Allow using the namespace sandbox in zygote host.

components/nacl/zygote/nacl_fork_delegate_linux.cc

Index: components/nacl/zygote/nacl_fork_delegate_linux.cc
diff --git a/components/nacl/zygote/nacl_fork_delegate_linux.cc b/components/nacl/zygote/nacl_fork_delegate_linux.cc
index 6544425931f12c059a891818811b31b5a235bac0..c069bb25cffece2968bfe0f6d6ed65a24cc2c1f4 100644
--- a/components/nacl/zygote/nacl_fork_delegate_linux.cc
+++ b/components/nacl/zygote/nacl_fork_delegate_linux.cc
@@ -35,6 +35,8 @@
 #include "components/nacl/loader/nacl_helper_linux.h"
 #include "content/public/common/content_descriptors.h"
 #include "content/public/common/content_switches.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
+#include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_host.h"
 #include "sandbox/linux/suid/common/sandbox.h"
 
@@ -137,8 +139,7 @@ NaClForkDelegate::NaClForkDelegate(bool nonsfi_mode)
     : nonsfi_mode_(nonsfi_mode), status_(kNaClHelperUnused), fd_(-1) {
 }
 
-void NaClForkDelegate::Init(const int sandboxdesc,
-                            const bool enable_layer1_sandbox) {
+void NaClForkDelegate::Init(const int sandboxdesc) {
   VLOG(1) << "NaClForkDelegate::Init()";
 
   // Only launch the non-SFI helper process if non-SFI mode is enabled.
@@ -146,6 +147,14 @@ void NaClForkDelegate::Init(const int sandboxdesc,
     return;
   }
 
+  // TODO(rickyz): Make IsSuidSandboxChild a static function.
+  scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client(

[jln (very slow on Chromium), 2015/02/06 00:37:29]

I would much rather keep enable_layer1_sandbox and check that if it's true then
using_setuid_sandbox OR using_namespace_sandbox is true.

I'm worried about the environment getting lost (it's surprisingly easy given all
the fork()/exec() and the convoluted loigic).

[rickyz (no longer on Chrome), 2015/02/06 01:53:18]

Done.

+      sandbox::SetuidSandboxClient::Create());
+  const bool using_setuid_sandbox = setuid_sandbox_client->IsSuidSandboxChild();
+  const bool using_namespace_sandbox =
+      sandbox::NamespaceSandbox::InNewUserNamespace();
+  CHECK(!(using_setuid_sandbox && using_namespace_sandbox));
+
   scoped_ptr<sandbox::SetuidSandboxHost> setuid_sandbox_host(
       sandbox::SetuidSandboxHost::Create());
 
@@ -209,6 +218,7 @@ void NaClForkDelegate::Init(const int sandboxdesc,
 
       // Append any switches that need to be forwarded to the NaCl helper.
       static const char* kForwardSwitches[] = {
+        switches::kAllowSandboxDebugging,
         switches::kDisableSeccompFilterSandbox,
         switches::kEnableNaClDebug,
         switches::kNaClDangerousNoSandboxNonSfi,
@@ -239,7 +249,7 @@ void NaClForkDelegate::Init(const int sandboxdesc,
     base::LaunchOptions options;
 
     base::ScopedFD dummy_fd;
-    if (enable_layer1_sandbox) {
+    if (using_setuid_sandbox) {
       // NaCl needs to keep tight control of the cmd_line, so prepend the
       // setuid sandbox wrapper manually.
       base::FilePath sandbox_path = setuid_sandbox_host->GetSandboxBinaryPath();
@@ -265,11 +275,16 @@ void NaClForkDelegate::Init(const int sandboxdesc,
     options.clear_environ = true;
     AddPassthroughEnvToOptions(&options);
 
-    if (!base::LaunchProcess(argv_to_launch, options).IsValid())
+    base::Process process =
+        using_namespace_sandbox
+            ? sandbox::NamespaceSandbox::LaunchProcess(argv_to_launch, options)
+            : base::LaunchProcess(argv_to_launch, options);
+
+    if (!process.IsValid())
       status_ = kNaClHelperLaunchFailed;
     // parent and error cases are handled below
 
-    if (enable_layer1_sandbox) {
+    if (using_setuid_sandbox) {
       // Sanity check that dummy_fd was kept alive for LaunchProcess.
       DCHECK(dummy_fd.is_valid());
     }