OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/zygote_host/zygote_host_impl_linux.h" | 5 #include "content/browser/zygote_host/zygote_host_impl_linux.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <string.h> | 8 #include <string.h> |
9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
(...skipping 141 matching lines...)
152 | 152 |
153 const bool using_namespace_sandbox = ShouldUseNamespaceSandbox(); | 153 const bool using_namespace_sandbox = ShouldUseNamespaceSandbox(); |
154 // A non empty sandbox_cmd means we want a SUID sandbox. | 154 // A non empty sandbox_cmd means we want a SUID sandbox. |
155 const bool using_suid_sandbox = | 155 const bool using_suid_sandbox = |
156 !sandbox_cmd.empty() && !using_namespace_sandbox; | 156 !sandbox_cmd.empty() && !using_namespace_sandbox; |
157 | 157 |
158 // Use the SUID sandbox for adjusting OOM scores when we are using the setuid | 158 // Use the SUID sandbox for adjusting OOM scores when we are using the setuid |
159 // or namespace sandbox. This is needed beacuse the processes are | 159 // or namespace sandbox. This is needed beacuse the processes are |
160 // non-dumpable, so /proc/pid/oom_score_adj can only be written by root. | 160 // non-dumpable, so /proc/pid/oom_score_adj can only be written by root. |
161 use_suid_sandbox_for_adj_oom_score_ = | 161 use_suid_sandbox_for_adj_oom_score_ = |
162 !sandbox_binary_.empty() && | 162 !sandbox_binary_.empty() && using_suid_sandbox; |
163 (using_namespace_sandbox || using_suid_sandbox); | |
164 | 163 |
165 // Start up the sandbox host process and get the file descriptor for the | 164 // Start up the sandbox host process and get the file descriptor for the |
166 // renderers to talk to it. | 165 // renderers to talk to it. |
167 const int sfd = RenderSandboxHostLinux::GetInstance()->GetRendererSocket(); | 166 const int sfd = RenderSandboxHostLinux::GetInstance()->GetRendererSocket(); |
168 fds_to_map.push_back(std::make_pair(sfd, GetSandboxFD())); | 167 fds_to_map.push_back(std::make_pair(sfd, GetSandboxFD())); |
169 | 168 |
170 base::ScopedFD dummy_fd; | 169 base::ScopedFD dummy_fd; |
171 if (using_suid_sandbox) { | 170 if (using_suid_sandbox) { |
172 scoped_ptr<sandbox::SetuidSandboxHost> sandbox_host( | 171 scoped_ptr<sandbox::SetuidSandboxHost> sandbox_host( |
173 sandbox::SetuidSandboxHost::Create()); | 172 sandbox::SetuidSandboxHost::Create()); |
(...skipping 421 matching lines...)
595 } | 594 } |
596 | 595 |
597 if (!sandbox::Credentials::CanCreateProcessInNewUserNS()) { | 596 if (!sandbox::Credentials::CanCreateProcessInNewUserNS()) { |
598 return false; | 597 return false; |
599 } | 598 } |
600 | 599 |
601 return true; | 600 return true; |
602 } | 601 } |
603 | 602 |
604 } // namespace content | 603 } // namespace content |
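Review bot: The comment above the assignment to `use_suid_sandbox_for_adj_oom_score_` (new lines 158-160) still says the SUID sandbox is used for OOM score adjustment "when we are using the setuid or namespace sandbox", but the new condition `!sandbox_binary_.empty() && using_suid_sandbox;` no longer covers the namespace sandbox. The comment's own reasoning (non-dumpable processes, so `/proc/pid/oom_score_adj` is writable only by root) appears to apply to namespace-sandboxed children as well, so it should say how their OOM score is adjusted now, or that it is deliberately left alone; the code that would answer this is not visible in this section. I would reword the first sentence to `// Use the SUID sandbox binary for adjusting OOM scores only when we are using the setuid sandbox.`, add one sentence on the namespace case, and fix the "beacuse" typo while the comment is being touched. The enclosing function starts and ends in the skipped lines.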