi: terminating with uncaught exception of type std::__u::system_error: random_device failed to open /dev/urandom: No such file or directory

Here is the patch and the full error dump. Any hint is greatly appreciated.

Best,
Ramin

P.S. There was a similar issue related to gRPC 10 days ago (b/215367007), but the timing doesn't seem to match my problem; I may be wrong, though.

Ramin Halavati
Feb 3, 2022, 10:56:05 AM
to servic...@chromium.org
More generally, if I add:
std::vector<BrokerFilePermission> permissions{BrokerFilePermission::ReadWriteCreateRecursive("/")}; 

and have a BPF policy file that returns Allow for all BPFBasePolicy::EvaluateSyscall calls (as in crrev.com/c/3358073), shouldn't I expect the sandbox to allow everything?
It would also be great if you could point me to appropriate reading here.

Robert Sesek
Feb 3, 2022, 3:58:58 PM
to Ramin Halavati, Security-dev, Matthew Denton, servic...@chromium.org
+Security-dev +Matthew Denton 

Hi Ramin,

I think this is because your CL specifies both __NR_open and __NR_openat as unconditional Allow()s. But those need to be directed to the broker for handling. Try moving the ShouldBrokerHandleSyscall() handling up first.

- Robert

--
You received this message because you are subscribed to the Google Groups "services-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/services-dev/CAORodQjs2yRSSeUOi2C0E9bgxREyyb%3DWtY-mZ0a1UhEgVLAHXQ%40mail.gmail.com.
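The ordering problem described in the reply above, and the question in the second message about whether a permissive permission list plus an Allow-all policy lets everything through, as an added example that is not code from this thread or from Chromium. It is a small stand-alone C++ model: Verdict, FilePermission, Broker, BuggyPolicy, FixedPolicy, SandboxedOpen, UrandomBroker and the pseudo fd 42 are all hypothetical stand-ins for the real sandbox::bpf_dsl and syscall_broker types, and the model assumes the sandboxed process has been moved into an empty root so that a direct (non-brokered) open() of any host path fails with ENOENT. It shows that an unconditional Allow() for open/openat placed before the broker check makes those syscalls bypass the broker entirely (the permission list never runs and the open fails with ENOENT, the error std::random_device printed), while the reordered policy traps them to the broker, which then enforces the BrokerFilePermission list.

```cpp
// Added example, not Chromium code: a model of how the order of checks in a
// seccomp-BPF EvaluateSyscall() decides whether open()/openat() reach the
// broker. All names below are hypothetical stand-ins for the real sandbox types.
#include <cassert>
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <fcntl.h>
#include <set>
#include <string>
#include <utility>
#include <vector>

// What the BPF policy returns for a syscall (stand-in for a bpf_dsl ResultExpr).
enum class Verdict { kAllow, kTrapToBroker };

// x86-64 syscall numbers; used only as lookup keys in this model.
constexpr int kNrOpen = 2;
constexpr int kNrOpenat = 257;

// Stand-in for BrokerFilePermission: one path with the accesses it permits.
struct FilePermission {
  std::string path;
  bool read;
  bool write;
  static FilePermission ReadOnly(std::string p) { return {std::move(p), true, false}; }
  static FilePermission ReadWrite(std::string p) { return {std::move(p), true, true}; }
};

// Stand-in for the broker process: the syscalls it handles and the permission
// list it enforces on the sandboxed process's behalf.
struct Broker {
  std::set<int> commands;
  std::vector<FilePermission> perms;

  bool ShouldHandleSyscall(int sysno) const { return commands.count(sysno) != 0; }

  // Broker-side open(): consults the permission list and returns a pseudo fd
  // (42, hypothetical) on success or -errno on refusal.
  int Open(const std::string& path, int flags) const {
    const int acc = flags & O_ACCMODE;
    const bool wants_write = (acc == O_WRONLY || acc == O_RDWR);
    for (const FilePermission& p : perms) {
      if (p.path != path) continue;
      if (wants_write ? p.write : p.read) return 42;
      return -EPERM;
    }
    return -EPERM;  // path is not in the list at all
  }
};

using Policy = Verdict (*)(const Broker&, int sysno);

// Ordering from the original CL: the unconditional Allow() for open/openat is
// reached first, so the broker check below it is dead code for those syscalls.
Verdict BuggyPolicy(const Broker& broker, int sysno) {
  if (sysno == kNrOpen || sysno == kNrOpenat) return Verdict::kAllow;
  if (broker.ShouldHandleSyscall(sysno)) return Verdict::kTrapToBroker;
  return Verdict::kAllow;
}

// Ordering suggested in the reply: ask the broker first, then fall through to
// the rest of the policy.
Verdict FixedPolicy(const Broker& broker, int sysno) {
  if (broker.ShouldHandleSyscall(sysno)) return Verdict::kTrapToBroker;
  if (sysno == kNrOpen || sysno == kNrOpenat) return Verdict::kAllow;
  return Verdict::kAllow;
}

// An openat() issued from inside the sandboxed process. Model assumption: the
// sandboxed process sits in an empty root, so a direct (non-brokered) open of
// any host path fails with ENOENT, the error std::random_device reported.
int SandboxedOpen(Policy policy, const Broker& broker,
                  const std::string& path, int flags) {
  if (policy(broker, kNrOpenat) == Verdict::kTrapToBroker)
    return broker.Open(path, flags);
  return -ENOENT;
}

// The broker from the first message: open commands plus ReadOnly("/dev/urandom").
Broker UrandomBroker() {
  return Broker{{kNrOpen, kNrOpenat}, {FilePermission::ReadOnly("/dev/urandom")}};
}

int main() {
  const Broker broker = UrandomBroker();
  const Policy policies[] = {BuggyPolicy, FixedPolicy};
  const char* names[] = {"buggy", "fixed"};
  for (int i = 0; i < 2; ++i) {
    int r = SandboxedOpen(policies[i], broker, "/dev/urandom", O_RDONLY);
    if (r >= 0) std::printf("%s policy: fd %d via broker\n", names[i], r);
    else std::printf("%s policy: %s\n", names[i], std::strerror(-r));
  }
  return 0;
}
```

The model also answers the "allow everything" question from the second message in its own terms: a permissive permission list only matters for syscalls that the policy actually traps to the broker, so with the buggy ordering even ReadWriteCreateRecursive("/") would change nothing, and with the fixed ordering a write to a ReadOnly path is still refused by the broker rather than by the kernel.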

Ramin Halavati
Feb 4, 2022, 6:06:01 AM
to Robert Sesek, Security-dev, Matthew Denton, servic...@chromium.org
Hi Robert,

Thanks a lot, it fixed the problem.

Best,
Ramin