NaCl: Add sanity check for number of open FDs at startup

sandbox/linux/services/credentials.cc

Index: sandbox/linux/services/credentials.cc
diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc
index 51a535d47992d72fc110f1ab20569b4e893b51a4..ec38082beff8574e18f61de4fb080d242da5d337 100644
--- a/sandbox/linux/services/credentials.cc
+++ b/sandbox/linux/services/credentials.cc
@@ -173,6 +173,34 @@ Credentials::Credentials() {
 Credentials::~Credentials() {
 }
 
+int Credentials::CountOpenFds(int proc_fd) {

[jln (very slow on Chromium), 2014/05/07 23:08:24]

You could please add a unit test?

Nothing fancy required. sandboxing tests are guaranteed monothreaded, so
counting fds, creating a pipe and asserting count + 2 is fine.

[Mark Seaborn, 2014/05/09 22:02:31]

Done.

+  int proc_self_fd = openat(proc_fd, "self/fd", O_DIRECTORY | O_RDONLY);

[jln (very slow on Chromium), 2014/05/07 23:08:24]

Could you DCHECK_LE(0, proc_fd); ?

Or feel free to  mimic the API offered by HasOpenDirectory() and allow -1 for
ease of use outside of sandboxing.

[Mark Seaborn, 2014/05/09 22:02:31]

Done.
I had started doing that before I sent the change for review, but I didn't want
the error handling path (which does "If not available, guess false"), and I
realised I didn't need to allow -1 anyway.

+  PCHECK(0 <= proc_self_fd);
+
+  // Ownership of proc_self_fd is transferred here, it must not be closed
+  // or modified afterwards except via dir.
+  ScopedDIR dir(fdopendir(proc_self_fd));
+  CHECK(dir);
+
+  int count = 0;
+  struct dirent e;
+  struct dirent* de;
+  while (!readdir_r(dir.get(), &e, &de) && de) {
+    if (strcmp(e.d_name, ".") == 0 || strcmp(e.d_name, "..") == 0) {
+      continue;
+    }
+
+    int fd_num;
+    CHECK(base::StringToInt(e.d_name, &fd_num));
+    if (fd_num == proc_fd || fd_num == proc_self_fd) {
+      continue;
+    }
+
+    ++count;
+  }
+  return count;
+}
+
 bool Credentials::HasOpenDirectory(int proc_fd) {
   int proc_self_fd = -1;
   if (proc_fd >= 0) {