Refactor the setuid sandbox client code to its own class.

sandbox/linux/suid/sandbox.c

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox
 
-#include "sandbox.h"
+#include "common/sandbox.h"
 
 #define _GNU_SOURCE
 #include <asm/unistd.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
 #include <sched.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/prctl.h>
 #include <sys/resource.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/vfs.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include "linux_util.h"
 #include "process_util.h"
-#include "suid_unsafe_environment_variables.h"
+#include "common/suid_unsafe_environment_variables.h"
 
 #if !defined(CLONE_NEWPID)
 #define CLONE_NEWPID 0x20000000
 #endif
 #if !defined(CLONE_NEWNET)
 #define CLONE_NEWNET 0x40000000
 #endif
 
-static const char kSandboxDescriptorEnvironmentVarName[] = "SBX_D";
-static const char kSandboxHelperPidEnvironmentVarName[] = "SBX_HELPER_PID";
-
-// Should be kept in sync with base/linux_util.h
-static const long kSUIDSandboxApiNumber = 1;
-static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ";
-static const char kSandboxEnvironmentApiProvides[] = "SBX_CHROME_API_PRV";
-
-// This number must be kept in sync with common/zygote_commands_linux.h
-static const int kZygoteIdFd = 7;
-
-// These are the magic byte values which the sandboxed process uses to request
-// that it be chrooted.
-static const char kMsgChrootMe = 'C';
-static const char kMsgChrootSuccessful = 'O';
-
 static bool DropRoot();
 
 #define HANDLE_EINTR(x) TEMP_FAILURE_RETRY(x)
 
 static void FatalError(const char *msg, ...)
     __attribute__((noreturn, format(printf, 1, 2)));
 
 static void FatalError(const char *msg, ...) {
   va_list ap;
   va_start(ap, msg);
@@ skipping 204 matching lines @@
 
       // Wait for the parent to confirm it closed kZygoteIdFd before we
       // continue
       char should_continue;
       if (HANDLE_EINTR(read(sync_fds[0], &should_continue, 1)) != 1)
         FatalError("Read on socketpair");
       if (close(sync_fds[0]))
         FatalError("close");
 
       if (kCloneExtraFlags[i] & CLONE_NEWPID) {
-        setenv("SBX_PID_NS", "", 1 /* overwrite */);
+        setenv(kSandboxPIDNSEnvironmentVarName, "", 1 /* overwrite */);
       } else {
-        unsetenv("SBX_PID_NS");
+        unsetenv(kSandboxPIDNSEnvironmentVarName);
       }
 
       if (kCloneExtraFlags[i] & CLONE_NEWNET) {
-        setenv("SBX_NET_NS", "", 1 /* overwrite */);
+        setenv(kSandboxNETNSEnvironmentVarName, "", 1 /* overwrite */);
       } else {
-        unsetenv("SBX_NET_NS");
+        unsetenv(kSandboxNETNSEnvironmentVarName);
       }
 
       break;
     }
 
     if (errno != EINVAL) {
       perror("Failed to move to new PID namespace");
       return false;
     }
   }
@@ skipping 187 matching lines @@
   if (!DropRoot())
     return 1;
   if (!SetupChildEnvironment())
     return 1;
 
   execv(argv[1], &argv[1]);
   FatalError("execv failed");
 
   return 1;
 }