StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Revert memfd file sealing for embeded files

Browse Source 
Ideally, we'd seal the embedded SAPI binary using fcntl(). However, in rare
cases, adding the file seals `F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW |
F_SEAL_WRITE` results in `EBUSY` errors.

This is likely because of an interaction of `SEAL_WRITE` with pending writes
to the mapped memory region (see `memfd_wait_for_pins()` in Linux'
`mm/memfd.c`). Since `fsync()` is a no-op on memfds, it doesn't help to
ameliorate the problem.

On systems where it is enabled, ksmd might also be a source of pending writes.

PiperOrigin-RevId: 385741435
Change-Id: I21bd6a9039be4b6298774e837ce3628180ed91a8
This commit is contained in:
Christian Blichmann 2021-07-20 02:28:54 -07:00 committed by Copybara-Service
parent 7b711b85e8
commit 9c21744460
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
sandboxed_api/embed_file.cc
View File

@ -59,12 +59,13 @@ int EmbedFile::CreateFdForFileToc(const FileToc* toc) {
return -1;
}
// Seal the file
if (fcntl(embed_fd.get(), F_ADD_SEALS,
F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) == -1) {
SAPI_RAW_PLOG(ERROR, "Couldn't apply file seals to FD=%d", embed_fd.get());
return -1;
}
// Ideally, we'd seal the file here using fcntl(). However, in rare cases,
// adding the file seals F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW |
// F_SEAL_WRITE results in EBUSY errors.
// This is likely because of an interaction of SEAL_WRITE with pending writes
// to the mapped memory region (see memfd_wait_for_pins() in Linux'
// mm/memfd.c). Since fsync() is a no-op on memfds, it doesn't help to
// ameliorate the problem.
return embed_fd.Release();
}