Date: Thu, 26 Jan 2017 22:41:11 -0200
From: Alba Pompeo <albapompeo@...il.com>
To: musl@...ts.openwall.com
Subject: Re: getrlimit failed (chromium on musl)

The patch worked.
Many thanks Samuel.
I hope they fix it upstream too for the future.
Sadly Chromium still needs some patches to compile and work on musl.



On Wed, Jan 18, 2017 at 2:13 PM, Alba Pompeo <albapompeo@...il.com> wrote:
> Ran strace -f.
>
> [pid 13354] prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024,
> rlim_max=4*1024}) = 0
> [pid 13350] clone(child_stack=NULL, flags=CLONE_NEWUSER|SIGCHLD) = -1
> EPERM (Operation not permitted)
> [pid 13354] clone(child_stack=NULL,
> flags=CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not
> permitted)
> [pid 13354] writev(2, [{iov_base=" but failed: errno = Operation
> n"..., iov_len=45}, {iov_base=NULL, iov_len=0}], 2 but failed: errno =
> Operation not permitted
>
> So the patch from Samuel should be a real solution.
>
> Thanks.
>
>
>
> On Wed, Jan 18, 2017 at 1:51 PM, Samuel Holland <samuel@...lland.org> wrote:
>> On 01/18/17 08:08, Alba Pompeo wrote:
>>>
>>> Hi.
>>>
>>> Running chromium on a musl system spams this message.
>>>
>>> getrlimit(RLIMIT_NOFILE) failed
>>>
>>> Any idea how to figure out what's wrong?
>>
>>
>> The problem is that the sandbox blocks prlimit64 with EPERM, but musl
>> only falls back to getrlimit on ENOSYS. The diff below will fix the
>> error. From the linked bug, the only reason it is blocked in the first
>> place is ChromeOS, and this change should be fine even there.
>>
>> ---
>> chromium-55.0.2883.75/content/common/sandbox_linux/bpf_renderer_policy_linux.cc.orig
>> +++
>> chromium-55.0.2883.75/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
>> @@ -88,7 +88,7 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int
>> sysno) const {
>>      case __NR_sched_setscheduler:
>>        return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
>>      case __NR_prlimit64:
>> -      return Error(EPERM);  // See crbug.com/160157.
>> +      return Error(ENOSYS);  // See crbug.com/160157.
>>      default:
>>        // Default on the content baseline policy.
>>        return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
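Review bot: the changed `case __NR_prlimit64:` arm keeps the comment `// See crbug.com/160157.` as it was, so nothing on that line records why the errno is now ENOSYS rather than EPERM, and a later cleanup could switch it back. Extend the comment to say that libc only falls back to getrlimit when prlimit64 reports ENOSYS. The arm also returns the same error for every prlimit64 call regardless of its arguments, so it is worth confirming that the fallback syscalls a libc then issues are handled as intended by the default branch (`SandboxBPFBasePolicy::EvaluateSyscall`).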
>>
>>> Thanks.
>>
>>
>> Regards,
>> Samuel
>>
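
The errno-dependent fallback Samuel describes above, modeled as an added C example (not code from musl, Chromium, or this thread). The names `struct policy`, `sim_syscall`, `model_getrlimit` and `query_nofile` are hypothetical, and the limit values are constructed sample data.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of a seccomp policy: the errno each syscall is denied
 * with (0 means the syscall is allowed through to the kernel). */
struct policy { int prlimit64_errno; int getrlimit_errno; };
struct limits { unsigned long cur, max; };

/* Constructed sample limits standing in for the kernel's RLIMIT_NOFILE. */
static const struct limits kernel_nofile = { 1024, 4096 };

/* Simulated syscall: fails with deny_errno, or fills in the limits. */
static int sim_syscall(int deny_errno, struct limits *out)
{
    if (deny_errno) { errno = deny_errno; return -1; }
    *out = kernel_nofile;
    return 0;
}

/* Hypothetical libc wrapper: try the newer syscall first and fall back to
 * the legacy one only when the first reports "not implemented" (ENOSYS).
 * Any other errno, EPERM included, reaches the caller as a failure. */
int model_getrlimit(const struct policy *p, struct limits *out)
{
    int ret = sim_syscall(p->prlimit64_errno, out);
    if (ret == 0 || errno != ENOSYS)
        return ret;
    return sim_syscall(p->getrlimit_errno, out);
}

/* Returns 0 on success, otherwise the errno the application would see. */
int query_nofile(int prlimit64_errno, int getrlimit_errno, struct limits *out)
{
    struct policy p = { prlimit64_errno, getrlimit_errno };
    errno = 0;
    return model_getrlimit(&p, out) == 0 ? 0 : errno;
}

int main(void)
{
    struct limits l = { 0, 0 };
    int before = query_nofile(EPERM, 0, &l);   /* policy before the patch */
    int after = query_nofile(ENOSYS, 0, &l);   /* policy after the patch */
    printf("prlimit64 denied with EPERM:  result %d\n", before);
    printf("prlimit64 denied with ENOSYS: result %d, cur=%lu\n", after, l.cur);
    return 0;
}
```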
