components/nacl/zygote/nacl_fork_delegate_linux.cc - Issue 196793023: Add seccomp sandbox for non-SFI NaCl

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: components/nacl/zygote/nacl_fork_delegate_linux.cc

Issue 196793023: Add seccomp sandbox for non-SFI NaCl (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: components/nacl/zygote/nacl_fork_delegate_linux.cc

diff --git a/components/nacl/zygote/nacl_fork_delegate_linux.cc b/components/nacl/zygote/nacl_fork_delegate_linux.cc

index 1b9c7af7765f0a855966baba96b32765784c6f3f..c4f78143094e991183eccdd42faf717f4b9566e1 100644

--- a/components/nacl/zygote/nacl_fork_delegate_linux.cc

+++ b/components/nacl/zygote/nacl_fork_delegate_linux.cc

@@ -106,7 +106,8 @@ bool SendIPCRequestAndReadReply(int ipc_channel,

NaClForkDelegate::NaClForkDelegate()

: status_(kNaClHelperUnused),

- fd_(-1) {}

+ fd_(-1),

+ uses_nonsfi_(false) {}

void NaClForkDelegate::Init(const int sandboxdesc) {

VLOG(1) << "NaClForkDelegate::Init()";

@@ -252,8 +253,17 @@ bool NaClForkDelegate::CanHelp(const std::string& process_type,

std::string* uma_name,

int* uma_sample,

int* uma_boundary_value) {

- if (process_type != switches::kNaClLoaderProcess)

+ if (process_type != switches::kNaClLoaderProcess &&

+ process_type != switches::kNaClNonSfiLoaderProcess)

return false;

+ // We decide whether we will use SFI mode or non-SFI for the next

+ // run based on the process type here.

+ // TODO(hamaji): Have two helpers in content::Zygote and each

+ // NaClForkDelegate should focus on a single mode. This must be done

+ // when we split the helper binary for non-SFI mode from

+ // nacl_helper. Once this has been done, we can remove this check

+ // and uses_nonsfi_ field.

+ uses_nonsfi_ = process_type == switches::kNaClNonSfiLoaderProcess;

hamaji 2014/03/14 12:46:23 This would be probably the most doubtful change in

*uma_name = "NaCl.Client.Helper.StateOnFork";

*uma_sample = status_;

*uma_boundary_value = kNaClHelperStatusBoundary;

@@ -273,6 +283,10 @@ pid_t NaClForkDelegate::Fork(const std::vector<int>& fds) {

// First, send a remote fork request.

Pickle write_pickle;

write_pickle.WriteInt(nacl::kNaClForkRequest);

+ // Tell nacl_helper whether it should use SFI mode or non-SFI mode.

+ // TODO(hamaji): Remove this once we have splitted nacl_helper into

+ // two helper binaries. See the comment in CanHelp as well.

+ write_pickle.WriteBool(uses_nonsfi_);

char reply_buf[kNaClMaxIPCMessageLength];

ssize_t reply_size = 0;

« components/nacl/loader/nacl_sandbox_linux.cc ('K') | « components/nacl/zygote/nacl_fork_delegate_linux.h ('k') | no next file » | no next file with comments »