New NaCl zygote implementation 2

content/browser/zygote_main_linux.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/zygote_host_linux.h"
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <sys/socket.h>
@@ skipping 19 matching lines @@
 #include "content/common/chrome_descriptors.h"
 #include "content/common/content_switches.h"
 #include "content/common/font_config_ipc_linux.h"
 #include "content/common/main_function_params.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "content/common/process_watcher.h"
 #include "content/common/result_codes.h"
 #include "content/common/sandbox_methods_linux.h"
 #include "content/common/set_process_title.h"
 #include "content/common/unix_domain_socket_posix.h"
+#include "content/common/zygote_fork_delegate_linux.h"
 #include "seccompsandbox/sandbox.h"
 #include "skia/ext/SkFontHost_fontconfig_control.h"
 #include "unicode/timezone.h"
+#include "ipc/ipc_switches.h"
 
 #if defined(OS_LINUX)
 #include <sys/epoll.h>
 #include <sys/prctl.h>
 #include <sys/signal.h>
 #else
 #include <signal.h>
 #endif
 
 #if defined(CHROMIUM_SELINUX)
@@ skipping 32 matching lines @@
   freecon(security_context);
 
   if (r) {
     LOG(FATAL) << "dynamic transition to type '" << type << "' failed. "
                   "(this binary has been built with SELinux support, but maybe "
                   "the policies haven't been loaded into the kernel?)";
   }
 }
 #endif  // CHROMIUM_SELINUX
 
+static std::string ExtractArg(std::vector<std::string> args,

[Evan Martin, 2011/06/24 18:57:33]

Use namespace{} instead of static

Why no comments?

[Brad Chen, 2011/06/25 22:14:51]

Comments added.

Given the consistent use of "static" throughout this file I'd prefer to leave it
as is. There is a lot of code in here pertaining to SELINUX and the SECCOMP
sandbox that I'd rather not change because I am not set up to test it.

Okay?

On 2011/06/24 18:57:33, Evan Martin wrote:

+                       const std::string swtch) {

[Evan Martin, 2011/06/24 18:57:33]

Pass by reference, not by copying

[Brad Chen, 2011/06/25 22:14:51]

Done.

+  const std::string key = "--" + swtch + "=";
+  int len = key.length();
+  for (size_t i = 0; i < args.size(); i++) {
+    if (key.compare(0, len, args[i], 0, len) == 0) {
+      return args[i];
+    }
+  }
+  return "";
+}
+
 // This is the object which implements the zygote. The ZygoteMain function,
 // which is called from ChromeMain, simply constructs one of these objects and
 // runs it.
 class Zygote {
  public:
-  explicit Zygote(int sandbox_flags)
-      : sandbox_flags_(sandbox_flags) {
+  explicit Zygote(int sandbox_flags, ZygoteForkDelegate* helper)
+    : sandbox_flags_(sandbox_flags),
+      helper_(helper) {
   }
 
   bool ProcessRequests() {
     // A SOCK_SEQPACKET socket is installed in fd 3. We get commands from the
     // browser on it.
     // A SOCK_DGRAM is installed in fd 5. This is the sandbox IPC channel.
     // See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
 
     // We need to accept SIGCHLD, even though our handler is a no-op because
     // otherwise we cannot wait on children. (According to POSIX 2001.)
@@ skipping 41 matching lines @@
 
     if (len == -1) {
       PLOG(ERROR) << "Error reading message from browser";
       return false;
     }
 
     Pickle pickle(buf, len);
     void* iter = NULL;
 
     int kind;
+    std::string process_type;
     if (pickle.ReadInt(&iter, &kind)) {
       switch (kind) {
         case ZygoteHost::kCmdFork:
           // This function call can return multiple times, once per fork().
-          return HandleForkRequest(fd, pickle, iter, fds);
+          pickle.ReadString(&iter, &process_type);
+          return HandleForkRequest(fd, pickle, iter, fds, process_type);

[Evan Martin, 2011/06/24 18:57:33]

Since HandleForkRequest reaches into the pickle anyway, why not have it extract
the process type as well?

[Brad Chen, 2011/06/25 22:14:51]

Done.

+
         case ZygoteHost::kCmdReap:
           if (!fds.empty())
             break;
           HandleReapRequest(fd, pickle, iter);
           return false;
         case ZygoteHost::kCmdGetTerminationStatus:
           if (!fds.empty())
             break;
           HandleGetTerminationStatus(fd, pickle, iter);
           return false;
@@ skipping 62 matching lines @@
     ssize_t written =
         HANDLE_EINTR(write(fd, write_pickle.data(), write_pickle.size()));
     if (written != static_cast<ssize_t>(write_pickle.size()))
       PLOG(ERROR) << "write";
   }
 
   // This is equivalent to fork(), except that, when using the SUID
   // sandbox, it returns the real PID of the child process as it
   // appears outside the sandbox, rather than returning the PID inside
   // the sandbox.
-  int ForkWithRealPid() {
-    if (!g_suid_sandbox_active)
+  int ForkWithRealPid(const std::string process_type, std::vector<int>& fds,
+                      const std::string channel_switch) {
+    const bool use_helper = (helper_ && helper_->CanHelp(process_type));
+    if (!(use_helper || g_suid_sandbox_active)) {
       return fork();
+    }
 
     int dummy_fd;
     ino_t dummy_inode;
     int pipe_fds[2] = { -1, -1 };
     base::ProcessId pid = 0;
 
     dummy_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
     if (dummy_fd < 0) {
       LOG(ERROR) << "Failed to create dummy FD";
       goto error;
     }
     if (!base::FileDescriptorGetInode(&dummy_inode, dummy_fd)) {
       LOG(ERROR) << "Failed to get inode for dummy FD";
       goto error;
     }
     if (pipe(pipe_fds) != 0) {
       LOG(ERROR) << "Failed to create pipe";
       goto error;
     }
 
-    pid = fork();
+    if (use_helper) {
+      fds.push_back(dummy_fd);
+      fds.push_back(pipe_fds[0]);
+      pid = helper_->Fork(fds);
+    } else {
+      pid = fork();
+    }
     if (pid < 0) {
       goto error;
     } else if (pid == 0) {
       // In the child process.
       close(pipe_fds[1]);
       char buffer[1];
       // Wait until the parent process has discovered our PID.  We
       // should not fork any child processes (which the seccomp
       // sandbox does) until then, because that can interfere with the
       // parent's discovery of our PID.
       if (HANDLE_EINTR(read(pipe_fds[0], buffer, 1)) != 1 ||
           buffer[0] != 'x') {
         LOG(FATAL) << "Failed to synchronise with parent zygote process";
       }
       close(pipe_fds[0]);
       close(dummy_fd);
       return 0;
     } else {
       // In the parent process.
       close(dummy_fd);
       dummy_fd = -1;
       close(pipe_fds[0]);
       pipe_fds[0] = -1;
-      uint8_t reply_buf[512];
-      Pickle request;
-      request.WriteInt(LinuxSandbox::METHOD_GET_CHILD_WITH_INODE);
-      request.WriteUInt64(dummy_inode);
+      base::ProcessId real_pid;
+      if (g_suid_sandbox_active) {
+        uint8_t reply_buf[512];
+        Pickle request;
+        request.WriteInt(LinuxSandbox::METHOD_GET_CHILD_WITH_INODE);
+        request.WriteUInt64(dummy_inode);
 
-      const ssize_t r = UnixDomainSocket::SendRecvMsg(
-          kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL,
-          request);
-      if (r == -1) {
-        LOG(ERROR) << "Failed to get child process's real PID";
-        goto error;
+        const ssize_t r = UnixDomainSocket::SendRecvMsg(
+            kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL,
+            request);
+        if (r == -1) {
+          LOG(ERROR) << "Failed to get child process's real PID";
+          goto error;
+        }
+
+        Pickle reply(reinterpret_cast<char*>(reply_buf), r);
+        void* iter2 = NULL;
+        if (!reply.ReadInt(&iter2, &real_pid))
+          goto error;
+        if (real_pid <= 0) {
+          // METHOD_GET_CHILD_WITH_INODE failed. Did the child die already?
+          LOG(ERROR) << "METHOD_GET_CHILD_WITH_INODE failed";
+          goto error;
+        }
+        real_pids_to_sandbox_pids[real_pid] = pid;
       }
-
-      base::ProcessId real_pid;
-      Pickle reply(reinterpret_cast<char*>(reply_buf), r);
-      void* iter2 = NULL;
-      if (!reply.ReadInt(&iter2, &real_pid))
-        goto error;
-      if (real_pid <= 0) {
-        // METHOD_GET_CHILD_WITH_INODE failed. Did the child die already?
-        LOG(ERROR) << "METHOD_GET_CHILD_WITH_INODE failed";
-        goto error;
-      }
-      real_pids_to_sandbox_pids[real_pid] = pid;
-      if (HANDLE_EINTR(write(pipe_fds[1], "x", 1)) != 1) {
-        LOG(ERROR) << "Failed to synchronise with child process";
-        goto error;
+      if (use_helper) {
+        real_pid = pid;
+        if (!helper_->AckChild(pipe_fds[1], channel_switch)) {
+          LOG(ERROR) << "Failed to synchronise with NaCl child process";
+          goto error;
+        }
+      } else {
+        if (HANDLE_EINTR(write(pipe_fds[1], "x", 1)) != 1) {
+          LOG(ERROR) << "Failed to synchronise with child process";
+          goto error;
+        }
       }
       close(pipe_fds[1]);
       return real_pid;
     }
 
    error:
     if (pid > 0) {
       if (waitpid(pid, NULL, WNOHANG) == -1)
         LOG(ERROR) << "Failed to wait for process";
     }
     if (dummy_fd >= 0)
       close(dummy_fd);
     if (pipe_fds[0] >= 0)
       close(pipe_fds[0]);
     if (pipe_fds[1] >= 0)
       close(pipe_fds[1]);
     return -1;
   }
 
   // Handle a 'fork' request from the browser: this means that the browser
   // wishes to start a new renderer.
-  bool HandleForkRequest(int fd, const Pickle& pickle, void* iter,
-                         std::vector<int>& fds) {
+  bool HandleForkRequest(int fd, const Pickle& pickle,
+                         void* iter, std::vector<int>& fds,
+                         const std::string process_type) {

[Evan Martin, 2011/06/24 18:57:33]

Pass by reference, not copy

[Brad Chen, 2011/06/25 22:14:51]

As per your suggestion I'm no longer passing process_type.

     std::vector<std::string> args;
     int argc, numfds;
     base::GlobalDescriptors::Mapping mapping;
     base::ProcessId child;
 
     if (!pickle.ReadInt(&iter, &argc))
       goto error;
 
     for (int i = 0; i < argc; ++i) {
       std::string arg;
@@ skipping 10 matching lines @@
     for (int i = 0; i < numfds; ++i) {
       base::GlobalDescriptors::Key key;
       if (!pickle.ReadUInt32(&iter, &key))
         goto error;
       mapping.push_back(std::make_pair(key, fds[i]));
     }
 
     mapping.push_back(std::make_pair(
         static_cast<uint32_t>(kSandboxIPCChannel), kMagicSandboxIPCDescriptor));
 
-    child = ForkWithRealPid();
+    child = ForkWithRealPid(process_type, fds,
+                            ExtractArg(args, switches::kProcessChannelID));
 
     if (!child) {
 #if defined(SECCOMP_SANDBOX)
       // Try to open /proc/self/maps as the seccomp sandbox needs access to it
       if (g_proc_fd >= 0) {
         int proc_self_maps = openat(g_proc_fd, "self/maps", O_RDONLY);
         if (proc_self_maps >= 0) {
           SeccompSandboxSetProcSelfMaps(proc_self_maps);
         }
         close(g_proc_fd);
@@ skipping 52 matching lines @@
     return false;
   }
 
   // In the SUID sandbox, we try to use a new PID namespace. Thus the PIDs
   // fork() returns are not the real PIDs, so we need to map the Real PIDS
   // into the sandbox PID namespace.
   typedef base::hash_map<base::ProcessHandle, base::ProcessHandle> ProcessMap;
   ProcessMap real_pids_to_sandbox_pids;
 
   const int sandbox_flags_;
+  ZygoteForkDelegate* helper_;
 };
 
 // With SELinux we can carve out a precise sandbox, so we don't have to play
 // with intercepting libc calls.
 #if !defined(CHROMIUM_SELINUX)
 
 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
                                         char* timezone_out,
                                         size_t timezone_out_len) {
   Pickle request;
@@ skipping 238 matching lines @@
 #else  // CHROMIUM_SELINUX
 
 static bool EnterSandbox() {
   PreSandboxInit();
   SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
   return true;
 }
 
 #endif  // CHROMIUM_SELINUX
 
-bool ZygoteMain(const MainFunctionParams& params) {
+bool ZygoteMain(const MainFunctionParams& params,
+                ZygoteForkDelegate* forkdelegate) {
 #if !defined(CHROMIUM_SELINUX)
   g_am_zygote_or_renderer = true;
 #endif
 
 #if defined(SECCOMP_SANDBOX)
   // The seccomp sandbox needs access to files in /proc, which might be denied
   // after one of the other sandboxes have been started. So, obtain a suitable
   // file handle in advance.
   if (CommandLine::ForCurrentProcess()->HasSwitch(
           switches::kEnableSeccompSandbox)) {
     g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
     if (g_proc_fd < 0) {
       LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
                     "sandboxing.";
     }
   }
 #endif  // SECCOMP_SANDBOX
 
+  // initialize the fork helper

[Evan Martin, 2011/06/24 18:57:33]

This comment is uninformative.  I suggest deleting it.

[Brad Chen, 2011/06/25 22:14:51]

Done.

+  VLOG(1) << "initializing fork delegate";
+  forkdelegate->Init(getenv("SBX_D") != NULL, // g_suid_sandbox_active,
+                     kBrowserDescriptor, kMagicSandboxIPCDescriptor);
+
   // Turn on the SELinux or SUID sandbox
   if (!EnterSandbox()) {
     LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
                << errno << ")";
     return false;
   }
 
   int sandbox_flags = 0;
   if (getenv("SBX_D"))
     sandbox_flags |= ZygoteHost::kSandboxSUID;
@@ skipping 16 matching lines @@
       LOG(ERROR) << "WARNING! This machine lacks support needed for the "
                     "Seccomp sandbox. Running renderers with Seccomp "
                     "sandboxing disabled.";
     } else {
       VLOG(1) << "Enabling experimental Seccomp sandbox.";
       sandbox_flags |= ZygoteHost::kSandboxSeccomp;
     }
   }
 #endif  // SECCOMP_SANDBOX
 
-  Zygote zygote(sandbox_flags);
+  Zygote zygote(sandbox_flags, forkdelegate);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }