Allow sandboxed macOS actions to run /bin/ps #13727


keith
Member

@keith keith commented Jul 22, 2021

Fixes #7448

On Apple Silicon (maybe not exclusively) using rules_foreign_cc without
this you end up seeing many /bin/ps failures when configure scripts
are running.

@aiuto aiuto assigned aiuto and larsrc-google and unassigned aiuto Aug 3, 2021
@tetromino
Contributor

On macOS, non-root users are not allowed to see other users' process list; this means the executables for any general purpose process-listing tool (`/bin/ps`, `/usr/bin/top`, the new-fangled procs tool, etc.) must be suid root.

I don't think there's a good reason for a Bazel action to see other users' process list; but on the other hand, carrying around our own limited, sandbox-friendly variant of ps seems a lot of work for no real security gain.

As far as I can tell from reading the ps man page and the ps.c source, the macOS `/bin/ps` can't do anything nefarious. We ought to allow it.

I have also verified that `(allow process-exec (with no-sandbox) (literal "/bin/ps"))` only allows executing `/bin/ps` - not e.g. `/tmp/bin/ps` (so it wouldn't allow sneaking in of unrelated unsandboxed binaries under the ps name).

@tetromino tetromino self-requested a review August 4, 2021 17:24
@bazel-io bazel-io closed this in 652d1cc Aug 4, 2021
Successfully merging this pull request may close these issues.

Account for /bin/ps in Sandbox configuration