Start all children in their own PID namespace.

content/zygote/zygote_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/zygote/zygote_linux.h"
 
 #include <fcntl.h>
 #include <string.h>
 #include <sys/socket.h>
 #include <sys/types.h>
@@ skipping 18 matching lines @@
 #include "content/common/sandbox_linux/sandbox_linux.h"
 #include "content/common/set_process_title.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/common/content_descriptors.h"
 #include "content/public/common/result_codes.h"
 #include "content/public/common/sandbox_linux.h"
 #include "content/public/common/send_zygote_child_ping_linux.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
 #include "ipc/ipc_channel.h"
 #include "ipc/ipc_switches.h"
+#include "sandbox/linux/services/credentials.h"
 
 #if defined(ADDRESS_SANITIZER)
 #include <sanitizer/asan_interface.h>
 #endif
 
 // See http://code.google.com/p/chromium/wiki/LinuxZygote
 
 namespace content {
 
 namespace {
 
 // NOP function. See below where this handler is installed.
 void SIGCHLDHandler(int signal) {
 }
 
+// On Linux, when a process is the init process of a PID namespace, it cannot be
+// terminated by signals like SIGTERM or SIGINT, since they are ignored unless
+// we register a handler for them. In the handlers, we exit with this special
+// exit code that GetTerminationStatus understands to mean that we were
+// terminated by an external signal.
+const int kKilledExitCode = 0x80;
+
+void TerminationSignalHandler(int signal) {
+  // Return a special exit code so that the process is detected as terminated by
+  // a signal. We cannot terminate ourself with a signal since we may be the
+  // init process in a PID namespace.
+  _exit(kKilledExitCode);
+}
+
 int LookUpFd(const base::GlobalDescriptors::Mapping& fd_mapping, uint32_t key) {
   for (size_t index = 0; index < fd_mapping.size(); ++index) {
     if (fd_mapping[index].key == key)
       return fd_mapping[index].fd;
   }
   return -1;
 }
 
 void CreatePipe(base::ScopedFD* read_pipe, base::ScopedFD* write_pipe) {
   int raw_pipe[2];
@@ skipping 203 matching lines @@
         GetTerminationStatus(child, true /* known_dead */, &status, &exit_code);
     DCHECK(got_termination_status);
   }
   process_info_map_.erase(child);
 }
 
 bool Zygote::GetTerminationStatus(base::ProcessHandle real_pid,
                                   bool known_dead,
                                   base::TerminationStatus* status,
                                   int* exit_code) {
-
   ZygoteProcessInfo child_info;
   if (!GetProcessInfo(real_pid, &child_info)) {
-    LOG(ERROR) << "Zygote::GetTerminationStatus for unknown PID "
+    LOG(FATAL) << "Zygote::GetTerminationStatus for unknown PID "
                << real_pid;
-    NOTREACHED();
     return false;
   }
   // We know about |real_pid|.
   const base::ProcessHandle child = child_info.internal_pid;
   if (child_info.started_from_helper) {
     if (!child_info.started_from_helper->GetTerminationStatus(
             child, known_dead, status, exit_code)) {
       return false;
     }
   } else {
     // Handle the request directly.
     if (known_dead) {
       *status = base::GetKnownDeadTerminationStatus(child, exit_code);
     } else {
       // We don't know if the process is dying, so get its status but don't
       // wait.
       *status = base::GetTerminationStatus(child, exit_code);
     }
   }
   // Successfully got a status for |real_pid|.
   if (*status != base::TERMINATION_STATUS_STILL_RUNNING) {
     // Time to forget about this process.
     process_info_map_.erase(real_pid);
   }
+
+  if (WIFEXITED(*exit_code) && WEXITSTATUS(*exit_code) == kKilledExitCode) {
+    *status = base::TERMINATION_STATUS_PROCESS_WAS_KILLED;
+  }
+
   return true;
 }
 
 void Zygote::HandleGetTerminationStatus(int fd,
                                         PickleIterator iter) {
   bool known_dead;
   base::ProcessHandle child_requested;
 
   if (!iter.ReadBool(&known_dead) || !iter.ReadInt(&child_requested)) {
     LOG(WARNING) << "Error parsing GetTerminationStatus request "
@@ skipping 50 matching lines @@
     }
     std::vector<int> fds;
     fds.push_back(ipc_channel_fd);  // kBrowserFDIndex
     fds.push_back(pid_oracle.get());  // kPIDOracleFDIndex
     pid = helper->Fork(process_type, fds, channel_id);
 
     // Helpers should never return in the child process.
     CHECK_NE(pid, 0);
   } else {
     CreatePipe(&read_pipe, &write_pipe);
-    // This is roughly equivalent to a fork(). We are using ForkWithFlags mainly
-    // to give it some more diverse test coverage.
-    pid = base::ForkWithFlags(SIGCHLD, nullptr, nullptr);
+    int clone_flags = SIGCHLD;
+    if (sandbox_flags_ & kSandboxLinuxPIDNS &&
+        sandbox_flags_ & kSandboxLinuxUserNS) {
+      clone_flags |= CLONE_NEWPID;
+    }
+    pid = base::ForkWithFlags(clone_flags, nullptr, nullptr);
   }
 
   if (pid == 0) {
+    CHECK(sandbox::Credentials::DropAllCapabilities());
+
+    // If the process is the init process inside a PID namespace, it must have
+    // explicit SIGTERM and SIGINT handlers.
+    if (getpid() == 1) {
+      struct sigaction action;
+      memset(&action, 0, sizeof(action));
+      action.sa_handler = &TerminationSignalHandler;
+      PCHECK(sigaction(SIGINT, &action, nullptr) == 0);
+      PCHECK(sigaction(SIGTERM, &action, nullptr) == 0);
+    }
+
     // In the child process.
     write_pipe.reset();
 
     // Ping the PID oracle socket so the browser can find our PID.
     CHECK(SendZygoteChildPing(pid_oracle.get()));
 
     // Now read back our real PID from the zygote.
     base::ProcessId real_pid;
     if (!base::ReadFromFD(read_pipe.get(),
                           reinterpret_cast<char*>(&real_pid),
@@ skipping 191 matching lines @@
                                     PickleIterator iter) {
   if (HANDLE_EINTR(write(fd, &sandbox_flags_, sizeof(sandbox_flags_))) !=
                    sizeof(sandbox_flags_)) {
     PLOG(ERROR) << "write";
   }
 
   return false;
 }
 
 }  // namespace content