OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <dirent.h> | 5 #include <dirent.h> |
6 #include <fcntl.h> | 6 #include <fcntl.h> |
7 #include <sys/resource.h> | 7 #include <sys/resource.h> |
8 #include <sys/stat.h> | 8 #include <sys/stat.h> |
9 #include <sys/time.h> | 9 #include <sys/time.h> |
10 #include <sys/types.h> | 10 #include <sys/types.h> |
(...skipping 122 matching lines...)
133 void LinuxSandbox::PreinitializeSandbox() { | 133 void LinuxSandbox::PreinitializeSandbox() { |
134 CHECK(!pre_initialized_); | 134 CHECK(!pre_initialized_); |
135 seccomp_bpf_supported_ = false; | 135 seccomp_bpf_supported_ = false; |
136 #if defined(ANY_OF_AMTLU_SANITIZER) | 136 #if defined(ANY_OF_AMTLU_SANITIZER) |
137 // Sanitizers need to open some resources before the sandbox is enabled. | 137 // Sanitizers need to open some resources before the sandbox is enabled. |
138 // This should not fork, not launch threads, not open a directory. | 138 // This should not fork, not launch threads, not open a directory. |
139 __sanitizer_sandbox_on_notify(sanitizer_args()); | 139 __sanitizer_sandbox_on_notify(sanitizer_args()); |
140 sanitizer_args_.reset(); | 140 sanitizer_args_.reset(); |
141 #endif | 141 #endif |
142 | 142 |
143 #if !defined(NDEBUG) | 143 #if !defined(NDEBUG) || (defined(CFI_ENFORCEMENT) && !defined(OFFICIAL_BUILD)) |
144 // The in-process stack dumping needs to open /proc/self/maps and cache | 144 // The in-process stack dumping needs to open /proc/self/maps and cache |
145 // its contents before the sandbox is enabled. It also pre-opens the | 145 // its contents before the sandbox is enabled. It also pre-opens the |
146 // object files that are already loaded in the process address space. | 146 // object files that are already loaded in the process address space. |
147 base::debug::EnableInProcessStackDumpingForSandbox(); | 147 base::debug::EnableInProcessStackDumpingForSandbox(); |
148 #endif // !defined(NDEBUG) | 148 #endif // !defined(NDEBUG) |
149 | 149 |
150 // Open proc_fd_. It would break the security of the setuid sandbox if it was | 150 // Open proc_fd_. It would break the security of the setuid sandbox if it was |
151 // not closed. | 151 // not closed. |
152 // If LinuxSandbox::PreinitializeSandbox() runs, InitializeSandbox() must run | 152 // If LinuxSandbox::PreinitializeSandbox() runs, InitializeSandbox() must run |
153 // as well. | 153 // as well. |
(...skipping 300 matching lines...)
454 | 454 |
455 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { | 455 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { |
456 DCHECK(thread); | 456 DCHECK(thread); |
457 base::ScopedFD proc_fd(OpenProc(proc_fd_)); | 457 base::ScopedFD proc_fd(OpenProc(proc_fd_)); |
458 PCHECK(proc_fd.is_valid()); | 458 PCHECK(proc_fd.is_valid()); |
459 CHECK( | 459 CHECK( |
460 sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_fd.get(), thread)); | 460 sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_fd.get(), thread)); |
461 } | 461 } |
462 | 462 |
463 } // namespace content | 463 } // namespace content |
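Review bot: The trailing comment on new line 148 still reads `#endif  // !defined(NDEBUG)` although the guard on line 143 is now wider; it should become `#endif  // !defined(NDEBUG) || (defined(CFI_ENFORCEMENT) && !defined(OFFICIAL_BUILD))` so the two cannot drift apart. The comment above the call also does not say why CFI builds are included or why official builds are excluded. Since the call caches /proc/self/maps and keeps already-loaded object files open inside the process that is about to be sandboxed, I would add a sentence such as `// Also enabled for non-official CFI builds (presumably so CFI failures can be symbolized); must stay off in OFFICIAL_BUILD.` to record that trade-off. Whether the base/debug side compiles its symbolization support under the same condition is not visible on this page and is worth confirming, otherwise the call could be a no-op in release CFI builds. PreinitializeSandbox continues past the lines shown here.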