Allow app zygote preload to retain files across fork
The bug proposes to 'move' the /proc/self/fd/ readlink/stat/etc checks performed by the FileDescriptorAllowlist from before-fork to an earlier stage. The original aim was to allow the app zygote Preload hook to open ashmem/memfd read-only regions to save more RAM (around 5MiB on aarch64) via sharing more across processes. Potentially other files/sockets can be opened - the app zygote takes responsibility of managing file descriptor access controls across its own processes. App Zygote Preload does not run 3rd party code. Unfortunately a straightforward move of the checks to just-before-preload has disadvantages: * opens more codepaths for potential accidental misuse (the zygote accepts commands between preload and fork, there are valid usecases for extending these commands) * this way FileDescriptorAllowlist would need to support more file descriptor types (sockets and maybe pipes), which is not needed now because these FDs are closed right before forking The solution proposed here is to: 1. Determine the set of file descriptors open before preload 2. Run the preload hook 3. Determine FDs opened by the hook and allow them to remain open across fork 4. Hypothetical new attempts to preload (if ever supported) will not affect the allowed FDs - the preload will be able to toss its own FDs the way it wants, but not open the new-new ones Bug: 184808875 Test: Manual: unreleased Chrome patch: while in app zygote preload, create ashmem region, passes it to 'untrusted_app' (=browser process), and call mmap(2) on it. Change-Id: Ie302eabca83a0e4f409cb131e4308b73e5f6a580
Loading
Please register or sign in to comment