Chromium Code Reviews

Issue 371047: Allow the seccomp sandbox to be enabled, even if the suid sandbox has... (Closed)

Created:
11 years, 1 month ago by Markus (顧孟勤)
Modified:
9 years, 7 months ago
Reviewers:
agl
CC:
chromium-reviews_googlegroups.com, brettw+cc_chromium.org, darin (slow to review), jam, agl, ben+cc_chromium.org
Visibility:
Public.

Description

Allow the seccomp sandbox to be enabled, even if the suid sandbox has already put a chroot() jail around it. The only tricky part is access to /proc/self/maps, but we can safely pass in an open file descriptor.

BUG=26527
Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=31372
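The file-descriptor hand-off the description relies on, as an added example written for this page (it is not Chromium's zygote or seccomp sandbox code): the parent opens /proc/self/maps, forks, and the child applies a chroot() jail and then reads the maps through the inherited descriptor, retrying reads on EINTR as the reviewer asks for below. The names probe_maps_in_jail, count_maps_lines and struct jail_result are this example's own. chroot() needs CAP_SYS_CHROOT, so the child records whether the jail was actually applied and the example still runs unprivileged; when it is jailed, opening /proc/self/maps by path fails while the pre-opened descriptor keeps working.

```c
/* Added example, not Chromium code: keep /proc/self/maps readable inside a
 * chroot() jail by opening it before the jail is applied and handing the
 * descriptor across fork(), the way the CL description proposes. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* read(2) wrapper that retries on EINTR (the pattern the review asks for). */
static ssize_t read_retry(int fd, void *buf, size_t len) {
    ssize_t n;
    do {
        n = read(fd, buf, len);
    } while (n < 0 && errno == EINTR);
    return n;
}

/* Count newline-terminated lines readable from maps_fd; -1 on read error. */
static long count_maps_lines(int maps_fd) {
    char buf[4096];
    long lines = 0;
    for (;;) {
        ssize_t n = read_retry(maps_fd, buf, sizeof buf);
        if (n < 0) return -1;
        if (n == 0) return lines;
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] == '\n') lines++;
    }
}

/* What the jailed child reports back to the parent:
 *   lines   : lines read from /proc/self/maps via the inherited descriptor
 *   jailed  : 1 if chroot() succeeded (needs CAP_SYS_CHROOT), else 0
 *   by_path : 1 if open("/proc/self/maps") still worked by path (expected
 *             only when not jailed, since the jail directory is empty) */
struct jail_result { long lines; int jailed; int by_path; };

/* Open the maps file, fork, let the child chroot() into a fresh empty
 * directory and report over a pipe.  Returns 0 on success, -1 on failure. */
static int probe_maps_in_jail(struct jail_result *out) {
    char jail_dir[] = "/tmp/maps-jail-XXXXXX";   /* constructed, removed below */
    if (mkdtemp(jail_dir) == NULL) return -1;
    int maps_fd = open("/proc/self/maps", O_RDONLY | O_CLOEXEC);
    if (maps_fd < 0) { rmdir(jail_dir); return -1; }
    int pipefd[2];
    if (pipe(pipefd) < 0) { close(maps_fd); rmdir(jail_dir); return -1; }
    pid_t pid = fork();
    if (pid < 0) {
        close(maps_fd); close(pipefd[0]); close(pipefd[1]); rmdir(jail_dir);
        return -1;
    }
    if (pid == 0) {
        close(pipefd[0]);
        struct jail_result r = { 0, 0, 0 };
        /* Unprivileged processes get EPERM here; treat that as "not jailed"
         * so the example is still informative without CAP_SYS_CHROOT. */
        if (chroot(jail_dir) == 0 && chdir("/") == 0) r.jailed = 1;
        int fd = open("/proc/self/maps", O_RDONLY);
        if (fd >= 0) { r.by_path = 1; close(fd); }
        /* The descriptor opened before the jail is still valid here. */
        r.lines = count_maps_lines(maps_fd);
        ssize_t w = write(pipefd[1], &r, sizeof r);
        _exit(w == (ssize_t)sizeof r ? 0 : 1);
    }
    close(pipefd[1]);
    close(maps_fd);
    ssize_t got = read_retry(pipefd[0], out, sizeof *out);
    close(pipefd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    rmdir(jail_dir);
    return (got == (ssize_t)sizeof *out && WIFEXITED(status) &&
            WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    struct jail_result r;
    if (probe_maps_in_jail(&r) != 0) { perror("probe_maps_in_jail"); return 1; }
    printf("jailed=%d maps_by_path=%d maps_lines_via_fd=%ld\n",
           r.jailed, r.by_path, r.lines);
    return 0;
}
```

Run as an ordinary user the program reports jailed=0 and the maps are reachable both ways; run with CAP_SYS_CHROOT it reports jailed=1, maps_by_path=0 and a non-zero line count, which is exactly the property the CL depends on: a descriptor opened before chroot() is unaffected by the jail, so the sandbox setup needs nothing from the jailed filesystem view.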

Patch Set 1

Total comments: 3

Patch Set 2: ''

Stats: +182 lines, -111 lines
M chrome/browser/zygote_main_linux.cc View 1 5 chunks +37 lines, -7 lines 0 comments Download
M chrome/renderer/renderer_main_platform_delegate_linux.cc View 1 chunk +4 lines, -1 line 0 comments Download
MM sandbox/linux/seccomp/access.cc View 3 chunks +3 lines, -3 lines 0 comments Download
MM sandbox/linux/seccomp/clone.cc View 3 chunks +4 lines, -4 lines 0 comments Download
MM sandbox/linux/seccomp/exit.cc View 1 chunk +4 lines, -3 lines 0 comments Download
MM sandbox/linux/seccomp/ioctl.cc View 1 chunk +1 line, -1 line 0 comments Download
MM sandbox/linux/seccomp/ipc.cc View 5 chunks +5 lines, -5 lines 0 comments Download
MM sandbox/linux/seccomp/madvise.cc View 1 chunk +1 line, -1 line 0 comments Download
M sandbox/linux/seccomp/maps.h View 2 chunks +6 lines, -6 lines 0 comments Download
M sandbox/linux/seccomp/maps.cc View 5 chunks +9 lines, -10 lines 0 comments Download
MM sandbox/linux/seccomp/mmap.cc View 1 chunk +1 line, -1 line 0 comments Download
MM sandbox/linux/seccomp/mprotect.cc View 1 chunk +3 lines, -2 lines 0 comments Download
MM sandbox/linux/seccomp/munmap.cc View 1 chunk +1 line, -1 line 0 comments Download
MM sandbox/linux/seccomp/open.cc View 3 chunks +3 lines, -3 lines 0 comments Download
M sandbox/linux/seccomp/sandbox.h View 1 chunk +2 lines, -1 line 0 comments Download
M sandbox/linux/seccomp/sandbox.cc View 7 chunks +34 lines, -9 lines 0 comments Download
M sandbox/linux/seccomp/sandbox_impl.h View 3 chunks +19 lines, -6 lines 0 comments Download
MM sandbox/linux/seccomp/securemem.cc View 1 3 chunks +15 lines, -11 lines 0 comments Download
MM sandbox/linux/seccomp/socketcall.cc View 11 chunks +15 lines, -14 lines 0 comments Download
MM sandbox/linux/seccomp/stat.cc View 3 chunks +3 lines, -3 lines 0 comments Download
M sandbox/linux/seccomp/syscall_table.h View 1 chunk +1 line, -1 line 0 comments Download
MM sandbox/linux/seccomp/trusted_process.cc View 9 chunks +11 lines, -18 lines 0 comments Download

Messages

Total messages: 2 (0 generated)
Markus (顧孟勤)
This changelist looks more intimidating than it really is -- I hope. The bulk of ...
11 years, 1 month ago (2009-11-07 02:41:39 UTC) #1
agl
11 years, 1 month ago (2009-11-07 05:52:02 UTC) #2
LGTM

http://codereview.chromium.org/371047/diff/1/22
File chrome/browser/zygote_main_linux.cc (right):

http://codereview.chromium.org/371047/diff/1/22#newcode16
Line 16: 
extra blank line.

http://codereview.chromium.org/371047/diff/1/22#newcode56
Line 56: static int  g_proc_fd = -1;
s/  / /

http://codereview.chromium.org/371047/diff/1/12
File sandbox/linux/seccomp/securemem.cc (right):

http://codereview.chromium.org/371047/diff/1/12#newcode27
Line 27: for (char buf;
char buf;
do {
  alive = read(parentMapsFd, &buf, 1);
} while (alive < 0 && errno == EINTR);
