
Side by Side Diff: content/zygote/zygote_main_linux.cc

Issue 10492006: Setuid sandbox API versioning (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: rebase on current state of tree Created 8 years, 6 months ago
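--- a/content/zygote/zygote_main_linux.cc
+++ b/content/zygote/zygote_main_linux.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <stdio.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
@@ -497,28 +497,52 @@
 static bool EnterSandbox(bool* using_suid_sandbox, bool* has_started_new_init) {
 *using_suid_sandbox = false;
 *has_started_new_init = false;
 
 PreSandboxInit();
 SkiaFontConfigSetImplementation(
 new FontConfigIPC(Zygote::kMagicSandboxIPCDescriptor));
 
 const char* const sandbox_fd_string = getenv(kSUIDSandboxVar);
 if (sandbox_fd_string) {
+char* endptr;
 // Use the SUID sandbox. This still allows the seccomp sandbox to
 // be enabled by the process later.
 *using_suid_sandbox = true;
 
-char* endptr;
+// Check if the SUID sandbox provides the correct API version.
+const char* const sandbox_api_string =
+getenv(base::kSandboxEnvironmentApiProvides);
+// Assume API version 0 if no environment was found
+long sandbox_api_num = 0;
+if (sandbox_api_string) {
+errno = 0;
+sandbox_api_num = strtol(sandbox_api_string, &endptr, 10);
+if (errno || *endptr) {
+return false;
+}
+}
+
+if (sandbox_api_num != base::kSUIDSandboxApiNumber) {
+LOG(WARNING) << "You are using a wrong version of the setuid binary!\n"
+"Please read "
+"https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment."
+"\n\n";
+}
+
+// Get the file descriptor to signal the chroot helper.
+errno = 0;
 const long fd_long = strtol(sandbox_fd_string, &endptr, 10);
-if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX)
+if (errno || !*sandbox_fd_string || *endptr || fd_long < 0 ||
+fd_long > INT_MAX) {
 return false;
+}
 const int fd = fd_long;
 
 static const char kMsgChrootMe = 'C';
 static const char kMsgChrootSuccessful = 'O';
 
 if (HANDLE_EINTR(write(fd, &kMsgChrootMe, 1)) != 1) {
 LOG(ERROR) << "Failed to write to chroot pipe: " << errno;
 return false;
 }
 
@@ -665,10 +689,10 @@
 }
 }
 #endif // SECCOMP_SANDBOX
 
 Zygote zygote(sandbox_flags, forkdelegate, proc_fd_for_seccomp);
 // This function call can return multiple times, once per fork().
 return zygote.ProcessRequests();
 }
 
 } // namespace content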
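Review bot: The API-version parse at new lines 517-523 treats an empty value of the variable named by `base::kSandboxEnvironmentApiProvides` as version 0, because `strtol` on an empty string leaves `*endptr` at the terminator and is not required to set `errno`. The fd parse a few lines below already guards against this with `!*sandbox_fd_string`, so the version check should match it: `if (errno || !*sandbox_api_string || *endptr) {`. A version mismatch at new line 525 only logs a warning and the function still goes on to write `kMsgChrootMe` to the helper; if continuing against a helper of a different API version is intended, a comment such as `// Mismatch is non-fatal: warn and keep using the sandbox.` would make that explicit. The two parse-failure paths also `return false` without logging, unlike the pipe-write failure. The body of `EnterSandbox` continues past new line 548, outside the visible lines.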