| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <stdint.h> | 9 #include <stdint.h> |
| 10 #include <sys/prctl.h> | 10 #include <sys/prctl.h> |
| 117 return sandbox::ThreadHelpers::IsSingleThreaded(proc_fd_.get()); | 117 return sandbox::ThreadHelpers::IsSingleThreaded(proc_fd_.get()); |
| 118 } | 118 } |
| 119 | 119 |
| 120 bool NaClSandbox::HasOpenDirectory() { | 120 bool NaClSandbox::HasOpenDirectory() { |
| 121 CHECK(proc_fd_.is_valid()); | 121 CHECK(proc_fd_.is_valid()); |
| 122 return sandbox::ProcUtil::HasOpenDirectory(proc_fd_.get()); | 122 return sandbox::ProcUtil::HasOpenDirectory(proc_fd_.get()); |
| 123 } | 123 } |
| 124 | 124 |
| 125 void NaClSandbox::InitializeLayerOneSandbox() { | 125 void NaClSandbox::InitializeLayerOneSandbox() { |
| 126 // Check that IsSandboxed() works. We should not be sandboxed at this point. | 126 // Check that IsSandboxed() works. We should not be sandboxed at this point. |
| 127 CHECK(!IsSandboxed()) << "Unexpectedly sandboxed!"; | 127 // Unexpectedly sandboxed! |
| 128 CHECK(!IsSandboxed()); |
| 128 | 129 |
| 129 if (setuid_sandbox_client_->IsSuidSandboxChild()) { | 130 if (setuid_sandbox_client_->IsSuidSandboxChild()) { |
| 130 setuid_sandbox_client_->CloseDummyFile(); | 131 setuid_sandbox_client_->CloseDummyFile(); |
| 131 | 132 |
| 132 // Make sure that no directory file descriptor is open, as it would bypass | 133 // Make sure that no directory file descriptor is open, as it would bypass |
| 133 // the setuid sandbox model. | 134 // the setuid sandbox model. |
| 134 CHECK(!HasOpenDirectory()); | 135 CHECK(!HasOpenDirectory()); |
| 135 | 136 |
| 136 // Get sandboxed. | 137 // Get sandboxed. |
| 137 CHECK(setuid_sandbox_client_->ChrootMe()); | 138 CHECK(setuid_sandbox_client_->ChrootMe()); |
| 238 static const char kNoBpfMsg[] = | 239 static const char kNoBpfMsg[] = |
| 239 "The seccomp-bpf sandbox is not engaged for NaCl:"; | 240 "The seccomp-bpf sandbox is not engaged for NaCl:"; |
| 240 if (can_be_no_sandbox) | 241 if (can_be_no_sandbox) |
| 241 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; | 242 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; |
| 242 else | 243 else |
| 243 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; | 244 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; |
| 244 } | 245 } |
| 245 } | 246 } |
| 246 | 247 |
| 247 } // namespace nacl | 248 } // namespace nacl |
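Review bot: At new lines 127-128 in InitializeLayerOneSandbox the "Unexpectedly sandboxed!" text survives only as a source comment, so a failing `CHECK(!IsSandboxed())` no longer carries that diagnostic into the crash output, where it is most useful when the sandbox setup trips in the field. The reason for dropping the streamed message is not visible in the hunk; presumably CHECK streaming is unavailable in this build configuration, but the file still streams into `LOG(FATAL)` at new line 244, so `if (IsSandboxed()) LOG(FATAL) << "Unexpectedly sandboxed!";` would keep the message where triage sees it if that is an option. If the plain CHECK is deliberate, a one-line comment saying why the message was moved out of the macro would stop the next reader from reverting it, e.g. `// CHECK() cannot stream a message here; see the comment above for the intent.` InitializeLayerOneSandbox continues past the end of the hunk, so later checks in that function are not visible here.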