1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <dirent.h> | 5 #include <dirent.h> |
6 #include <fcntl.h> | 6 #include <fcntl.h> |
7 #include <sys/resource.h> | 7 #include <sys/resource.h> |
8 #include <sys/stat.h> | 8 #include <sys/stat.h> |
9 #include <sys/time.h> | 9 #include <sys/time.h> |
10 #include <sys/types.h> | 10 #include <sys/types.h> |
21 #include "base/files/scoped_file.h" | 21 #include "base/files/scoped_file.h" |
22 #include "base/logging.h" | 22 #include "base/logging.h" |
23 #include "base/macros.h" | 23 #include "base/macros.h" |
24 #include "base/memory/scoped_ptr.h" | 24 #include "base/memory/scoped_ptr.h" |
25 #include "base/memory/singleton.h" | 25 #include "base/memory/singleton.h" |
26 #include "base/posix/eintr_wrapper.h" | 26 #include "base/posix/eintr_wrapper.h" |
27 #include "base/strings/string_number_conversions.h" | 27 #include "base/strings/string_number_conversions.h" |
28 #include "base/sys_info.h" | 28 #include "base/sys_info.h" |
29 #include "base/time/time.h" | 29 #include "base/time/time.h" |
30 #include "build/build_config.h" | 30 #include "build/build_config.h" |
31 #include "content/common/sandbox_linux/sandbox_debug_handling_linux.h" | |
31 #include "content/common/sandbox_linux/sandbox_linux.h" | 32 #include "content/common/sandbox_linux/sandbox_linux.h" |
32 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" | 33 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" |
33 #include "content/public/common/content_switches.h" | 34 #include "content/public/common/content_switches.h" |
34 #include "content/public/common/sandbox_linux.h" | 35 #include "content/public/common/sandbox_linux.h" |
36 #include "sandbox/linux/services/credentials.h" | |
37 #include "sandbox/linux/services/namespace_sandbox.h" | |
35 #include "sandbox/linux/services/proc_util.h" | 38 #include "sandbox/linux/services/proc_util.h" |
36 #include "sandbox/linux/services/thread_helpers.h" | 39 #include "sandbox/linux/services/thread_helpers.h" |
37 #include "sandbox/linux/services/yama.h" | 40 #include "sandbox/linux/services/yama.h" |
38 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 41 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
39 | 42 |
40 #if defined(ANY_OF_AMTLU_SANITIZER) | 43 #if defined(ANY_OF_AMTLU_SANITIZER) |
41 #include <sanitizer/common_interface_defs.h> | 44 #include <sanitizer/common_interface_defs.h> |
42 #endif | 45 #endif |
43 | 46 |
44 using sandbox::Yama; | 47 using sandbox::Yama; |
175 } | 178 } |
176 | 179 |
177 // Yama is a "global", system-level status. We assume it will not regress | 180 // Yama is a "global", system-level status. We assume it will not regress |
178 // after startup. | 181 // after startup. |
179 const int yama_status = Yama::GetStatus(); | 182 const int yama_status = Yama::GetStatus(); |
180 yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) && | 183 yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) && |
181 (yama_status & Yama::STATUS_ENFORCING); | 184 (yama_status & Yama::STATUS_ENFORCING); |
182 pre_initialized_ = true; | 185 pre_initialized_ = true; |
183 } | 186 } |
184 | 187 |
188 void LinuxSandbox::EngageNamespaceSandbox() { | |
189 CHECK(pre_initialized_); | |
190 // Check being in a new PID namespace created by the namespace sandbox and | |
191 // being the init process. | |
192 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace()); | |
193 const pid_t pid = getpid(); | |
194 CHECK_EQ(1, pid); | |
195 | |
196 CHECK(sandbox::Credentials::MoveToNewUserNS()); | |
197 // Note: this requires SealSandbox() to be called later in this process to be | |
198 // safe, as this class is purposedly keeping a file descriptor to /proc. | |
rickyz (no longer on Chrome)
2015/02/11 22:59:56
nit: purposely (or just remove if you prefer)
jln (very slow on Chromium)
2015/02/11 23:13:06
Done.
| |
199 CHECK(!HasOpenDirectories()); | |
200 CHECK(sandbox::Credentials::DropFileSystemAccess()); | |
201 CHECK(IsSingleThreaded()); | |
202 CHECK(sandbox::Credentials::DropAllCapabilities()); | |
203 | |
204 // This needs to happen after moving to a new user NS, since doing so involves | |
205 // writing the UID/GID map. | |
206 CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers()); | |
207 } | |
208 | |
185 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() { | 209 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() { |
186 std::vector<int> fds; | 210 std::vector<int> fds; |
187 if (proc_fd_ >= 0) { | 211 if (proc_fd_ >= 0) { |
188 fds.push_back(proc_fd_); | 212 fds.push_back(proc_fd_); |
189 } | 213 } |
190 return fds; | 214 return fds; |
191 } | 215 } |
192 | 216 |
193 bool LinuxSandbox::InitializeSandbox() { | 217 bool LinuxSandbox::InitializeSandbox() { |
194 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); | 218 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); |
435 | 459 |
436 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { | 460 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { |
437 DCHECK(thread); | 461 DCHECK(thread); |
438 base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_)); | 462 base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_)); |
439 PCHECK(proc_self_task.is_valid()); | 463 PCHECK(proc_self_task.is_valid()); |
440 CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(), | 464 CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(), |
441 thread)); | 465 thread)); |
442 } | 466 } |
443 | 467 |
444 } // namespace content | 468 } // namespace content |
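Review bot: In EngageNamespaceSandbox() the `CHECK(IsSingleThreaded());` at new line 201 only runs after `MoveToNewUserNS()` (196) and `DropFileSystemAccess()` (200), both of which presuppose a single-threaded process, so a caller that still has a live thread dies inside `MoveToNewUserNS()` with no indication of the real precondition; moving `CHECK(IsSingleThreaded());` to directly after `CHECK(pre_initialized_);` would make the failure self-explaining and keep the thread check ahead of every privilege-dropping step, assuming the helper only needs proc_fd_, which is still open at that point. Separately, the comment at 197-198 makes the safety of this function depend on a later `SealSandbox()` call purely by convention, even though proc_fd_ is exactly the kind of directory descriptor that `CHECK(!HasOpenDirectories());` at 199 exists to rule out before the filesystem drop. Recording the state in a member (something like `namespace_sandbox_engaged_ = true;` at the end of this function) and asserting on it in `SealSandbox()` would turn that ordering contract into something the code checks rather than something a reader has to remember. The function is entirely within the hunk.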