From 536feffc685f3550f7b54f292d629e1643ae8c15 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Tue, 13 Jan 2015 06:18:10 +0100
Subject: [PATCH] chromium: Fix userns patch for kernel 3.18.2.

Writing the gid_map is already non-fatal, but the actual sandbox process still tries to setresgid() to nogroup (usually 65534). This however fails, because if user namespace sandboxing is present, the namespace doesn't have CAP_SETGID at this point. Fortunately, the effective GID is already 65534, so we just need to check whether the target gid matches and only(!) setresgid() if it doesn't. So if someone would run a SUID version of the sandbox, it would still work nonetheless without a negative impact on security. Fixes #5730, thanks to @wizeman for reporting and initial debugging.

Signed-off-by: aszlig
---
 .../chromium/source/sandbox_userns_36.patch | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch b/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch
index 57f5992a3fa8..6f5d52b72af1 100644
--- a/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch
+++ b/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch
@@ -272,3 +272,16 @@ index 9345287..2db659e 100644
 static const long kSUIDSandboxApiNumber = 1;
 static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ";
+diff --git a/sandbox/linux/suid/sandbox.c b/sandbox/linux/suid/sandbox.c
+index 7410b71..a83593d 100644
+--- a/sandbox/linux/suid/sandbox.c
++++ b/sandbox/linux/suid/sandbox.c
+@@ -330,7 +330,7 @@ static bool DropRoot() {
+ return false;
+ }
+
+- if (setresgid(rgid, rgid, rgid)) {
++ if (egid != rgid && setresgid(rgid, rgid, rgid)) {
+ perror("setresgid");
+ return false;
+ }
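Review bot: The new guard in DropRoot() compares only the effective gid with the real gid before deciding to skip setresgid(), so the saved set-group-ID is never checked; if the saved gid still differs from rgid while egid already equals it, the skip leaves a gid the process could later regain, which the unconditional setresgid(rgid, rgid, rgid) used to clear. If the saved gid is available from the same getresgid() call that presumably fills egid (that code is outside the hunk), the guard should cover it too: `if ((egid != rgid || sgid != rgid) && setresgid(rgid, rgid, rgid)) {`. The reason for skipping the call lives only in the commit message; a comment above the line would keep it with the code, e.g. `/* Inside a user namespace the sandbox has no CAP_SETGID, so only call setresgid() when the gids actually differ. */`. DropRoot() starts and ends outside the hunk, and since this is a change to a nested patch the line is reviewed as it will appear in sandbox.c.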