Non-SFI mode:Suid sandbox.

components/nacl/loader/nacl_helper_linux.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // A mini-zygote specifically for Native Client.
 
 #include "components/nacl/loader/nacl_helper_linux.h"
 
 #include <errno.h>
 #include <fcntl.h>
@@ skipping 57 matching lines @@
   PCHECK(0 == IGNORE_EINTR(close(pipefd[1])));
 }
 
 // The child must mimic the behavior of zygote_main_linux.cc on the child
 // side of the fork. See zygote_main_linux.cc:HandleForkRequest from
 //   if (!child) {
 void BecomeNaClLoader(base::ScopedFD browser_fd,
                       const NaClLoaderSystemInfo& system_info,
                       bool uses_nonsfi_mode,
                       nacl::NaClSandbox* nacl_sandbox) {
-#if !defined(OS_NACL_NONSFI)
-  // Currently sandbox is disabled for nacl_helper_nonsfi.
-  // TODO(hidehiko): Enable sandbox.
   DCHECK(nacl_sandbox);
-#endif
   VLOG(1) << "NaCl loader: setting up IPC descriptor";
   // Close or shutdown IPC channels that we don't need anymore.
   PCHECK(0 == IGNORE_EINTR(close(kNaClZygoteDescriptor)));
   // In Non-SFI mode, it's important to close any non-expected IPC channels.
   if (uses_nonsfi_mode) {
     // The low-level kSandboxIPCChannel is used by renderers and NaCl for
     // various operations. See the LinuxSandbox::METHOD_* methods. NaCl uses
     // LinuxSandbox::METHOD_MAKE_SHARED_MEMORY_SEGMENT in SFI mode, so this
     // should only be closed in Non-SFI mode.
     // This file descriptor is insidiously used by a number of APIs. Closing it
@@ skipping 10 matching lines @@
 #else
     nacl::nonsfi::InitializeSignalHandler();
 #endif
   }
 
   // Always ignore SIGPIPE, for consistency with other Chrome processes and
   // because some IPC code, such as sync_socket_posix.cc, requires this.
   // We do this before seccomp-bpf is initialized.
   PCHECK(signal(SIGPIPE, SIG_IGN) != SIG_ERR);
 
-#if !defined(OS_NACL_NONSFI)
-  // Currently sandbox is disabled for nacl_helper_nonsfi.
-  // TODO(hidehiko): Enable sandbox.
   // Finish layer-1 sandbox initialization and initialize the layer-2 sandbox.
   CHECK(!nacl_sandbox->HasOpenDirectory());
+#if !defined(OS_NACL_NONSFI)
+  // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
+  // TODO(hidehiko): Enable the sandbox.
   nacl_sandbox->InitializeLayerTwoSandbox(uses_nonsfi_mode);
+#endif
   nacl_sandbox->SealLayerOneSandbox();
   nacl_sandbox->CheckSandboxingStateWithPolicy();
-#endif
 
   base::GlobalDescriptors::GetInstance()->Set(kPrimaryIPCChannel,
                                               browser_fd.release());
 
   base::MessageLoopForIO main_message_loop;
 #if defined(OS_NACL_NONSFI)
   CHECK(uses_nonsfi_mode);
   nacl::nonsfi::NonSfiListener listener;
   listener.Listen();
 #else
@@ skipping 162 matching lines @@
 
 // Read a request from the Zygote from |zygote_ipc_fd| and handle it.
 // Die on EOF from |zygote_ipc_fd|.
 bool HandleZygoteRequest(int zygote_ipc_fd,
                          const NaClLoaderSystemInfo& system_info,
                          nacl::NaClSandbox* nacl_sandbox) {
   ScopedVector<base::ScopedFD> fds;
   char buf[kNaClMaxIPCMessageLength];
   const ssize_t msglen = UnixDomainSocket::RecvMsg(zygote_ipc_fd,
       &buf, sizeof(buf), &fds);
-#if !defined(OS_NACL_NONSFI)
-  // Currently sandbox is disabled for nacl_helper_nonsfi.
-  // TODO(hidehiko): Enable sandbox.
   // If the Zygote has started handling requests, we should be sandboxed via
   // the setuid sandbox.
   if (!nacl_sandbox->layer_one_enabled()) {
     LOG(ERROR) << "NaCl helper process running without a sandbox!\n"
       << "Most likely you need to configure your SUID sandbox "
       << "correctly";
   }
-#endif
   if (msglen == 0 || (msglen == -1 && errno == ECONNRESET)) {
     // EOF from the browser. Goodbye!
     _exit(0);
   }
   if (msglen < 0) {
     PLOG(ERROR) << "nacl_helper: receive from zygote failed";
     return false;
   }
 
   Pickle read_pickle(buf, msglen);
@@ skipping 133 matching lines @@
     // These are not used by nacl_helper_nonsfi.
     CheckReservedAtZero(),
     sysconf(_SC_NPROCESSORS_ONLN)
 #endif
   };
 
 #if !defined(OS_NACL_NONSFI)
   CheckRDebug(argv[0]);
 #endif
 
-#if defined(OS_NACL_NONSFI)
-  // Currently sandbox is disabled for nacl_helper_nonsfi.
-  // TODO(hidehiko): Enable sandbox.
-  scoped_ptr<nacl::NaClSandbox> nacl_sandbox;
-#else
   scoped_ptr<nacl::NaClSandbox> nacl_sandbox(new nacl::NaClSandbox);
   // Make sure that the early initialization did not start any spurious
   // threads.
 #if !defined(THREAD_SANITIZER)
   CHECK(nacl_sandbox->IsSingleThreaded());
 #endif
 
   const bool is_init_process = 1 == getpid();
   nacl_sandbox->InitializeLayerOneSandbox();
   CHECK_EQ(is_init_process, nacl_sandbox->layer_one_enabled());
-#endif  // defined(OS_NACL_NONSFI)
 
   const std::vector<int> empty;
   // Send the zygote a message to let it know we are ready to help
   if (!UnixDomainSocket::SendMsg(kNaClZygoteDescriptor,
                                  kNaClHelperStartupAck,
                                  sizeof(kNaClHelperStartupAck), empty)) {
     LOG(ERROR) << "*** send() to zygote failed";
   }
 
   // Now handle requests from the Zygote.
   while (true) {
     bool request_handled = HandleZygoteRequest(
         kNaClZygoteDescriptor, system_info, nacl_sandbox.get());
     // Do not turn this into a CHECK() without thinking about robustness
     // against malicious IPC requests.
     DCHECK(request_handled);
   }
   NOTREACHED();
 }