Index: content/zygote/zygote_main_linux.cc |
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc |
index 96fac2194377a0f6c43b9ba22c4ff0b8b74b5480..b9dfdcabfb6f730fcd280318c6b502572a8a6e29 100644 |
--- a/content/zygote/zygote_main_linux.cc |
+++ b/content/zygote/zygote_main_linux.cc |
@@ -40,6 +40,7 @@ |
#include "content/public/common/zygote_fork_delegate_linux.h" |
#include "content/zygote/zygote_linux.h" |
#include "crypto/nss_util.h" |
+#include "sandbox/linux/services/credentials.h" |
#include "sandbox/linux/services/init_process_reaper.h" |
#include "sandbox/linux/services/libc_urandom_override.h" |
#include "sandbox/linux/services/namespace_sandbox.h" |
@@ -80,6 +81,11 @@ void CloseFds(const std::vector<int>& fds) { |
} |
} |
+void RunTwoClosures(const base::Closure* first, const base::Closure* second) { |
+ first->Run(); |
+ second->Run(); |
+} |
+ |
} // namespace |
// See http://code.google.com/p/chromium/wiki/LinuxZygote |
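Review bot: `RunTwoClosures` dereferences both pointers unconditionally, so a null `post_fork_parent_callback` passed into `EnterNamespaceSandbox` (third hunk) would now crash on the reaper path. Before this change the pointer went straight to `CreateInitProcessReaper`, which may tolerate null; that function is not visible here, so this needs confirming. Either guard the optional one, `if (second) second->Run();`, or make the contract explicit with `DCHECK(first); DCHECK(second);` and a one-line comment above the helper saying both closures must be non-null and are run in order.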
@@ -407,12 +413,20 @@ static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox, |
return true; |
} |
+static void DropAllCapabilities(int proc_fd) { |
+ CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd)); |
+} |
+ |
static void EnterNamespaceSandbox(LinuxSandbox* linux_sandbox, |
base::Closure* post_fork_parent_callback) { |
linux_sandbox->EngageNamespaceSandbox(); |
if (getpid() == 1) { |
- CHECK(CreateInitProcessReaper(post_fork_parent_callback)); |
+ base::Closure drop_all_caps_callback = |
+ base::Bind(&DropAllCapabilities, linux_sandbox->proc_fd()); |
+ base::Closure callback = base::Bind( |
+ &RunTwoClosures, &drop_all_caps_callback, post_fork_parent_callback); |
+ CHECK(CreateInitProcessReaper(&callback)); |
} |
} |
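Review bot: The capability drop in `EnterNamespaceSandbox` is wired only into the reaper callback under `getpid() == 1`, and nothing in the hunk says which process ends up without capabilities or why the drop must precede `post_fork_parent_callback`. A comment above the first `base::Bind` would make the security intent reviewable, e.g. `// Runs in the fork parent (init reaper): drop all capabilities first, while proc_fd is still valid.`, with the wording checked against what `CreateInitProcessReaper` actually does. Separately, `callback` binds raw pointers to the stack-local `drop_all_caps_callback`, which is safe only if `CreateInitProcessReaper` runs the closure before returning; that assumption deserves a comment too. If the process that continues as the zygote is also expected to shed capabilities, that is not visible in this hunk and should be confirmed.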