Non-SFI mode: Open primary IPC::Channel before seccomp-sandbox enabled.

components/nacl/loader/nacl_helper_linux.cc

Index: components/nacl/loader/nacl_helper_linux.cc
diff --git a/components/nacl/loader/nacl_helper_linux.cc b/components/nacl/loader/nacl_helper_linux.cc
index 8206eca99b49f6776a528c34e6f68fde83f544bf..e8ac2af77e7c4d82c884d8608a953e85a7b6b765 100644
--- a/components/nacl/loader/nacl_helper_linux.cc
+++ b/components/nacl/loader/nacl_helper_linux.cc
@@ -106,26 +106,35 @@ void BecomeNaClLoader(base::ScopedFD browser_fd,
   // We do this before seccomp-bpf is initialized.
   PCHECK(signal(SIGPIPE, SIG_IGN) != SIG_ERR);
 
+  base::GlobalDescriptors::GetInstance()->Set(kPrimaryIPCChannel,
+                                              browser_fd.release());
+  scoped_ptr<nacl::nonsfi::NonSfiListener> nonsfi_listener;
+  if (uses_nonsfi_mode) {
+    // NonSfiListener internally creates an IPC::Channel in CLIENT mode.
+    // Inside the creation, a socket pair is created as a dedicated pipe

[Mark Seaborn, 2015/05/13 17:40:58]

This is working around some hackery in ipc_channel_posix.cc that is very likely
obsolete.

See IPC_USES_READWRITE in ipc_channel_posix.{h,cc}, which says:

// On Linux, the seccomp sandbox makes it very expensive to call
// recvmsg() and sendmsg(). The restriction on calling read() and write(), which
// are cheap, is that we can't pass file descriptors over them.

This is referring to the old seccomp v1 sandbox
(http://code.google.com/p/seccompsandbox/), where read()/write() were fast but
sendmsg()/recvmsg() had to be intercepted and forwarded and so were slow.

ipc_channel_posix.cc creates a *second* socket for sending FDs so that we can
avoid sendmsg()/recvmsg() unless we know we need to send/receive an FD.

I had no idea that logic was still there and enabled on Linux.  It's probably a
pessimisation these days, since it means that sending/receiving IPC messages
will require two syscalls instead of one.

@jln: We should probably remove IPC_USES_READWRITE and thereby simplify the
code.  What do you think?

+    // for FD passing over IPC. On nacl_helper_nonsfi, socketpair() is
+    // prohibited by seccomp-bpf sandbox enabled below. So, it is necessary
+    // to create the IPC::Channel beforehand.
+    nonsfi_listener.reset(new nacl::nonsfi::NonSfiListener);
+  }
+
   // Finish layer-1 sandbox initialization and initialize the layer-2 sandbox.
   CHECK(!nacl_sandbox->HasOpenDirectory());
   nacl_sandbox->InitializeLayerTwoSandbox(uses_nonsfi_mode);
   nacl_sandbox->SealLayerOneSandbox();
   nacl_sandbox->CheckSandboxingStateWithPolicy();
 
-  base::GlobalDescriptors::GetInstance()->Set(kPrimaryIPCChannel,
-                                              browser_fd.release());
-
   base::MessageLoopForIO main_message_loop;
 #if defined(OS_NACL_NONSFI)
   CHECK(uses_nonsfi_mode);
-  nacl::nonsfi::NonSfiListener listener;
-  listener.Listen();
+  CHECK(nonsfi_listener.get());
+  nonsfi_listener->Listen();
 #else
   // TODO(hidehiko): Drop Non-SFI supporting from nacl_helper after the
   // nacl_helper_nonsfi switching is done.
   if (uses_nonsfi_mode) {
-    nacl::nonsfi::NonSfiListener listener;
-    listener.Listen();
+    CHECK(nonsfi_listener.get());
+    nonsfi_listener->Listen();
   } else {
     NaClListener listener;
     listener.set_prereserved_sandbox_size(system_info.prereserved_sandbox_size);