Linux: have the sandbox binary create the sandbox directory.

chrome/browser/zygote_main_linux.cc

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <unistd.h>
 #include <sys/epoll.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/signal.h>
 #include <sys/prctl.h>
@@ skipping 197 matching lines @@
       return false;
     const int fd = fd_long;
 
     // Before entering the sandbox, "prime" any systems that need to open
     // files and cache the results or the descriptors.
     base::RandUint64();
 
     static const char kChrootMe = 'C';
     static const char kChrootMeSuccess = 'O';
 
-    if (HANDLE_EINTR(write(fd, &kChrootMe, 1)) != 1)
+    if (HANDLE_EINTR(write(fd, &kChrootMe, 1)) != 1) {
+      LOG(ERROR) << "Failed to write to chroot pipe: " << errno;
       return false;
+    }
 
     char reply;
-    if (HANDLE_EINTR(read(fd, &reply, 1)) != 1)
+    std::vector<int> fds;
+    if (!base::RecvMsg(fd, &reply, 1, &fds)) {
+      LOG(ERROR) << "Failed to read from chroot pipe: " << errno;
       return false;
-    if (reply != kChrootMeSuccess)
+    }
+    if (reply != kChrootMeSuccess) {
+      LOG(ERROR) << "Error code reply from chroot helper";
+      for (size_t i = 0; i < fds.size(); ++i)
+        HANDLE_EINTR(close(fds[i]));
       return false;
-    if (chdir("/") == -1)
+    }
+    if (fds.size() != 1) {
+      LOG(ERROR) << "Bad number of file descriptors from chroot helper";
+      for (size_t i = 0; i < fds.size(); ++i)
+        HANDLE_EINTR(close(fds[i]));
       return false;
+    }
+    if (fchdir(fds[0]) == -1) {
+      LOG(ERROR) << "Failed to chdir to root directory: " << errno;
+      HANDLE_EINTR(close(fds[0]));
+      return false;
+    }
+    HANDLE_EINTR(close(fds[0]));
 
     static const int kMagicSandboxIPCDescriptor = 5;
     SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
 
     // Previously, we required that the binary be non-readable. This causes the
     // kernel to mark the process as non-dumpable at startup. The thinking was
     // that, although we were putting the renderers into a PID namespace (with
     // the SUID sandbox), they would nonetheless be in the /same/ PID
     // namespace. So they could ptrace each other unless they were non-dumpable.
     //
     // If the binary was readable, then there would be a window between process
     // startup and the point where we set the non-dumpable flag in which a
     // compromised renderer could ptrace attach.
     //
     // However, now that we have a zygote model, only the (trusted) zygote
     // exists at this point and we can set the non-dumpable flag which is
     // inherited by all our renderer children.
     prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
-    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0))
+    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
+      LOG(ERROR) << "Failed to set non-dumpable flag";
       return false;
+    }
   } else {
     SkiaFontConfigUseDirectImplementation();
   }
 
   return true;
 }
 
 bool ZygoteMain(const MainFunctionParams& params) {
   if (!MaybeEnterChroot()) {
     LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
                << errno << ")";
     return false;
   }
 
   Zygote zygote;
   return zygote.ProcessRequests();
 }