One of the reasons I love ChromeOS is because it's open source. It's so open that Google encourages folks to openly hack it as well, and it pays experts who report good, reproducible security bugs. More importantly, each and every one of those security bug reports makes the OS more secure.
One of the best examples of such bugs was published in great detail today as crbug.com/1329945. Rory, the bug reporter, has openly reported at least 27 other security bugs to the Chrome team, and this latest one allowed Rory to gain root access with arbitrary code execution on ChromeOS.
Here is the gist of the bug he filed, which was fixed in M102.
Unsafe use of eval allows for the compromise of the shill-scripts user. This user can be used to bypass noexec restrictions and execute arbitrary binaries. This user is also able to interfere with debugd calls to crash_sender resulting in semi-arbitrary file deletion. The authpolicyd init script unsafely targets a directory in /tmp when creating a pivot_root which can be raced to partially control the mount namespace. Minijail0 bind mount flag dropping allows for further bypass of noexec restrictions. Late resolution of usernames to user ids in minijail running inside a controlled mount namespace allows for the loading of custom libraries, which due to the order of operations will result in code execution as root. This code execution can then break out of the partial minijail jail to achieve full arbitrary code execution as root.
What may not be obvious to most folks is that Rory had to chain a series of bugs together, one after another, before being able to fully compromise the OS.
Congrats to Rory on the discovery and on the reward that is surely coming for finding it.