| OLD | NEW | 
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be | 
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. | 
| 4 | 4 | 
| 5 #include "sandbox/linux/suid/client/setuid_sandbox_host.h" | 5 #include "sandbox/linux/suid/client/setuid_sandbox_host.h" | 
| 6 | 6 | 
| 7 #include <fcntl.h> | 7 #include <fcntl.h> | 
| 8 #include <stdlib.h> | 8 #include <stdlib.h> | 
| 9 #include <sys/stat.h> | 9 #include <sys/stat.h> | 
| 10 #include <unistd.h> | 10 #include <unistd.h> | 
| (...skipping 112 matching lines...) |
| 123   base::FilePath sandbox_binary; | 123   base::FilePath sandbox_binary; | 
| 124   base::FilePath exe_dir; | 124   base::FilePath exe_dir; | 
| 125   if (PathService::Get(base::DIR_EXE, &exe_dir)) { | 125   if (PathService::Get(base::DIR_EXE, &exe_dir)) { | 
| 126     base::FilePath sandbox_candidate = exe_dir.AppendASCII("chrome-sandbox"); | 126     base::FilePath sandbox_candidate = exe_dir.AppendASCII("chrome-sandbox"); | 
| 127     if (base::PathExists(sandbox_candidate)) | 127     if (base::PathExists(sandbox_candidate)) | 
| 128       sandbox_binary = sandbox_candidate; | 128       sandbox_binary = sandbox_candidate; | 
| 129   } | 129   } | 
| 130 | 130 | 
| 131   // In user-managed builds, including development builds, an environment | 131   // In user-managed builds, including development builds, an environment | 
| 132   // variable is required to enable the sandbox. See | 132   // variable is required to enable the sandbox. See | 
| 133   // http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment | 133   // https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_san
     dbox_development.md | 
| 134   struct stat st; | 134   struct stat st; | 
| 135   if (sandbox_binary.empty() && stat(base::kProcSelfExe, &st) == 0 && | 135   if (sandbox_binary.empty() && stat(base::kProcSelfExe, &st) == 0 && | 
| 136       st.st_uid == getuid()) { | 136       st.st_uid == getuid()) { | 
| 137     const char* devel_sandbox_path = GetDevelSandboxPath(); | 137     const char* devel_sandbox_path = GetDevelSandboxPath(); | 
| 138     if (devel_sandbox_path) { | 138     if (devel_sandbox_path) { | 
| 139       sandbox_binary = base::FilePath(devel_sandbox_path); | 139       sandbox_binary = base::FilePath(devel_sandbox_path); | 
| 140     } | 140     } | 
| 141   } | 141   } | 
| 142 | 142 | 
| 143   return sandbox_binary; | 143   return sandbox_binary; | 
| 144 } | 144 } | 
| 145 | 145 | 
| 146 void SetuidSandboxHost::PrependWrapper(base::CommandLine* cmd_line) { | 146 void SetuidSandboxHost::PrependWrapper(base::CommandLine* cmd_line) { | 
| 147   std::string sandbox_binary(GetSandboxBinaryPath().value()); | 147   std::string sandbox_binary(GetSandboxBinaryPath().value()); | 
| 148   struct stat st; | 148   struct stat st; | 
| 149   if (sandbox_binary.empty() || stat(sandbox_binary.c_str(), &st) != 0) { | 149   if (sandbox_binary.empty() || stat(sandbox_binary.c_str(), &st) != 0) { | 
| 150     LOG(FATAL) << "The SUID sandbox helper binary is missing: " | 150     LOG(FATAL) << "The SUID sandbox helper binary is missing: " | 
| 151                << sandbox_binary << " Aborting now. See " | 151                << sandbox_binary << " Aborting now. See " | 
| 152                                     "https://code.google.com/p/chromium/wiki/" | 152                                     "https://chromium.googlesource.com/" | 
| 153                                     "LinuxSUIDSandboxDevelopment."; | 153                                     "chromium/src/+/master/docs/" | 
|  | 154                                     "linux_suid_sandbox_development.md."; | 
| 154   } | 155   } | 
| 155 | 156 | 
| 156   if (access(sandbox_binary.c_str(), X_OK) != 0 || (st.st_uid != 0) || | 157   if (access(sandbox_binary.c_str(), X_OK) != 0 || (st.st_uid != 0) || | 
| 157       ((st.st_mode & S_ISUID) == 0) || ((st.st_mode & S_IXOTH)) == 0) { | 158       ((st.st_mode & S_ISUID) == 0) || ((st.st_mode & S_IXOTH)) == 0) { | 
| 158     LOG(FATAL) << "The SUID sandbox helper binary was found, but is not " | 159     LOG(FATAL) << "The SUID sandbox helper binary was found, but is not " | 
| 159                   "configured correctly. Rather than run without sandboxing " | 160                   "configured correctly. Rather than run without sandboxing " | 
| 160                   "I'm aborting now. You need to make sure that " | 161                   "I'm aborting now. You need to make sure that " | 
| 161                << sandbox_binary << " is owned by root and has mode 4755."; | 162                << sandbox_binary << " is owned by root and has mode 4755."; | 
| 162   } | 163   } | 
| 163 | 164 | 
| (...skipping 22 matching lines...) |
| 186   // kZygoteIdFd. Fixing this requires a sandbox API change. :( | 187   // kZygoteIdFd. Fixing this requires a sandbox API change. :( | 
| 187   fds_to_remap->push_back(std::make_pair(dummy_fd->get(), kZygoteIdFd)); | 188   fds_to_remap->push_back(std::make_pair(dummy_fd->get(), kZygoteIdFd)); | 
| 188 } | 189 } | 
| 189 | 190 | 
| 190 void SetuidSandboxHost::SetupLaunchEnvironment() { | 191 void SetuidSandboxHost::SetupLaunchEnvironment() { | 
| 191   SaveSUIDUnsafeEnvironmentVariables(env_.get()); | 192   SaveSUIDUnsafeEnvironmentVariables(env_.get()); | 
| 192   SetSandboxAPIEnvironmentVariable(env_.get()); | 193   SetSandboxAPIEnvironmentVariable(env_.get()); | 
| 193 } | 194 } | 
| 194 | 195 | 
| 195 }  // namespace sandbox | 196 }  // namespace sandbox | 
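Review bot: The comment at new lines 131–133 says an environment variable is required in user-managed builds, but nothing explains the `st.st_uid == getuid()` test on `base::kProcSelfExe` that decides whether `GetDevelSandboxPath()` is consulted at all. From the visible lines, that path is only used when no `chrome-sandbox` exists next to the executable and the running binary is owned by the invoking user, which is presumably how a user-managed build is recognised. Because this gate selects which setuid helper gets launched, it deserves its own line, for example `// Only honour the developer-supplied path when the running binary is owned by the current user.` Separately, in the rewritten `LOG(FATAL)` text at new lines 152–154 the closing period is fused to the URL (`"linux_suid_sandbox_development.md."`), so a copied or auto-linked address picks up a stray dot; ending the literal at `.md` avoids that. The function containing the first of these (apparently `GetSandboxBinaryPath`) starts in the skipped lines, so its earlier part was not reviewed.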