Add namespace sandbox class.

sandbox/linux/services/namespace_sandbox.cc

Index: sandbox/linux/services/namespace_sandbox.cc
diff --git a/sandbox/linux/services/namespace_sandbox.cc b/sandbox/linux/services/namespace_sandbox.cc
new file mode 100644
index 0000000000000000000000000000000000000000..97b5cd7d489629048c0a6933f9988fda2b18c231
--- /dev/null
+++ b/sandbox/linux/services/namespace_sandbox.cc
@@ -0,0 +1,113 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/services/namespace_sandbox.h"
+
+#include <sched.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <string>
+#include <utility>
+
+#include "base/command_line.h"
+#include "base/environment.h"
+#include "base/files/scoped_file.h"
+#include "base/logging.h"
+#include "base/posix/eintr_wrapper.h"
+#include "base/process/launch.h"
+#include "base/process/process.h"
+#include "sandbox/linux/services/namespace_utils.h"
+
+namespace sandbox {
+
+namespace {
+
+class WriteUidGidMapDelegate : public base::LaunchOptions::PreExecDelegate {
+ public:
+  explicit WriteUidGidMapDelegate() : uid_(getuid()), gid_(getgid()) {}

[jln (very slow on Chromium), 2015/02/03 01:14:30]

You can remove "explicit"

[rickyz (no longer on Chrome), 2015/02/03 01:27:22]

Done.

+
+  ~WriteUidGidMapDelegate() override {}
+
+  void RunAsyncSafe() override {
+    RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/uid_map", uid_));
+    RAW_CHECK(NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid_));
+  }
+
+ private:
+  uid_t uid_;
+  gid_t gid_;
+  DISALLOW_COPY_AND_ASSIGN(WriteUidGidMapDelegate);
+};
+
+void SetEnvironForNamespaceType(base::EnvironmentMap* environ,
+                                base::NativeEnvironmentString env_var,
+                                bool value) {
+  // An empty string causes the env var to be unset in the child process.
+  (*environ)[env_var] = value ? "1" : "";
+}
+
+const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS";
+const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS";
+const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS";
+
+}  // namespace
+
+NamespaceSandbox::NamespaceSandbox() : launch_called_(false) {
+}
+
+NamespaceSandbox::~NamespaceSandbox() {
+}
+
+base::Process NamespaceSandbox::Launch(const base::CommandLine& cmdline) {
+  CHECK(!launch_called_) << "NamespaceSandbox may only be used once.";
+  launch_called_ = true;
+
+  int clone_flags = 0;
+  int ns_types[] = {CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET};
+  for (const int ns_type : ns_types) {
+    if (NamespaceUtils::KernelSupportsUnprivilegedNamespace(ns_type)) {
+      clone_flags |= ns_type;
+    }
+  }
+  CHECK(clone_flags & CLONE_NEWUSER);
+
+  // These fields may not be modified by the caller.
+  CHECK(launch_options_.pre_exec_delegate == nullptr);
+  CHECK_EQ(0, launch_options_.clone_flags);
+
+  WriteUidGidMapDelegate write_uid_gid_map_delegate;
+  launch_options_.pre_exec_delegate = &write_uid_gid_map_delegate;
+  launch_options_.clone_flags = clone_flags;
+
+  const std::pair<int, const char*> clone_flag_environ[] = {
+      std::make_pair(CLONE_NEWUSER, kSandboxUSERNSEnvironmentVarName),
+      std::make_pair(CLONE_NEWPID, kSandboxPIDNSEnvironmentVarName),
+      std::make_pair(CLONE_NEWNET, kSandboxNETNSEnvironmentVarName),
+  };
+
+  base::EnvironmentMap* environ = &launch_options_.environ;
+  for (const auto& entry : clone_flag_environ) {
+    const int flag = entry.first;
+    const char* environ_name = entry.second;
+    SetEnvironForNamespaceType(environ, environ_name, clone_flags & flag);
+  }
+
+  return base::LaunchProcess(cmdline, launch_options_);
+}
+
+bool NamespaceSandbox::InNewUserNamespace() {
+  return getenv(kSandboxUSERNSEnvironmentVarName) != nullptr;
+}
+
+bool NamespaceSandbox::InNewPidNamespace() {
+  return getenv(kSandboxPIDNSEnvironmentVarName) != nullptr;
+}
+
+bool NamespaceSandbox::InNewNetNamespace() {
+  return getenv(kSandboxNETNSEnvironmentVarName) != nullptr;
+}
+
+}  // namespace sandbox