Merge 249937 "Linux Sandbox: Stop GPU watchdog in accountable way."

content/common/sandbox_linux/sandbox_linux.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
 
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/public/common/sandbox_linux.h"
 
 template <typename T> struct DefaultSingletonTraits;
+namespace base {
+class Thread;
+}
 namespace sandbox { class SetuidSandboxClient; }
 
 namespace content {
 
 // A singleton class to represent and change our sandboxing state for the
 // three main Linux sandboxes.
 class LinuxSandbox {
  public:
   // This is a list of sandbox IPC methods which the renderer may send to the
   // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
@@ skipping 13 matching lines @@
 
   // Do some initialization that can only be done before any of the sandboxes
   // are enabled. If using the setuid sandbox, this should be called manually
   // before the setuid sandbox is engaged.
   void PreinitializeSandbox();
 
   // Initialize the sandbox with the given pre-built configuration. Currently
   // seccomp-bpf and address space limitations (the setuid sandbox works
   // differently and is set-up in the Zygote). This will instantiate the
   // LinuxSandbox singleton if it doesn't already exist.
+  // This function should only be called without any thread running.
   static bool InitializeSandbox();
 
+  // Stop |thread| in a way that can be trusted by the sandbox.
+  static void StopThread(base::Thread* thread);
+
   // Returns the status of the renderer, worker and ppapi sandbox. Can only
   // be queried after going through PreinitializeSandbox(). This is a bitmask
   // and uses the constants defined in "enum LinuxSandboxStatus". Since the
   // status needs to be provided before the sandboxes are actually started,
   // this returns what will actually happen once InitializeSandbox()
   // is called from inside these processes.
   int GetStatus();
   // Returns true if the current process is single-threaded or if the number
   // of threads cannot be determined.
   bool IsSingleThreaded() const;
@@ skipping 11 matching lines @@
   // started we will crash.
   bool StartSeccompBPF(const std::string& process_type);
 
   // Limit the address space of the current process (and its children).
   // to make some vulnerabilities harder to exploit.
   bool LimitAddressSpace(const std::string& process_type);
 
  private:
   friend struct DefaultSingletonTraits<LinuxSandbox>;
 
-  // InitializeSandbox() is static and gets an instance of the Singleton. This
-  // is the non-static implementation.
+  // Some methods are static and get an instance of the Singleton. These
+  // are the non-static implementations.
   bool InitializeSandboxImpl();
+  void StopThreadImpl(base::Thread* thread);
   // We must have been pre_initialized_ before using this.
   bool seccomp_bpf_supported() const;
   // Returns true if it can be determined that the current process has open
   // directories that are not managed by the LinuxSandbox class. This would
   // be a vulnerability as it would allow to bypass the setuid sandbox.
-  bool HasOpenDirectories();
+  bool HasOpenDirectories() const;
   // The last part of the initialization is to make sure any temporary "hole"
   // in the sandbox is closed. For now, this consists of closing proc_fd_.
   void SealSandbox();
   // GetStatus() makes promises as to how the sandbox will behave. This
   // checks that no promises have been broken.
   void CheckForBrokenPromises(const std::string& process_type);
+  // Stop |thread| and make sure it does not appear in /proc/self/tasks/
+  // anymore.
+  void StopThreadAndEnsureNotCounted(base::Thread* thread) const;
 
   // A file descriptor to /proc. It's dangerous to have it around as it could
   // allow for sandbox bypasses. It needs to be closed before we consider
   // ourselves sandboxed.
   int proc_fd_;
   bool seccomp_bpf_started_;
   // The value returned by GetStatus(). Gets computed once and then cached.
   int sandbox_status_flags_;
   // Did PreinitializeSandbox() run?
   bool pre_initialized_;
   bool seccomp_bpf_supported_;  // Accurate if pre_initialized_.
   scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_;
 
   ~LinuxSandbox();
   DISALLOW_IMPLICIT_CONSTRUCTORS(LinuxSandbox);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_