
Side by Side Diff: sandbox/linux/services/credentials.cc

Issue 2357393003: Add check for file system access to the sandbox. (Closed)
Patch Set: Fix IsSandboxed() check when loading flash player. Created 4 years, 2 months ago
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/services/credentials.h" 5 #include "sandbox/linux/services/credentials.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <limits.h> 8 #include <limits.h>
9 #include <signal.h> 9 #include <signal.h>
10 #include <stddef.h> 10 #include <stddef.h>
(...skipping 297 matching lines...) Expand 10 before | Expand all | Expand 10 after
308 PCHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid)); 308 PCHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid));
309 PCHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid)); 309 PCHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid));
310 DCHECK(GetRESIds(NULL, NULL)); 310 DCHECK(GetRESIds(NULL, NULL));
311 return true; 311 return true;
312 } 312 }
313 313
314 bool Credentials::DropFileSystemAccess(int proc_fd) { 314 bool Credentials::DropFileSystemAccess(int proc_fd) {
315 CHECK_LE(0, proc_fd); 315 CHECK_LE(0, proc_fd);
316 316
317 CHECK(ChrootToSafeEmptyDir()); 317 CHECK(ChrootToSafeEmptyDir());
318 CHECK(!base::DirectoryExists(base::FilePath("/proc"))); 318 CHECK(!base::DirectoryExists(base::FilePath("/proc")));
rickyz (no longer on Chrome) 2016/09/23 23:40:20 Mind replacing this line with CHECK(!HasFileSystem
Greg K 2016/09/26 20:22:12 Done.
319 CHECK(!ProcUtil::HasOpenDirectory(proc_fd)); 319 CHECK(!ProcUtil::HasOpenDirectory(proc_fd));
320 // We never let this function fail. 320 // We never let this function fail.
321 return true; 321 return true;
322 } 322 }
323 323
324 bool Credentials::HasFileSystemAccess() {
325 return base::DirectoryExists(base::FilePath("/proc"));
326 }
327
324 pid_t Credentials::ForkAndDropCapabilitiesInChild() { 328 pid_t Credentials::ForkAndDropCapabilitiesInChild() {
325 pid_t pid = fork(); 329 pid_t pid = fork();
326 if (pid != 0) { 330 if (pid != 0) {
327 return pid; 331 return pid;
328 } 332 }
329 333
330 // Since we just forked, we are single threaded. 334 // Since we just forked, we are single threaded.
331 PCHECK(DropAllCapabilitiesOnCurrentThread()); 335 PCHECK(DropAllCapabilitiesOnCurrentThread());
332 return 0; 336 return 0;
333 } 337 }
334 338
335 } // namespace sandbox. 339 } // namespace sandbox.
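Review bot: `Credentials::HasFileSystemAccess()` (new lines 324-326) decides the answer only from whether the path `/proc` resolves to a directory, and nothing in the function says that this is a proxy rather than a real access check. A process running where `/proc` is simply not mounted would get `false` without ever having been chrooted, and a directory descriptor opened before the chroot is not considered here at all; `DropFileSystemAccess()` covers that separately with `ProcUtil::HasOpenDirectory(proc_fd)`. The call sites are not shown on this page, so if any of them treats a `false` result as proof that the sandbox is engaged, that assumption should be written down. I would add a comment above the definition such as `// Heuristic: returns true iff /proc is reachable by path. Does not detect open directory fds; see ProcUtil::HasOpenDirectory().` and mirror it on the declaration in credentials.h.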