| Index: chrome/browser/zygote_main_linux.cc
|
| ===================================================================
|
| --- chrome/browser/zygote_main_linux.cc (revision 75653)
|
| +++ chrome/browser/zygote_main_linux.cc (working copy)
|
| @@ -1,752 +0,0 @@
|
| -// Copyright (c) 2010 The Chromium Authors. All rights reserved.
|
| -// Use of this source code is governed by a BSD-style license that can be
|
| -// found in the LICENSE file.
|
| -
|
| -#include <dlfcn.h>
|
| -#include <fcntl.h>
|
| -#include <pthread.h>
|
| -#include <sys/epoll.h>
|
| -#include <sys/prctl.h>
|
| -#include <sys/signal.h>
|
| -#include <sys/socket.h>
|
| -#include <sys/stat.h>
|
| -#include <sys/types.h>
|
| -#include <sys/wait.h>
|
| -#include <unistd.h>
|
| -
|
| -#if defined(CHROMIUM_SELINUX)
|
| -#include <selinux/selinux.h>
|
| -#include <selinux/context.h>
|
| -#endif
|
| -
|
| -#include "base/basictypes.h"
|
| -#include "base/command_line.h"
|
| -#include "base/eintr_wrapper.h"
|
| -#include "base/file_path.h"
|
| -#include "base/global_descriptors_posix.h"
|
| -#include "base/hash_tables.h"
|
| -#include "base/linux_util.h"
|
| -#include "base/path_service.h"
|
| -#include "base/pickle.h"
|
| -#include "base/process_util.h"
|
| -#include "base/rand_util.h"
|
| -#include "base/scoped_ptr.h"
|
| -#include "base/sys_info.h"
|
| -#include "build/build_config.h"
|
| -#include "chrome/browser/zygote_host_linux.h"
|
| -#include "chrome/common/chrome_descriptors.h"
|
| -#include "chrome/common/chrome_switches.h"
|
| -#include "chrome/common/font_config_ipc_linux.h"
|
| -#include "chrome/common/main_function_params.h"
|
| -#include "chrome/common/pepper_plugin_registry.h"
|
| -#include "chrome/common/process_watcher.h"
|
| -#include "chrome/common/result_codes.h"
|
| -#include "chrome/common/sandbox_methods_linux.h"
|
| -#include "chrome/common/set_process_title.h"
|
| -#include "chrome/common/unix_domain_socket_posix.h"
|
| -#include "media/base/media.h"
|
| -#include "seccompsandbox/sandbox.h"
|
| -#include "skia/ext/SkFontHost_fontconfig_control.h"
|
| -#include "unicode/timezone.h"
|
| -
|
| -#if defined(ARCH_CPU_X86_FAMILY) && !defined(CHROMIUM_SELINUX) && \
|
| - !defined(__clang__)
|
| -// The seccomp sandbox is enabled on all ia32 and x86-64 processor as long as
|
| -// we aren't using SELinux or clang.
|
| -#define SECCOMP_SANDBOX
|
| -#endif
|
| -
|
| -// http://code.google.com/p/chromium/wiki/LinuxZygote
|
| -
|
| -static const int kBrowserDescriptor = 3;
|
| -static const int kMagicSandboxIPCDescriptor = 5;
|
| -static const int kZygoteIdDescriptor = 7;
|
| -static bool g_suid_sandbox_active = false;
|
| -#if defined(SECCOMP_SANDBOX)
|
| -// |g_proc_fd| is used only by the seccomp sandbox.
|
| -static int g_proc_fd = -1;
|
| -#endif
|
| -
|
| -#if defined(CHROMIUM_SELINUX)
|
| -static void SELinuxTransitionToTypeOrDie(const char* type) {
|
| - security_context_t security_context;
|
| - if (getcon(&security_context))
|
| - LOG(FATAL) << "Cannot get SELinux context";
|
| -
|
| - context_t context = context_new(security_context);
|
| - context_type_set(context, type);
|
| - const int r = setcon(context_str(context));
|
| - context_free(context);
|
| - freecon(security_context);
|
| -
|
| - if (r) {
|
| - LOG(FATAL) << "dynamic transition to type '" << type << "' failed. "
|
| - "(this binary has been built with SELinux support, but maybe "
|
| - "the policies haven't been loaded into the kernel?)";
|
| - }
|
| -}
|
| -#endif // CHROMIUM_SELINUX
|
| -
|
| -// This is the object which implements the zygote. The ZygoteMain function,
|
| -// which is called from ChromeMain, simply constructs one of these objects and
|
| -// runs it.
|
| -class Zygote {
|
| - public:
|
| - explicit Zygote(int sandbox_flags)
|
| - : sandbox_flags_(sandbox_flags) {
|
| - }
|
| -
|
| - bool ProcessRequests() {
|
| - // A SOCK_SEQPACKET socket is installed in fd 3. We get commands from the
|
| - // browser on it.
|
| - // A SOCK_DGRAM is installed in fd 5. This is the sandbox IPC channel.
|
| - // See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
|
| -
|
| - // We need to accept SIGCHLD, even though our handler is a no-op because
|
| - // otherwise we cannot wait on children. (According to POSIX 2001.)
|
| - struct sigaction action;
|
| - memset(&action, 0, sizeof(action));
|
| - action.sa_handler = SIGCHLDHandler;
|
| - CHECK(sigaction(SIGCHLD, &action, NULL) == 0);
|
| -
|
| - if (g_suid_sandbox_active) {
|
| - // Let the ZygoteHost know we are ready to go.
|
| - // The receiving code is in chrome/browser/zygote_host_linux.cc.
|
| - std::vector<int> empty;
|
| - bool r = UnixDomainSocket::SendMsg(kBrowserDescriptor, kZygoteMagic,
|
| - sizeof(kZygoteMagic), empty);
|
| - CHECK(r) << "Sending zygote magic failed";
|
| - }
|
| -
|
| - for (;;) {
|
| - // This function call can return multiple times, once per fork().
|
| - if (HandleRequestFromBrowser(kBrowserDescriptor))
|
| - return true;
|
| - }
|
| - }
|
| -
|
| - private:
|
| - // See comment below, where sigaction is called.
|
| - static void SIGCHLDHandler(int signal) { }
|
| -
|
| - // ---------------------------------------------------------------------------
|
| - // Requests from the browser...
|
| -
|
| - // Read and process a request from the browser. Returns true if we are in a
|
| - // new process and thus need to unwind back into ChromeMain.
|
| - bool HandleRequestFromBrowser(int fd) {
|
| - std::vector<int> fds;
|
| - static const unsigned kMaxMessageLength = 1024;
|
| - char buf[kMaxMessageLength];
|
| - const ssize_t len = UnixDomainSocket::RecvMsg(fd, buf, sizeof(buf), &fds);
|
| -
|
| - if (len == 0 || (len == -1 && errno == ECONNRESET)) {
|
| - // EOF from the browser. We should die.
|
| - _exit(0);
|
| - return false;
|
| - }
|
| -
|
| - if (len == -1) {
|
| - PLOG(ERROR) << "Error reading message from browser";
|
| - return false;
|
| - }
|
| -
|
| - Pickle pickle(buf, len);
|
| - void* iter = NULL;
|
| -
|
| - int kind;
|
| - if (pickle.ReadInt(&iter, &kind)) {
|
| - switch (kind) {
|
| - case ZygoteHost::kCmdFork:
|
| - // This function call can return multiple times, once per fork().
|
| - return HandleForkRequest(fd, pickle, iter, fds);
|
| - case ZygoteHost::kCmdReap:
|
| - if (!fds.empty())
|
| - break;
|
| - HandleReapRequest(fd, pickle, iter);
|
| - return false;
|
| - case ZygoteHost::kCmdGetTerminationStatus:
|
| - if (!fds.empty())
|
| - break;
|
| - HandleGetTerminationStatus(fd, pickle, iter);
|
| - return false;
|
| - case ZygoteHost::kCmdGetSandboxStatus:
|
| - HandleGetSandboxStatus(fd, pickle, iter);
|
| - return false;
|
| - default:
|
| - NOTREACHED();
|
| - break;
|
| - }
|
| - }
|
| -
|
| - LOG(WARNING) << "Error parsing message from browser";
|
| - for (std::vector<int>::const_iterator
|
| - i = fds.begin(); i != fds.end(); ++i)
|
| - close(*i);
|
| - return false;
|
| - }
|
| -
|
| - void HandleReapRequest(int fd, const Pickle& pickle, void* iter) {
|
| - base::ProcessId child;
|
| - base::ProcessId actual_child;
|
| -
|
| - if (!pickle.ReadInt(&iter, &child)) {
|
| - LOG(WARNING) << "Error parsing reap request from browser";
|
| - return;
|
| - }
|
| -
|
| - if (g_suid_sandbox_active) {
|
| - actual_child = real_pids_to_sandbox_pids[child];
|
| - if (!actual_child)
|
| - return;
|
| - real_pids_to_sandbox_pids.erase(child);
|
| - } else {
|
| - actual_child = child;
|
| - }
|
| -
|
| - ProcessWatcher::EnsureProcessTerminated(actual_child);
|
| - }
|
| -
|
| - void HandleGetTerminationStatus(int fd, const Pickle& pickle, void* iter) {
|
| - base::ProcessHandle child;
|
| -
|
| - if (!pickle.ReadInt(&iter, &child)) {
|
| - LOG(WARNING) << "Error parsing GetTerminationStatus request "
|
| - << "from browser";
|
| - return;
|
| - }
|
| -
|
| - base::TerminationStatus status;
|
| - int exit_code;
|
| - if (g_suid_sandbox_active)
|
| - child = real_pids_to_sandbox_pids[child];
|
| - if (child) {
|
| - status = base::GetTerminationStatus(child, &exit_code);
|
| - } else {
|
| - // Assume that if we can't find the child in the sandbox, then
|
| - // it terminated normally.
|
| - status = base::TERMINATION_STATUS_NORMAL_TERMINATION;
|
| - exit_code = ResultCodes::NORMAL_EXIT;
|
| - }
|
| -
|
| - Pickle write_pickle;
|
| - write_pickle.WriteInt(static_cast<int>(status));
|
| - write_pickle.WriteInt(exit_code);
|
| - ssize_t written =
|
| - HANDLE_EINTR(write(fd, write_pickle.data(), write_pickle.size()));
|
| - if (written != static_cast<ssize_t>(write_pickle.size()))
|
| - PLOG(ERROR) << "write";
|
| - }
|
| -
|
| - // This is equivalent to fork(), except that, when using the SUID
|
| - // sandbox, it returns the real PID of the child process as it
|
| - // appears outside the sandbox, rather than returning the PID inside
|
| - // the sandbox.
|
| - int ForkWithRealPid() {
|
| - if (!g_suid_sandbox_active)
|
| - return fork();
|
| -
|
| - int dummy_fd;
|
| - ino_t dummy_inode;
|
| - int pipe_fds[2] = { -1, -1 };
|
| - base::ProcessId pid = 0;
|
| -
|
| - dummy_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
|
| - if (dummy_fd < 0) {
|
| - LOG(ERROR) << "Failed to create dummy FD";
|
| - goto error;
|
| - }
|
| - if (!base::FileDescriptorGetInode(&dummy_inode, dummy_fd)) {
|
| - LOG(ERROR) << "Failed to get inode for dummy FD";
|
| - goto error;
|
| - }
|
| - if (pipe(pipe_fds) != 0) {
|
| - LOG(ERROR) << "Failed to create pipe";
|
| - goto error;
|
| - }
|
| -
|
| - pid = fork();
|
| - if (pid < 0) {
|
| - goto error;
|
| - } else if (pid == 0) {
|
| - // In the child process.
|
| - close(pipe_fds[1]);
|
| - char buffer[1];
|
| - // Wait until the parent process has discovered our PID. We
|
| - // should not fork any child processes (which the seccomp
|
| - // sandbox does) until then, because that can interfere with the
|
| - // parent's discovery of our PID.
|
| - if (HANDLE_EINTR(read(pipe_fds[0], buffer, 1)) != 1 ||
|
| - buffer[0] != 'x') {
|
| - LOG(FATAL) << "Failed to synchronise with parent zygote process";
|
| - }
|
| - close(pipe_fds[0]);
|
| - close(dummy_fd);
|
| - return 0;
|
| - } else {
|
| - // In the parent process.
|
| - close(dummy_fd);
|
| - dummy_fd = -1;
|
| - close(pipe_fds[0]);
|
| - pipe_fds[0] = -1;
|
| - uint8_t reply_buf[512];
|
| - Pickle request;
|
| - request.WriteInt(LinuxSandbox::METHOD_GET_CHILD_WITH_INODE);
|
| - request.WriteUInt64(dummy_inode);
|
| -
|
| - const ssize_t r = UnixDomainSocket::SendRecvMsg(
|
| - kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL,
|
| - request);
|
| - if (r == -1) {
|
| - LOG(ERROR) << "Failed to get child process's real PID";
|
| - goto error;
|
| - }
|
| -
|
| - base::ProcessId real_pid;
|
| - Pickle reply(reinterpret_cast<char*>(reply_buf), r);
|
| - void* iter2 = NULL;
|
| - if (!reply.ReadInt(&iter2, &real_pid))
|
| - goto error;
|
| - if (real_pid <= 0) {
|
| - // METHOD_GET_CHILD_WITH_INODE failed. Did the child die already?
|
| - LOG(ERROR) << "METHOD_GET_CHILD_WITH_INODE failed";
|
| - goto error;
|
| - }
|
| - real_pids_to_sandbox_pids[real_pid] = pid;
|
| - if (HANDLE_EINTR(write(pipe_fds[1], "x", 1)) != 1) {
|
| - LOG(ERROR) << "Failed to synchronise with child process";
|
| - goto error;
|
| - }
|
| - close(pipe_fds[1]);
|
| - return real_pid;
|
| - }
|
| -
|
| - error:
|
| - if (pid > 0) {
|
| - if (waitpid(pid, NULL, WNOHANG) == -1)
|
| - LOG(ERROR) << "Failed to wait for process";
|
| - }
|
| - if (dummy_fd >= 0)
|
| - close(dummy_fd);
|
| - if (pipe_fds[0] >= 0)
|
| - close(pipe_fds[0]);
|
| - if (pipe_fds[1] >= 0)
|
| - close(pipe_fds[1]);
|
| - return -1;
|
| - }
|
| -
|
| - // Handle a 'fork' request from the browser: this means that the browser
|
| - // wishes to start a new renderer.
|
| - bool HandleForkRequest(int fd, const Pickle& pickle, void* iter,
|
| - std::vector<int>& fds) {
|
| - std::vector<std::string> args;
|
| - int argc, numfds;
|
| - base::GlobalDescriptors::Mapping mapping;
|
| - base::ProcessId child;
|
| -
|
| - if (!pickle.ReadInt(&iter, &argc))
|
| - goto error;
|
| -
|
| - for (int i = 0; i < argc; ++i) {
|
| - std::string arg;
|
| - if (!pickle.ReadString(&iter, &arg))
|
| - goto error;
|
| - args.push_back(arg);
|
| - }
|
| -
|
| - if (!pickle.ReadInt(&iter, &numfds))
|
| - goto error;
|
| - if (numfds != static_cast<int>(fds.size()))
|
| - goto error;
|
| -
|
| - for (int i = 0; i < numfds; ++i) {
|
| - base::GlobalDescriptors::Key key;
|
| - if (!pickle.ReadUInt32(&iter, &key))
|
| - goto error;
|
| - mapping.push_back(std::make_pair(key, fds[i]));
|
| - }
|
| -
|
| - mapping.push_back(std::make_pair(
|
| - static_cast<uint32_t>(kSandboxIPCChannel), kMagicSandboxIPCDescriptor));
|
| -
|
| - child = ForkWithRealPid();
|
| -
|
| - if (!child) {
|
| -#if defined(SECCOMP_SANDBOX)
|
| - // Try to open /proc/self/maps as the seccomp sandbox needs access to it
|
| - if (g_proc_fd >= 0) {
|
| - int proc_self_maps = openat(g_proc_fd, "self/maps", O_RDONLY);
|
| - if (proc_self_maps >= 0) {
|
| - SeccompSandboxSetProcSelfMaps(proc_self_maps);
|
| - }
|
| - close(g_proc_fd);
|
| - g_proc_fd = -1;
|
| - }
|
| -#endif
|
| -
|
| - close(kBrowserDescriptor); // our socket from the browser
|
| - if (g_suid_sandbox_active)
|
| - close(kZygoteIdDescriptor); // another socket from the browser
|
| - base::GlobalDescriptors::GetInstance()->Reset(mapping);
|
| -
|
| -#if defined(CHROMIUM_SELINUX)
|
| - SELinuxTransitionToTypeOrDie("chromium_renderer_t");
|
| -#endif
|
| -
|
| - // Reset the process-wide command line to our new command line.
|
| - CommandLine::Reset();
|
| - CommandLine::Init(0, NULL);
|
| - CommandLine::ForCurrentProcess()->InitFromArgv(args);
|
| -
|
| - // Update the process title. The argv was already cached by the call to
|
| - // SetProcessTitleFromCommandLine in ChromeMain, so we can pass NULL here
|
| - // (we don't have the original argv at this point).
|
| - SetProcessTitleFromCommandLine(NULL);
|
| -
|
| - // The fork() request is handled further up the call stack.
|
| - return true;
|
| - } else if (child < 0) {
|
| - LOG(ERROR) << "Zygote could not fork: " << errno;
|
| - goto error;
|
| - }
|
| -
|
| - for (std::vector<int>::const_iterator
|
| - i = fds.begin(); i != fds.end(); ++i)
|
| - close(*i);
|
| -
|
| - if (HANDLE_EINTR(write(fd, &child, sizeof(child))) < 0)
|
| - PLOG(ERROR) << "write";
|
| - return false;
|
| -
|
| - error:
|
| - LOG(ERROR) << "Error parsing fork request from browser";
|
| - for (std::vector<int>::const_iterator
|
| - i = fds.begin(); i != fds.end(); ++i)
|
| - close(*i);
|
| - return false;
|
| - }
|
| -
|
| - bool HandleGetSandboxStatus(int fd, const Pickle& pickle, void* iter) {
|
| - if (HANDLE_EINTR(write(fd, &sandbox_flags_, sizeof(sandbox_flags_)) !=
|
| - sizeof(sandbox_flags_))) {
|
| - PLOG(ERROR) << "write";
|
| - }
|
| -
|
| - return false;
|
| - }
|
| -
|
| - // In the SUID sandbox, we try to use a new PID namespace. Thus the PIDs
|
| - // fork() returns are not the real PIDs, so we need to map the Real PIDS
|
| - // into the sandbox PID namespace.
|
| - typedef base::hash_map<base::ProcessHandle, base::ProcessHandle> ProcessMap;
|
| - ProcessMap real_pids_to_sandbox_pids;
|
| -
|
| - const int sandbox_flags_;
|
| -};
|
| -
|
| -// With SELinux we can carve out a precise sandbox, so we don't have to play
|
| -// with intercepting libc calls.
|
| -#if !defined(CHROMIUM_SELINUX)
|
| -
|
| -static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
|
| - char* timezone_out,
|
| - size_t timezone_out_len) {
|
| - Pickle request;
|
| - request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
|
| - request.WriteString(
|
| - std::string(reinterpret_cast<char*>(&input), sizeof(input)));
|
| -
|
| - uint8_t reply_buf[512];
|
| - const ssize_t r = UnixDomainSocket::SendRecvMsg(
|
| - kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL, request);
|
| - if (r == -1) {
|
| - memset(output, 0, sizeof(struct tm));
|
| - return;
|
| - }
|
| -
|
| - Pickle reply(reinterpret_cast<char*>(reply_buf), r);
|
| - void* iter = NULL;
|
| - std::string result, timezone;
|
| - if (!reply.ReadString(&iter, &result) ||
|
| - !reply.ReadString(&iter, &timezone) ||
|
| - result.size() != sizeof(struct tm)) {
|
| - memset(output, 0, sizeof(struct tm));
|
| - return;
|
| - }
|
| -
|
| - memcpy(output, result.data(), sizeof(struct tm));
|
| - if (timezone_out_len) {
|
| - const size_t copy_len = std::min(timezone_out_len - 1, timezone.size());
|
| - memcpy(timezone_out, timezone.data(), copy_len);
|
| - timezone_out[copy_len] = 0;
|
| - output->tm_zone = timezone_out;
|
| - } else {
|
| - output->tm_zone = NULL;
|
| - }
|
| -}
|
| -
|
| -static bool g_am_zygote_or_renderer = false;
|
| -
|
| -// Sandbox interception of libc calls.
|
| -//
|
| -// Because we are running in a sandbox certain libc calls will fail (localtime
|
| -// being the motivating example - it needs to read /etc/localtime). We need to
|
| -// intercept these calls and proxy them to the browser. However, these calls
|
| -// may come from us or from our libraries. In some cases we can't just change
|
| -// our code.
|
| -//
|
| -// It's for these cases that we have the following setup:
|
| -//
|
| -// We define global functions for those functions which we wish to override.
|
| -// Since we will be first in the dynamic resolution order, the dynamic linker
|
| -// will point callers to our versions of these functions. However, we have the
|
| -// same binary for both the browser and the renderers, which means that our
|
| -// overrides will apply in the browser too.
|
| -//
|
| -// The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
|
| -// renderer process. It's set in ZygoteMain and inherited by the renderers when
|
| -// they fork. (This means that it'll be incorrect for global constructor
|
| -// functions and before ZygoteMain is called - beware).
|
| -//
|
| -// Our replacement functions can check this global and either proxy
|
| -// the call to the browser over the sandbox IPC
|
| -// (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
|
| -// dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
|
| -// current module.
|
| -//
|
| -// Other avenues:
|
| -//
|
| -// Our first attempt involved some assembly to patch the GOT of the current
|
| -// module. This worked, but was platform specific and doesn't catch the case
|
| -// where a library makes a call rather than current module.
|
| -//
|
| -// We also considered patching the function in place, but this would again by
|
| -// platform specific and the above technique seems to work well enough.
|
| -
|
| -typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
|
| -typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
|
| - struct tm* result);
|
| -
|
| -static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT;
|
| -static LocaltimeFunction g_libc_localtime;
|
| -static LocaltimeRFunction g_libc_localtime_r;
|
| -
|
| -static void InitLibcLocaltimeFunctions() {
|
| - g_libc_localtime = reinterpret_cast<LocaltimeFunction>(
|
| - dlsym(RTLD_NEXT, "localtime"));
|
| - g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>(
|
| - dlsym(RTLD_NEXT, "localtime_r"));
|
| -
|
| - if (!g_libc_localtime || !g_libc_localtime_r) {
|
| - // http://code.google.com/p/chromium/issues/detail?id=16800
|
| - //
|
| - // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces
|
| - // it with a version which doesn't work. In this case we'll get a NULL
|
| - // result. There's not a lot we can do at this point, so we just bodge it!
|
| - LOG(ERROR) << "Your system is broken: dlsym doesn't work! This has been "
|
| - "reported to be caused by Nvidia's libGL. You should expect"
|
| - " time related functions to misbehave. "
|
| - "http://code.google.com/p/chromium/issues/detail?id=16800";
|
| - }
|
| -
|
| - if (!g_libc_localtime)
|
| - g_libc_localtime = gmtime;
|
| - if (!g_libc_localtime_r)
|
| - g_libc_localtime_r = gmtime_r;
|
| -}
|
| -
|
| -struct tm* localtime(const time_t* timep) {
|
| - if (g_am_zygote_or_renderer) {
|
| - static struct tm time_struct;
|
| - static char timezone_string[64];
|
| - ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string,
|
| - sizeof(timezone_string));
|
| - return &time_struct;
|
| - } else {
|
| - CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
|
| - InitLibcLocaltimeFunctions));
|
| - return g_libc_localtime(timep);
|
| - }
|
| -}
|
| -
|
| -struct tm* localtime_r(const time_t* timep, struct tm* result) {
|
| - if (g_am_zygote_or_renderer) {
|
| - ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
|
| - return result;
|
| - } else {
|
| - CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
|
| - InitLibcLocaltimeFunctions));
|
| - return g_libc_localtime_r(timep, result);
|
| - }
|
| -}
|
| -
|
| -#endif // !CHROMIUM_SELINUX
|
| -
|
| -// This function triggers the static and lazy construction of objects that need
|
| -// to be created before imposing the sandbox.
|
| -static void PreSandboxInit() {
|
| - base::RandUint64();
|
| -
|
| - base::SysInfo::MaxSharedMemorySize();
|
| -
|
| - // ICU DateFormat class (used in base/time_format.cc) needs to get the
|
| - // Olson timezone ID by accessing the zoneinfo files on disk. After
|
| - // TimeZone::createDefault is called once here, the timezone ID is
|
| - // cached and there's no more need to access the file system.
|
| - scoped_ptr<icu::TimeZone> zone(icu::TimeZone::createDefault());
|
| -
|
| - FilePath module_path;
|
| - if (PathService::Get(base::DIR_MODULE, &module_path))
|
| - media::InitializeMediaLibrary(module_path);
|
| -
|
| - // Ensure access to the Pepper plugins before the sandbox is turned on.
|
| - PepperPluginRegistry::PreloadModules();
|
| -}
|
| -
|
| -#if !defined(CHROMIUM_SELINUX)
|
| -static bool EnterSandbox() {
|
| - // The SUID sandbox sets this environment variable to a file descriptor
|
| - // over which we can signal that we have completed our startup and can be
|
| - // chrooted.
|
| - const char* const sandbox_fd_string = getenv("SBX_D");
|
| -
|
| - if (sandbox_fd_string) {
|
| - // Use the SUID sandbox. This still allows the seccomp sandbox to
|
| - // be enabled by the process later.
|
| - g_suid_sandbox_active = true;
|
| -
|
| - char* endptr;
|
| - const long fd_long = strtol(sandbox_fd_string, &endptr, 10);
|
| - if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX)
|
| - return false;
|
| - const int fd = fd_long;
|
| -
|
| - PreSandboxInit();
|
| -
|
| - static const char kMsgChrootMe = 'C';
|
| - static const char kMsgChrootSuccessful = 'O';
|
| -
|
| - if (HANDLE_EINTR(write(fd, &kMsgChrootMe, 1)) != 1) {
|
| - LOG(ERROR) << "Failed to write to chroot pipe: " << errno;
|
| - return false;
|
| - }
|
| -
|
| - // We need to reap the chroot helper process in any event:
|
| - wait(NULL);
|
| -
|
| - char reply;
|
| - if (HANDLE_EINTR(read(fd, &reply, 1)) != 1) {
|
| - LOG(ERROR) << "Failed to read from chroot pipe: " << errno;
|
| - return false;
|
| - }
|
| -
|
| - if (reply != kMsgChrootSuccessful) {
|
| - LOG(ERROR) << "Error code reply from chroot helper";
|
| - return false;
|
| - }
|
| -
|
| - SkiaFontConfigSetImplementation(
|
| - new FontConfigIPC(kMagicSandboxIPCDescriptor));
|
| -
|
| - // Previously, we required that the binary be non-readable. This causes the
|
| - // kernel to mark the process as non-dumpable at startup. The thinking was
|
| - // that, although we were putting the renderers into a PID namespace (with
|
| - // the SUID sandbox), they would nonetheless be in the /same/ PID
|
| - // namespace. So they could ptrace each other unless they were non-dumpable.
|
| - //
|
| - // If the binary was readable, then there would be a window between process
|
| - // startup and the point where we set the non-dumpable flag in which a
|
| - // compromised renderer could ptrace attach.
|
| - //
|
| - // However, now that we have a zygote model, only the (trusted) zygote
|
| - // exists at this point and we can set the non-dumpable flag which is
|
| - // inherited by all our renderer children.
|
| - //
|
| - // Note: a non-dumpable process can't be debugged. To debug sandbox-related
|
| - // issues, one can specify --allow-sandbox-debugging to let the process be
|
| - // dumpable.
|
| - const CommandLine& command_line = *CommandLine::ForCurrentProcess();
|
| - if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) {
|
| - prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
|
| - if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
|
| - LOG(ERROR) << "Failed to set non-dumpable flag";
|
| - return false;
|
| - }
|
| - }
|
| - } else if (switches::SeccompSandboxEnabled()) {
|
| - PreSandboxInit();
|
| - SkiaFontConfigSetImplementation(
|
| - new FontConfigIPC(kMagicSandboxIPCDescriptor));
|
| - } else {
|
| - SkiaFontConfigUseDirectImplementation();
|
| - }
|
| -
|
| - return true;
|
| -}
|
| -#else // CHROMIUM_SELINUX
|
| -
|
| -static bool EnterSandbox() {
|
| - PreSandboxInit();
|
| - SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
|
| - return true;
|
| -}
|
| -
|
| -#endif // CHROMIUM_SELINUX
|
| -
|
| -bool ZygoteMain(const MainFunctionParams& params) {
|
| -#if !defined(CHROMIUM_SELINUX)
|
| - g_am_zygote_or_renderer = true;
|
| -#endif
|
| -
|
| -#if defined(SECCOMP_SANDBOX)
|
| - // The seccomp sandbox needs access to files in /proc, which might be denied
|
| - // after one of the other sandboxes have been started. So, obtain a suitable
|
| - // file handle in advance.
|
| - if (switches::SeccompSandboxEnabled()) {
|
| - g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
|
| - if (g_proc_fd < 0) {
|
| - LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
|
| - "sandboxing.";
|
| - }
|
| - }
|
| -#endif // SECCOMP_SANDBOX
|
| -
|
| - // Turn on the SELinux or SUID sandbox
|
| - if (!EnterSandbox()) {
|
| - LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
|
| - << errno << ")";
|
| - return false;
|
| - }
|
| -
|
| - int sandbox_flags = 0;
|
| - if (getenv("SBX_D"))
|
| - sandbox_flags |= ZygoteHost::kSandboxSUID;
|
| - if (getenv("SBX_PID_NS"))
|
| - sandbox_flags |= ZygoteHost::kSandboxPIDNS;
|
| - if (getenv("SBX_NET_NS"))
|
| - sandbox_flags |= ZygoteHost::kSandboxNetNS;
|
| -
|
| -#if defined(SECCOMP_SANDBOX)
|
| - // The seccomp sandbox will be turned on when the renderers start. But we can
|
| - // already check if sufficient support is available so that we only need to
|
| - // print one error message for the entire browser session.
|
| - if (g_proc_fd >= 0 && switches::SeccompSandboxEnabled()) {
|
| - if (!SupportsSeccompSandbox(g_proc_fd)) {
|
| - // There are a good number of users who cannot use the seccomp sandbox
|
| - // (e.g. because their distribution does not enable seccomp mode by
|
| - // default). While we would prefer to deny execution in this case, it
|
| - // seems more realistic to continue in degraded mode.
|
| - LOG(ERROR) << "WARNING! This machine lacks support needed for the "
|
| - "Seccomp sandbox. Running renderers with Seccomp "
|
| - "sandboxing disabled.";
|
| - } else {
|
| - VLOG(1) << "Enabling experimental Seccomp sandbox.";
|
| - sandbox_flags |= ZygoteHost::kSandboxSeccomp;
|
| - }
|
| - }
|
| -#endif // SECCOMP_SANDBOX
|
| -
|
| - Zygote zygote(sandbox_flags);
|
| - // This function call can return multiple times, once per fork().
|
| - return zygote.ProcessRequests();
|
| -}
|
|
|
Chromium Code Reviews
Issue 6538111:
Move the rest of the core files in chrome\browser to content\browser.... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/