Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1793)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/common/sandbox_linux/sandbox_linux.cc

Issue 189093005: Linux Sandbox: show Yama status in about:sandbox (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « content/common/sandbox_linux/sandbox_linux.h ('k') | content/public/common/sandbox_linux.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/common/sandbox_linux/sandbox_linux.cc
diff --git a/content/common/sandbox_linux/sandbox_linux.cc b/content/common/sandbox_linux/sandbox_linux.cc
index a30e41c416581d872f18bf2fabaac1cea33b9e31..1cc21c340f61919073d4ed718b0654af0d9ccfbf 100644
--- a/content/common/sandbox_linux/sandbox_linux.cc
+++ b/content/common/sandbox_linux/sandbox_linux.cc
@@ -28,8 +28,11 @@
#include "content/public/common/sandbox_linux.h"
#include "sandbox/linux/services/credentials.h"
#include "sandbox/linux/services/thread_helpers.h"
+#include "sandbox/linux/services/yama.h"
#include "sandbox/linux/suid/client/setuid_sandbox_client.h"
+using sandbox::Yama;
+
namespace {
struct FDCloser {
@@ -104,6 +107,7 @@ LinuxSandbox::LinuxSandbox()
sandbox_status_flags_(kSandboxLinuxInvalid),
pre_initialized_(false),
seccomp_bpf_supported_(false),
+ yama_is_enforcing_(false),
setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
if (setuid_sandbox_client_ == NULL) {
LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
@@ -130,7 +134,7 @@ void LinuxSandbox::PreinitializeSandbox() {
#if defined(ADDRESS_SANITIZER) && defined(OS_LINUX)
// ASan needs to open some resources before the sandbox is enabled.
// This should not fork, not launch threads, not open a directory.
- __sanitizer_sandbox_on_notify(/*reserved*/NULL);
+ __sanitizer_sandbox_on_notify(/*reserved*/ NULL);
#endif
#if !defined(NDEBUG)
@@ -147,6 +151,12 @@ void LinuxSandbox::PreinitializeSandbox() {
seccomp_bpf_supported_ = true;
}
}
+
+ // Yama is a "global", system-level status. We assume it will not regress
+ // after startup.
+ const int yama_status = Yama::GetStatus();
+ yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) &&
+ (yama_status & Yama::STATUS_ENFORCING);
pre_initialized_ = true;
}
@@ -179,6 +189,10 @@ int LinuxSandbox::GetStatus() {
SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess)) {
sandbox_status_flags_ |= kSandboxLinuxSeccompBPF;
}
+
+ if (yama_is_enforcing_) {
+ sandbox_status_flags_ |= kSandboxLinuxYama;
+ }
}
return sandbox_status_flags_;
« no previous file with comments | « content/common/sandbox_linux/sandbox_linux.h ('k') | content/public/common/sandbox_linux.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698