Namespace sandbox: add important security checks

content/common/sandbox_linux/sandbox_linux.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
 
 #include <string>
 #include <vector>
 
@@ skipping 11 matching lines @@
 template <typename T> struct DefaultSingletonTraits;
 namespace base {
 class Thread;
 }
 namespace sandbox { class SetuidSandboxClient; }
 
 namespace content {
 
 // A singleton class to represent and change our sandboxing state for the
 // three main Linux sandboxes.
+// The sandboxing model allows using two layers of sandboxing. The first layer
+// can be implemented either with unprivileged namespaces or with the setuid
+// sandbox. This class provides a way to engage the namespace sandbox, but does
+// not deal with the legacy setuid sandbox directly.
+// The second layer is mainly based on seccomp-bpf and is engaged with
+// InitializeSandbox(). InitializeSandbox() is also responsible for "sealing"
+// the first layer of sandboxing. That is, InitializeSandbox must always be
+// called to have any meaningful sandboxing at all.
 class LinuxSandbox {
  public:
   // This is a list of sandbox IPC methods which the renderer may send to the
   // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
   // This isn't the full list, values < 32 are reserved for methods called from
   // Skia.
   enum LinuxSandboxIPCMethods {
     METHOD_GET_FALLBACK_FONT_FOR_CHAR = 32,
     METHOD_LOCALTIME = 33,
     DEPRECATED_METHOD_GET_CHILD_WITH_INODE = 34,
     METHOD_GET_STYLE_FOR_STRIKE = 35,
     METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36,
     METHOD_MATCH_WITH_FALLBACK = 37,
   };
 
   // Get our singleton instance.
   static LinuxSandbox* GetInstance();
 
   // Do some initialization that can only be done before any of the sandboxes
   // are enabled. If using the setuid sandbox, this should be called manually
   // before the setuid sandbox is engaged.
   // Security: When this runs, it is imperative that either InitializeSandbox()
   // runs as well or that all file descriptors returned in
   // GetFileDescriptorsToClose() get closed.
   // Otherwise file descriptors that bypass the security of the setuid sandbox
   // would be kept open. One must be particularly careful if a process performs
   // a fork().
   void PreinitializeSandbox();
 
+  // Check that the current process is the init process of a new PID
+  // namespace and then proceed to drop access to the file system by using
+  // a new unprivileged namespace. This is a layer-1 sandbox.
+  // In order for this sandbox to be effective, it must be "sealed" by calling
+  // InitializeSandbox().
+  void EngageNamespaceSandbox();
+
   // Return a list of file descriptors to close if PreinitializeSandbox() ran
   // but InitializeSandbox() won't. Avoid using.
   // TODO(jln): get rid of this hack.
   std::vector<int> GetFileDescriptorsToClose();
 
-  // Initialize the sandbox with the given pre-built configuration. Currently
-  // seccomp-bpf and address space limitations (the setuid sandbox works
-  // differently and is set-up in the Zygote). This will instantiate the
-  // LinuxSandbox singleton if it doesn't already exist.
+  // Seal an eventual layer-1 sandbox and initialize the layer-2 sandbox with
+  // an adequate policy depending on the process type and command line
+  // arguments.
+  // Currently the layer-2 sandbox is composed of seccomp-bpf and address space
+  // limitations. This will instantiate the LinuxSandbox singleton if it
+  // doesn't already exist.
   // This function should only be called without any thread running.
   static bool InitializeSandbox();
 
   // Stop |thread| in a way that can be trusted by the sandbox.
   static void StopThread(base::Thread* thread);
 
   // Returns the status of the renderer, worker and ppapi sandbox. Can only
   // be queried after going through PreinitializeSandbox(). This is a bitmask
   // and uses the constants defined in "enum LinuxSandboxStatus". Since the
   // status needs to be provided before the sandboxes are actually started,
@@ skipping 71 matching lines @@
 #if defined(ANY_OF_AMTLU_SANITIZER)
   scoped_ptr<__sanitizer_sandbox_arguments> sanitizer_args_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(LinuxSandbox);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_