chromium: Fix userns patch for kernel 3.18.2.

Writing the gid_map is already non-fatal, but the actual sandbox process
still tries to setresgid() to nogroup (usually 65534). This however
fails, because if user namespace sandboxing is present, the namespace
doesn't have CAP_SETGID at this point.

Fortunately, the effective GID is already 65534, so we just need to
check whether the target gid matches and only(!) setresgid() if it
doesn't.

So if someone were to run a SUID version of the sandbox, it would still
work nonetheless without a negative impact on security.

Fixes #5730, thanks to @wizeman for reporting and initial debugging.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
aszlig 2015-01-13 06:18:10 +01:00
parent 37bb586452
commit 536feffc68
GPG key ID: D0EBD0EC8C2DC961

@ -272,3 +272,16 @@ index 9345287..2db659e 100644
static const long kSUIDSandboxApiNumber = 1;
static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ";
diff --git a/sandbox/linux/suid/sandbox.c b/sandbox/linux/suid/sandbox.c
index 7410b71..a83593d 100644
--- a/sandbox/linux/suid/sandbox.c
+++ b/sandbox/linux/suid/sandbox.c
@@ -330,7 +330,7 @@ static bool DropRoot() {
return false;
}
- if (setresgid(rgid, rgid, rgid)) {
+ if (egid != rgid && setresgid(rgid, rgid, rgid)) {
perror("setresgid");
return false;
}
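Review bot: the guard in `+ if (egid != rgid && setresgid(rgid, rgid, rgid)) {` compares only the effective GID against `rgid`, but `setresgid(rgid, rgid, rgid)` also rewrites the saved set-group-ID; when `egid` already equals `rgid` while the saved GID still differs, the call is now skipped and that mismatch is left in place with no error. If the saved GID is available at this point, suggest extending the condition to `if ((egid != rgid || sgid != rgid) && setresgid(rgid, rgid, rgid))` so the skip only happens when all three IDs already match. The reason for making the call conditional (a user-namespace sandbox lacks CAP_SETGID here, per the commit message) is also not recorded in the code; a one-line comment above the `if` would keep that rationale next to the check.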