content/zygote/zygote_main_linux.cc - Issue 868233011: Start all children in their own PID namespace.

Side by Side Diff: content/zygote/zygote_main_linux.cc

Issue 868233011: Start all children in their own PID namespace. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/zygote/zygote_main.h"	5 #include "content/zygote/zygote_main.h"

6	6

7 #include <dlfcn.h>	7 #include <dlfcn.h>

8 #include <fcntl.h>	8 #include <fcntl.h>

9 #include <pthread.h>	9 #include <pthread.h>

10 #include <signal.h>	10 #include <signal.h>

(...skipping 447 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
458 }	458 }

459	459

460 static void EnterNamespaceSandbox(base::Closure* post_fork_parent_callback) {	460 static void EnterNamespaceSandbox(base::Closure* post_fork_parent_callback) {

461 pid_t pid = getpid();	461 pid_t pid = getpid();

462 if (sandbox::NamespaceSandbox::InNewPidNamespace()) {	462 if (sandbox::NamespaceSandbox::InNewPidNamespace()) {

463 CHECK_EQ(1, pid);	463 CHECK_EQ(1, pid);

464 }	464 }

465	465

466 CHECK(sandbox::Credentials::MoveToNewUserNS());	466 CHECK(sandbox::Credentials::MoveToNewUserNS());

467 CHECK(sandbox::Credentials::DropFileSystemAccess());	467 CHECK(sandbox::Credentials::DropFileSystemAccess());

468 CHECK(sandbox::Credentials::DropAllCapabilities());	468 // We do not drop capabilities because we will use CAP_SYS_ADMIN to place each
rickyz (no longer on Chrome) 2015/02/07 05:14:03 Like I mentioned in that last change, we need CAP_ Like I mentioned in that last change, we need CAP_SYS_ADMIN in order to start children in their own PID namespaces. We should probably discuss whether the gains of isolating renderers is worth the additional attack surface of the syscalls exposed by these capabilities on the zygote. mdempsky 2015/02/09 06:28:12 Couple thoughts I have: 1. Would it be worthwhi Show quoted text On 2015/02/07 05:14:03, rickyz wrote: > Like I mentioned in that last change, we need CAP_SYS_ADMIN in order to start > children in their own PID namespaces. We should probably discuss whether the > gains of isolating renderers is worth the additional attack surface of the > syscalls exposed by these capabilities on the zygote. Couple thoughts I have: 1. Would it be worthwhile to drop everything else except for CAP_SYS_ADMIN if that's all we need? (Do we even have other capabilities?) 2. I think the init process reaper now will have unneeded capabilities too; that's probably not a risk, but might as well drop the capabilities there too so only the actual zygote process needs to reap? rickyz (no longer on Chrome) 2015/02/24 06:11:34 Done - I didn't look too much into how much attack Show quoted text On 2015/02/09 06:28:12, mdempsky wrote: > On 2015/02/07 05:14:03, rickyz wrote: > > Like I mentioned in that last change, we need CAP_SYS_ADMIN in order to start > > children in their own PID namespaces. We should probably discuss whether the > > gains of isolating renderers is worth the additional attack surface of the > > syscalls exposed by these capabilities on the zygote. > > Couple thoughts I have: > > 1. Would it be worthwhile to drop everything else except for CAP_SYS_ADMIN if > that's all we need? (Do we even have other capabilities?) Done - I didn't look too much into how much attack surface this takes away - CAP_SYS_ADMIN seems to be used as a catch-all in a lot of places. Show quoted text > 2. I think the init process reaper now will have unneeded capabilities too; > that's probably not a risk, but might as well drop the capabilities there too so > only the actual zygote process needs to reap? Done.
	469 // child process in its own PID namespace later on.

469	470

470 // This needs to happen after moving to a new user NS, since doing so involves	471 // This needs to happen after moving to a new user NS, since doing so involves

471 // writing the UID/GID map.	472 // writing the UID/GID map.

472 CHECK(MaybeSetProcessNonDumpable());	473 CHECK(MaybeSetProcessNonDumpable());

473	474

474 if (pid == 1) {	475 if (pid == 1) {

475 CHECK(CreateInitProcessReaper(post_fork_parent_callback));	476 CHECK(CreateInitProcessReaper(post_fork_parent_callback));

476 }	477 }

477 }	478 }

478	479

(...skipping 171 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
650 bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;	651 bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;

651 CHECK_EQ(using_setuid_sandbox, setuid_sandbox_engaged);	652 CHECK_EQ(using_setuid_sandbox, setuid_sandbox_engaged);

652	653

653 Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children,	654 Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children,

654 extra_fds);	655 extra_fds);

655 // This function call can return multiple times, once per fork().	656 // This function call can return multiple times, once per fork().

656 return zygote.ProcessRequests();	657 return zygote.ProcessRequests();

657 }	658 }

658	659

659 } // namespace content	660 } // namespace content

OLD	NEW

« no previous file with comments | « content/zygote/zygote_linux.cc ('k') | no next file » | no next file with comments »