Start all children in their own PID namespace.

content/zygote/zygote_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/zygote/zygote_linux.h"
 
 #include <fcntl.h>
 #include <string.h>
 #include <sys/socket.h>
 #include <sys/types.h>
@@ skipping 18 matching lines @@
 #include "content/common/sandbox_linux/sandbox_linux.h"
 #include "content/common/set_process_title.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/common/content_descriptors.h"
 #include "content/public/common/result_codes.h"
 #include "content/public/common/sandbox_linux.h"
 #include "content/public/common/send_zygote_child_ping_linux.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
 #include "ipc/ipc_channel.h"
 #include "ipc/ipc_switches.h"
+#include "sandbox/linux/services/credentials.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
 
 // See http://code.google.com/p/chromium/wiki/LinuxZygote
 
 namespace content {
 
 namespace {
 
 // NOP function. See below where this handler is installed.
 void SIGCHLDHandler(int signal) {
 }
 
+// On Linux, when a process is the init process of a PID namespace, it cannot be
+// terminated by signals like SIGTERM or SIGINT, since they are ignored unless
+// we register a handler for them. In the handlers, we exit with this special
+// exit code that GetTerminationStatus understands to mean that we were
+// terminated by an external signal.
+const int kKilledExitCode = 0x80;
+const int kUnexpectedExitCode = 0x81;
+
 int LookUpFd(const base::GlobalDescriptors::Mapping& fd_mapping, uint32_t key) {
   for (size_t index = 0; index < fd_mapping.size(); ++index) {
     if (fd_mapping[index].key == key)
       return fd_mapping[index].fd;
   }
   return -1;
 }
 
 void CreatePipe(base::ScopedFD* read_pipe, base::ScopedFD* write_pipe) {
   int raw_pipe[2];
@@ skipping 37 matching lines @@
   // A SOCK_SEQPACKET socket is installed in fd 3. We get commands from the
   // browser on it.
   // A SOCK_DGRAM is installed in fd 5. This is the sandbox IPC channel.
   // See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
 
   // We need to accept SIGCHLD, even though our handler is a no-op because
   // otherwise we cannot wait on children. (According to POSIX 2001.)
   struct sigaction action;
   memset(&action, 0, sizeof(action));
   action.sa_handler = &SIGCHLDHandler;
-  CHECK(sigaction(SIGCHLD, &action, NULL) == 0);
+  PCHECK(sigaction(SIGCHLD, &action, NULL) == 0);
 
   if (UsingSUIDSandbox() || UsingNSSandbox()) {
     // Let the ZygoteHost know we are ready to go.
     // The receiving code is in content/browser/zygote_host_linux.cc.
     bool r = UnixDomainSocket::SendMsg(kZygoteSocketPairFd,
                                        kZygoteHelloMessage,
                                        sizeof(kZygoteHelloMessage),
                                        std::vector<int>());
 #if defined(OS_CHROMEOS)
     LOG_IF(WARNING, !r) << "Sending zygote magic failed";
@@ skipping 180 matching lines @@
       // We don't know if the process is dying, so get its status but don't
       // wait.
       *status = base::GetTerminationStatus(child, exit_code);
     }
   }
   // Successfully got a status for |real_pid|.
   if (*status != base::TERMINATION_STATUS_STILL_RUNNING) {
     // Time to forget about this process.
     process_info_map_.erase(real_pid);
   }
+
+  if (WIFEXITED(*exit_code) && WEXITSTATUS(*exit_code) == kKilledExitCode) {
+    *status = base::TERMINATION_STATUS_PROCESS_WAS_KILLED;
+  }
+
   return true;
 }
 
 void Zygote::HandleGetTerminationStatus(int fd,
                                         PickleIterator iter) {
   bool known_dead;
   base::ProcessHandle child_requested;
 
   if (!iter.ReadBool(&known_dead) || !iter.ReadInt(&child_requested)) {
     LOG(WARNING) << "Error parsing GetTerminationStatus request "
@@ skipping 50 matching lines @@
     }
     std::vector<int> fds;
     fds.push_back(ipc_channel_fd);  // kBrowserFDIndex
     fds.push_back(pid_oracle.get());  // kPIDOracleFDIndex
     pid = helper->Fork(process_type, fds, channel_id);
 
     // Helpers should never return in the child process.
     CHECK_NE(pid, 0);
   } else {
     CreatePipe(&read_pipe, &write_pipe);
-    // This is roughly equivalent to a fork(). We are using ForkWithFlags mainly
-    // to give it some more diverse test coverage.
-    pid = base::ForkWithFlags(SIGCHLD, nullptr, nullptr);
+    if (sandbox_flags_ & kSandboxLinuxPIDNS &&
+        sandbox_flags_ & kSandboxLinuxUserNS) {
+      pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace(
+          /*drop_capabilities_in_child=*/true);
+    } else {
+      pid = fork();
+    }
   }
 
   if (pid == 0) {
+    // If the process is the init process inside a PID namespace, it must have
+    // explicit signal handlers.
+    if (getpid() == 1) {
+      for (const int sig : {SIGINT, SIGTERM}) {
+        sandbox::NamespaceSandbox::InstallTerminationSignalHandler(
+            sig, kKilledExitCode);
+      }
+
+      static const int kUnexpectedSignals[] = {
+          SIGHUP, SIGQUIT, SIGABRT, SIGPIPE, SIGUSR1, SIGUSR2,
+      };
+      for (const int sig : kUnexpectedSignals) {
+        sandbox::NamespaceSandbox::InstallTerminationSignalHandler(
+            sig, kUnexpectedExitCode);
+      }
+    }
+
     // In the child process.
     write_pipe.reset();
 
     // Ping the PID oracle socket so the browser can find our PID.
     CHECK(SendZygoteChildPing(pid_oracle.get()));
 
     // Now read back our real PID from the zygote.
     base::ProcessId real_pid;
     if (!base::ReadFromFD(read_pipe.get(),
                           reinterpret_cast<char*>(&real_pid),
@@ skipping 191 matching lines @@
                                     PickleIterator iter) {
   if (HANDLE_EINTR(write(fd, &sandbox_flags_, sizeof(sandbox_flags_))) !=
                    sizeof(sandbox_flags_)) {
     PLOG(ERROR) << "write";
   }
 
   return false;
 }
 
 }  // namespace content