Index: content/zygote/zygote_main_linux.cc |
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc |
index d1bd8cc076f44cef02f51a3033507e49a43b722e..c0c0ad1acf467b09832f7015f3a2b36e41a966cb 100644 |
--- a/content/zygote/zygote_main_linux.cc |
+++ b/content/zygote/zygote_main_linux.cc |
@@ -465,7 +465,8 @@ static void EnterNamespaceSandbox(base::Closure* post_fork_parent_callback) { |
CHECK(sandbox::Credentials::MoveToNewUserNS()); |
CHECK(sandbox::Credentials::DropFileSystemAccess()); |
- CHECK(sandbox::Credentials::DropAllCapabilities()); |
rickyz (no longer on Chrome)
2015/02/07 05:14:03
Like I mentioned in that last change, we need CAP_
mdempsky
2015/02/09 06:28:12
Couple thoughts I have:
1. Would it be worthwhi
rickyz (no longer on Chrome)
2015/02/24 06:11:34
Done - I didn't look too much into how much attack
|
+ // We do not drop capabilities because we will use CAP_SYS_ADMIN to place each |
+ // child process in its own PID namespace later on. |
// This needs to happen after moving to a new user NS, since doing so involves |
// writing the UID/GID map. |