Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(9)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_init_linux.cc

Issue 10534049: Disable the seccomp filter GPU process sandbox by default on Chrome OS. (Closed) Base URL: http://git.chromium.org/chromium/src.git@master
Patch Set: Change flag name, move GPU info check to gpu_main.cc Created 8 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | content/gpu/gpu_main.cc » ('j') | content/gpu/gpu_main.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/public/common/sandbox_init.h" 5 #include "content/public/common/sandbox_init.h"
6 6
7 #if defined(OS_LINUX) && defined(__x86_64__) 7 #if defined(OS_LINUX) && defined(__x86_64__)
8 8
9 #include <asm/unistd.h> 9 #include <asm/unistd.h>
10 #include <errno.h> 10 #include <errno.h>
(...skipping 370 matching lines...) Expand 10 before | Expand all | Expand 10 after
381 PLOG_IF(FATAL, ret != 0) << "prctl(PR_SET_NO_NEW_PRIVS) failed"; 381 PLOG_IF(FATAL, ret != 0) << "prctl(PR_SET_NO_NEW_PRIVS) failed";
382 382
383 struct sock_fprog fprog; 383 struct sock_fprog fprog;
384 fprog.len = program.size(); 384 fprog.len = program.size();
385 fprog.filter = const_cast<struct sock_filter*>(&program[0]); 385 fprog.filter = const_cast<struct sock_filter*>(&program[0]);
386 386
387 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0); 387 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
388 PLOG_IF(FATAL, ret != 0) << "Failed to install filter."; 388 PLOG_IF(FATAL, ret != 0) << "Failed to install filter.";
389 } 389 }
390 390
391 static bool ShouldEnableGPUSandbox() {
392 #if defined(OS_CHROMEOS)
393 const CommandLine& command_line = *CommandLine::ForCurrentProcess();
394 return command_line.HasSwitch(switches::kEnableGPUSandbox);
395 #else
396 return true;
Chris Evans 2012/06/08 07:13:57 return !command_line.HasSwitch(kDisable) -- see be
Jorge Lucangeli Obes 2012/06/11 20:23:04 Done.
397 #endif
398 }
399
391 } // anonymous namespace 400 } // anonymous namespace
392 401
393 namespace content { 402 namespace content {
394 403
395 void InitializeSandbox() { 404 void InitializeSandbox() {
396 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 405 const CommandLine& command_line = *CommandLine::ForCurrentProcess();
397 if (command_line.HasSwitch(switches::kNoSandbox) || 406 if (command_line.HasSwitch(switches::kNoSandbox) ||
398 command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) 407 command_line.HasSwitch(switches::kDisableSeccompFilterSandbox))
399 return; 408 return;
400 409
401 std::string process_type = 410 std::string process_type =
402 command_line.GetSwitchValueASCII(switches::kProcessType); 411 command_line.GetSwitchValueASCII(switches::kProcessType);
403 if (process_type == switches::kGpuProcess && 412 if (process_type == switches::kGpuProcess &&
404 command_line.HasSwitch(switches::kDisableGpuSandbox)) 413 command_line.HasSwitch(switches::kDisableGpuSandbox))
Chris Evans 2012/06/08 07:13:57 Do it here (see below :P ) Keep your separate func
405 return; 414 return;
406 415
407 if (!CanUseSeccompFilters()) 416 if (!CanUseSeccompFilters())
408 return; 417 return;
409 418
410 CheckSingleThreaded(); 419 CheckSingleThreaded();
411 420
412 std::vector<struct sock_filter> program; 421 std::vector<struct sock_filter> program;
413 EmitPreamble(&program); 422 EmitPreamble(&program);
414 423
415 if (process_type == switches::kGpuProcess) { 424 if (process_type == switches::kGpuProcess &&
425 ShouldEnableGPUSandbox()) {
Chris Evans 2012/06/08 07:13:57 You want to do it above, otherwise you'll crash in
Jorge Lucangeli Obes 2012/06/11 20:23:04 Done.
416 ApplyGPUPolicy(&program); 426 ApplyGPUPolicy(&program);
417 EmitTrap(&program); // Default deny. 427 EmitTrap(&program); // Default deny.
418 } else if (process_type == switches::kPpapiPluginProcess) { 428 } else if (process_type == switches::kPpapiPluginProcess) {
419 ApplyFlashPolicy(&program); 429 ApplyFlashPolicy(&program);
420 EmitTrap(&program); // Default deny. 430 EmitTrap(&program); // Default deny.
421 } else if (process_type == switches::kRendererProcess || 431 } else if (process_type == switches::kRendererProcess ||
422 process_type == switches::kWorkerProcess) { 432 process_type == switches::kWorkerProcess) {
423 ApplyNoPtracePolicy(&program); 433 ApplyNoPtracePolicy(&program);
424 EmitAllow(&program); // Default permit. 434 EmitAllow(&program); // Default permit.
425 } else { 435 } else {
426 NOTREACHED(); 436 NOTREACHED();
427 } 437 }
428 438
429 InstallSIGSYSHandler(); 439 InstallSIGSYSHandler();
430 InstallFilter(program); 440 InstallFilter(program);
431 } 441 }
432 442
433 } // namespace content 443 } // namespace content
434 444
435 #else 445 #else
436 446
437 namespace content { 447 namespace content {
438 448
439 void InitializeSandbox() { 449 void InitializeSandbox() {
440 } 450 }
441 451
442 } // namespace content 452 } // namespace content
443 453
444 #endif 454 #endif
445
OLDNEW
« no previous file with comments | « no previous file | content/gpu/gpu_main.cc » ('j') | content/gpu/gpu_main.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698