Chromium Code Reviews Chromium Code Reviews
Issue 888903004:
Non-SFI mode:Suid sandbox. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc |
| diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc |
| index 9fd81bcfae958dd44beee4ba363bbb604060917e..78106db75a774c58724c0f1abcc11f69989a9067 100644 |
| --- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc |
| +++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc |
| @@ -30,10 +30,13 @@ |
| #include "sandbox/linux/services/credentials.h" |
| #include "sandbox/linux/services/namespace_sandbox.h" |
| #include "sandbox/linux/services/proc_util.h" |
| -#include "sandbox/linux/services/resource_limits.h" |
| #include "sandbox/linux/services/thread_helpers.h" |
| #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
| +#if !defined(OS_NACL_NONSFI) |
| +#include "sandbox/linux/services/resource_limits.h" |
| +#endif |
| + |
| namespace nacl { |
| namespace { |
| @@ -63,6 +66,10 @@ bool MaybeSetProcessNonDumpable() { |
| return prctl(PR_GET_DUMPABLE) == 0; |
| } |
| +#if !defined(OS_NACL_NONSFI) |
| +// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi. |
| +// This function is used only in InitializeLayerTwoSandbox(). |
| +// TODO(hidehiko): Enable the sandbox. |
| void RestrictAddressSpaceUsage() { |
| #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \ |
| defined(THREAD_SANITIZER) |
| @@ -93,6 +100,7 @@ void RestrictAddressSpaceUsage() { |
| #endif |
| CHECK(sandbox::ResourceLimits::Lower(RLIMIT_AS, kNewAddressSpaceLimit)); |
| } |
| +#endif // !OS_NACL_NONSFI |
| } // namespace |
| @@ -137,6 +145,9 @@ void NaClSandbox::InitializeLayerOneSandbox() { |
| CHECK(MaybeSetProcessNonDumpable()); |
| CHECK(IsSandboxed()); |
| layer_one_enabled_ = true; |
| +#if !defined(OS_NACL_NONSFI) |
| + // Currently namespace sandbox is not yet supported on nacl_helper_nonsfi. |
|
Mark Seaborn
2015/03/04 19:32:50
It's odd putting the comment inside the previous i
hidehiko
2015/03/05 05:26:53
Done.
|
| + // TODO(hidehiko): Enable the sandbox. |
| } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { |
| CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| // This relies on SealLayerOneSandbox() to be called later since this |
| @@ -145,9 +156,15 @@ void NaClSandbox::InitializeLayerOneSandbox() { |
| CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get())); |
| CHECK(IsSandboxed()); |
| layer_one_enabled_ = true; |
| +#endif // !OS_NACL_NONSFI |
| } |
| } |
| +#if !defined(OS_NACL_NONSFI) |
| +// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi. |
| +// TODO(hidehiko): Enable the sandbox. |
| +// Note that CheckForExpectedNumberOfOpenFds() is just referred from |
| +// InitializeLayerTwoSandbox(). Enable them at once. |
|
Mark Seaborn
2015/03/04 19:32:50
Nit: "Enable them at once" -> "We can enable them
hidehiko
2015/03/05 05:26:53
Great to know. Thanks!
|
| void NaClSandbox::CheckForExpectedNumberOfOpenFds() { |
| // We expect to have the following FDs open: |
| // 1-3) stdin, stdout, stderr. |
| @@ -188,6 +205,7 @@ void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) { |
| layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_fd_.Pass()); |
| } |
| } |
| +#endif // OS_NACL_NONSFI |
| void NaClSandbox::SealLayerOneSandbox() { |
| if (proc_fd_.is_valid() && !layer_two_enabled_) { |
| @@ -219,6 +237,9 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() { |
| LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg; |
| } |
| +#if !defined(OS_NACL_NONSFI) |
| + // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi. |
| + // TODO(hidehiko): Enable the sandbox. |
| if (!layer_two_enabled_) { |
| static const char kNoBpfMsg[] = |
| "The seccomp-bpf sandbox is not engaged for NaCl:"; |
| @@ -227,6 +248,7 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() { |
| else |
| LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; |
| } |
| +#endif |
| } |
| } // namespace nacl |
