OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // A mini-zygote specifically for Native Client. | 5 // A mini-zygote specifically for Native Client. |
6 | 6 |
7 #include "components/nacl/loader/nacl_helper_linux.h" | 7 #include "components/nacl/loader/nacl_helper_linux.h" |
8 | 8 |
9 #include <errno.h> | 9 #include <errno.h> |
10 #include <fcntl.h> | 10 #include <fcntl.h> |
(...skipping 18 matching lines...) Expand all Loading... |
29 #include "base/posix/eintr_wrapper.h" | 29 #include "base/posix/eintr_wrapper.h" |
30 #include "base/posix/global_descriptors.h" | 30 #include "base/posix/global_descriptors.h" |
31 #include "base/posix/unix_domain_socket_linux.h" | 31 #include "base/posix/unix_domain_socket_linux.h" |
32 #include "base/process/kill.h" | 32 #include "base/process/kill.h" |
33 #include "base/process/process_handle.h" | 33 #include "base/process/process_handle.h" |
34 #include "base/rand_util.h" | 34 #include "base/rand_util.h" |
35 #include "build/build_config.h" | 35 #include "build/build_config.h" |
36 #include "components/nacl/common/nacl_switches.h" | 36 #include "components/nacl/common/nacl_switches.h" |
37 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" | 37 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" |
38 #include "content/public/common/content_descriptors.h" | 38 #include "content/public/common/content_descriptors.h" |
| 39 #include "content/public/common/mojo_channel_switches.h" |
39 #include "content/public/common/send_zygote_child_ping_linux.h" | 40 #include "content/public/common/send_zygote_child_ping_linux.h" |
40 #include "content/public/common/zygote_fork_delegate_linux.h" | 41 #include "content/public/common/zygote_fork_delegate_linux.h" |
41 #include "ipc/ipc_descriptors.h" | 42 #include "ipc/ipc_descriptors.h" |
42 #include "ipc/ipc_switches.h" | 43 #include "ipc/ipc_switches.h" |
43 #include "sandbox/linux/services/credentials.h" | 44 #include "sandbox/linux/services/credentials.h" |
44 #include "sandbox/linux/services/namespace_sandbox.h" | 45 #include "sandbox/linux/services/namespace_sandbox.h" |
45 | 46 |
46 #if defined(OS_NACL_NONSFI) | 47 #if defined(OS_NACL_NONSFI) |
47 #include "components/nacl/loader/nonsfi/nonsfi_listener.h" | 48 #include "components/nacl/loader/nonsfi/nonsfi_listener.h" |
48 #include "native_client/src/public/nonsfi/irt_exception_handling.h" | 49 #include "native_client/src/public/nonsfi/irt_exception_handling.h" |
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
108 // because some IPC code, such as sync_socket_posix.cc, requires this. | 109 // because some IPC code, such as sync_socket_posix.cc, requires this. |
109 // We do this before seccomp-bpf is initialized. | 110 // We do this before seccomp-bpf is initialized. |
110 PCHECK(signal(SIGPIPE, SIG_IGN) != SIG_ERR); | 111 PCHECK(signal(SIGPIPE, SIG_IGN) != SIG_ERR); |
111 | 112 |
112 // Finish layer-1 sandbox initialization and initialize the layer-2 sandbox. | 113 // Finish layer-1 sandbox initialization and initialize the layer-2 sandbox. |
113 CHECK(!nacl_sandbox->HasOpenDirectory()); | 114 CHECK(!nacl_sandbox->HasOpenDirectory()); |
114 nacl_sandbox->InitializeLayerTwoSandbox(uses_nonsfi_mode); | 115 nacl_sandbox->InitializeLayerTwoSandbox(uses_nonsfi_mode); |
115 nacl_sandbox->SealLayerOneSandbox(); | 116 nacl_sandbox->SealLayerOneSandbox(); |
116 nacl_sandbox->CheckSandboxingStateWithPolicy(); | 117 nacl_sandbox->CheckSandboxingStateWithPolicy(); |
117 | 118 |
118 base::GlobalDescriptors::GetInstance()->Set(kPrimaryIPCChannel, | 119 base::GlobalDescriptors::GetInstance()->Set(kMojoIPCChannel, |
119 browser_fd.release()); | 120 browser_fd.release()); |
120 | 121 |
121 base::MessageLoopForIO main_message_loop; | 122 base::MessageLoopForIO main_message_loop; |
122 #if defined(OS_NACL_NONSFI) | 123 #if defined(OS_NACL_NONSFI) |
123 CHECK(uses_nonsfi_mode); | 124 CHECK(uses_nonsfi_mode); |
124 nacl::nonsfi::NonSfiListener listener; | 125 nacl::nonsfi::NonSfiListener listener; |
125 listener.Listen(); | 126 listener.Listen(); |
126 #else | 127 #else |
127 CHECK(!uses_nonsfi_mode); | 128 CHECK(!uses_nonsfi_mode); |
128 NaClListener listener; | 129 NaClListener listener; |
(...skipping 12 matching lines...) Expand all Loading... |
141 const std::string& channel_id) { | 142 const std::string& channel_id) { |
142 DCHECK(child_fds.size() > | 143 DCHECK(child_fds.size() > |
143 std::max(content::ZygoteForkDelegate::kPIDOracleFDIndex, | 144 std::max(content::ZygoteForkDelegate::kPIDOracleFDIndex, |
144 content::ZygoteForkDelegate::kBrowserFDIndex)); | 145 content::ZygoteForkDelegate::kBrowserFDIndex)); |
145 | 146 |
146 // Ping the PID oracle socket. | 147 // Ping the PID oracle socket. |
147 CHECK(content::SendZygoteChildPing( | 148 CHECK(content::SendZygoteChildPing( |
148 child_fds[content::ZygoteForkDelegate::kPIDOracleFDIndex].get())); | 149 child_fds[content::ZygoteForkDelegate::kPIDOracleFDIndex].get())); |
149 | 150 |
150 base::CommandLine::ForCurrentProcess()->AppendSwitchASCII( | 151 base::CommandLine::ForCurrentProcess()->AppendSwitchASCII( |
151 switches::kProcessChannelID, channel_id); | 152 switches::kMojoChannelToken, channel_id); |
152 | 153 |
153 // Save the browser socket and close the rest. | 154 // Save the browser socket and close the rest. |
154 base::ScopedFD browser_fd( | 155 base::ScopedFD browser_fd( |
155 std::move(child_fds[content::ZygoteForkDelegate::kBrowserFDIndex])); | 156 std::move(child_fds[content::ZygoteForkDelegate::kBrowserFDIndex])); |
156 child_fds.clear(); | 157 child_fds.clear(); |
157 | 158 |
158 BecomeNaClLoader(std::move(browser_fd), system_info, uses_nonsfi_mode, | 159 BecomeNaClLoader(std::move(browser_fd), system_info, uses_nonsfi_mode, |
159 nacl_sandbox); | 160 nacl_sandbox); |
160 _exit(1); | 161 _exit(1); |
161 } | 162 } |
(...skipping 301 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
463 // Now handle requests from the Zygote. | 464 // Now handle requests from the Zygote. |
464 while (true) { | 465 while (true) { |
465 bool request_handled = HandleZygoteRequest( | 466 bool request_handled = HandleZygoteRequest( |
466 kNaClZygoteDescriptor, system_info, nacl_sandbox.get()); | 467 kNaClZygoteDescriptor, system_info, nacl_sandbox.get()); |
467 // Do not turn this into a CHECK() without thinking about robustness | 468 // Do not turn this into a CHECK() without thinking about robustness |
468 // against malicious IPC requests. | 469 // against malicious IPC requests. |
469 DCHECK(request_handled); | 470 DCHECK(request_handled); |
470 } | 471 } |
471 NOTREACHED(); | 472 NOTREACHED(); |
472 } | 473 } |
OLD | NEW |