
Unified Diff: content/zygote/zygote_main_linux.cc

Issue 10492006: Setuid sandbox API versioning (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 7 months ago
Index: content/zygote/zygote_main_linux.cc
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
index 5673f091d0b987866bf446753e1f3af1160ca456..abf95a32a48e823c9284ddda8b9eb2459611e978 100644
--- a/content/zygote/zygote_main_linux.cc
+++ b/content/zygote/zygote_main_linux.cc
@@ -529,14 +529,38 @@ static bool EnterSandbox(bool* using_suid_sandbox, bool* has_started_new_init) {
const char* const sandbox_fd_string = getenv(kSUIDSandboxVar);
if (sandbox_fd_string) {
+ char* endptr;
// Use the SUID sandbox. This still allows the seccomp sandbox to
// be enabled by the process later.
*using_suid_sandbox = true;
- char* endptr;
+ // Check if the SUID sandbox provides the correct API version.
Brad Chen 2012/06/02 15:57:03 Are you adding these checks only for sandbox use i
jln (very slow on Chromium) 2012/06/04 19:26:23 Ohh yes, both. Well, in official builds it's unlik
+ const char* const sandbox_api_string =
+ getenv(base::kSandboxEnvironmentApiProvides);
+ // Assume API version 0 if no environment was found
+ long sandbox_api_num = 0;
+ if (sandbox_api_string) {
+ errno = 0;
+ sandbox_api_num = strtol(sandbox_api_string, &endptr, 10);
+ if (errno || *endptr) {
+ return false;
+ }
+ }
+
+ if (sandbox_api_num != base::kSUIDSandboxApiNumber) {
+ LOG(WARNING) << "You are using a wrong version of the setuid binary!\n"
+ "Please read "
+ "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment."
Brad Chen 2012/06/02 15:57:03 Should this doc be updated to document the version
jln (very slow on Chromium) 2012/06/04 19:26:23 Yes, good point. I'll do it when this lands.
+ "\n\n";
+ }
+
+ // Get the file descriptor to signal the chroot helper.
+ errno = 0;
const long fd_long = strtol(sandbox_fd_string, &endptr, 10);
- if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX)
+ if (errno || !*sandbox_fd_string || *endptr || fd_long < 0 ||
+ fd_long > INT_MAX) {
return false;
+ }
const int fd = fd_long;
static const char kMsgChrootMe = 'C';
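Review bot: In the `sandbox_api_num != base::kSUIDSandboxApiNumber` branch the mismatch is only reported with LOG(WARNING), and execution falls through to the fd parsing and the chroot helper signalling below, so a zygote paired with a setuid binary that reports a different API number still proceeds. If continuing is intended, a comment in that branch saying so would help; otherwise return false there, as the parse-failure paths do. Separately, the API string parse checks `errno || *endptr` but, unlike the fd parse just below it, not `!*sandbox_api_string`, so an empty variable value is accepted as version 0; adding that check would make the two parses consistent.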
