Allow using the namespace sandbox in zygote host.

content/browser/zygote_host/zygote_host_impl_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/zygote_host/zygote_host_impl_linux.h"
 
 #include <string.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ skipping 20 matching lines @@
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/time.h"
 #include "content/browser/renderer_host/render_sandbox_host_linux.h"
 #include "content/common/child_process_sandbox_support_impl_linux.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/result_codes.h"
+#include "sandbox/linux/services/credentials.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
+#include "sandbox/linux/services/namespace_utils.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_host.h"
 #include "sandbox/linux/suid/common/sandbox.h"
 #include "ui/base/ui_base_switches.h"
 #include "ui/gfx/switches.h"
 
 #if defined(USE_TCMALLOC)
 #include "third_party/tcmalloc/chromium/src/gperftools/heap-profiler.h"
 #endif
 
 namespace content {
 
+namespace {
+
 // Receive a fixed message on fd and return the sender's PID.
 // Returns true if the message received matches the expected message.
-static bool ReceiveFixedMessage(int fd,
-                                const char* expect_msg,
-                                size_t expect_len,
-                                base::ProcessId* sender_pid) {
+bool ReceiveFixedMessage(int fd,
+                         const char* expect_msg,
+                         size_t expect_len,
+                         base::ProcessId* sender_pid) {
   char buf[expect_len + 1];
   ScopedVector<base::ScopedFD> fds_vec;
 
   const ssize_t len = UnixDomainSocket::RecvMsgWithPid(
       fd, buf, sizeof(buf), &fds_vec, sender_pid);
   if (static_cast<size_t>(len) != expect_len)
     return false;
   if (memcmp(buf, expect_msg, expect_len) != 0)
     return false;
   if (!fds_vec.empty())
     return false;
   return true;
 }
 
+}  // namespace
+
 // static
 ZygoteHost* ZygoteHost::GetInstance() {
   return ZygoteHostImpl::GetInstance();
 }
 
 ZygoteHostImpl::ZygoteHostImpl()
     : control_fd_(-1),
       control_lock_(),
       pid_(-1),
       init_(false),
-      using_suid_sandbox_(false),
+      use_suid_sandbox_for_adj_oom_score_(false),
       sandbox_binary_(),
       have_read_sandbox_status_word_(false),
       sandbox_status_(0),
       child_tracking_lock_(),
       list_of_running_zygote_children_(),
       should_teardown_after_last_child_exits_(false) {}
 
 ZygoteHostImpl::~ZygoteHostImpl() { TearDown(); }
 
 // static
@@ skipping 41 matching lines @@
     switches::kV,
     switches::kVModule,
   };
   cmd_line.CopySwitchesFrom(browser_command_line, kForwardSwitches,
                             arraysize(kForwardSwitches));
 
   GetContentClient()->browser()->AppendExtraCommandLineSwitches(&cmd_line, -1);
 
   sandbox_binary_ = sandbox_cmd.c_str();
 
+  const bool using_namespace_sandbox = ShouldUseNamespaceSandbox();
   // A non empty sandbox_cmd means we want a SUID sandbox.
-  using_suid_sandbox_ = !sandbox_cmd.empty();
+  const bool using_suid_sandbox =
+      !sandbox_cmd.empty() && !using_namespace_sandbox;
+
+  // Use the SUID sandbox for adjusting OOM scores when we are using the setuid
+  // or namespace sandbox. This is needed beacuse the processes are
+  // non-dumpable, so /proc/pid/oom_score_adj can only be written by root.
+  use_suid_sandbox_for_adj_oom_score_ =
+      using_namespace_sandbox || using_suid_sandbox;
 
   // Start up the sandbox host process and get the file descriptor for the
   // renderers to talk to it.
   const int sfd = RenderSandboxHostLinux::GetInstance()->GetRendererSocket();
   fds_to_map.push_back(std::make_pair(sfd, GetSandboxFD()));
 
   base::ScopedFD dummy_fd;
-  if (using_suid_sandbox_) {
+  if (using_suid_sandbox) {
     scoped_ptr<sandbox::SetuidSandboxHost> sandbox_host(
         sandbox::SetuidSandboxHost::Create());
     sandbox_host->PrependWrapper(&cmd_line);
     sandbox_host->SetupLaunchOptions(&options, &fds_to_map, &dummy_fd);
     sandbox_host->SetupLaunchEnvironment();
   }
 
   options.fds_to_remap = &fds_to_map;
-  base::Process process = base::LaunchProcess(cmd_line.argv(), options);
+  base::Process process =
+      using_namespace_sandbox
+          ? sandbox::NamespaceSandbox::LaunchProcess(cmd_line, options)
+          : base::LaunchProcess(cmd_line, options);
   CHECK(process.IsValid()) << "Failed to launch zygote process";
+
   dummy_fd.reset();
 
-  if (using_suid_sandbox_) {
+  if (using_suid_sandbox) {
     // The SUID sandbox will execute the zygote in a new PID namespace, and
     // the main zygote process will then fork from there.  Watch now our
     // elaborate dance to find and validate the zygote's PID.
 
     // First we receive a message from the zygote boot process.
     base::ProcessId boot_pid;
     CHECK(ReceiveFixedMessage(
         fds[0], kZygoteBootMessage, sizeof(kZygoteBootMessage), &boot_pid));
 
     // Within the PID namespace, the zygote boot process thinks it's PID 1,
@@ skipping 274 matching lines @@
   if (!selinux_valid) {
     const base::FilePath kSelinuxPath("/selinux");
     base::FileEnumerator en(kSelinuxPath, false, base::FileEnumerator::FILES);
     bool has_selinux_files = !en.Next().empty();
 
     selinux = access(kSelinuxPath.value().c_str(), X_OK) == 0 &&
               has_selinux_files;
     selinux_valid = true;
   }
 
-  if (using_suid_sandbox_ && !selinux) {
+  if (use_suid_sandbox_for_adj_oom_score_ && !selinux) {
 #if defined(USE_TCMALLOC)
     // If heap profiling is running, these processes are not exiting, at least
     // on ChromeOS. The easiest thing to do is not launch them when profiling.
     // TODO(stevenjb): Investigate further and fix.
     if (IsHeapProfilerRunning())
       return;
 #endif
     std::vector<std::string> adj_oom_score_cmdline;
     adj_oom_score_cmdline.push_back(sandbox_binary_);
     adj_oom_score_cmdline.push_back(sandbox::kAdjustOOMScoreSwitch);
     adj_oom_score_cmdline.push_back(base::Int64ToString(pid));
     adj_oom_score_cmdline.push_back(base::IntToString(score));
 
     base::Process sandbox_helper_process;
     base::LaunchOptions options;
 
     // sandbox_helper_process is a setuid binary.
     options.allow_new_privs = true;
 
     sandbox_helper_process =
         base::LaunchProcess(adj_oom_score_cmdline, options);
     if (sandbox_helper_process.IsValid())
       base::EnsureProcessGetsReaped(sandbox_helper_process.Pid());
-  } else if (!using_suid_sandbox_) {
+  } else if (!use_suid_sandbox_for_adj_oom_score_) {
     if (!base::AdjustOOMScore(pid, score))
       PLOG(ERROR) << "Failed to adjust OOM score of renderer with pid " << pid;
   }
 }
 #endif
 
 void ZygoteHostImpl::EnsureProcessTerminated(pid_t process) {
   DCHECK(init_);
   Pickle pickle;
 
@@ skipping 56 matching lines @@
 pid_t ZygoteHostImpl::GetPid() const {
   return pid_;
 }
 
 int ZygoteHostImpl::GetSandboxStatus() const {
   if (have_read_sandbox_status_word_)
     return sandbox_status_;
   return 0;
 }
 
+bool ZygoteHostImpl::ShouldUseNamespaceSandbox() {
+  const base::CommandLine& command_line =
+      *base::CommandLine::ForCurrentProcess();
+  if (command_line.HasSwitch(switches::kNoSandbox)) {
+    return false;
+  }
+
+  if (!command_line.HasSwitch(switches::kEnableNamespaceSandbox)) {
+    return false;
+  }
+
+  if (!sandbox::Credentials::CanCreateProcessInNewUserNS()) {
+    return false;
+  }
+
+  return true;
+}
+
 }  // namespace content