Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(455)

Side by Side Diff: sandbox/linux/services/credentials.cc

Issue 2842033002: Linux sandbox: handle ENOSPC clone failure (Closed)
Patch Set: Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/services/credentials.h" 5 #include "sandbox/linux/services/credentials.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <limits.h> 8 #include <limits.h>
9 #include <signal.h> 9 #include <signal.h>
10 #include <stddef.h> 10 #include <stddef.h>
(...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after
125 PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); 125 PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid);
126 126
127 return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess; 127 return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess;
128 } 128 }
129 129
130 // CHECK() that an attempt to move to a new user namespace raised an expected 130 // CHECK() that an attempt to move to a new user namespace raised an expected
131 // errno. 131 // errno.
132 void CheckCloneNewUserErrno(int error) { 132 void CheckCloneNewUserErrno(int error) {
133 // EPERM can happen if already in a chroot. EUSERS if too many nested 133 // EPERM can happen if already in a chroot. EUSERS if too many nested
134 // namespaces are used. EINVAL for kernels that don't support the feature. 134 // namespaces are used. EINVAL for kernels that don't support the feature.
135 // Valgrind will ENOSYS unshare(). 135 // Valgrind will ENOSYS unshare(). ENOSPC can occur when the system has
136 // reached its maximum configured number of user namespaces.
136 PCHECK(error == EPERM || error == EUSERS || error == EINVAL || 137 PCHECK(error == EPERM || error == EUSERS || error == EINVAL ||
137 error == ENOSYS); 138 error == ENOSYS || error == ENOSPC);
138 } 139 }
139 140
140 // Converts a Capability to the corresponding Linux CAP_XXX value. 141 // Converts a Capability to the corresponding Linux CAP_XXX value.
141 int CapabilityToKernelValue(Credentials::Capability cap) { 142 int CapabilityToKernelValue(Credentials::Capability cap) {
142 switch (cap) { 143 switch (cap) {
143 case Credentials::Capability::SYS_CHROOT: 144 case Credentials::Capability::SYS_CHROOT:
144 return CAP_SYS_CHROOT; 145 return CAP_SYS_CHROOT;
145 case Credentials::Capability::SYS_ADMIN: 146 case Credentials::Capability::SYS_ADMIN:
146 return CAP_SYS_ADMIN; 147 return CAP_SYS_ADMIN;
147 } 148 }
(...skipping 199 matching lines...) Expand 10 before | Expand all | Expand 10 after
347 if (pid != 0) { 348 if (pid != 0) {
348 return pid; 349 return pid;
349 } 350 }
350 351
351 // Since we just forked, we are single threaded. 352 // Since we just forked, we are single threaded.
352 PCHECK(DropAllCapabilitiesOnCurrentThread()); 353 PCHECK(DropAllCapabilitiesOnCurrentThread());
353 return 0; 354 return 0;
354 } 355 }
355 356
356 } // namespace sandbox. 357 } // namespace sandbox.
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698