| Index: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| index 5c4fa4224f7c2d0efbb4d203911da1286cb40fbb..51fdbd3bcb232f5ac5b970d687138570a1025409 100644
|
| --- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| +++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| @@ -23,6 +23,8 @@
|
| #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
|
| #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
|
| #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
|
| +#include "sandbox/linux/services/credentials.h"
|
| +#include "sandbox/linux/services/namespace_sandbox.h"
|
| #include "sandbox/linux/services/proc_util.h"
|
| #include "sandbox/linux/services/thread_helpers.h"
|
| #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
|
| @@ -93,24 +95,34 @@ void NaClSandbox::InitializeLayerOneSandbox() {
|
| CHECK(setuid_sandbox_client_->ChrootMe());
|
| CHECK(IsSandboxed());
|
| layer_one_enabled_ = true;
|
| + } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
|
| + CHECK(sandbox::Credentials::MoveToNewUserNS());
|
| + CHECK(sandbox::Credentials::DropFileSystemAccess());
|
| + CHECK(sandbox::Credentials::DropAllCapabilities());
|
| + CHECK(IsSandboxed());
|
| + layer_one_enabled_ = true;
|
| }
|
| }
|
|
|
| void NaClSandbox::CheckForExpectedNumberOfOpenFds() {
|
| + // We expect to have the following FDs open:
|
| + // 1-3) stdin, stdout, stderr.
|
| + // 4) The /dev/urandom FD used by base::GetUrandomFD().
|
| + // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel.
|
| + // 6) The socket for the Chrome IPC channel that's connected to the
|
| + // browser process, kPrimaryIPCChannel.
|
| + // We also have an fd for /proc (proc_fd_), but CountOpenFds excludes this.
|
| + //
|
| + // This sanity check ensures that dynamically loaded libraries don't
|
| + // leave any FDs open before we enable the sandbox.
|
| + const int kExpectedNumFds = 6;
|
| if (setuid_sandbox_client_->IsSuidSandboxChild()) {
|
| - // We expect to have the following FDs open:
|
| - // 1-3) stdin, stdout, stderr.
|
| - // 4) The /dev/urandom FD used by base::GetUrandomFD().
|
| - // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel.
|
| - // 6) The socket created by the SUID sandbox helper, used by ChrootMe().
|
| - // After ChrootMe(), this is no longer connected to anything.
|
| - // (Only present when running under the SUID sandbox.)
|
| - // 7) The socket for the Chrome IPC channel that's connected to the
|
| - // browser process, kPrimaryIPCChannel.
|
| - //
|
| - // This sanity check ensures that dynamically loaded libraries don't
|
| - // leave any FDs open before we enable the sandbox.
|
| - CHECK_EQ(7, sandbox::ProcUtil::CountOpenFds(proc_fd_.get()));
|
| + // When using the setuid sandbox, there is one additional socket used for
|
| + // ChrootMe(). After ChrootMe(), it is no longer connected to anything.
|
| + CHECK_EQ(kExpectedNumFds + 1,
|
| + sandbox::ProcUtil::CountOpenFds(proc_fd_.get()));
|
| + } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
|
| + CHECK_EQ(kExpectedNumFds, sandbox::ProcUtil::CountOpenFds(proc_fd_.get()));
|
| }
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 897723005:
Allow using the namespace sandbox in zygote host. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master