chrome/browser/zygote_host_linux.cc - Issue 647017: linux: enable seccomp sandbox by default

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chrome/browser/zygote_host_linux.cc

Issue 647017: linux: enable seccomp sandbox by default (Closed)

Patch Set: better Created 10 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chrome/browser/zygote_host_linux.cc

diff --git a/chrome/browser/zygote_host_linux.cc b/chrome/browser/zygote_host_linux.cc

index 3b6a1608e5419481c303578096dec1e15d016de9..aa5d8caa9a4980626f2eed3d7f77c2782480012c 100644

--- a/chrome/browser/zygote_host_linux.cc

+++ b/chrome/browser/zygote_host_linux.cc

@@ -24,29 +24,6 @@

#include "chrome/common/chrome_switches.h"

#include "chrome/common/process_watcher.h"

-#include "sandbox/linux/suid/suid_unsafe_environment_variables.h"

-static void SaveSUIDUnsafeEnvironmentVariables() {

- // The ELF loader will clear many environment variables so we save them to

- // different names here so that the SUID sandbox can resolve them for the

- // renderer.

- for (unsigned i = 0; kSUIDUnsafeEnvironmentVariables[i]; ++i) {

- const char* const envvar = kSUIDUnsafeEnvironmentVariables[i];

- char* const saved_envvar = SandboxSavedEnvironmentVariable(envvar);

- if (!saved_envvar)

- continue;

- const char* const value = getenv(envvar);

- if (value)

- setenv(saved_envvar, value, 1 /* overwrite */);

- else

- unsetenv(saved_envvar);

- free(saved_envvar);

- }

ZygoteHost::ZygoteHost()

: pid_(-1),

init_(false),

@@ -97,29 +74,11 @@ void ZygoteHost::Init(const std::string& sandbox_cmd) {

browser_command_line.GetSwitchValueASCII(

switches::kEnableLogging));

}

- if (browser_command_line.HasSwitch(switches::kEnableSeccompSandbox)) {

- cmd_line.AppendSwitch(switches::kEnableSeccompSandbox);

+ if (browser_command_line.HasSwitch(switches::kDisableSeccompSandbox)) {

+ cmd_line.AppendSwitch(switches::kDisableSeccompSandbox);

}

sandbox_binary_ = sandbox_cmd.c_str();

- struct stat st;

- if (!sandbox_cmd.empty() && stat(sandbox_binary_.c_str(), &st) == 0) {

- if (access(sandbox_binary_.c_str(), X_OK) == 0 &&

- (st.st_uid == 0) &&

- (st.st_mode & S_ISUID) &&

- (st.st_mode & S_IXOTH)) {

- using_suid_sandbox_ = true;

- cmd_line.PrependWrapper(ASCIIToWide(sandbox_binary_.c_str()));

- SaveSUIDUnsafeEnvironmentVariables();

- } else {

- LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "

- "configured correctly. Rather than run without sandboxing "

- "I'm aborting now. You need to make sure that "

- << sandbox_binary_ << " is mode 4755 and owned by root.";

- }

// Start up the sandbox host process and get the file descriptor for the

// renderers to talk to it.

« no previous file with comments | « chrome/browser/renderer_host/browser_render_process_host.cc ('k') | chrome/browser/zygote_main_linux.cc » ('j') | no next file with comments »