| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 6 | 6 |
| 7 // Some headers on Android are missing cdefs: crbug.com/172337. | 7 // Some headers on Android are missing cdefs: crbug.com/172337. |
| 8 // (We can't use OS_ANDROID here since build_config.h is not included). | 8 // (We can't use OS_ANDROID here since build_config.h is not included). |
| 9 #if defined(ANDROID) | 9 #if defined(ANDROID) |
| 10 #include <sys/cdefs.h> | 10 #include <sys/cdefs.h> |
| 112 if (sandbox_has_started_) { | 112 if (sandbox_has_started_) { |
| 113 SANDBOX_DIE( | 113 SANDBOX_DIE( |
| 114 "Cannot repeatedly start sandbox. Create a separate Sandbox " | 114 "Cannot repeatedly start sandbox. Create a separate Sandbox " |
| 115 "object instead."); | 115 "object instead."); |
| 116 return false; | 116 return false; |
| 117 } | 117 } |
| 118 | 118 |
| 119 const bool supports_tsync = KernelSupportsSeccompTsync(); | 119 const bool supports_tsync = KernelSupportsSeccompTsync(); |
| 120 | 120 |
| 121 if (seccomp_level == SeccompLevel::SINGLE_THREADED) { | 121 if (seccomp_level == SeccompLevel::SINGLE_THREADED) { |
| 122 if (!IsSingleThreaded(proc_task_fd_.get())) { | 122 // Wait for /proc/self/task/ to update if needed and assert the |
| 123 SANDBOX_DIE("Cannot start sandbox; process is already multi-threaded"); | 123 // process is single threaded. |
| 124 return false; | 124 ThreadHelpers::AssertSingleThreaded(proc_task_fd_.get()); |
| 125 } | |
| 126 } else if (seccomp_level == SeccompLevel::MULTI_THREADED) { | 125 } else if (seccomp_level == SeccompLevel::MULTI_THREADED) { |
| 127 if (IsSingleThreaded(proc_task_fd_.get())) { | 126 if (IsSingleThreaded(proc_task_fd_.get())) { |
| 128 SANDBOX_DIE("Cannot start sandbox; " | 127 SANDBOX_DIE("Cannot start sandbox; " |
| 129 "process may be single-threaded when reported as not"); | 128 "process may be single-threaded when reported as not"); |
| 130 return false; | 129 return false; |
| 131 } | 130 } |
| 132 if (!supports_tsync) { | 131 if (!supports_tsync) { |
| 133 SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing " | 132 SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing " |
| 134 "filters for a threadgroup"); | 133 "filters for a threadgroup"); |
| 135 return false; | 134 return false; |
| 242 } else { | 241 } else { |
| 243 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { | 242 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { |
| 244 SANDBOX_DIE("Kernel refuses to turn on BPF filters"); | 243 SANDBOX_DIE("Kernel refuses to turn on BPF filters"); |
| 245 } | 244 } |
| 246 } | 245 } |
| 247 | 246 |
| 248 sandbox_has_started_ = true; | 247 sandbox_has_started_ = true; |
| 249 } | 248 } |
| 250 | 249 |
| 251 } // namespace sandbox | 250 } // namespace sandbox |
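Review bot: The SINGLE_THREADED branch (new lines 122-124) no longer has its own `SANDBOX_DIE`/`return false`, so refusing to sandbox a multi-threaded process now depends on `ThreadHelpers::AssertSingleThreaded()` terminating the process in every build type, and the helper's body is not shown on this page. If it were a debug-only assertion, or if its wait for /proc/self/task/ could give up silently, the `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` path at new line 242 would presumably install the filter on the calling thread only and leave the other threads unfiltered. I would make the contract explicit in the new comment once it is confirmed, for example `// Waits (bounded) for /proc/self/task/ to settle, then aborts in all build types unless exactly one thread remains.` The header declaring ThreadHelpers is not among the includes visible up to line 10, and the rest of the include block is in the skipped region, so check that it is included directly rather than transitively. The enclosing function begins and ends in regions the page skips.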
| OLD | NEW |