Update sandbox/linux from upstream

sandbox/linux/services/credentials.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <signal.h>
 #include <stdint.h>
 #include <stdio.h>
@@ skipping 35 matching lines @@
   const bool uids_are_equal = (ruid == euid) && (ruid == suid);
   const bool gids_are_equal = (rgid == egid) && (rgid == sgid);
   if (!uids_are_equal || !gids_are_equal) return false;
   if (resuid) *resuid = euid;
   if (resgid) *resgid = egid;
   return true;
 }
 
 const int kExitSuccess = 0;
 
+#if defined(__clang__)
+// Disable sanitizers that rely on TLS and may write to non-stack memory.
+__attribute__((no_sanitize_address))
+__attribute__((no_sanitize_thread))
+__attribute__((no_sanitize_memory))
+#endif
 int ChrootToSelfFdinfo(void*) {
+  // This function can be run from a vforked child, so it should not write to
+  // any memory other than the stack or errno. Reads from TLS may be different
+  // from in the parent process.
   RAW_CHECK(sys_chroot("/proc/self/fdinfo/") == 0);
 
   // CWD is essentially an implicit file descriptor, so be careful to not
   // leave it behind.
   RAW_CHECK(chdir("/") == 0);
   _exit(kExitSuccess);
 }
 
 // chroot() to an empty dir that is "safe". To be safe, it must not contain
 // any subdirectory (chroot-ing there would allow a chroot escape) and it must
@@ skipping 17 matching lines @@
   pid_t pid = -1;
   char stack_buf[PTHREAD_STACK_MIN];
 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
     defined(ARCH_CPU_MIPS64_FAMILY) || defined(ARCH_CPU_MIPS_FAMILY)
   // The stack grows downward.
   void* stack = stack_buf + sizeof(stack_buf);
 #else
 #error "Unsupported architecture"
 #endif
 
-  pid = clone(ChrootToSelfFdinfo, stack,
-              CLONE_VM | CLONE_VFORK | CLONE_FS | LINUX_SIGCHLD, nullptr,
-              nullptr, nullptr, nullptr);
+  int clone_flags = CLONE_FS | LINUX_SIGCHLD;
+  void* tls = nullptr;
+#if defined(ARCH_CPU_X86_64) || defined(ARCH_CPU_ARM_FAMILY)
+  // Use CLONE_VM | CLONE_VFORK as an optimization to avoid copying page tables.
+  // Since clone writes to the new child's TLS before returning, we must set a
+  // new TLS to avoid corrupting the current process's TLS. On ARCH_CPU_X86,
+  // glibc performs syscalls by calling a function pointer in TLS, so we do not
+  // attempt this optimization.
+  clone_flags |= CLONE_VM | CLONE_VFORK | CLONE_SETTLS;
+
+  char tls_buf[PTHREAD_STACK_MIN] = {0};
+  tls = tls_buf;
+#endif
+
+  pid = clone(ChrootToSelfFdinfo, stack, clone_flags, nullptr, nullptr, tls,
+              nullptr);
   PCHECK(pid != -1);
 
   int status = -1;
   PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid);
 
   return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess;
 }
 
 // CHECK() that an attempt to move to a new user namespace raised an expected
 // errno.
@@ skipping 182 matching lines @@
 bool Credentials::DropFileSystemAccess(int proc_fd) {
   CHECK_LE(0, proc_fd);
 
   CHECK(ChrootToSafeEmptyDir());
   CHECK(!base::DirectoryExists(base::FilePath("/proc")));
   CHECK(!ProcUtil::HasOpenDirectory(proc_fd));
   // We never let this function fail.
   return true;
 }
 
+pid_t Credentials::ForkAndDropCapabilitiesInChild() {
+  pid_t pid = fork();
+  if (pid != 0) {
+    return pid;
+  }
+
+  // Since we just forked, we are single threaded.
+  PCHECK(DropAllCapabilitiesOnCurrentThread());
+  return 0;
+}
+
 }  // namespace sandbox.