From 9c2174446004e4f712cb566ade05721be6653ed0 Mon Sep 17 00:00:00 2001 From: Christian Blichmann Date: Tue, 20 Jul 2021 02:28:54 -0700 Subject: [PATCH] Revert memfd file sealing for embeded files Ideally, we'd seal the embedded SAPI binary using fcntl(). However, in rare cases, adding the file seals `F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE` results in `EBUSY` errors. This is likely because of an interaction of `SEAL_WRITE` with pending writes to the mapped memory region (see `memfd_wait_for_pins()` in Linux' `mm/memfd.c`). Since `fsync()` is a no-op on memfds, it doesn't help to ameliorate the problem. On systems where it is enabled, ksmd might also be a source of pending writes. PiperOrigin-RevId: 385741435 Change-Id: I21bd6a9039be4b6298774e837ce3628180ed91a8 --- sandboxed_api/embed_file.cc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/sandboxed_api/embed_file.cc b/sandboxed_api/embed_file.cc index 6f3a071..5a25c8c 100644 --- a/sandboxed_api/embed_file.cc +++ b/sandboxed_api/embed_file.cc @@ -59,12 +59,13 @@ int EmbedFile::CreateFdForFileToc(const FileToc* toc) { return -1; } - // Seal the file - if (fcntl(embed_fd.get(), F_ADD_SEALS, - F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) == -1) { - SAPI_RAW_PLOG(ERROR, "Couldn't apply file seals to FD=%d", embed_fd.get()); - return -1; - } + // Ideally, we'd seal the file here using fcntl(). However, in rare cases, + // adding the file seals F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | + // F_SEAL_WRITE results in EBUSY errors. + // This is likely because of an interaction of SEAL_WRITE with pending writes + // to the mapped memory region (see memfd_wait_for_pins() in Linux' + // mm/memfd.c). Since fsync() is a no-op on memfds, it doesn't help to + // ameliorate the problem. return embed_fd.Release(); }