Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(313)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc

Issue 837083002: Linux Sandbox: move init processes to new session id. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | content/zygote/zygote_main_linux.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <sys/stat.h> 9 #include <sys/stat.h>
10 #include <sys/types.h> 10 #include <sys/types.h>
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after
83 CHECK(!IsSandboxed()) << "Unexpectedly sandboxed!"; 83 CHECK(!IsSandboxed()) << "Unexpectedly sandboxed!";
84 84
85 if (setuid_sandbox_client_->IsSuidSandboxChild()) { 85 if (setuid_sandbox_client_->IsSuidSandboxChild()) {
86 setuid_sandbox_client_->CloseDummyFile(); 86 setuid_sandbox_client_->CloseDummyFile();
87 87
88 // Make sure that no directory file descriptor is open, as it would bypass 88 // Make sure that no directory file descriptor is open, as it would bypass
89 // the setuid sandbox model. 89 // the setuid sandbox model.
90 CHECK(!HasOpenDirectory()); 90 CHECK(!HasOpenDirectory());
91 91
92 // Get sandboxed. 92 // Get sandboxed.
93 CHECK(setuid_sandbox_client_->CreateNewSession());
93 CHECK(setuid_sandbox_client_->ChrootMe()); 94 CHECK(setuid_sandbox_client_->ChrootMe());
94 CHECK(IsSandboxed()); 95 CHECK(IsSandboxed());
95 layer_one_enabled_ = true; 96 layer_one_enabled_ = true;
96 } 97 }
97 } 98 }
98 99
99 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { 100 void NaClSandbox::CheckForExpectedNumberOfOpenFds() {
100 if (setuid_sandbox_client_->IsSuidSandboxChild()) { 101 if (setuid_sandbox_client_->IsSuidSandboxChild()) {
101 // We expect to have the following FDs open: 102 // We expect to have the following FDs open:
102 // 1-3) stdin, stdout, stderr. 103 // 1-3) stdin, stdout, stderr.
(...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after
166 static const char kNoBpfMsg[] = 167 static const char kNoBpfMsg[] =
167 "The seccomp-bpf sandbox is not engaged for NaCl:"; 168 "The seccomp-bpf sandbox is not engaged for NaCl:";
168 if (can_be_no_sandbox) 169 if (can_be_no_sandbox)
169 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; 170 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg;
170 else 171 else
171 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; 172 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
172 } 173 }
173 } 174 }
174 175
175 } // namespace nacl 176 } // namespace nacl
OLDNEW
« no previous file with comments | « no previous file | content/zygote/zygote_main_linux.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698