Have Zygote fork a init-like process if required

content/zygote/zygote_main_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <stdio.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
@@ skipping 13 matching lines @@
 #include "base/rand_util.h"
 #include "base/rand_util_c.h"
 #include "base/sys_info.h"
 #include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "content/common/font_config_ipc_linux.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "content/common/sandbox_methods_linux.h"
 #include "content/common/seccomp_sandbox.h"
 #include "content/common/unix_domain_socket_posix.h"
+#include "content/common/zygote_commands_linux.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/main_function_params.h"
 #include "content/public/common/sandbox_linux.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
 #include "content/zygote/zygote_linux.h"
 #include "skia/ext/SkFontHost_fontconfig_control.h"
 #include "unicode/timezone.h"
 
 #if defined(OS_LINUX)
 #include <sys/epoll.h>
@@ skipping 390 matching lines @@
   // It's possible that another hypothetical crypto stack would not require
   // pre-sandbox init, but more likely this is just a build configuration error.
   #error Which SSL library are you using?
 #endif
 
   // Ensure access to the Pepper plugins before the sandbox is turned on.
   PepperPluginRegistry::PreloadModules();
 }
 
 #if !defined(CHROMIUM_SELINUX)
+// Do nothing here
+static void SIGCHLDHandler(int signal) {
+}
+
+// The current process will become a process reaper like init.
+// We fork a child that will continue normally, when it dies, we can safely
+// exit.
+// We need to be careful we close the magic kZygoteIdFd properly in the parent
+// before this function returns.
+static bool CreateInitProcessReaper() {
+  int sync_fds[2];
+  // We want to use send, so we can't use a pipe
+  if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sync_fds)) {

[Markus (顧孟勤), 2012/05/21 23:57:00]

On general principles, I would have used SOCK_STREAM|SOCK_CLOEXEC instead of
SOCK_DGRAM. But it probably doesn't matter much in this case.

[jln (very slow on Chromium), 2012/05/22 00:36:43]

I didn't know socketpair supported that. Thanks! I won't use it though, because
it's supported only since 2.6.27.

+    LOG(ERROR) << "Failed to create socketpair";
+    return false;
+  }
+
+  // We use normal fork, not the ForkDelegate in this case since we are not a
+  // true Zygote yet.
+  pid_t child_pid = fork();
+  if (child_pid == -1) {
+    (void) HANDLE_EINTR(close(sync_fds[0]));
+    (void) HANDLE_EINTR(close(sync_fds[1]));
+    return false;
+  }
+  if (child_pid) {
+    // We are the parent, assuming the role of an init process.
+    (void) HANDLE_EINTR(close(sync_fds[0]));
+    shutdown(sync_fds[1], SHUT_RD);
+    // This "magic" socket must only appear in one process.
+    (void) HANDLE_EINTR(close(content::kZygoteIdFd));
+    // Tell the child to continue
+    int written = HANDLE_EINTR(send(sync_fds[1], "C", 1, MSG_NOSIGNAL));
+    CHECK(written == 1);

[Markus (顧孟勤), 2012/05/21 23:57:00]

I typically prefer to put the actual function call into the CHECK(), as it
results in more informative error messages. But that might be personal
preference.

[jln (very slow on Chromium), 2012/05/22 00:36:43]

Done.

+
+    // The disposition for SIGCHLD cannot be SIG_IGN or wait() will only return
+    // once all of our childs are dead. Since we're init we need to reap childs
+    // as they come.
+    struct sigaction action;
+    memset(&action, 0, sizeof(action));
+    action.sa_handler = &SIGCHLDHandler;
+    CHECK(sigaction(SIGCHLD, &action, NULL) == 0);

[Markus (顧孟勤), 2012/05/21 23:57:00]

You should set up the signal handler prior to writing to your socketpair.
Otherwise, there is a small race condition where your lack of a signal handler
could kill you.

[jln (very slow on Chromium), 2012/05/22 00:36:43]

Done.

+
+    for (;;) {
+      // Loop until we have reaped our one natural child
+      pid_t reaped_child;
+      siginfo_t reaped_child_info;
+      int exit_code = 0;

[Markus (顧孟勤), 2012/05/21 23:57:00]

I'd probably move this variable into the block where it actually is used.

[jln (very slow on Chromium), 2012/05/22 00:36:43]

Done.

+      reaped_child =

[Markus (顧孟勤), 2012/05/21 23:57:00]

This is C++. You can define and use a variable on the same line.

[jln (very slow on Chromium), 2012/05/22 00:36:43]

Done.

+        HANDLE_EINTR(waitid(P_ALL, 0, &reaped_child_info, WEXITED));
+      if (reaped_child == -1)
+        _exit(1);
+      if (reaped_child_info.si_pid == child_pid) {
+        // We're done waiting
+        if (reaped_child_info.si_code == CLD_EXITED) {
+          exit_code = reaped_child_info.si_status;
+        }
+        // Exit with the same exit code as our parent. This is most likely
+        // useless. _exit with 0 if we got signaled.
+        _exit(exit_code);
+      }
+    }
+  } else {
+    // The child needs to wait for the parent to close kZygoteIdFd to avoid a
+    // race condition
+    (void) HANDLE_EINTR(close(sync_fds[1]));
+    shutdown(sync_fds[0], SHUT_WR);
+    char should_continue = '\0';
+    (void) HANDLE_EINTR(read(sync_fds[0], &should_continue, 1));

[Markus (顧孟勤), 2012/05/21 23:57:00]

I would have checked the return code of read(), but that's just me. Your code is
likely just as fine.

[jln (very slow on Chromium), 2012/05/22 00:36:43]

Done.

+    if (should_continue != 'C')
+      return false;
+    else
+      return true;
+  }
+}
+
 // This will set the *using_suid_sandbox variable to true if the SUID sandbox
 // is enabled. This does not necessarily exclude other types of sandboxing.
 static bool EnterSandbox(bool* using_suid_sandbox) {
   *using_suid_sandbox = false;
 
   PreSandboxInit();
   SkiaFontConfigSetImplementation(
       new FontConfigIPC(Zygote::kMagicSandboxIPCDescriptor));
 
   const char* const sandbox_fd_string = getenv(kSUIDSandboxVar);
@@ skipping 23 matching lines @@
     if (HANDLE_EINTR(read(fd, &reply, 1)) != 1) {
       LOG(ERROR) << "Failed to read from chroot pipe: " << errno;
       return false;
     }
 
     if (reply != kMsgChrootSuccessful) {
       LOG(ERROR) << "Error code reply from chroot helper";
       return false;
     }
 
+    if (getpid() == 1) {
+      // The setuid sandbox has created a new PID namespace and we need
+      // to assume the role of init.
+      if (!CreateInitProcessReaper()) {
+        LOG(ERROR) << "Error creating an init process to reap zombies";
+        return false;
+      }
+    }
+
 #if !defined(OS_OPENBSD)
     // Previously, we required that the binary be non-readable. This causes the
     // kernel to mark the process as non-dumpable at startup. The thinking was
     // that, although we were putting the renderers into a PID namespace (with
     // the SUID sandbox), they would nonetheless be in the /same/ PID
     // namespace. So they could ptrace each other unless they were non-dumpable.
     //
     // If the binary was readable, then there would be a window between process
     // startup and the point where we set the non-dumpable flag in which a
     // compromised renderer could ptrace attach.
@@ skipping 95 matching lines @@
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   Zygote zygote(sandbox_flags, forkdelegate, proc_fd_for_seccomp);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }
 
 }  // namespace content