Index: content/common/sandbox_linux/sandbox_linux.cc |
diff --git a/content/common/sandbox_linux/sandbox_linux.cc b/content/common/sandbox_linux/sandbox_linux.cc |
index 480b2654f3df2bf79eea18923bfbcbee6c262002..ed51786db1606ec645251376a7daa86bf8404bfe 100644 |
--- a/content/common/sandbox_linux/sandbox_linux.cc |
+++ b/content/common/sandbox_linux/sandbox_linux.cc |
@@ -28,10 +28,13 @@ |
#include "base/sys_info.h" |
#include "base/time/time.h" |
#include "build/build_config.h" |
+#include "content/common/sandbox_linux/sandbox_debug_handling_linux.h" |
#include "content/common/sandbox_linux/sandbox_linux.h" |
#include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" |
#include "content/public/common/content_switches.h" |
#include "content/public/common/sandbox_linux.h" |
+#include "sandbox/linux/services/credentials.h" |
+#include "sandbox/linux/services/namespace_sandbox.h" |
#include "sandbox/linux/services/proc_util.h" |
#include "sandbox/linux/services/thread_helpers.h" |
#include "sandbox/linux/services/yama.h" |
@@ -182,6 +185,27 @@ void LinuxSandbox::PreinitializeSandbox() { |
pre_initialized_ = true; |
} |
+void LinuxSandbox::EngageNamespaceSandbox() { |
+ CHECK(pre_initialized_); |
+ // Check being in a new PID namespace created by the namespace sandbox and |
+ // being the init process. |
+ CHECK(sandbox::NamespaceSandbox::InNewPidNamespace()); |
+ const pid_t pid = getpid(); |
+ CHECK_EQ(1, pid); |
+ |
+ CHECK(sandbox::Credentials::MoveToNewUserNS()); |
+ // Note: this requires SealSandbox() to be called later in this process to be |
+ // safe, as this class is purposedly keeping a file descriptor to /proc. |
rickyz (no longer on Chrome)
2015/02/11 22:59:56
nit: purposely (or just remove if you prefer)
jln (very slow on Chromium)
2015/02/11 23:13:06
Done.
|
+ CHECK(!HasOpenDirectories()); |
+ CHECK(sandbox::Credentials::DropFileSystemAccess()); |
+ CHECK(IsSingleThreaded()); |
+ CHECK(sandbox::Credentials::DropAllCapabilities()); |
+ |
+ // This needs to happen after moving to a new user NS, since doing so involves |
+ // writing the UID/GID map. |
+ CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers()); |
+} |
+ |
std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() { |
std::vector<int> fds; |
if (proc_fd_ >= 0) { |