Chromium Code Reviews| Index: components/nacl/loader/nacl_helper_linux.cc |
| diff --git a/components/nacl/loader/nacl_helper_linux.cc b/components/nacl/loader/nacl_helper_linux.cc |
| index c8139bf25ecaa557b0627d5179e7a696ad58bcf1..33bd65ff71401e317294625f7ef5202faee3799a 100644 |
| --- a/components/nacl/loader/nacl_helper_linux.cc |
| +++ b/components/nacl/loader/nacl_helper_linux.cc |
| @@ -47,15 +47,24 @@ struct NaClLoaderSystemInfo { |
| // side of the fork. See zygote_main_linux.cc:HandleForkRequest from |
| // if (!child) { |
| void BecomeNaClLoader(const std::vector<int>& child_fds, |
| - const NaClLoaderSystemInfo& system_info) { |
| + const NaClLoaderSystemInfo& system_info, |
| + bool uses_nonsfi) { |
| VLOG(1) << "NaCl loader: setting up IPC descriptor"; |
| // don't need zygote FD any more |
|
jln (very slow on Chromium)
2014/03/20 00:54:53
We need to refactor a bunch of this logic, but in
hamaji
2014/03/24 15:56:37
Done. However, this essentially disables --no-sand
|
| if (IGNORE_EINTR(close(kNaClZygoteDescriptor)) != 0) |
| LOG(ERROR) << "close(kNaClZygoteDescriptor) failed."; |
| - bool sandbox_initialized = InitializeBPFSandbox(); |
| + bool sandbox_initialized = false; |
|
jln (very slow on Chromium)
2014/03/20 00:54:53
rename to bpf_sandbox_initialized.
hamaji
2014/03/24 15:56:37
Done.
|
| + if (uses_nonsfi) |
| + sandbox_initialized = InitializeBPFSandboxForNonSfi(); |
| + else |
| + sandbox_initialized = InitializeBPFSandbox(); |
| if (!sandbox_initialized) { |
| LOG(ERROR) << "Could not initialize NaCl's second " |
| << "layer sandbox (seccomp-bpf)."; |
| + // We really depend on seccomp sandbox for non-SFI mode. We do not |
| + // run any program without seccomp sandbox. |
| + if (uses_nonsfi) |
| + _exit(1); |
| } |
| base::GlobalDescriptors::GetInstance()->Set( |
| kPrimaryIPCChannel, |
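Review bot: The seccomp-bpf failure branch now has two outcomes but only one log message: with `uses_nonsfi` false the loader logs and keeps running without the second-layer sandbox, and with it true the process exits. Someone triaging logs sees the same "Could not initialize NaCl's second layer sandbox (seccomp-bpf)." line in both cases and cannot tell a fail-closed exit from a loader that carried on unsandboxed. I would add a line such as `LOG(ERROR) << "Non-SFI mode requires seccomp-bpf; exiting.";` directly before `_exit(1);`. The comment above it should also say whether SFI mode continuing past this point is intended. The body of BecomeNaClLoader continues past the end of this hunk.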
| @@ -71,7 +80,8 @@ void BecomeNaClLoader(const std::vector<int>& child_fds, |
| // Start the NaCl loader in a child created by the NaCl loader Zygote. |
| void ChildNaClLoaderInit(const std::vector<int>& child_fds, |
| - const NaClLoaderSystemInfo& system_info) { |
| + const NaClLoaderSystemInfo& system_info, |
| + bool uses_nonsfi) { |
| const int parent_fd = child_fds[content::ZygoteForkDelegate::kParentFDIndex]; |
| const int dummy_fd = child_fds[content::ZygoteForkDelegate::kDummyFDIndex]; |
| bool validack = false; |
| @@ -103,7 +113,7 @@ void ChildNaClLoaderInit(const std::vector<int>& child_fds, |
| if (IGNORE_EINTR(close(parent_fd)) != 0) |
| LOG(ERROR) << "close(parent_fd) failed"; |
| if (validack) { |
| - BecomeNaClLoader(child_fds, system_info); |
| + BecomeNaClLoader(child_fds, system_info, uses_nonsfi); |
| } else { |
| LOG(ERROR) << "Failed to synch with zygote"; |
| } |
| @@ -115,7 +125,14 @@ void ChildNaClLoaderInit(const std::vector<int>& child_fds, |
| // content/browser/zygote_main_linux.cc:ForkWithRealPid() |
| bool HandleForkRequest(const std::vector<int>& child_fds, |
| const NaClLoaderSystemInfo& system_info, |
| + PickleIterator* input_iter, |
| Pickle* output_pickle) { |
| + bool uses_nonsfi; |
| + if (!input_iter->ReadBool(&uses_nonsfi)) { |
| + LOG(ERROR) << "Could not read uses_nonsfi status"; |
| + return false; |
| + } |
| + |
| if (content::ZygoteForkDelegate::kNumPassedFDs != child_fds.size()) { |
| LOG(ERROR) << "nacl_helper: unexpected number of fds, got " |
| << child_fds.size(); |
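Review bot: `bool uses_nonsfi;` is declared uninitialised and depends on `ReadBool` to fill it. Because this flag selects which seccomp policy the forked child installs, I would write `bool uses_nonsfi = false;` so a later change to the error path cannot pass an indeterminate value down to BecomeNaClLoader. The new read also makes the payload layout part of the request contract, since a fork request without the bool is now rejected before the fd-count check. A comment above the read, for example `// Fork request payload: a bool selecting non-SFI mode follows the command type.`, would record that for whoever edits the sender; the ordering is inferred from the call in HonorRequestAndReply and should be confirmed. HandleForkRequest continues beyond this hunk.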
| @@ -129,7 +146,7 @@ bool HandleForkRequest(const std::vector<int>& child_fds, |
| } |
| if (child_pid == 0) { |
| - ChildNaClLoaderInit(child_fds, system_info); |
| + ChildNaClLoaderInit(child_fds, system_info, uses_nonsfi); |
| NOTREACHED(); |
| } |
| @@ -201,6 +218,7 @@ bool HonorRequestAndReply(int reply_fd, |
| switch (command_type) { |
| case nacl::kNaClForkRequest: |
| have_to_reply = HandleForkRequest(attached_fds, system_info, |
| + input_iter, |
| &write_pickle); |
| break; |
| case nacl::kNaClGetTerminationStatusRequest: |