OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <dirent.h> | 5 #include <dirent.h> |
6 #include <fcntl.h> | 6 #include <fcntl.h> |
7 #include <sys/resource.h> | 7 #include <sys/resource.h> |
8 #include <sys/stat.h> | 8 #include <sys/stat.h> |
9 #include <sys/time.h> | 9 #include <sys/time.h> |
10 #include <sys/types.h> | 10 #include <sys/types.h> |
(...skipping 10 matching lines...) Expand all Loading... |
21 #include "base/files/scoped_file.h" | 21 #include "base/files/scoped_file.h" |
22 #include "base/logging.h" | 22 #include "base/logging.h" |
23 #include "base/macros.h" | 23 #include "base/macros.h" |
24 #include "base/memory/scoped_ptr.h" | 24 #include "base/memory/scoped_ptr.h" |
25 #include "base/memory/singleton.h" | 25 #include "base/memory/singleton.h" |
26 #include "base/posix/eintr_wrapper.h" | 26 #include "base/posix/eintr_wrapper.h" |
27 #include "base/strings/string_number_conversions.h" | 27 #include "base/strings/string_number_conversions.h" |
28 #include "base/sys_info.h" | 28 #include "base/sys_info.h" |
29 #include "base/time/time.h" | 29 #include "base/time/time.h" |
30 #include "build/build_config.h" | 30 #include "build/build_config.h" |
| 31 #include "content/common/sandbox_linux/sandbox_debug_handling_linux.h" |
31 #include "content/common/sandbox_linux/sandbox_linux.h" | 32 #include "content/common/sandbox_linux/sandbox_linux.h" |
32 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" | 33 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" |
33 #include "content/public/common/content_switches.h" | 34 #include "content/public/common/content_switches.h" |
34 #include "content/public/common/sandbox_linux.h" | 35 #include "content/public/common/sandbox_linux.h" |
| 36 #include "sandbox/linux/services/credentials.h" |
35 #include "sandbox/linux/services/namespace_sandbox.h" | 37 #include "sandbox/linux/services/namespace_sandbox.h" |
36 #include "sandbox/linux/services/proc_util.h" | 38 #include "sandbox/linux/services/proc_util.h" |
37 #include "sandbox/linux/services/thread_helpers.h" | 39 #include "sandbox/linux/services/thread_helpers.h" |
38 #include "sandbox/linux/services/yama.h" | 40 #include "sandbox/linux/services/yama.h" |
39 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" | 41 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
40 | 42 |
41 #if defined(ANY_OF_AMTLU_SANITIZER) | 43 #if defined(ANY_OF_AMTLU_SANITIZER) |
42 #include <sanitizer/common_interface_defs.h> | 44 #include <sanitizer/common_interface_defs.h> |
43 #endif | 45 #endif |
44 | 46 |
(...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
175 } | 177 } |
176 | 178 |
177 // Yama is a "global", system-level status. We assume it will not regress | 179 // Yama is a "global", system-level status. We assume it will not regress |
178 // after startup. | 180 // after startup. |
179 const int yama_status = Yama::GetStatus(); | 181 const int yama_status = Yama::GetStatus(); |
180 yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) && | 182 yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) && |
181 (yama_status & Yama::STATUS_ENFORCING); | 183 (yama_status & Yama::STATUS_ENFORCING); |
182 pre_initialized_ = true; | 184 pre_initialized_ = true; |
183 } | 185 } |
184 | 186 |
| 187 void LinuxSandbox::EngageNamespaceSandbox() { |
| 188 CHECK(pre_initialized_); |
| 189 // Check being in a new PID namespace created by the namespace sandbox and |
| 190 // being the init process. |
| 191 CHECK(sandbox::NamespaceSandbox::InNewPidNamespace()); |
| 192 const pid_t pid = getpid(); |
| 193 CHECK_EQ(1, pid); |
| 194 |
| 195 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| 196 // Note: this requires SealSandbox() to be called later in this process to be |
| 197 // safe, as this class is keeping a file descriptor to /proc. |
| 198 CHECK(!HasOpenDirectories()); |
| 199 CHECK(sandbox::Credentials::DropFileSystemAccess()); |
| 200 CHECK(IsSingleThreaded()); |
| 201 CHECK(sandbox::Credentials::DropAllCapabilities()); |
| 202 |
| 203 // This needs to happen after moving to a new user NS, since doing so involves |
| 204 // writing the UID/GID map. |
| 205 CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers()); |
| 206 } |
| 207 |
185 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() { | 208 std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() { |
186 std::vector<int> fds; | 209 std::vector<int> fds; |
187 if (proc_fd_ >= 0) { | 210 if (proc_fd_ >= 0) { |
188 fds.push_back(proc_fd_); | 211 fds.push_back(proc_fd_); |
189 } | 212 } |
190 return fds; | 213 return fds; |
191 } | 214 } |
192 | 215 |
193 bool LinuxSandbox::InitializeSandbox() { | 216 bool LinuxSandbox::InitializeSandbox() { |
194 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); | 217 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); |
(...skipping 246 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
441 | 464 |
442 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { | 465 void LinuxSandbox::StopThreadAndEnsureNotCounted(base::Thread* thread) const { |
443 DCHECK(thread); | 466 DCHECK(thread); |
444 base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_)); | 467 base::ScopedFD proc_self_task(OpenProcTaskFd(proc_fd_)); |
445 PCHECK(proc_self_task.is_valid()); | 468 PCHECK(proc_self_task.is_valid()); |
446 CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(), | 469 CHECK(sandbox::ThreadHelpers::StopThreadAndWatchProcFS(proc_self_task.get(), |
447 thread)); | 470 thread)); |
448 } | 471 } |
449 | 472 |
450 } // namespace content | 473 } // namespace content |
OLD | NEW |