Add seccomp sandbox for non-SFI NaCl

components/nacl/zygote/nacl_fork_delegate_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/zygote/nacl_fork_delegate_linux.h"
 
 #include <signal.h>
 #include <stdlib.h>
 #include <sys/resource.h>
 #include <sys/socket.h>
@@ skipping 88 matching lines @@
     return false;
   }
   *reply_size = msg_len;
   return true;
 }
 
 }  // namespace.
 
 NaClForkDelegate::NaClForkDelegate()
     : status_(kNaClHelperUnused),
-      fd_(-1) {}
+      fd_(-1),
+      uses_nonsfi_(false) {}
 
 void NaClForkDelegate::Init(const int sandboxdesc) {
   VLOG(1) << "NaClForkDelegate::Init()";
   int fds[2];
 
   // For communications between the NaCl loader process and
   // the SUID sandbox.
   int nacl_sandbox_descriptor =
       base::GlobalDescriptors::kBaseDescriptor + kSandboxIPCChannel;
   // Confirm a hard-wired assumption.
@@ skipping 125 matching lines @@
   if (status_ == kNaClHelperSuccess) {
     if (IGNORE_EINTR(close(fd_)) != 0)
       LOG(ERROR) << "close(fd_) failed";
   }
 }
 
 bool NaClForkDelegate::CanHelp(const std::string& process_type,
                                std::string* uma_name,
                                int* uma_sample,
                                int* uma_boundary_value) {
-  if (process_type != switches::kNaClLoaderProcess)
+  if (process_type != switches::kNaClLoaderProcess &&
+      process_type != switches::kNaClNonSfiLoaderProcess)
     return false;
+  // We decide whether we will use SFI mode or non-SFI for the next
+  // run based on the process type here.
+  // TODO(hamaji): Have two helpers in content::Zygote and each
+  // NaClForkDelegate should focus on a single mode. This must be done
+  // when we split the helper binary for non-SFI mode from
+  // nacl_helper. Once this has been done, we can remove this check
+  // and uses_nonsfi_ field.
+  uses_nonsfi_ = process_type == switches::kNaClNonSfiLoaderProcess;

[hamaji, 2014/03/14 12:46:23]

This would be probably the most doubtful change in this patch except for seccomp
changes. I think Zygote process sequentially calls Fork after CanHelp so this
should be fine.

Another solution would be add process_type argument to NaClForkDelegate::Fork. I
didn't do this as we will probably add one more NaClForkDelegate instance to
Zygote class and NaClForkDelegate::Fork won't need process_type.

   *uma_name = "NaCl.Client.Helper.StateOnFork";
   *uma_sample = status_;
   *uma_boundary_value = kNaClHelperStatusBoundary;
   return true;
 }
 
 pid_t NaClForkDelegate::Fork(const std::vector<int>& fds) {
   VLOG(1) << "NaClForkDelegate::Fork";
 
   DCHECK(fds.size() == kNumPassedFDs);
 
   if (status_ != kNaClHelperSuccess) {
     LOG(ERROR) << "Cannot launch NaCl process: nacl_helper failed to start";
     return -1;
   }
 
   // First, send a remote fork request.
   Pickle write_pickle;
   write_pickle.WriteInt(nacl::kNaClForkRequest);
+  // Tell nacl_helper whether it should use SFI mode or non-SFI mode.
+  // TODO(hamaji): Remove this once we have splitted nacl_helper into
+  // two helper binaries. See the comment in CanHelp as well.
+  write_pickle.WriteBool(uses_nonsfi_);
 
   char reply_buf[kNaClMaxIPCMessageLength];
   ssize_t reply_size = 0;
   bool got_reply =
       SendIPCRequestAndReadReply(fd_, fds, write_pickle,
                                  reply_buf, sizeof(reply_buf), &reply_size);
   if (!got_reply) {
     LOG(ERROR) << "Could not perform remote fork.";
     return -1;
   }
@@ skipping 56 matching lines @@
   int remote_exit_code;
   if (!iter.ReadInt(&remote_exit_code)) {
     LOG(ERROR) << "GetTerminationStatus: pickle failed";
     return false;
   }
 
   *status = static_cast<base::TerminationStatus>(termination_status);
   *exit_code = remote_exit_code;
   return true;
 }