
Unified Diff: mandoline/app/desktop/main.cc

Issue 1264463005: mandoline sandbox: prewarm libraries before we raise the sandbox. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 5 months ago
Index: mandoline/app/desktop/main.cc
diff --git a/mandoline/app/desktop/main.cc b/mandoline/app/desktop/main.cc
index c01b36bed1b06b9c437ba00fc3a7827f78eb3656..aaec6972aea95a051f34177ae26091b4fd26a19b 100644
--- a/mandoline/app/desktop/main.cc
+++ b/mandoline/app/desktop/main.cc
@@ -14,6 +14,8 @@
#include "mojo/shell/native_runner.h"
#if defined(OS_LINUX) && !defined(OS_ANDROID)
+#include "base/rand_util.h"
+#include "base/sys_info.h"
#include "mandoline/app/desktop/linux_sandbox.h"
#endif
@@ -22,30 +24,52 @@ int main(int argc, char** argv) {
const base::CommandLine& command_line =
*base::CommandLine::ForCurrentProcess();
+ base::NativeLibrary app_library = 0;
#if defined(OS_LINUX) && !defined(OS_ANDROID)
using sandbox::syscall_broker::BrokerFilePermission;
scoped_ptr<mandoline::LinuxSandbox> sandbox;
- if (command_line.HasSwitch(switches::kChildProcess) &&
- command_line.HasSwitch(switches::kEnableSandbox)) {
- std::vector<BrokerFilePermission> permissions =
- mandoline::LinuxSandbox::GetPermissions();
- permissions.push_back(BrokerFilePermission::ReadOnly(
- command_line.GetSwitchValueNative(switches::kChildProcess)));
-
- sandbox.reset(new mandoline::LinuxSandbox(permissions));
- sandbox->Warmup();
- sandbox->EngageNamespaceSandbox();
- sandbox->EngageSeccompSandbox();
- sandbox->Seal();
- }
#endif
+ if (command_line.HasSwitch(switches::kChildProcess)) {
+ // Load the application library before we engage the sandbox.
+ mojo::shell::NativeApplicationCleanup cleanup =
+ command_line.HasSwitch(switches::kDeleteAfterLoad) ?
+ mojo::shell::NativeApplicationCleanup::DELETE :
+ mojo::shell::NativeApplicationCleanup::DONT_DELETE;
+ app_library = mojo::runner::LoadNativeApplication(
+ command_line.GetSwitchValuePath(switches::kChildProcess),
+ cleanup);
Elliot Glaysher 2015/07/29 17:36:38 Fun fact: app cleanup was also broken in the previ
+#if defined(OS_LINUX) && !defined(OS_ANDROID)
+ if (command_line.HasSwitch(switches::kEnableSandbox)) {
+ // Warm parts of base.
+ base::RandUint64();
+ base::SysInfo::AmountOfPhysicalMemory();
+ base::SysInfo::MaxSharedMemorySize();
+ base::SysInfo::NumberOfProcessors();
+
+ // Do whatever warming that the mojo application wants.
+ typedef void(*SandboxWarmFunction)();
+ SandboxWarmFunction sandbox_warm = reinterpret_cast<SandboxWarmFunction>(
+ base::GetFunctionPointerFromNativeLibrary(app_library,
+ "MojoSandboxWarm"));
+ if (sandbox_warm)
+ sandbox_warm();
+
+ std::vector<BrokerFilePermission> permissions;
+ sandbox.reset(new mandoline::LinuxSandbox(permissions));
+ sandbox->Warmup();
+ sandbox->EngageNamespaceSandbox();
+ sandbox->EngageSeccompSandbox();
+ sandbox->Seal();
+ }
+#endif
+ }
base::AtExitManager at_exit;
mojo::runner::InitializeLogging();
mojo::runner::WaitForDebuggerIfNecessary();
if (command_line.HasSwitch(switches::kChildProcess))
- return mojo::runner::ChildProcessMain();
+ return mojo::runner::ChildProcessMain(app_library);
return mandoline::LauncherProcessMain(argc, argv);
}
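Review bot: The result of `LoadNativeApplication` is never checked before it is used: if the load fails, `app_library` stays null, yet the sandbox branch still passes it to `GetFunctionPointerFromNativeLibrary`, seals the process and calls `ChildProcessMain(app_library)`. On Linux that lookup is presumably a `dlsym` on a null handle, which searches the global scope rather than the application, so a `MojoSandboxWarm` exported by any other loaded module would be called instead. Unless `ChildProcessMain` is known to handle a null library, I would bail out right after the load with `if (!app_library) return 1;`, since a sealed sandbox with an empty broker permission list cannot retry the load anyway. It is also worth a comment above the hook call recording that the library's static initialisers and `MojoSandboxWarm` run before any sandbox layer is engaged, e.g. `// Runs unsandboxed: MojoSandboxWarm must only preload, never parse untrusted input.` The start of `main` is outside this hunk.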