| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be | 
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. | 
| 4 | 4 | 
| 5 #include <dirent.h> | 5 #include <dirent.h> | 
| 6 #include <fcntl.h> | 6 #include <fcntl.h> | 
| 7 #include <sys/resource.h> | 7 #include <sys/resource.h> | 
| 8 #include <sys/stat.h> | 8 #include <sys/stat.h> | 
| 9 #include <sys/time.h> | 9 #include <sys/time.h> | 
| 10 #include <sys/types.h> | 10 #include <sys/types.h> | 
| 25 #include "base/memory/singleton.h" | 25 #include "base/memory/singleton.h" | 
| 26 #include "base/posix/eintr_wrapper.h" | 26 #include "base/posix/eintr_wrapper.h" | 
| 27 #include "base/strings/string_number_conversions.h" | 27 #include "base/strings/string_number_conversions.h" | 
| 28 #include "base/sys_info.h" | 28 #include "base/sys_info.h" | 
| 29 #include "base/time/time.h" | 29 #include "base/time/time.h" | 
| 30 #include "build/build_config.h" | 30 #include "build/build_config.h" | 
| 31 #include "content/common/sandbox_linux/sandbox_linux.h" | 31 #include "content/common/sandbox_linux/sandbox_linux.h" | 
| 32 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" | 32 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" | 
| 33 #include "content/public/common/content_switches.h" | 33 #include "content/public/common/content_switches.h" | 
| 34 #include "content/public/common/sandbox_linux.h" | 34 #include "content/public/common/sandbox_linux.h" | 
|  | 35 #include "sandbox/linux/services/namespace_sandbox.h" | 
| 35 #include "sandbox/linux/services/proc_util.h" | 36 #include "sandbox/linux/services/proc_util.h" | 
| 36 #include "sandbox/linux/services/thread_helpers.h" | 37 #include "sandbox/linux/services/thread_helpers.h" | 
| 37 #include "sandbox/linux/services/yama.h" | 38 #include "sandbox/linux/services/yama.h" | 
| 38 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 39 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 
| 39 | 40 | 
| 40 #if defined(ANY_OF_AMTLU_SANITIZER) | 41 #if defined(ANY_OF_AMTLU_SANITIZER) | 
| 41 #include <sanitizer/common_interface_defs.h> | 42 #include <sanitizer/common_interface_defs.h> | 
| 42 #endif | 43 #endif | 
| 43 | 44 | 
| 44 using sandbox::Yama; | 45 using sandbox::Yama; | 
| 108 | 109 | 
| 109 LinuxSandbox::LinuxSandbox() | 110 LinuxSandbox::LinuxSandbox() | 
| 110     : proc_fd_(-1), | 111     : proc_fd_(-1), | 
| 111       seccomp_bpf_started_(false), | 112       seccomp_bpf_started_(false), | 
| 112       sandbox_status_flags_(kSandboxLinuxInvalid), | 113       sandbox_status_flags_(kSandboxLinuxInvalid), | 
| 113       pre_initialized_(false), | 114       pre_initialized_(false), | 
| 114       seccomp_bpf_supported_(false), | 115       seccomp_bpf_supported_(false), | 
| 115       seccomp_bpf_with_tsync_supported_(false), | 116       seccomp_bpf_with_tsync_supported_(false), | 
| 116       yama_is_enforcing_(false), | 117       yama_is_enforcing_(false), | 
| 117       initialize_sandbox_ran_(false), | 118       initialize_sandbox_ran_(false), | 
| 118       setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) | 119       setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) { | 
| 119 { |  | 
| 120   if (setuid_sandbox_client_ == NULL) { | 120   if (setuid_sandbox_client_ == NULL) { | 
| 121     LOG(FATAL) << "Failed to instantiate the setuid sandbox client."; | 121     LOG(FATAL) << "Failed to instantiate the setuid sandbox client."; | 
| 122   } | 122   } | 
| 123 #if defined(ANY_OF_AMTLU_SANITIZER) | 123 #if defined(ANY_OF_AMTLU_SANITIZER) | 
| 124   sanitizer_args_ = make_scoped_ptr(new __sanitizer_sandbox_arguments); | 124   sanitizer_args_ = make_scoped_ptr(new __sanitizer_sandbox_arguments); | 
| 125   *sanitizer_args_ = {0}; | 125   *sanitizer_args_ = {0}; | 
| 126 #endif | 126 #endif | 
| 127 } | 127 } | 
| 128 | 128 | 
| 129 LinuxSandbox::~LinuxSandbox() { | 129 LinuxSandbox::~LinuxSandbox() { | 
| 206   } | 206   } | 
| 207   if (kSandboxLinuxInvalid == sandbox_status_flags_) { | 207   if (kSandboxLinuxInvalid == sandbox_status_flags_) { | 
| 208     // Initialize sandbox_status_flags_. | 208     // Initialize sandbox_status_flags_. | 
| 209     sandbox_status_flags_ = 0; | 209     sandbox_status_flags_ = 0; | 
| 210     if (setuid_sandbox_client_->IsSandboxed()) { | 210     if (setuid_sandbox_client_->IsSandboxed()) { | 
| 211       sandbox_status_flags_ |= kSandboxLinuxSUID; | 211       sandbox_status_flags_ |= kSandboxLinuxSUID; | 
| 212       if (setuid_sandbox_client_->IsInNewPIDNamespace()) | 212       if (setuid_sandbox_client_->IsInNewPIDNamespace()) | 
| 213         sandbox_status_flags_ |= kSandboxLinuxPIDNS; | 213         sandbox_status_flags_ |= kSandboxLinuxPIDNS; | 
| 214       if (setuid_sandbox_client_->IsInNewNETNamespace()) | 214       if (setuid_sandbox_client_->IsInNewNETNamespace()) | 
| 215         sandbox_status_flags_ |= kSandboxLinuxNetNS; | 215         sandbox_status_flags_ |= kSandboxLinuxNetNS; | 
|  | 216     } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { | 
|  | 217       sandbox_status_flags_ |= kSandboxLinuxUserNS; | 
|  | 218       if (sandbox::NamespaceSandbox::InNewPidNamespace()) | 
|  | 219         sandbox_status_flags_ |= kSandboxLinuxPIDNS; | 
|  | 220       if (sandbox::NamespaceSandbox::InNewNetNamespace()) | 
|  | 221         sandbox_status_flags_ |= kSandboxLinuxNetNS; | 
| 216     } | 222     } | 
| 217 | 223 | 
| 218     // We report whether the sandbox will be activated when renderers, workers | 224     // We report whether the sandbox will be activated when renderers, workers | 
| 219     // and PPAPI plugins go through sandbox initialization. | 225     // and PPAPI plugins go through sandbox initialization. | 
| 220     if (seccomp_bpf_supported() && | 226     if (seccomp_bpf_supported() && | 
| 221         SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess)) { | 227         SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess)) { | 
| 222       sandbox_status_flags_ |= kSandboxLinuxSeccompBPF; | 228       sandbox_status_flags_ |= kSandboxLinuxSeccompBPF; | 
| 223     } | 229     } | 
| 224 | 230 | 
| 225     if (seccomp_bpf_with_tsync_supported() && | 231     if (seccomp_bpf_with_tsync_supported() && | 
| (...skipping 209 matching lines...) Expand 10 before | Expand all | Expand 10 after  Loading... | 
| 435 | 441 | 
| 436 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { | 442 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { | 
| 437   DCHECK(thread); | 443   DCHECK(thread); | 
| 438   base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_)); | 444   base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_)); | 
| 439   PCHECK(proc_self_task.is_valid()); | 445   PCHECK(proc_self_task.is_valid()); | 
| 440   CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(), | 446   CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(), | 
| 441                                                          thread)); | 447                                                          thread)); | 
| 442 } | 448 } | 
| 443 | 449 | 
| 444 }  // namespace content | 450 }  // namespace content | 