Closed Bug 1228649 Opened 9 years ago Closed 8 years ago

B2G Aries opens egl/eglsubAndroid.so in sandboxed content process

Categories

(Core :: Security: Process Sandboxing, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: tedd, Unassigned)

Details

(Whiteboard: sb-)

Attachments

(1 file)

Attached file GDB backtrace
When I ran an app that uses WebGL, the process tries to link egl/eglsubAndroid.so. It actually uses a relative path when requesting the file; the following is the output of the permissive log:

> E/Sandbox ( 1505): SandboxBroker: denied op=0 rflags=2400000 path=egl/eglsubAndroid.so for pid=2526 permissive=1 error="Success"

Adding a relative path to the whitelist could potentially be a danger depending on what the current working directory is. At the same time I don't know if or how this could be fixed.

The actual path of the library is: /system/vendor/lib/egl/eglsubAndroid.so

Attached is the GDB backtrace when opening is denied.
What happens if that syscall just fails? Does the dlopen() implementation fall back to an absolute path instead? (/vendor/lib/egl/eglsubAndroid.so would be whitelisted already.)
I tested it without whitelisting it, and as expected the request gets denied:

> Sandbox: Rejected errno 13 op 0 flags 02400000 path egl/eglsubAndroid.so

But the app still works, and looking at /proc/<pid>/maps, it shows that

> /system/vendor/lib/egl/eglsubAndroid.so

is mapped. Now I don't recall that /system/vendor/lib/egl/ is whitelisted somewhere, but the b2g parent process has the same library loaded, so I guess that the child inherited it from the parent. I assume it is part of the link_map in the linker and therefore the required symbols from that library should have been found in the already loaded library.
/vendor is a symlink to /system/vendor. The file could have been opened as /vendor/lib/..., which is whitelisted, but the paths from procfs are canonical (they're reconstructed from following the chain of parent-directory references, I think).
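As an added illustration (not code from this bug or from Gecko's SandboxBroker), here is a Python script that parses the permissive-mode denial line quoted above and applies the policy the thread argues for: refuse relative paths outright, since their meaning depends on the requesting process's cwd, and canonicalise absolute paths and whitelist entries through symlinks before comparing, so /vendor/... and /system/vendor/... match the way /proc/<pid>/maps reports them. The whitelist, the temporary fake filesystem root and two of the three log lines are constructed assumptions.

```python
import os
import re
import tempfile

# Matches the permissive-mode denial line quoted in comment 0.
DENY_RE = re.compile(r"SandboxBroker: denied op=(\d+) rflags=([0-9a-f]+) "
                     r"path=(\S+) for pid=(\d+) permissive=(\d)")

def parse_denials(log_lines):
    """Return (op, path, pid) for every SandboxBroker denial in the log."""
    hits = [DENY_RE.search(line) for line in log_lines]
    return [(int(m.group(1)), m.group(3), int(m.group(4))) for m in hits if m]

def canonical(path, root):
    """Resolve symlinks under a fake root and return the root-relative result,
    i.e. the canonical form that /proc/<pid>/maps reports for a mapped file."""
    real = os.path.realpath(os.path.join(root, path.lstrip("/")))
    rel = os.path.relpath(real, root)
    return "/" + ("" if rel == "." else rel)

def broker_decision(path, whitelist, root):
    """Policy for an open() request relayed to the broker: relative paths are
    refused outright (their meaning depends on the requester's cwd, so they
    cannot be whitelisted safely); absolute paths and whitelist entries are
    canonicalised first, so /vendor/... and /system/vendor/... compare equal."""
    if not path.startswith("/"):
        return "deny:relative"
    allowed = {canonical(w, root) for w in whitelist}
    return "allow" if canonical(path, root) in allowed else "deny:not-whitelisted"

def build_fake_root():
    """Constructed mini filesystem mirroring the device: the real library under
    /system/vendor/lib/egl/ and a /vendor -> system/vendor symlink."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "system/vendor/lib/egl"))
    open(os.path.join(root, "system/vendor/lib/egl/eglsubAndroid.so"), "w").close()
    os.symlink("system/vendor", os.path.join(root, "vendor"))
    return root

# First line is the one from the bug report; the other two are constructed.
SAMPLE_LOG = [
    'E/Sandbox ( 1505): SandboxBroker: denied op=0 rflags=2400000 path=egl/eglsubAndroid.so for pid=2526 permissive=1 error="Success"',
    'E/Sandbox ( 1505): SandboxBroker: denied op=0 rflags=2400000 path=/vendor/lib/egl/eglsubAndroid.so for pid=2526 permissive=1 error="Success"',
    'E/Sandbox ( 1505): SandboxBroker: denied op=0 rflags=2400000 path=/data/local/tmp/other.so for pid=2526 permissive=1 error="Success"',
]

def run_demo(whitelist=("/vendor/lib/egl/eglsubAndroid.so",)):
    """Map each denied path from the log to the broker's decision (assumed whitelist)."""
    root = build_fake_root()
    return {path: broker_decision(path, whitelist, root) for _, path, _ in parse_denials(SAMPLE_LOG)}
```

Running `run_demo()` shows the relative request refused, the symlinked /vendor path allowed because it canonicalises to the whitelisted library, and the unrelated path denied.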
Whiteboard: sb-
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX