1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/zygote_host_impl_linux.h" | 5 #include "content/browser/zygote_host_impl_linux.h" |
6 | 6 |
7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <pthread.h> | 9 #include <pthread.h> |
10 #include <stdio.h> | 10 #include <stdio.h> |
847 // pre-sandbox init, but more likely this is just a build configuration error. | 847 // pre-sandbox init, but more likely this is just a build configuration error. |
848 #error Which SSL library are you using? | 848 #error Which SSL library are you using? |
849 #endif | 849 #endif |
850 | 850 |
851 // Ensure access to the Pepper plugins before the sandbox is turned on. | 851 // Ensure access to the Pepper plugins before the sandbox is turned on. |
852 PepperPluginRegistry::PreloadModules(); | 852 PepperPluginRegistry::PreloadModules(); |
853 } | 853 } |
854 | 854 |
855 #if !defined(CHROMIUM_SELINUX) | 855 #if !defined(CHROMIUM_SELINUX) |
856 static bool EnterSandbox() { | 856 static bool EnterSandbox() { |
857 PreSandboxInit(); | |
858 SkiaFontConfigSetImplementation( | |
859 new FontConfigIPC(kMagicSandboxIPCDescriptor)); | |
860 | |
Jorge Lucangeli Obes
2012/04/16 19:59:28
So this will do the pre-sandbox init even if the S
| |
857 // The SUID sandbox sets this environment variable to a file descriptor | 861 // The SUID sandbox sets this environment variable to a file descriptor |
858 // over which we can signal that we have completed our startup and can be | 862 // over which we can signal that we have completed our startup and can be |
859 // chrooted. | 863 // chrooted. |
860 const char* const sandbox_fd_string = getenv("SBX_D"); | 864 const char* const sandbox_fd_string = getenv("SBX_D"); |
861 | 865 |
862 if (sandbox_fd_string) { | 866 if (sandbox_fd_string) { |
863 // Use the SUID sandbox. This still allows the seccomp sandbox to | 867 // Use the SUID sandbox. This still allows the seccomp sandbox to |
864 // be enabled by the process later. | 868 // be enabled by the process later. |
865 g_suid_sandbox_active = true; | 869 g_suid_sandbox_active = true; |
866 | 870 |
867 char* endptr; | 871 char* endptr; |
868 const long fd_long = strtol(sandbox_fd_string, &endptr, 10); | 872 const long fd_long = strtol(sandbox_fd_string, &endptr, 10); |
869 if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX) | 873 if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX) |
870 return false; | 874 return false; |
871 const int fd = fd_long; | 875 const int fd = fd_long; |
872 | 876 |
873 PreSandboxInit(); | |
874 | |
875 static const char kMsgChrootMe = 'C'; | 877 static const char kMsgChrootMe = 'C'; |
876 static const char kMsgChrootSuccessful = 'O'; | 878 static const char kMsgChrootSuccessful = 'O'; |
877 | 879 |
878 if (HANDLE_EINTR(write(fd, &kMsgChrootMe, 1)) != 1) { | 880 if (HANDLE_EINTR(write(fd, &kMsgChrootMe, 1)) != 1) { |
879 LOG(ERROR) << "Failed to write to chroot pipe: " << errno; | 881 LOG(ERROR) << "Failed to write to chroot pipe: " << errno; |
880 return false; | 882 return false; |
881 } | 883 } |
882 | 884 |
883 // We need to reap the chroot helper process in any event: | 885 // We need to reap the chroot helper process in any event: |
884 wait(NULL); | 886 wait(NULL); |
885 | 887 |
886 char reply; | 888 char reply; |
887 if (HANDLE_EINTR(read(fd, &reply, 1)) != 1) { | 889 if (HANDLE_EINTR(read(fd, &reply, 1)) != 1) { |
888 LOG(ERROR) << "Failed to read from chroot pipe: " << errno; | 890 LOG(ERROR) << "Failed to read from chroot pipe: " << errno; |
889 return false; | 891 return false; |
890 } | 892 } |
891 | 893 |
892 if (reply != kMsgChrootSuccessful) { | 894 if (reply != kMsgChrootSuccessful) { |
893 LOG(ERROR) << "Error code reply from chroot helper"; | 895 LOG(ERROR) << "Error code reply from chroot helper"; |
894 return false; | 896 return false; |
895 } | 897 } |
896 | 898 |
897 SkiaFontConfigSetImplementation( | |
898 new FontConfigIPC(kMagicSandboxIPCDescriptor)); | |
899 | |
900 #if !defined(OS_OPENBSD) | 899 #if !defined(OS_OPENBSD) |
901 // Previously, we required that the binary be non-readable. This causes the | 900 // Previously, we required that the binary be non-readable. This causes the |
902 // kernel to mark the process as non-dumpable at startup. The thinking was | 901 // kernel to mark the process as non-dumpable at startup. The thinking was |
903 // that, although we were putting the renderers into a PID namespace (with | 902 // that, although we were putting the renderers into a PID namespace (with |
904 // the SUID sandbox), they would nonetheless be in the /same/ PID | 903 // the SUID sandbox), they would nonetheless be in the /same/ PID |
905 // namespace. So they could ptrace each other unless they were non-dumpable. | 904 // namespace. So they could ptrace each other unless they were non-dumpable. |
906 // | 905 // |
907 // If the binary was readable, then there would be a window between process | 906 // If the binary was readable, then there would be a window between process |
908 // startup and the point where we set the non-dumpable flag in which a | 907 // startup and the point where we set the non-dumpable flag in which a |
909 // compromised renderer could ptrace attach. | 908 // compromised renderer could ptrace attach. |
910 // | 909 // |
911 // However, now that we have a zygote model, only the (trusted) zygote | 910 // However, now that we have a zygote model, only the (trusted) zygote |
912 // exists at this point and we can set the non-dumpable flag which is | 911 // exists at this point and we can set the non-dumpable flag which is |
913 // inherited by all our renderer children. | 912 // inherited by all our renderer children. |
914 // | 913 // |
915 // Note: a non-dumpable process can't be debugged. To debug sandbox-related | 914 // Note: a non-dumpable process can't be debugged. To debug sandbox-related |
916 // issues, one can specify --allow-sandbox-debugging to let the process be | 915 // issues, one can specify --allow-sandbox-debugging to let the process be |
917 // dumpable. | 916 // dumpable. |
918 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 917 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
919 if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) { | 918 if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) { |
920 prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); | 919 prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); |
921 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) { | 920 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) { |
922 LOG(ERROR) << "Failed to set non-dumpable flag"; | 921 LOG(ERROR) << "Failed to set non-dumpable flag"; |
923 return false; | 922 return false; |
924 } | 923 } |
925 } | 924 } |
926 #endif | 925 #endif |
927 #if defined(SECCOMP_SANDBOX) | |
928 } else if (SeccompSandboxEnabled()) { | |
929 PreSandboxInit(); | |
930 SkiaFontConfigSetImplementation( | |
931 new FontConfigIPC(kMagicSandboxIPCDescriptor)); | |
932 #endif | |
933 } else { | |
934 SkiaFontConfigUseDirectImplementation(); | |
935 } | 926 } |
936 | 927 |
937 return true; | 928 return true; |
938 } | 929 } |
939 #else // CHROMIUM_SELINUX | 930 #else // CHROMIUM_SELINUX |
940 | 931 |
941 static bool EnterSandbox() { | 932 static bool EnterSandbox() { |
942 PreSandboxInit(); | 933 PreSandboxInit(); |
943 SkiaFontConfigSetImplementation( | 934 SkiaFontConfigSetImplementation( |
944 new FontConfigIPC(kMagicSandboxIPCDescriptor)); | 935 new FontConfigIPC(kMagicSandboxIPCDescriptor)); |
1007 VLOG(1) << "Enabling experimental Seccomp sandbox."; | 998 VLOG(1) << "Enabling experimental Seccomp sandbox."; |
1008 sandbox_flags |= ZygoteHostImpl::kSandboxSeccomp; | 999 sandbox_flags |= ZygoteHostImpl::kSandboxSeccomp; |
1009 } | 1000 } |
1010 } | 1001 } |
1011 #endif // SECCOMP_SANDBOX | 1002 #endif // SECCOMP_SANDBOX |
1012 | 1003 |
1013 Zygote zygote(sandbox_flags, forkdelegate); | 1004 Zygote zygote(sandbox_flags, forkdelegate); |
1014 // This function call can return multiple times, once per fork(). | 1005 // This function call can return multiple times, once per fork(). |
1015 return zygote.ProcessRequests(); | 1006 return zygote.ProcessRequests(); |
1016 } | 1007 } |
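Review bot: The `SkiaFontConfigUseDirectImplementation()` fallback at OLD 933-934 is dropped, so on the NEW side every path through EnterSandbox() installs `FontConfigIPC(kMagicSandboxIPCDescriptor)` at NEW 858-859, including the path where `SBX_D` is unset and the function still returns true. Nothing in the hunk states that the caller must have opened that descriptor before the zygote starts; if it is not open, font lookups presumably fail later at runtime rather than at startup — confirm against the zygote launcher. A short comment above the new calls, `// Font config always goes through the sandbox IPC channel, even when no SUID sandbox is active; the launcher must have set up kMagicSandboxIPCDescriptor before starting the zygote.`, would make that assumption explicit. The SELinux variant at NEW 933-935 repeats the same two calls, so a small shared helper would keep the two EnterSandbox() implementations from drifting apart.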