Index: components/nacl/zygote/nacl_fork_delegate_linux.cc |
diff --git a/components/nacl/zygote/nacl_fork_delegate_linux.cc b/components/nacl/zygote/nacl_fork_delegate_linux.cc |
index 6544425931f12c059a891818811b31b5a235bac0..c069bb25cffece2968bfe0f6d6ed65a24cc2c1f4 100644 |
--- a/components/nacl/zygote/nacl_fork_delegate_linux.cc |
+++ b/components/nacl/zygote/nacl_fork_delegate_linux.cc |
@@ -35,6 +35,8 @@ |
#include "components/nacl/loader/nacl_helper_linux.h" |
#include "content/public/common/content_descriptors.h" |
#include "content/public/common/content_switches.h" |
+#include "sandbox/linux/services/namespace_sandbox.h" |
+#include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
#include "sandbox/linux/suid/client/setuid_sandbox_host.h" |
#include "sandbox/linux/suid/common/sandbox.h" |
@@ -137,8 +139,7 @@ NaClForkDelegate::NaClForkDelegate(bool nonsfi_mode) |
: nonsfi_mode_(nonsfi_mode), status_(kNaClHelperUnused), fd_(-1) { |
} |
-void NaClForkDelegate::Init(const int sandboxdesc, |
- const bool enable_layer1_sandbox) { |
+void NaClForkDelegate::Init(const int sandboxdesc) { |
VLOG(1) << "NaClForkDelegate::Init()"; |
// Only launch the non-SFI helper process if non-SFI mode is enabled. |
@@ -146,6 +147,14 @@ void NaClForkDelegate::Init(const int sandboxdesc, |
return; |
} |
+ // TODO(rickyz): Make IsSuidSandboxChild a static function. |
+ scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client( |
jln (very slow on Chromium)
2015/02/06 00:37:29
I would much rather keep enable_layer1_sandbox and
rickyz (no longer on Chrome)
2015/02/06 01:53:18
Done.
|
+ sandbox::SetuidSandboxClient::Create()); |
+ const bool using_setuid_sandbox = setuid_sandbox_client->IsSuidSandboxChild(); |
+ const bool using_namespace_sandbox = |
+ sandbox::NamespaceSandbox::InNewUserNamespace(); |
+ CHECK(!(using_setuid_sandbox && using_namespace_sandbox)); |
+ |
scoped_ptr<sandbox::SetuidSandboxHost> setuid_sandbox_host( |
sandbox::SetuidSandboxHost::Create()); |
@@ -209,6 +218,7 @@ void NaClForkDelegate::Init(const int sandboxdesc, |
// Append any switches that need to be forwarded to the NaCl helper. |
static const char* kForwardSwitches[] = { |
+ switches::kAllowSandboxDebugging, |
switches::kDisableSeccompFilterSandbox, |
switches::kEnableNaClDebug, |
switches::kNaClDangerousNoSandboxNonSfi, |
@@ -239,7 +249,7 @@ void NaClForkDelegate::Init(const int sandboxdesc, |
base::LaunchOptions options; |
base::ScopedFD dummy_fd; |
- if (enable_layer1_sandbox) { |
+ if (using_setuid_sandbox) { |
// NaCl needs to keep tight control of the cmd_line, so prepend the |
// setuid sandbox wrapper manually. |
base::FilePath sandbox_path = setuid_sandbox_host->GetSandboxBinaryPath(); |
@@ -265,11 +275,16 @@ void NaClForkDelegate::Init(const int sandboxdesc, |
options.clear_environ = true; |
AddPassthroughEnvToOptions(&options); |
- if (!base::LaunchProcess(argv_to_launch, options).IsValid()) |
+ base::Process process = |
+ using_namespace_sandbox |
+ ? sandbox::NamespaceSandbox::LaunchProcess(argv_to_launch, options) |
+ : base::LaunchProcess(argv_to_launch, options); |
+ |
+ if (!process.IsValid()) |
status_ = kNaClHelperLaunchFailed; |
// parent and error cases are handled below |
- if (enable_layer1_sandbox) { |
+ if (using_setuid_sandbox) { |
// Sanity check that dummy_fd was kept alive for LaunchProcess. |
DCHECK(dummy_fd.is_valid()); |
} |
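Review bot: The CHECK added in the second hunk (`CHECK(!(using_setuid_sandbox && using_namespace_sandbox))`) rules out both sandboxes being detected at once, but the case where neither is detected is not handled or even mentioned: it falls through to the plain `base::LaunchProcess(argv_to_launch, options)` branch in the last hunk with no setuid wrapper prepended and no diagnostic. Before this change the caller made that decision explicitly via `enable_layer1_sandbox`; now it is inferred from the zygote's own environment (`IsSuidSandboxChild()` / `InNewUserNamespace()`), so a detection failure would silently launch the NaCl helper with no layer-1 sandbox. I would add a one-line trace next to the CHECK, e.g. `if (!using_setuid_sandbox && !using_namespace_sandbox) VLOG(1) << "NaClForkDelegate: no layer-1 sandbox detected";`, or at least a comment stating that this combination is the intentional unsandboxed (e.g. debugging) path, if that is the case. Init() begins in the first code hunk and its body continues past the end of this section.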