content/zygote/zygote_main_linux.cc - Issue 11231021: Zygote: Initialize NSS fully

Side by Side Diff: content/zygote/zygote_main_linux.cc

Issue 11231021: Zygote: Initialize NSS fully (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 8 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <dlfcn.h>	5 #include <dlfcn.h>

6 #include <fcntl.h>	6 #include <fcntl.h>

7 #include <pthread.h>	7 #include <pthread.h>

8 #include <stdio.h>	8 #include <stdio.h>

9 #include <sys/socket.h>	9 #include <sys/socket.h>

10 #include <sys/stat.h>	10 #include <sys/stat.h>

(...skipping 472 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
483 }	483 }

484	484

485 if (setuid_sandbox->IsInNewPIDNamespace() && !has_started_new_init) {	485 if (setuid_sandbox->IsInNewPIDNamespace() && !has_started_new_init) {

486 LOG(ERROR) << "The SUID sandbox created a new PID namespace but Zygote "	486 LOG(ERROR) << "The SUID sandbox created a new PID namespace but Zygote "

487 "is not the init process. Please, make sure the SUID "	487 "is not the init process. Please, make sure the SUID "

488 "binary is up to date.";	488 "binary is up to date.";

489 }	489 }

490	490

491 int sandbox_flags = linux_sandbox->GetStatus();	491 int sandbox_flags = linux_sandbox->GetStatus();

492	492

	493 #if defined(USE_NSS)
	ddorwin 2012/10/20 00:45:32 If we take this patch, should we remove http://cod If we take this patch, should we remove http://code.google.com/searchframe#OAMlx_jo-ck/src/chrome/renderer/chrome_ren... ? Should the #if check match that one? jln (very slow on Chromium) 2012/10/20 01:14:09 This comment is misleading on Linux. On Linux the Show quoted text On 2012/10/20 00:45:32, ddorwin wrote: > If we take this patch, should we remove > http://code.google.com/searchframe#OAMlx_jo-ck/src/chrome/renderer/chrome_ren... > ? Should the #if check match that one? This comment is misleading on Linux. On Linux the setuid sandbox is already engaged at that point since this is called from a process within the Zygote. See content/app/content_main_runner.cc, in RunZygote(), it calls ContentClientInitializer::Set(), which will in turn call CreateContentRendererClient which will create the observer. You're probably correct that I need to remove this on Linux, even though it would most likely exit quickly. Ryan: this seems to indicate that we're already paying the cost for this in every renderer anyway, isn't it?
	494 // Do some extra NSS initialization. We don't want to do this pre-sandbox

	495 // because it's not well defined what venues of attacks it could create.

	496 //

	497 // In addition to the benfit of doing this initialization only once, (it

	498 // will be inherited), this is a good warm-up before we enable our next layer

	499 // of sandbox, e.g. seccomp-bpf.

	500

	501 // We will soon fork, but we haven't loaded any security module.

	502 crypto::DisableNSSForkCheck();
	Ryan Sleevi 2012/10/19 23:50:10 Is modifying the \|env\| like this permitted at this Is modifying the \|env\| like this permitted at this time? For some reason I was thinking this needed to be done before the first layer. jln (very slow on Chromium) 2012/10/20 00:51:30 I didn't now that the env was affected, but I don' Show quoted text On 2012/10/19 23:50:10, Ryan Sleevi wrote: > Is modifying the \|env\| like this permitted at this time? > > For some reason I was thinking this needed to be done before the first layer. I didn't now that the env was affected, but I don't see any reason why that would be a problem, no.
	503 // Without this line on Linux, HMAC::Init will instantiate a singleton that

	504 // in turn attempts to open a file.
	Ryan Sleevi 2012/10/19 23:50:10 drop the comment on 503-504. It doesn't matter wha drop the comment on 503-504. It doesn't matter what function - ANY attempt to open NSS will attempt to open /dev/urandom - which I'd argue the sandbox should allow (hence the libc overrides) Or are you seeing a different file? jln (very slow on Chromium) 2012/10/20 00:51:30 Done. Show quoted text On 2012/10/19 23:50:10, Ryan Sleevi wrote: > drop the comment on 503-504. It doesn't matter what function - ANY attempt to > open NSS will attempt to open /dev/urandom - which I'd argue the sandbox should > allow (hence the libc overrides) > > Or are you seeing a different file? Done.
	505 // The sandbox will prevent that anyway, but if it didn't, this would also

	506 // leak descriptors to private files.
	Ryan Sleevi 2012/10/19 23:50:10 What files are being opened? What descriptors are What files are being opened? What descriptors are you worried about? I'm not sure I can make sense of this comment? jln (very slow on Chromium) 2012/10/20 00:51:30 I modified it to make it more generic. What we don Show quoted text On 2012/10/19 23:50:10, Ryan Sleevi wrote: > What files are being opened? What descriptors are you worried about? I'm not > sure I can make sense of this comment? I modified it to make it more generic. What we don't want, is as you explained, a module to load private data to memory or to open file descriptors and keep them open.
	507 crypto::ForceNSSNoDBInit();

	508 // Initialize NSS, every child process will benefit from it.

	509 crypto::EnsureNSSInit();
	Ryan Sleevi 2012/10/19 23:50:10 s/benefit/suffer/ :) It's not clear to me what ho s/benefit/suffer/ :) It's not clear to me what holes that are punched can be closed with this, thus it's not clear to me the benefit this brings, compared to the overhead. jln (very slow on Chromium) 2012/10/20 00:51:30 When this function is called, NSS will make some s Show quoted text On 2012/10/19 23:50:10, Ryan Sleevi wrote: > s/benefit/suffer/ :) > > It's not clear to me what holes that are punched can be closed with this, thus > it's not clear to me the benefit this brings, compared to the overhead. When this function is called, NSS will make some system calls that we want to restrict (they bring attack surface). For instance: advanced scheduling system calls and sysinfo / uname. This is why crbug.com/156864 exists: the seccomp-bpf sandbox (that restricts the kernel's API) was started before NSS. In renderers, this also happens, except, unlike for PPAPI, in renderers we allowed sysinfo / uname and some of the advanced scheduling operations (this is the "hole" I'm talking about). I'm now thinking of closing it. I'm trying to understand the impact of EnsureNSSInit(). Am I correct that if anything calls, say, crypto::HMAC, this will have the same impact that EnsureNSSInit() ? I would think calling it once and for all from the Zygote is a good thing. All processes forking from the Zygote (renderers, PPAPI), wouldn't have to go through it again.
	510 #endif

	511

493 Zygote zygote(sandbox_flags, forkdelegate);	512 Zygote zygote(sandbox_flags, forkdelegate);

494 // This function call can return multiple times, once per fork().	513 // This function call can return multiple times, once per fork().

495 return zygote.ProcessRequests();	514 return zygote.ProcessRequests();

496 }	515 }

497	516

498 } // namespace content	517 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »