Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(110)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/zygote/zygote_main_linux.cc

Issue 912593003: Add extra check that the namespace sandbox is engaged. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/zygote/zygote_main.h" 5 #include "content/zygote/zygote_main.h"
6 6
7 #include <dlfcn.h> 7 #include <dlfcn.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <pthread.h> 9 #include <pthread.h>
10 #include <signal.h> 10 #include <signal.h>
(...skipping 628 matching lines...) Expand 10 before | Expand all | Expand 10 after
639 // the destruction of the PID namespace could kill the helper before it 639 // the destruction of the PID namespace could kill the helper before it
640 // completes its I/O tasks. |sancov_helper_pid| will exit once the last 640 // completes its I/O tasks. |sancov_helper_pid| will exit once the last
641 // renderer holding the write end of |sancov_socket_fds| closes it. 641 // renderer holding the write end of |sancov_socket_fds| closes it.
642 extra_children.push_back(sancov_helper_pid); 642 extra_children.push_back(sancov_helper_pid);
643 // Sanitizer code in the renderers will inherit the write end of the socket 643 // Sanitizer code in the renderers will inherit the write end of the socket
644 // from the zygote. We must keep it open until the very end of the zygote's 644 // from the zygote. We must keep it open until the very end of the zygote's
645 // lifetime, even though we don't explicitly use it. 645 // lifetime, even though we don't explicitly use it.
646 extra_fds.push_back(sancov_socket_fds[1]); 646 extra_fds.push_back(sancov_socket_fds[1]);
647 #endif 647 #endif
648 648
649 int sandbox_flags = linux_sandbox->GetStatus(); 649 const int sandbox_flags = linux_sandbox->GetStatus();
650 bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID; 650
651 const bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;
651 CHECK_EQ(using_setuid_sandbox, setuid_sandbox_engaged); 652 CHECK_EQ(using_setuid_sandbox, setuid_sandbox_engaged);
652 653
654 const bool namespace_sandbox_engaged = sandbox_flags & kSandboxLinuxUserNS;
655 CHECK_EQ(using_namespace_sandbox, namespace_sandbox_engaged);
656
653 Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children, 657 Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children,
654 extra_fds); 658 extra_fds);
655 // This function call can return multiple times, once per fork(). 659 // This function call can return multiple times, once per fork().
656 return zygote.ProcessRequests(); 660 return zygote.ProcessRequests();
657 } 661 }
658 662
659 } // namespace content 663 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698