Allow using the namespace sandbox in zygote host.

components/nacl/zygote/nacl_fork_delegate_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/zygote/nacl_fork_delegate_linux.h"
 
 #include <signal.h>
 #include <stdlib.h>
 #include <sys/resource.h>
 #include <sys/socket.h>
@@ skipping 17 matching lines @@
 #include "base/process/launch.h"
 #include "base/strings/string_split.h"
 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
 #include "build/build_config.h"
 #include "components/nacl/common/nacl_nonsfi_util.h"
 #include "components/nacl/common/nacl_paths.h"
 #include "components/nacl/common/nacl_switches.h"
 #include "components/nacl/loader/nacl_helper_linux.h"
 #include "content/public/common/content_descriptors.h"
 #include "content/public/common/content_switches.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
+#include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_host.h"
 #include "sandbox/linux/suid/common/sandbox.h"
 
 namespace {
 
 // Note these need to match up with their counterparts in nacl_helper_linux.c
 // and nacl_helper_bootstrap_linux.c.
 const char kNaClHelperReservedAtZero[] =
     "--reserved_at_zero=0xXXXXXXXXXXXXXXXX";
 const char kNaClHelperRDebug[] = "--r_debug=0xXXXXXXXXXXXXXXXX";
@@ skipping 82 matching lines @@
 void AddNaClZygoteForkDelegates(
     ScopedVector<content::ZygoteForkDelegate>* delegates) {
   delegates->push_back(new NaClForkDelegate(false /* nonsfi_mode */));
   delegates->push_back(new NaClForkDelegate(true /* nonsfi_mode */));
 }
 
 NaClForkDelegate::NaClForkDelegate(bool nonsfi_mode)
     : nonsfi_mode_(nonsfi_mode), status_(kNaClHelperUnused), fd_(-1) {
 }
 
-void NaClForkDelegate::Init(const int sandboxdesc,
-                            const bool enable_layer1_sandbox) {
+void NaClForkDelegate::Init(const int sandboxdesc, bool enable_layer1_sandbox) {

[jln (very slow on Chromium), 2015/02/06 02:17:03]

Why not const? (again it's for paranoia on making sure about:sandbox and status
reporting matches the real status of sandboxes).

[rickyz (no longer on Chrome), 2015/02/06 03:01:02]

Oops, it was lost in my revert, fixed.

   VLOG(1) << "NaClForkDelegate::Init()";
 
   // Only launch the non-SFI helper process if non-SFI mode is enabled.
   if (nonsfi_mode_ && !IsNonSFIModeEnabled()) {
     return;
   }
 
+  // TODO(rickyz): Make IsSuidSandboxChild a static function.
+  scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client(
+      sandbox::SetuidSandboxClient::Create());
+  const bool using_setuid_sandbox = setuid_sandbox_client->IsSuidSandboxChild();
+  const bool using_namespace_sandbox =
+      sandbox::NamespaceSandbox::InNewUserNamespace();
+
+  CHECK(!(using_setuid_sandbox && using_namespace_sandbox));
+  if (enable_layer1_sandbox) {
+    CHECK(using_setuid_sandbox || using_namespace_sandbox);
+  }
+
   scoped_ptr<sandbox::SetuidSandboxHost> setuid_sandbox_host(
       sandbox::SetuidSandboxHost::Create());
 
   // For communications between the NaCl loader process and
   // the SUID sandbox.
   int nacl_sandbox_descriptor =
       base::GlobalDescriptors::kBaseDescriptor + kSandboxIPCChannel;
   // Confirm a hard-wired assumption.
   DCHECK_EQ(sandboxdesc, nacl_sandbox_descriptor);
 
@@ skipping 43 matching lines @@
     base::CommandLine::StringVector argv_to_launch;
     {
       base::CommandLine cmd_line(base::CommandLine::NO_PROGRAM);
       if (use_nacl_bootstrap)
         cmd_line.SetProgram(helper_bootstrap_exe);
       else
         cmd_line.SetProgram(helper_exe);
 
       // Append any switches that need to be forwarded to the NaCl helper.
       static const char* kForwardSwitches[] = {
+        switches::kAllowSandboxDebugging,
         switches::kDisableSeccompFilterSandbox,
         switches::kEnableNaClDebug,
         switches::kNaClDangerousNoSandboxNonSfi,
         switches::kNoSandbox,
       };
       const base::CommandLine& current_cmd_line =
           *base::CommandLine::ForCurrentProcess();
       cmd_line.CopySwitchesFrom(current_cmd_line, kForwardSwitches,
                                 arraysize(kForwardSwitches));
 
@@ skipping 10 matching lines @@
       bootstrap_prepend.push_back(kNaClHelperReservedAtZero);
       bootstrap_prepend.push_back(kNaClHelperRDebug);
       argv_to_launch.insert(argv_to_launch.begin() + 1,
                             bootstrap_prepend.begin(),
                             bootstrap_prepend.end());
     }
 
     base::LaunchOptions options;
 
     base::ScopedFD dummy_fd;
-    if (enable_layer1_sandbox) {
+    if (using_setuid_sandbox) {
       // NaCl needs to keep tight control of the cmd_line, so prepend the
       // setuid sandbox wrapper manually.
       base::FilePath sandbox_path = setuid_sandbox_host->GetSandboxBinaryPath();
       argv_to_launch.insert(argv_to_launch.begin(), sandbox_path.value());
       setuid_sandbox_host->SetupLaunchOptions(&options, &fds_to_map, &dummy_fd);
       setuid_sandbox_host->SetupLaunchEnvironment();
     }
 
     options.fds_to_remap = &fds_to_map;
 
     // The NaCl processes spawned may need to exceed the ambient soft limit
     // on RLIMIT_AS to allocate the untrusted address space and its guard
     // regions.  The nacl_helper itself cannot just raise its own limit,
     // because the existing limit may prevent the initial exec of
     // nacl_helper_bootstrap from succeeding, with its large address space
     // reservation.
     std::vector<int> max_these_limits;
     max_these_limits.push_back(RLIMIT_AS);
     options.maximize_rlimits = &max_these_limits;
 
     // To avoid information leaks in Non-SFI mode, clear the environment for
     // the NaCl Helper process.
     options.clear_environ = true;
     AddPassthroughEnvToOptions(&options);
 
-    if (!base::LaunchProcess(argv_to_launch, options).IsValid())
+    base::Process process =
+        using_namespace_sandbox
+            ? sandbox::NamespaceSandbox::LaunchProcess(argv_to_launch, options)
+            : base::LaunchProcess(argv_to_launch, options);
+
+    if (!process.IsValid())
       status_ = kNaClHelperLaunchFailed;
     // parent and error cases are handled below
 
-    if (enable_layer1_sandbox) {
+    if (using_setuid_sandbox) {
       // Sanity check that dummy_fd was kept alive for LaunchProcess.
       DCHECK(dummy_fd.is_valid());
     }
   }
   if (IGNORE_EINTR(close(fds[1])) != 0)
     LOG(ERROR) << "close(fds[1]) failed";
   if (status_ == kNaClHelperUnused) {
     const ssize_t kExpectedLength = strlen(kNaClHelperStartupAck);
     char buf[kExpectedLength];
 
@@ skipping 152 matching lines @@
   pass_through_vars.push_back(kNaClVerbosity);
   pass_through_vars.push_back(sandbox::kSandboxEnvironmentApiRequest);
   for (size_t i = 0; i < pass_through_vars.size(); ++i) {
     std::string temp;
     if (env->GetVar(pass_through_vars[i].c_str(), &temp))
       options->environ[pass_through_vars[i]] = temp;
   }
 }
 
 }  // namespace nacl