| Index: sandbox/linux/seccomp/trusted_process.cc
|
| ===================================================================
|
| --- sandbox/linux/seccomp/trusted_process.cc (revision 31339)
|
| +++ sandbox/linux/seccomp/trusted_process.cc (working copy)
|
| @@ -21,7 +21,7 @@
|
| return NULL;
|
| }
|
|
|
| -void Sandbox::trustedProcess(int parentProc, int processFdPub, int sandboxFd,
|
| +void Sandbox::trustedProcess(int parentMapsFd, int processFdPub, int sandboxFd,
|
| int cloneFd, SecureMem::Args* secureArena) {
|
| std::map<long long, struct Thread> threads;
|
| SysCalls sys;
|
| @@ -99,7 +99,7 @@
|
|
|
| // Dispatch system call to handler function. Treat both exit() and clone()
|
| // specially.
|
| - if (syscallTable[header.sysnum].trustedProcess(parentProc,
|
| + if (syscallTable[header.sysnum].trustedProcess(parentMapsFd,
|
| sandboxFd,
|
| currentThread->fdPub,
|
| currentThread->fd,
|
| @@ -117,7 +117,7 @@
|
| }
|
| }
|
|
|
| -void Sandbox::initializeProtectedMap(int fd) {
|
| +int Sandbox::initializeProtectedMap(int fd) {
|
| int mapsFd;
|
| if (!getFd(fd, &mapsFd, NULL, NULL, NULL)) {
|
| maps_failure:
|
| @@ -152,8 +152,6 @@
|
| }
|
| truncated = strchr(line, '\n') == NULL;
|
| }
|
| - SysCalls sys;
|
| - NOINTR_SYS(sys.close(mapsFd));
|
|
|
| // Prevent low address memory allocations. Some buggy kernels allow those
|
| if (protectedMap_[0] < (64 << 10)) {
|
| @@ -161,9 +159,12 @@
|
| }
|
|
|
| // Let the sandbox know that we are done parsing the memory map.
|
| + SysCalls sys;
|
| if (write(sys, fd, &mapsFd, sizeof(mapsFd)) != sizeof(mapsFd)) {
|
| goto maps_failure;
|
| }
|
| +
|
| + return mapsFd;
|
| }
|
|
|
| SecureMem::Args* Sandbox::createTrustedProcess(int processFdPub, int sandboxFd,
|
| @@ -189,13 +190,6 @@
|
| syscall_mutex_ = 0x80000000;
|
|
|
|
|
| - // Hold on to a file handle in the parent's process directory. We can use
|
| - // this later to reliably tell if the parent died.
|
| - int parentProc = open("/proc/self/", O_RDONLY|O_DIRECTORY);
|
| - if (parentProc < 0) {
|
| - die("Failed to access /proc/self");
|
| - }
|
| -
|
| // Create a trusted process that can evaluate system call parameters and
|
| // decide whether a system call should execute. This process runs outside of
|
| // the seccomp sandbox. It communicates with the sandbox'd process through
|
| @@ -211,7 +205,7 @@
|
| // If we don't know the list of our open file handles, just try closing
|
| // all valid ones.
|
| for (int fd = sysconf(_SC_OPEN_MAX); --fd > 2; ) {
|
| - if (fd != parentProc && fd != sandboxFd && fd != cloneFd) {
|
| + if (fd != sandboxFd && fd != cloneFd) {
|
| close(fd);
|
| }
|
| }
|
| @@ -224,8 +218,7 @@
|
| continue;
|
| int fd = atoi(res->d_name);
|
| if (fd > 2 &&
|
| - fd != parentProc && fd != sandboxFd && fd != cloneFd &&
|
| - fd != dirfd(dir)) {
|
| + fd != sandboxFd && fd != cloneFd && fd != dirfd(dir)) {
|
| close(fd);
|
| }
|
| }
|
| @@ -241,15 +234,15 @@
|
| #endif
|
| }
|
|
|
| - initializeProtectedMap(sandboxFd);
|
| - trustedProcess(parentProc, processFdPub, sandboxFd, cloneFd, secureArena);
|
| + int parentMapsFd = initializeProtectedMap(sandboxFd);
|
| + trustedProcess(parentMapsFd, processFdPub, sandboxFd,
|
| + cloneFd, secureArena);
|
| die();
|
| }
|
|
|
| // We are still in the untrusted code. Deny access to restricted resources.
|
| mprotect(secureArena, 8192*kMaxThreads, PROT_NONE);
|
| mprotect(&syscall_mutex_, 4096, PROT_NONE);
|
| - close(parentProc);
|
| close(sandboxFd);
|
|
|
| return secureArena;
|
|
|
| Property changes on: sandbox/linux/seccomp/trusted_process.cc
|
| ___________________________________________________________________
|
| Added: svn:eol-style
|
| + LF
|
|
|
|
|
Chromium Code Reviews
Issue 371047:
Allow the seccomp sandbox to be enabled, even if the suid sandbox has... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/