Chromium Code Reviews Chromium Code Reviews
Issue 250773003:
NaCl Linux: create NaClSandbox class (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h |
| diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..a581f3304d889e3ab447694de95ee9dddd896f40 |
| --- /dev/null |
| +++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h |
| @@ -0,0 +1,76 @@ |
| +// Copyright 2014 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#ifndef COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_ |
| +#define COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_ |
| + |
| +#include "base/files/scoped_file.h" |
| +#include "base/macros.h" |
| + |
| +namespace nacl { |
| + |
| +// NaClSandbox supports two independant layers of sandboxing. |
|
Mark Seaborn
2014/04/29 00:28:22
"independent"
jln (very slow on Chromium)
2014/04/29 01:28:32
Done.
|
| +// layer-1 uses a chroot. It requires both InitializeLayerOneSandbox() and |
| +// SealLayerOneSandbox() to have been called to be enforcing. |
| +// layer-2 uses seccomp-bpf. It requires the layer-1 sandbox to not yet be |
| +// sealed when being engaged. |
| +// For the layer-1 sandbox to work, the current process must be a child of |
| +// the setuid sandbox. InitializeLayerOneSandbox() can only be called once |
| +// per instance of the setuid sandbox. |
| +// |
| +// A typical use case of this class would be: |
| +// 1. Load libraries and do some pre-initialization |
| +// 2. InitializeLayerOneSandbox(); |
| +// 3. Do some more initializations (it ok to fork() here). |
|
Mark Seaborn
2014/04/29 00:28:22
Missing "is" ("it is OK")
jln (very slow on Chromium)
2014/04/29 01:28:32
Done.
|
| +// 4. CHECK(!HasOpenDirectory)); |
| +// (This check is not strictly necessary, as the only possibility for a |
| +// new directory descriptor to exist after (2) has been called is via IPC). |
|
Mark Seaborn
2014/04/29 00:28:22
Nit: ".)"
jln (very slow on Chromium)
2014/04/29 01:28:32
Done.
|
| +// 5. InitializeLayerTwoSandbox(); |
| +// 6. SealLayerOneSandbox(); |
| +// 7. CheckSandboxingStateWithPolicy(); |
| +class NaClSandbox { |
| + public: |
| + NaClSandbox(); |
| + ~NaClSandbox(); |
| + |
| + // This API will only work if the layer-1 sandbox is not sealed and the |
| + // layer-2 sandbox is not engaged. |
| + bool IsSingleThreaded(); |
| + // Check whether the current process owns any directory file descriptor. This |
|
Mark Seaborn
2014/04/29 00:28:22
Nit: "descriptors" plural
jln (very slow on Chromium)
2014/04/29 01:28:32
Done.
|
| + // will ignore any directory file descriptor owned by this object (i.e. those |
| + // that will be closed after SealLayerOneSandbox() is called. |
|
Mark Seaborn
2014/04/29 00:28:22
Missing ")"
jln (very slow on Chromium)
2014/04/29 01:28:32
Done.
|
| + // This API will only work if the layer-1 sandbox is not sealed and the |
| + // layer-2 sandbox is not engaged. |
| + bool HasOpenDirectory(); |
| + // Will attempt to initialize the layer-1 sandbox, depending on flags and the |
| + // environment. It can only succeed if the current process is a child of the |
| + // setuid sandbox. |
| + void InitializeLayerOneSandbox(); |
| + // Will attempt to initialize the layer-2 sandbox, depending on flags and the |
| + // environment. |uses_nonsfi_mode| describes which seccomp-bpf policy is |
| + // appropriate. |
| + void InitializeLayerTwoSandbox(bool uses_nonsfi_mode); |
| + // Seal the layer-one sandbox, making it enforcing. |
|
Mark Seaborn
2014/04/29 00:28:22
Nit: "layer-1" for consistency
jln (very slow on Chromium)
2014/04/29 01:28:32
Done.
|
| + void SealLayerOneSandbox(); |
| + // Check that the current sandboxing state matches the level of sandboxing |
| + // expected for NaCl in the current configuration. Crash if it does not. |
| + void CheckSandboxingStateWithPolicy(); |
| + |
| + bool layer_one_enabled() { return layer_one_enabled_; } |
| + bool layer_two_enabled() { return layer_two_enabled_; } |
| + |
| + private: |
| + bool layer_one_enabled_; |
| + bool layer_one_sealed_; |
| + bool layer_two_enabled_; |
| + bool layer_two_is_non_sfi_; |
|
Mark Seaborn
2014/04/29 00:28:22
Can you make this "nonsfi" for consistency with ex
jln (very slow on Chromium)
2014/04/29 01:28:32
Done.
|
| + // |proc_fd_| must be released before the layer-1 sandbox is considered |
| + // enforcing. |
| + base::ScopedFD proc_fd_; |
| + DISALLOW_COPY_AND_ASSIGN(NaClSandbox); |
| +}; |
| + |
| +} // namespace nacl |
| + |
| +#endif // COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_ |
