Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(74)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/zygote/zygote_main_linux.cc

Issue 11231021: Zygote: Initialize NSS fully (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/zygote/zygote_main_linux.cc
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
index 4cd81054c2528318103d7ca0b8f257ccf2509c17..b52ea45c4931198a33e0384dd1c394fba9e0e316 100644
--- a/content/zygote/zygote_main_linux.cc
+++ b/content/zygote/zygote_main_linux.cc
@@ -490,6 +490,24 @@ bool ZygoteMain(const MainFunctionParams& params,
int sandbox_flags = linux_sandbox->GetStatus();
+#if defined(USE_NSS)
+ // Do some extra NSS initialization. We don't want to do this pre-sandbox
wtc 2012/10/23 18:52:28 Nit: change "Do some extra NSS initialization" to
jln (very slow on Chromium) 2012/10/23 19:06:50 Done.
+ // because it's not well defined what venues of attacks it could create.
+ //
+ // In addition to the benfit of doing this initialization only once, (it
+ // will be inherited), this is a good warm-up before we enable our next layer
+ // of sandbox, e.g. seccomp-bpf.
wtc 2012/10/23 18:52:28 In general a multithreaded program on Unix should
jln (very slow on Chromium) 2012/10/23 19:06:50 Yes, but we don't have threads at this point. If w
+
+ // We will soon fork, but we haven't loaded any security module.
+ crypto::DisableNSSForkCheck();
wtc 2012/10/23 18:52:28 I am not familiar with what it takes to make NSS w
jln (very slow on Chromium) 2012/10/23 19:06:50 I think that is the most important part. If you an
+ // The setuid sandbox would prevent opening user security modules anyway,
+ // but it's more correct to tell NSS to not do it.
+ // Loading user security modules would have security implications.
+ crypto::ForceNSSNoDBInit();
+ // Initialize NSS, every child process will benefit from it.
+ crypto::EnsureNSSInit();
+#endif
+
Zygote zygote(sandbox_flags, forkdelegate);
// This function call can return multiple times, once per fork().
return zygote.ProcessRequests();
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698