1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <dirent.h> | 5 #include <dirent.h> |
6 #include <fcntl.h> | 6 #include <fcntl.h> |
7 #include <sys/resource.h> | 7 #include <sys/resource.h> |
8 #include <sys/stat.h> | 8 #include <sys/stat.h> |
9 #include <sys/time.h> | 9 #include <sys/time.h> |
10 #include <sys/types.h> | 10 #include <sys/types.h> |
179 // Check being in a new PID namespace created by the namespace sandbox and | 179 // Check being in a new PID namespace created by the namespace sandbox and |
180 // being the init process. | 180 // being the init process. |
181 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace()); | 181 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace()); |
182 const pid_t pid = getpid(); | 182 const pid_t pid = getpid(); |
183 CHECK_EQ(1, pid); | 183 CHECK_EQ(1, pid); |
184 | 184 |
185 CHECK(sandbox::Credentials::MoveToNewUserNS()); | 185 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
186 // Note: this requires SealSandbox() to be called later in this process to be | 186 // Note: this requires SealSandbox() to be called later in this process to be |
187 // safe, as this class is keeping a file descriptor to /proc/. | 187 // safe, as this class is keeping a file descriptor to /proc/. |
188 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_)); | 188 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_)); |
189 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_)); | 189 |
| 190 // We do not drop CAP_SYS_ADMIN because we need it to place each child process |
| 191 // in its own PID namespace later on. |
| 192 const std::vector<sandbox::LinuxCapability> caps( |
| 193 1, sandbox::LinuxCapability::kCapSysAdmin); |
| 194 CHECK(sandbox::Credentials::SetCapabilities(proc_fd_, caps)); |
190 | 195 |
191 // This needs to happen after moving to a new user NS, since doing so involves | 196 // This needs to happen after moving to a new user NS, since doing so involves |
192 // writing the UID/GID map. | 197 // writing the UID/GID map. |
193 CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers()); | 198 CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers()); |
194 } | 199 } |
195 | 200 |
196 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() { | 201 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() { |
197 std::vector<int> fds; | 202 std::vector<int> fds; |
198 if (proc_fd_ >= 0) { | 203 if (proc_fd_ >= 0) { |
199 fds.push_back(proc_fd_); | 204 fds.push_back(proc_fd_); |
449 | 454 |
450 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { | 455 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { |
451 DCHECK(thread); | 456 DCHECK(thread); |
452 base::ScopedFD proc_fd(OpenProc(proc_fd_)); | 457 base::ScopedFD proc_fd(OpenProc(proc_fd_)); |
453 PCHECK(proc_fd.is_valid()); | 458 PCHECK(proc_fd.is_valid()); |
454 CHECK( | 459 CHECK( |
455 sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_fd.get(), thread)); | 460 sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_fd.get(), thread)); |
456 } | 461 } |
457 | 462 |
458 } // namespace content | 463 } // namespace content |
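Review bot: The CAP_SYS_ADMIN retained by the new SetCapabilities() call at new lines 192–194 is not dropped anywhere in this hunk, and the comment at new line 190 says why it is kept but not when it stops being needed, so a later reader has no anchor for where the drop must happen; the comment should state that, e.g. `// CAP_SYS_ADMIN is kept only until every child has been placed in its own PID namespace; it must be dropped at that point, and SealSandbox() must still run afterwards.` Because MoveToNewUserNS() at line 185 runs first, the capability is presumably scoped to the new user namespace rather than the initial one, which is worth saying in the same comment if that is the intent — confirm against Credentials. A smaller point of style: `std::vector<sandbox::LinuxCapability> caps(1, kCapSysAdmin)` uses the count-and-value constructor, which is easy to misread as a two-element list; if the file is built with C++11, `const std::vector<sandbox::LinuxCapability> caps = {sandbox::LinuxCapability::kCapSysAdmin};` reads unambiguously. The enclosing function starts before the hunk, so the sequencing with the earlier namespace and PID checks (lines 181–183) could not be reviewed here.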