| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_H_ | |
| 6 #define CONTENT_COMMON_SANDBOX_LINUX_H_ | |
| 7 | |
| 8 #include <string> | |
| 9 | |
| 10 #include "base/basictypes.h" | |
| 11 #include "base/memory/scoped_ptr.h" | |
| 12 #include "content/public/common/sandbox_linux.h" | |
| 13 | |
| 14 template <typename T> struct DefaultSingletonTraits; | |
| 15 namespace sandbox { class SetuidSandboxClient; } | |
| 16 | |
| 17 namespace content { | |
| 18 | |
| 19 // A singleton class to represent and change our sandboxing state for the | |
| 20 // three main Linux sandboxes. | |
| 21 class LinuxSandbox { | |
| 22 public: | |
| 23 // This is a list of sandbox IPC methods which the renderer may send to the | |
| 24 // sandbox host. See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC | |
| 25 // This isn't the full list, values < 32 are reserved for methods called from | |
| 26 // Skia. | |
| 27 enum LinuxSandboxIPCMethods { | |
| 28 METHOD_GET_FONT_FAMILY_FOR_CHAR = 32, | |
| 29 METHOD_LOCALTIME = 33, | |
| 30 METHOD_GET_CHILD_WITH_INODE = 34, | |
| 31 METHOD_GET_STYLE_FOR_STRIKE = 35, | |
| 32 METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36, | |
| 33 METHOD_MATCH_WITH_FALLBACK = 37, | |
| 34 }; | |
| 35 | |
| 36 // Get our singleton instance. | |
| 37 static LinuxSandbox* GetInstance(); | |
| 38 | |
| 39 // Do some initialization that can only be done before any of the sandboxes | |
| 40 // are enabled. If using the setuid sandbox, this should be called manually | |
| 41 // before the setuid sandbox is engaged. | |
| 42 void PreinitializeSandbox(); | |
| 43 | |
| 44 // Initialize the sandbox with the given pre-built configuration. Currently | |
| 45 // seccomp-bpf and address space limitations (the setuid sandbox works | |
| 46 // differently and is set-up in the Zygote). This will instantiate the | |
| 47 // LinuxSandbox singleton if it doesn't already exist. | |
| 48 static bool InitializeSandbox(); | |
| 49 | |
| 50 // Returns the Status of the renderers' sandbox. Can only be queried after | |
| 51 // going through PreinitializeSandbox(). This is a bitmask and uses the | |
| 52 // constants defined in "enum LinuxSandboxStatus". Since the status needs to | |
| 53 // be provided before the sandboxes are actually started, this returns what | |
| 54 // will actually happen once the various Start* functions are called from | |
| 55 // inside a renderer. | |
| 56 int GetStatus() const; | |
| 57 // Returns true if the current process is single-threaded or if the number | |
| 58 // of threads cannot be determined. | |
| 59 bool IsSingleThreaded() const; | |
| 60 // Did we start Seccomp BPF? | |
| 61 bool seccomp_bpf_started() const; | |
| 62 | |
| 63 // Simple accessor for our instance of the setuid sandbox. Will never return | |
| 64 // NULL. | |
| 65 // There is no StartSetuidSandbox(), the SetuidSandboxClient instance should | |
| 66 // be used directly. | |
| 67 sandbox::SetuidSandboxClient* setuid_sandbox_client() const; | |
| 68 | |
| 69 // Check the policy and eventually start the seccomp-bpf sandbox. This should | |
| 70 // never be called with threads started. If we detect that threads have | |
| 71 // started we will crash. | |
| 72 bool StartSeccompBPF(const std::string& process_type); | |
| 73 | |
| 74 // Limit the address space of the current process (and its children). | |
| 75 // to make some vulnerabilities harder to exploit. | |
| 76 bool LimitAddressSpace(const std::string& process_type); | |
| 77 | |
| 78 private: | |
| 79 friend struct DefaultSingletonTraits<LinuxSandbox>; | |
| 80 | |
| 81 // We must have been pre_initialized_ before using this. | |
| 82 bool seccomp_bpf_supported() const; | |
| 83 // Returns true if it can be determined that the current process has open | |
| 84 // directories that are not managed by the LinuxSandbox class. This would | |
| 85 // be a vulnerability as it would allow to bypass the setuid sandbox. | |
| 86 bool HasOpenDirectories(); | |
| 87 // The last part of the initialization is to make sure any temporary "hole" | |
| 88 // in the sandbox is closed. For now, this consists of closing proc_fd_. | |
| 89 void SealSandbox(); | |
| 90 | |
| 91 // A file descriptor to /proc. It's dangerous to have it around as it could | |
| 92 // allow for sandbox bypasses. It needs to be closed before we consider | |
| 93 // ourselves sandboxed. | |
| 94 int proc_fd_; | |
| 95 bool seccomp_bpf_started_; | |
| 96 // Did PreinitializeSandbox() run? | |
| 97 bool pre_initialized_; | |
| 98 bool seccomp_bpf_supported_; // Accurate if pre_initialized_. | |
| 99 scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_; | |
| 100 | |
| 101 ~LinuxSandbox(); | |
| 102 DISALLOW_IMPLICIT_CONSTRUCTORS(LinuxSandbox); | |
| 103 }; | |
| 104 | |
| 105 } // namespace content | |
| 106 | |
| 107 #endif // CONTENT_COMMON_SANDBOX_LINUX_H_ | |
| 108 | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 99133015:
Linux Sandbox: split the GPU policies to their own file. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src