components/nacl/loader/nacl_helper_linux.cc - Issue 1158793003: Enable one PID namespace per process for NaCl processes.

Side by Side Diff: components/nacl/loader/nacl_helper_linux.cc

Issue 1158793003: Enable one PID namespace per process for NaCl processes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Get rid of kDefaultExitCode. Created 5 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // A mini-zygote specifically for Native Client.	5 // A mini-zygote specifically for Native Client.

6	6

7 #include "components/nacl/loader/nacl_helper_linux.h"	7 #include "components/nacl/loader/nacl_helper_linux.h"

8	8

9 #include <errno.h>	9 #include <errno.h>

10 #include <fcntl.h>	10 #include <fcntl.h>

(...skipping 23 matching lines...) Expand all Loading...
34 #include "components/nacl/common/nacl_switches.h"	34 #include "components/nacl/common/nacl_switches.h"

35 #include "components/nacl/loader/nacl_listener.h"	35 #include "components/nacl/loader/nacl_listener.h"

36 #include "components/nacl/loader/nonsfi/nonsfi_listener.h"	36 #include "components/nacl/loader/nonsfi/nonsfi_listener.h"

37 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h"	37 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h"

38 #include "content/public/common/content_descriptors.h"	38 #include "content/public/common/content_descriptors.h"

39 #include "content/public/common/send_zygote_child_ping_linux.h"	39 #include "content/public/common/send_zygote_child_ping_linux.h"

40 #include "content/public/common/zygote_fork_delegate_linux.h"	40 #include "content/public/common/zygote_fork_delegate_linux.h"

41 #include "crypto/nss_util.h"	41 #include "crypto/nss_util.h"

42 #include "ipc/ipc_descriptors.h"	42 #include "ipc/ipc_descriptors.h"

43 #include "ipc/ipc_switches.h"	43 #include "ipc/ipc_switches.h"

	44 #include "sandbox/linux/services/credentials.h"

44 #include "sandbox/linux/services/libc_urandom_override.h"	45 #include "sandbox/linux/services/libc_urandom_override.h"

	46 #include "sandbox/linux/services/namespace_sandbox.h"

45	47

46 #if defined(OS_NACL_NONSFI)	48 #if defined(OS_NACL_NONSFI)

47 #include "native_client/src/public/nonsfi/irt_exception_handling.h"	49 #include "native_client/src/public/nonsfi/irt_exception_handling.h"

48 #else	50 #else

49 #include <link.h>	51 #include <link.h>

50 #include "components/nacl/loader/nonsfi/irt_exception_handling.h"	52 #include "components/nacl/loader/nonsfi/irt_exception_handling.h"

51 #endif	53 #endif

52	54

53 namespace {	55 namespace {

54	56

(...skipping 128 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
183 return false;	185 return false;

184 }	186 }

185	187

186 if (content::ZygoteForkDelegate::kNumPassedFDs != child_fds.size()) {	188 if (content::ZygoteForkDelegate::kNumPassedFDs != child_fds.size()) {

187 LOG(ERROR) << "nacl_helper: unexpected number of fds, got "	189 LOG(ERROR) << "nacl_helper: unexpected number of fds, got "

188 << child_fds.size();	190 << child_fds.size();

189 return false;	191 return false;

190 }	192 }

191	193

192 VLOG(1) << "nacl_helper: forking";	194 VLOG(1) << "nacl_helper: forking";

193 pid_t child_pid = fork();	195 pid_t child_pid;

	196 #if !defined(OS_NACL_NONSFI)

	197 if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
	jln (very slow on Chromium) 2015/05/28 09:02:33 Hidehiko, Mark, what's missing for this to compile Hidehiko, Mark, what's missing for this to compile in OS_NACL_NONSFI? One PID per NS is very desirable for NONSFI. hidehiko 2015/05/29 05:46:58 base::ForkWithFlags in base/process/launch_posix.c Show quoted text On 2015/05/28 09:02:33, jln (OOO til. Jun 7th) wrote: > Hidehiko, Mark, what's missing for this to compile in OS_NACL_NONSFI? > > One PID per NS is very desirable for NONSFI. base::ForkWithFlags in base/process/launch_posix.cc. It is not built in libbase_nacl_nonsfi.a now. Supporting ForkWithFlags only would not be much difficult, IIUC. Though, other code in the file would hit problems if we build with PNaCl toolchain, especially around signals, so I just dropped the file at all, as we didn't need it. Also, in ForkInNewPidNamespace, we need to use LINUX_SIGCHLD instead of SIGCHLD for the workaround of signal ABI problem. hidehiko 2015/05/29 06:14:52 FYI: Like this https://codereview.chromium.org/116 Show quoted text On 2015/05/29 05:46:58, hidehiko wrote: > On 2015/05/28 09:02:33, jln (OOO til. Jun 7th) wrote: > > Hidehiko, Mark, what's missing for this to compile in OS_NACL_NONSFI? > > > > One PID per NS is very desirable for NONSFI. > > base::ForkWithFlags in base/process/launch_posix.cc. > It is not built in libbase_nacl_nonsfi.a now. > > Supporting ForkWithFlags only would not be much difficult, IIUC. > Though, other code in the file would hit problems if we build with PNaCl > toolchain, especially around signals, so I just dropped the file at all, as we > didn't need it. > > Also, in ForkInNewPidNamespace, we need to use LINUX_SIGCHLD instead of SIGCHLD > for the workaround of signal ABI problem. FYI: Like this https://codereview.chromium.org/1161933003/ rickyz (no longer on Chrome) 2015/05/29 23:16:39 Thanks for the comments, Hidehiko - it sounds like Show quoted text On 2015/05/29 06:14:52, hidehiko wrote: > On 2015/05/29 05:46:58, hidehiko wrote: > > On 2015/05/28 09:02:33, jln (OOO til. Jun 7th) wrote: > > > Hidehiko, Mark, what's missing for this to compile in OS_NACL_NONSFI? > > > > > > One PID per NS is very desirable for NONSFI. > > > > base::ForkWithFlags in base/process/launch_posix.cc. > > It is not built in libbase_nacl_nonsfi.a now. > > > > Supporting ForkWithFlags only would not be much difficult, IIUC. > > Though, other code in the file would hit problems if we build with PNaCl > > toolchain, especially around signals, so I just dropped the file at all, as we > > didn't need it. > > > > Also, in ForkInNewPidNamespace, we need to use LINUX_SIGCHLD instead of > SIGCHLD > > for the workaround of signal ABI problem. > > FYI: Like this https://codereview.chromium.org/1161933003/ > Thanks for the comments, Hidehiko - it sounds like there might be a little extra work involved for nonsfi, so I'll start working on that in a separate CL.
	198 // The NaCl runtime will install signal handlers for SIGINT, SIGTERM, etc.

	199 // so we do not need to install termination signal handlers ourselves.

	200 child_pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace(

	201 /drop_capabilities_in_child=/true);

	202 } else {

	203 #endif

	204 child_pid = fork();
	jln (very slow on Chromium) 2015/05/28 09:02:33 We never drop all capabilities in this codepath! We never drop all capabilities in this codepath! rickyz (no longer on Chrome) 2015/05/29 23:16:39 The combination of keeping CAP_SYS_ADMIN and hitti Show quoted text On 2015/05/28 09:02:33, jln (OOO til. Jun 7th) wrote: > We never drop all capabilities in this codepath! The combination of keeping CAP_SYS_ADMIN and hitting this codepath is probably impossible, but agreed, the separation of responsibility is really unclear :-( What do you think about this change? I added a helper that forks and drops capabilities, and call that instead of fork().
	205 #if !defined(OS_NACL_NONSFI)
	mdempsky 2015/05/28 21:23:23 nit: Having an #if block just for a } is kind of u nit: Having an #if block just for a } is kind of ugly. I'd suggest either reshuffling the "} else { #endif" to "} else #endif {" so you can have the close brace unconditionally, or the more intrusive option of something like namespace { #if defined(OS_NACL_NONSFI) pid_t ForkChild() { return sandbox::NamespaceSandbox::ForkInNewPidNamespace(...); } #else pid_t ForkChild() { return fork(); } #endif } // namespace Your call. rickyz (no longer on Chrome) 2015/05/29 23:16:39 Done. Show quoted text On 2015/05/28 21:23:23, mdempsky wrote: > nit: Having an #if block just for a } is kind of ugly. I'd suggest either > reshuffling the "} else { #endif" to "} else #endif {" so you can have the close > brace unconditionally, or the more intrusive option of something like > > namespace { > #if defined(OS_NACL_NONSFI) > pid_t ForkChild() { > return sandbox::NamespaceSandbox::ForkInNewPidNamespace(...); > } > #else > pid_t ForkChild() { > return fork(); > } > #endif > } // namespace > > Your call. Done.
	206 }

	207 #endif

	208

194 if (child_pid < 0) {	209 if (child_pid < 0) {

195 PLOG(ERROR) << "*** fork() failed.";	210 PLOG(ERROR) << "*** fork() failed.";

196 }	211 }

197	212

198 if (child_pid == 0) {	213 if (child_pid == 0) {

199 ChildNaClLoaderInit(child_fds.Pass(),	214 ChildNaClLoaderInit(child_fds.Pass(),

200 system_info,	215 system_info,

201 uses_nonsfi_mode,	216 uses_nonsfi_mode,

202 nacl_sandbox,	217 nacl_sandbox,

203 channel_id);	218 channel_id);

(...skipping 273 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
477 // Now handle requests from the Zygote.	492 // Now handle requests from the Zygote.

478 while (true) {	493 while (true) {

479 bool request_handled = HandleZygoteRequest(	494 bool request_handled = HandleZygoteRequest(

480 kNaClZygoteDescriptor, system_info, nacl_sandbox.get());	495 kNaClZygoteDescriptor, system_info, nacl_sandbox.get());

481 // Do not turn this into a CHECK() without thinking about robustness	496 // Do not turn this into a CHECK() without thinking about robustness

482 // against malicious IPC requests.	497 // against malicious IPC requests.

483 DCHECK(request_handled);	498 DCHECK(request_handled);

484 }	499 }

485 NOTREACHED();	500 NOTREACHED();

486 }	501 }

OLD	NEW

« no previous file with comments | « no previous file | components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc » ('j') | components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc » ('J')