| Index: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| index 05a730259314f3678b87e44083ca3281e2712e4a..68d1cc97e173e52dd97871c6a061d44699985093 100644
|
| --- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| +++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| @@ -30,12 +30,10 @@
|
| #include "sandbox/linux/services/credentials.h"
|
| #include "sandbox/linux/services/namespace_sandbox.h"
|
| #include "sandbox/linux/services/proc_util.h"
|
| +#include "sandbox/linux/services/resource_limits.h"
|
| #include "sandbox/linux/services/thread_helpers.h"
|
| #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
|
|
|
| -#if !defined(OS_NACL_NONSFI)
|
| -#include "sandbox/linux/services/resource_limits.h"
|
| -#endif
|
|
|
| namespace nacl {
|
|
|
| @@ -66,10 +64,12 @@ bool MaybeSetProcessNonDumpable() {
|
| return prctl(PR_GET_DUMPABLE) == 0;
|
| }
|
|
|
| -#if !defined(OS_NACL_NONSFI)
|
| -// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
|
| -// This function is used only in InitializeLayerTwoSandbox().
|
| -// TODO(hidehiko): Enable the sandbox.
|
| +// TODO(hidehiko): Move this to
|
| +// native_client/src/public/linux_syscalls/sys/resource.h
|
| +#if !defined(RLIMIT_DATA)
|
| +#define RLIMIT_DATA 2
|
| +#endif
|
| +
|
| void RestrictAddressSpaceUsage() {
|
| #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
|
| defined(THREAD_SANITIZER)
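Review bot: The fallback `#if !defined(RLIMIT_DATA)` / `#define RLIMIT_DATA 2` is not restricted to the nonsfi build, so in the regular SFI build a missing `<sys/resource.h>` would be papered over with a hand-written ABI constant instead of failing to compile. Narrowing it to the build that actually lacks the header, `#if defined(OS_NACL_NONSFI) && !defined(RLIMIT_DATA)`, keeps the workaround where the new TODO says it belongs. A one-line comment on the constant would also help the next reader, e.g. `// 2 is the Linux ABI value of RLIMIT_DATA; defined here only until the nonsfi headers provide it.` (that the nonsfi headers lack it is inferred from the TODO, not visible here). The actual use of `RLIMIT_DATA` and the rest of `RestrictAddressSpaceUsage()` lie outside this hunk.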
|
| @@ -100,7 +100,6 @@ void RestrictAddressSpaceUsage() {
|
| #endif
|
| CHECK(sandbox::ResourceLimits::Lower(RLIMIT_AS, kNewAddressSpaceLimit));
|
| }
|
| -#endif // !OS_NACL_NONSFI
|
|
|
| } // namespace
|
|
|
| @@ -161,11 +160,6 @@ void NaClSandbox::InitializeLayerOneSandbox() {
|
| #endif // !OS_NACL_NONSFI
|
| }
|
|
|
| -#if !defined(OS_NACL_NONSFI)
|
| -// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
|
| -// TODO(hidehiko): Enable the sandbox.
|
| -// Note that CheckForExpectedNumberOfOpenFds() is just referred from
|
| -// InitializeLayerTwoSandbox(). Enable them together.
|
| void NaClSandbox::CheckForExpectedNumberOfOpenFds() {
|
| // We expect to have the following FDs open:
|
| // 1-3) stdin, stdout, stderr.
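Review bot: Removing the `#if !defined(OS_NACL_NONSFI)` guard means `CheckForExpectedNumberOfOpenFds()` is now compiled, and presumably called, for nacl_helper_nonsfi as well, so the descriptor inventory the comment enumerates (stdin, stdout, stderr, …) must hold for that process too; if the nonsfi helper is launched with a different set of open descriptors the count check will trip, or worse, an extra leaked descriptor could be masked by a missing expected one. Suggest stating the nonsfi expectation explicitly in the comment, e.g. `// The same set is expected for nacl_helper_nonsfi; any mode-specific descriptor must be listed here.`, once it has been confirmed against the launcher. The remainder of the function body and the check on the count are outside this hunk.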
|
| @@ -196,6 +190,10 @@ void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) {
|
|
|
| RestrictAddressSpaceUsage();
|
|
|
| +#if defined(OS_NACL_NONSFI)
|
| + layer_two_enabled_ = nacl::nonsfi::InitializeBPFSandbox(proc_fd_.Pass());
|
| + layer_two_is_nonsfi_ = true;
|
| +#else
|
| // Pass proc_fd_ ownership to the BPF sandbox, which guarantees it will
|
| // be closed. There is no point in keeping it around since the BPF policy
|
| // will prevent its usage.
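Review bot: In the new `#if defined(OS_NACL_NONSFI)` branch the `uses_nonsfi_mode` parameter is no longer consulted, so in that build a caller passing `false` still gets the nonsfi BPF policy and `layer_two_is_nonsfi_ = true`. A `DCHECK(uses_nonsfi_mode);` as the first line of the branch would document and enforce that the nonsfi helper is never asked for an SFI policy, mirroring the `if (...) ... else` selection whose tail is visible in the next hunk (its condition is outside the hunk, so I assume it tests `uses_nonsfi_mode`). Note also that `layer_two_is_nonsfi_` is set to true regardless of whether `InitializeBPFSandbox()` succeeded; if `layer_two_enabled_` is false the flag should arguably not claim a nonsfi sandbox is in place, e.g. `layer_two_is_nonsfi_ = layer_two_enabled_;`, unless the SFI path (start not visible here) deliberately does the same.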
|
| @@ -205,8 +203,8 @@ void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) {
|
| } else {
|
| layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_fd_.Pass());
|
| }
|
| +#endif
|
| }
|
| -#endif // OS_NACL_NONSFI
|
|
|
| void NaClSandbox::SealLayerOneSandbox() {
|
| if (proc_fd_.is_valid() && !layer_two_enabled_) {
|
| @@ -238,9 +236,6 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() {
|
| LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg;
|
| }
|
|
|
| -#if !defined(OS_NACL_NONSFI)
|
| - // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
|
| - // TODO(hidehiko): Enable the sandbox.
|
| if (!layer_two_enabled_) {
|
| static const char kNoBpfMsg[] =
|
| "The seccomp-bpf sandbox is not engaged for NaCl:";
|
| @@ -249,7 +244,6 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() {
|
| else
|
| LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
|
| }
|
| -#endif
|
| }
|
|
|
| } // namespace nacl
|
|
|