OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // A mini-zygote specifically for Native Client. | 5 // A mini-zygote specifically for Native Client. |
6 | 6 |
7 #include "components/nacl/loader/nacl_helper_linux.h" | 7 #include "components/nacl/loader/nacl_helper_linux.h" |
8 | 8 |
9 #include <errno.h> | 9 #include <errno.h> |
10 #include <fcntl.h> | 10 #include <fcntl.h> |
84 // it with a dummy. | 84 // it with a dummy. |
85 const int sandbox_ipc_channel = | 85 const int sandbox_ipc_channel = |
86 base::GlobalDescriptors::kBaseDescriptor + kSandboxIPCChannel; | 86 base::GlobalDescriptors::kBaseDescriptor + kSandboxIPCChannel; |
87 | 87 |
88 ReplaceFDWithDummy(sandbox_ipc_channel); | 88 ReplaceFDWithDummy(sandbox_ipc_channel); |
89 | 89 |
90 // Install crash signal handlers before disallowing system calls. | 90 // Install crash signal handlers before disallowing system calls. |
91 nacl::nonsfi::InitializeSignalHandler(); | 91 nacl::nonsfi::InitializeSignalHandler(); |
92 } | 92 } |
93 | 93 |
| 94 // Always ignore SIGPIPE, for consistency with other Chrome processes and |
| 95 // because some IPC code, such as sync_socket_posix.cc, requires this. |
| 96 // We do this before seccomp-bpf is initialized. |
| 97 PCHECK(signal(SIGPIPE, SIG_IGN) != SIG_ERR); |
| 98 |
94 // Finish layer-1 sandbox initialization and initialize the layer-2 sandbox. | 99 // Finish layer-1 sandbox initialization and initialize the layer-2 sandbox. |
95 CHECK(!nacl_sandbox->HasOpenDirectory()); | 100 CHECK(!nacl_sandbox->HasOpenDirectory()); |
96 nacl_sandbox->InitializeLayerTwoSandbox(uses_nonsfi_mode); | 101 nacl_sandbox->InitializeLayerTwoSandbox(uses_nonsfi_mode); |
97 nacl_sandbox->SealLayerOneSandbox(); | 102 nacl_sandbox->SealLayerOneSandbox(); |
98 nacl_sandbox->CheckSandboxingStateWithPolicy(); | 103 nacl_sandbox->CheckSandboxingStateWithPolicy(); |
99 | 104 |
100 base::GlobalDescriptors::GetInstance()->Set(kPrimaryIPCChannel, | 105 base::GlobalDescriptors::GetInstance()->Set(kPrimaryIPCChannel, |
101 browser_fd.release()); | 106 browser_fd.release()); |
102 | 107 |
103 base::MessageLoopForIO main_message_loop; | 108 base::MessageLoopForIO main_message_loop; |
433 // Now handle requests from the Zygote. | 438 // Now handle requests from the Zygote. |
434 while (true) { | 439 while (true) { |
435 bool request_handled = HandleZygoteRequest( | 440 bool request_handled = HandleZygoteRequest( |
436 kNaClZygoteDescriptor, system_info, nacl_sandbox.get()); | 441 kNaClZygoteDescriptor, system_info, nacl_sandbox.get()); |
437 // Do not turn this into a CHECK() without thinking about robustness | 442 // Do not turn this into a CHECK() without thinking about robustness |
438 // against malicious IPC requests. | 443 // against malicious IPC requests. |
439 DCHECK(request_handled); | 444 DCHECK(request_handled); |
440 } | 445 } |
441 NOTREACHED(); | 446 NOTREACHED(); |
442 } | 447 } |
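Review bot: The comment added at new lines 94–96 says the SIGPIPE disposition is set before seccomp-bpf is initialized but not why that order matters; if the reason is that the layer-2 policy may reject the syscall afterwards (inferred, the policy is not on this page), state it, e.g. `// Must stay above InitializeLayerTwoSandbox(): the seccomp-bpf policy may not allow changing signal dispositions later.` The call runs after `nacl::nonsfi::InitializeSignalHandler()` in the branch above, so confirm that function does not install a SIGPIPE handler that this line would silently replace. With SIGPIPE ignored, a write to a closed peer fails with EPIPE instead of terminating the process, so the helper's IPC write paths need to treat that error as a disconnect. The enclosing function begins in the collapsed lines and most of the include list is collapsed too, so check that `<signal.h>` is included directly rather than transitively.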