| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/zygote_host/zygote_host_impl_linux.h" | 5 #include "content/browser/zygote_host/zygote_host_impl_linux.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
| (...skipping 141 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 152 | 152 |
| 153 const bool using_namespace_sandbox = ShouldUseNamespaceSandbox(); | 153 const bool using_namespace_sandbox = ShouldUseNamespaceSandbox(); |
| 154 // A non empty sandbox_cmd means we want a SUID sandbox. | 154 // A non empty sandbox_cmd means we want a SUID sandbox. |
| 155 const bool using_suid_sandbox = | 155 const bool using_suid_sandbox = |
| 156 !sandbox_cmd.empty() && !using_namespace_sandbox; | 156 !sandbox_cmd.empty() && !using_namespace_sandbox; |
| 157 | 157 |
| 158 // Use the SUID sandbox for adjusting OOM scores when we are using the setuid | 158 // Use the SUID sandbox for adjusting OOM scores when we are using the setuid |
| 159 // or namespace sandbox. This is needed beacuse the processes are | 159 // or namespace sandbox. This is needed beacuse the processes are |
| 160 // non-dumpable, so /proc/pid/oom_score_adj can only be written by root. | 160 // non-dumpable, so /proc/pid/oom_score_adj can only be written by root. |
| 161 use_suid_sandbox_for_adj_oom_score_ = | 161 use_suid_sandbox_for_adj_oom_score_ = |
| 162 !sandbox_binary_.empty() && | 162 !sandbox_binary_.empty() && using_suid_sandbox; |
| 163 (using_namespace_sandbox || using_suid_sandbox); | |
| 164 | 163 |
| 165 // Start up the sandbox host process and get the file descriptor for the | 164 // Start up the sandbox host process and get the file descriptor for the |
| 166 // renderers to talk to it. | 165 // renderers to talk to it. |
| 167 const int sfd = RenderSandboxHostLinux::GetInstance()->GetRendererSocket(); | 166 const int sfd = RenderSandboxHostLinux::GetInstance()->GetRendererSocket(); |
| 168 fds_to_map.push_back(std::make_pair(sfd, GetSandboxFD())); | 167 fds_to_map.push_back(std::make_pair(sfd, GetSandboxFD())); |
| 169 | 168 |
| 170 base::ScopedFD dummy_fd; | 169 base::ScopedFD dummy_fd; |
| 171 if (using_suid_sandbox) { | 170 if (using_suid_sandbox) { |
| 172 scoped_ptr<sandbox::SetuidSandboxHost> sandbox_host( | 171 scoped_ptr<sandbox::SetuidSandboxHost> sandbox_host( |
| 173 sandbox::SetuidSandboxHost::Create()); | 172 sandbox::SetuidSandboxHost::Create()); |
| (...skipping 421 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 595 } | 594 } |
| 596 | 595 |
| 597 if (!sandbox::Credentials::CanCreateProcessInNewUserNS()) { | 596 if (!sandbox::Credentials::CanCreateProcessInNewUserNS()) { |
| 598 return false; | 597 return false; |
| 599 } | 598 } |
| 600 | 599 |
| 601 return true; | 600 return true; |
| 602 } | 601 } |
| 603 | 602 |
| 604 } // namespace content | 603 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1560033003:
Do not use suid helper when using the namespace sandbox. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master