| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/zygote/zygote_main.h" | 5 #include "content/zygote/zygote_main.h" |
| 6 | 6 |
| 7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <pthread.h> | 9 #include <pthread.h> |
| 10 #include <signal.h> | 10 #include <signal.h> |
| (...skipping 21 matching lines...) Expand all Loading... | |
| 32 #include "content/common/child_process_sandbox_support_impl_linux.h" | 32 #include "content/common/child_process_sandbox_support_impl_linux.h" |
| 33 #include "content/common/font_config_ipc_linux.h" | 33 #include "content/common/font_config_ipc_linux.h" |
| 34 #include "content/common/sandbox_linux/sandbox_linux.h" | 34 #include "content/common/sandbox_linux/sandbox_linux.h" |
| 35 #include "content/common/zygote_commands_linux.h" | 35 #include "content/common/zygote_commands_linux.h" |
| 36 #include "content/public/common/content_switches.h" | 36 #include "content/public/common/content_switches.h" |
| 37 #include "content/public/common/main_function_params.h" | 37 #include "content/public/common/main_function_params.h" |
| 38 #include "content/public/common/sandbox_linux.h" | 38 #include "content/public/common/sandbox_linux.h" |
| 39 #include "content/public/common/zygote_fork_delegate_linux.h" | 39 #include "content/public/common/zygote_fork_delegate_linux.h" |
| 40 #include "content/zygote/zygote_linux.h" | 40 #include "content/zygote/zygote_linux.h" |
| 41 #include "crypto/nss_util.h" | 41 #include "crypto/nss_util.h" |
| 42 #include "sandbox/linux/services/credentials.h" | |
| 42 #include "sandbox/linux/services/init_process_reaper.h" | 43 #include "sandbox/linux/services/init_process_reaper.h" |
| 43 #include "sandbox/linux/services/libc_urandom_override.h" | 44 #include "sandbox/linux/services/libc_urandom_override.h" |
| 45 #include "sandbox/linux/services/namespace_sandbox.h" | |
| 44 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 46 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
| 45 #include "third_party/icu/source/i18n/unicode/timezone.h" | 47 #include "third_party/icu/source/i18n/unicode/timezone.h" |
| 46 #include "third_party/skia/include/ports/SkFontConfigInterface.h" | 48 #include "third_party/skia/include/ports/SkFontConfigInterface.h" |
| 47 | 49 |
| 48 #if defined(OS_LINUX) | 50 #if defined(OS_LINUX) |
| 49 #include <sys/prctl.h> | 51 #include <sys/prctl.h> |
| 50 #endif | 52 #endif |
| 51 | 53 |
| 52 #if defined(USE_OPENSSL) | 54 #if defined(USE_OPENSSL) |
| 53 #include <openssl/rand.h> | 55 #include <openssl/rand.h> |
| (...skipping 409 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 463 // If sandbox debugging is allowed, install a handler for sandbox-related | 465 // If sandbox debugging is allowed, install a handler for sandbox-related |
| 464 // crash testing. | 466 // crash testing. |
| 465 InstallSandboxCrashTestHandler(); | 467 InstallSandboxCrashTestHandler(); |
| 466 } | 468 } |
| 467 | 469 |
| 468 #endif | 470 #endif |
| 469 | 471 |
| 470 return true; | 472 return true; |
| 471 } | 473 } |
| 472 | 474 |
| 475 static void EnterNamespaceSandbox(base::Closure* post_fork_parent_callback) { | |
| 476 pid_t pid = getpid(); | |
| 477 if (sandbox::NamespaceSandbox::InNewPidNamespace()) { | |
| 478 CHECK_EQ(1, pid); | |
| 479 } | |
| 480 | |
| 481 CHECK(sandbox::Credentials::MoveToNewUserNS()); | |
| 482 CHECK(sandbox::Credentials::DropFileSystemAccess()); | |
| 483 // We do not drop capabilities because we will use CAP_SYS_ADMIN to place | |
| 484 // each child process in its own PID namespace later on (this is not yet | |
| 485 // implemented). | |
| 486 | |
| 487 if (pid == 1) { | |
| 488 CHECK(CreateInitProcessReaper(post_fork_parent_callback)); | |
| 489 } | |
| 490 } | |
| 491 | |
| 473 #if defined(ADDRESS_SANITIZER) | 492 #if defined(ADDRESS_SANITIZER) |
| 474 const size_t kSanitizerMaxMessageLength = 1 * 1024 * 1024; | 493 const size_t kSanitizerMaxMessageLength = 1 * 1024 * 1024; |
| 475 | 494 |
| 476 // A helper process which collects code coverage data from the renderers over a | 495 // A helper process which collects code coverage data from the renderers over a |
| 477 // socket and dumps it to a file. See http://crbug.com/336212 for discussion. | 496 // socket and dumps it to a file. See http://crbug.com/336212 for discussion. |
| 478 static void SanitizerCoverageHelper(int socket_fd, int file_fd) { | 497 static void SanitizerCoverageHelper(int socket_fd, int file_fd) { |
| 479 scoped_ptr<char[]> buffer(new char[kSanitizerMaxMessageLength]); | 498 scoped_ptr<char[]> buffer(new char[kSanitizerMaxMessageLength]); |
| 480 while (true) { | 499 while (true) { |
| 481 ssize_t received_size = HANDLE_EINTR( | 500 ssize_t received_size = HANDLE_EINTR( |
| 482 recv(socket_fd, buffer.get(), kSanitizerMaxMessageLength, 0)); | 501 recv(socket_fd, buffer.get(), kSanitizerMaxMessageLength, 0)); |
| (...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 539 #if !defined(THREAD_SANITIZER) | 558 #if !defined(THREAD_SANITIZER) |
| 540 DCHECK(linux_sandbox->IsSingleThreaded()); | 559 DCHECK(linux_sandbox->IsSingleThreaded()); |
| 541 #endif | 560 #endif |
| 542 | 561 |
| 543 sandbox::SetuidSandboxClient* setuid_sandbox = | 562 sandbox::SetuidSandboxClient* setuid_sandbox = |
| 544 linux_sandbox->setuid_sandbox_client(); | 563 linux_sandbox->setuid_sandbox_client(); |
| 545 | 564 |
| 546 if (is_suid_sandbox_child) { | 565 if (is_suid_sandbox_child) { |
| 547 CHECK(EnterSuidSandbox(setuid_sandbox, post_fork_parent_callback)) | 566 CHECK(EnterSuidSandbox(setuid_sandbox, post_fork_parent_callback)) |
| 548 << "Failed to enter setuid sandbox"; | 567 << "Failed to enter setuid sandbox"; |
| 568 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { | |
| 569 EnterNamespaceSandbox(post_fork_parent_callback); | |
| 549 } | 570 } |
| 550 } | 571 } |
| 551 | 572 |
| 552 bool ZygoteMain(const MainFunctionParams& params, | 573 bool ZygoteMain(const MainFunctionParams& params, |
| 553 ScopedVector<ZygoteForkDelegate> fork_delegates) { | 574 ScopedVector<ZygoteForkDelegate> fork_delegates) { |
| 554 g_am_zygote_or_renderer = true; | 575 g_am_zygote_or_renderer = true; |
| 555 sandbox::InitLibcUrandomOverrides(); | 576 sandbox::InitLibcUrandomOverrides(); |
| 556 | 577 |
| 557 std::vector<int> fds_to_close_post_fork; | 578 std::vector<int> fds_to_close_post_fork; |
| 558 | 579 |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 593 kZygoteBootMessage, | 614 kZygoteBootMessage, |
| 594 sizeof(kZygoteBootMessage), | 615 sizeof(kZygoteBootMessage), |
| 595 std::vector<int>())); | 616 std::vector<int>())); |
| 596 } | 617 } |
| 597 | 618 |
| 598 VLOG(1) << "ZygoteMain: initializing " << fork_delegates.size() | 619 VLOG(1) << "ZygoteMain: initializing " << fork_delegates.size() |
| 599 << " fork delegates"; | 620 << " fork delegates"; |
| 600 for (ScopedVector<ZygoteForkDelegate>::iterator i = fork_delegates.begin(); | 621 for (ScopedVector<ZygoteForkDelegate>::iterator i = fork_delegates.begin(); |
| 601 i != fork_delegates.end(); | 622 i != fork_delegates.end(); |
| 602 ++i) { | 623 ++i) { |
| 603 (*i)->Init(GetSandboxFD(), must_enable_setuid_sandbox); | 624 (*i)->Init(GetSandboxFD(), must_enable_setuid_sandbox); |
|
jln (very slow on Chromium)
2015/02/05 05:44:15
This means NaCl won't have a setuid sandbox.
| |
| 604 } | 625 } |
| 605 | 626 |
| 606 const std::vector<int> sandbox_fds_to_close_post_fork = | 627 const std::vector<int> sandbox_fds_to_close_post_fork = |
| 607 linux_sandbox->GetFileDescriptorsToClose(); | 628 linux_sandbox->GetFileDescriptorsToClose(); |
| 608 | 629 |
| 609 fds_to_close_post_fork.insert(fds_to_close_post_fork.end(), | 630 fds_to_close_post_fork.insert(fds_to_close_post_fork.end(), |
| 610 sandbox_fds_to_close_post_fork.begin(), | 631 sandbox_fds_to_close_post_fork.begin(), |
| 611 sandbox_fds_to_close_post_fork.end()); | 632 sandbox_fds_to_close_post_fork.end()); |
| 612 base::Closure post_fork_parent_callback = | 633 base::Closure post_fork_parent_callback = |
| 613 base::Bind(&CloseFds, fds_to_close_post_fork); | 634 base::Bind(&CloseFds, fds_to_close_post_fork); |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 640 bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID; | 661 bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID; |
| 641 CHECK_EQ(must_enable_setuid_sandbox, setuid_sandbox_engaged); | 662 CHECK_EQ(must_enable_setuid_sandbox, setuid_sandbox_engaged); |
| 642 | 663 |
| 643 Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children, | 664 Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children, |
| 644 extra_fds); | 665 extra_fds); |
| 645 // This function call can return multiple times, once per fork(). | 666 // This function call can return multiple times, once per fork(). |
| 646 return zygote.ProcessRequests(); | 667 return zygote.ProcessRequests(); |
| 647 } | 668 } |
| 648 | 669 |
| 649 } // namespace content | 670 } // namespace content |
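Review bot: The capability set that `EnterNamespaceSandbox` deliberately keeps after `MoveToNewUserNS()` (the comment at new lines 483-485 explains only why the zygote needs CAP_SYS_ADMIN) is also inherited by every renderer the zygote later forks, since nothing in this function drops it and the fork path in zygote_linux.cc is outside this change; if no code there or in the post-fork child drops capabilities, renderers start with the full capability set of the new user namespace until any later per-process sandboxing applies, which I could not confirm from here. The comment should state that consequence and mark the follow-up explicitly, e.g. `// TODO: drop capabilities in each child after fork; until per-child PID namespaces land, every process forked from this zygote inherits the full capability set of this user namespace.` Separately, the reaper is keyed on `pid == 1` (new line 487) while the invariant is asserted via `InNewPidNamespace()` (new line 477); using the same predicate for both, `if (sandbox::NamespaceSandbox::InNewPidNamespace())`, keeps the two from drifting if the CHECK is ever relaxed. Note also that the CHECK_EQ at new line 662 only validates the setuid flag, so whether `sandbox_flags` reflects the namespace sandbox depends on `GetStatus()` outside this view and is worth confirming.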