Chromium Code Reviews
Unified Diff: content/common/sandbox_linux/sandbox_linux.h

Issue 915823002: Namespace sandbox: add important security checks (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Better documentation. Created 5 years, 10 months ago
Index: content/common/sandbox_linux/sandbox_linux.h
diff --git a/content/common/sandbox_linux/sandbox_linux.h b/content/common/sandbox_linux/sandbox_linux.h
index b3a0d6df94675e00a61f400db5d74e0e3472cf89..010c44a4bfb48612d352e1a0cde4a23feebaa31a 100644
--- a/content/common/sandbox_linux/sandbox_linux.h
+++ b/content/common/sandbox_linux/sandbox_linux.h
@@ -29,6 +29,14 @@ namespace content {
// A singleton class to represent and change our sandboxing state for the
// three main Linux sandboxes.
+// The sandboxing model allows using two layers of sandboxing. The first layer
+// can be implement either with unprivileged namespaces or with the setuid
rickyz (no longer on Chrome) 2015/02/11 22:59:56 nit: implemented
jln (very slow on Chromium) 2015/02/11 23:13:06 Done.
+// sandbox. This class provides a way to engage the namespace sandbox, but does
+// not deal with the legacy setuid sandbox directly.
+// The second layer is mainly based on seccomp-bpf and is engaged with
+// InitializeSandbox(). InitializeSandbox() is also responsible for "sealing"
+// the first layer of sandboxing. That is, InitializeSandbox must always be
+// called to have any meaningful sandboxing at all.
class LinuxSandbox {
public:
// This is a list of sandbox IPC methods which the renderer may send to the
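Review bot: the class comment and the method comments below use two different names for the same thing: here it is "the first layer" and "the second layer", while the EngageNamespaceSandbox() and InitializeSandbox() comments in the next hunk say "layer-1 sandbox" and "layer-2 sandbox". Pick one form and use it throughout the header so readers can grep for it. It would also help to say here what "sealing" actually guarantees for a process that has called EngageNamespaceSandbox() but not yet InitializeSandbox(), since the last sentence ("must always be called to have any meaningful sandboxing at all") implies that the unsealed layer-1 state is not a sandbox on its own; a short statement of what is and is not enforced in that window would make the security contract explicit.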
@@ -58,14 +66,22 @@ class LinuxSandbox {
// a fork().
void PreinitializeSandbox();
+ // Check that the current process is the init process of a new PID
+ // namespace and then proceed to drop access to the file system by using
+ // a new unprivileged namespace. This is a layer-1 sandbox.
+ // This requires "sealing" the sandbox later to be effective by calling
rickyz (no longer on Chrome) 2015/02/11 22:59:56 Maybe: In order for this sandbox to be effective,
jln (very slow on Chromium) 2015/02/11 23:13:06 Done.
+ // InitializeSandbox().
+ void EngageNamespaceSandbox();
+
// Return a list of file descriptors to close if PreinitializeSandbox() ran
// but InitializeSandbox() won't. Avoid using.
// TODO(jln): get rid of this hack.
std::vector<int> GetFileDescriptorsToClose();
- // Initialize the sandbox with the given pre-built configuration. Currently
- // seccomp-bpf and address space limitations (the setuid sandbox works
- // differently and is set-up in the Zygote). This will instantiate the
+ // Seal the layer-1 sandbox and initialize the layer-2 sandbox with the given
+ // pre-built configuration.
+ // Currently seccomp-bpf and address space limitations (the setuid sandbox
rickyz (no longer on Chrome) 2015/02/11 22:59:56 I'm a little confused by this comment and also can
jln (very slow on Chromium) 2015/02/11 23:13:06 Ooch, this comment was a mess. Hopefully it's bett
+ // works differently and is set-up in the Zygote). This will instantiate the
// LinuxSandbox singleton if it doesn't already exist.
// This function should only be called without any thread running.
static bool InitializeSandbox();
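Review bot: the EngageNamespaceSandbox() comment says the method will "Check that the current process is the init process of a new PID namespace", but the method returns void and the comment does not say what happens when that check fails (fatal CHECK, silent no-op, or continuing without the namespace). Since this is a security precondition, the failure behaviour should be documented explicitly, e.g. "It is a fatal error to call this from a process that is not PID 1 of a new PID namespace" or whatever the implementation does. Similarly, InitializeSandbox() returns bool but the comment never states what the return value means. Minor: "set-up" as a verb should be "set up".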
