| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <fcntl.h> | 5 #include <fcntl.h> |
| 6 #include <sys/stat.h> | 6 #include <sys/stat.h> |
| 7 #include <sys/types.h> | 7 #include <sys/types.h> |
| 8 | 8 |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/eintr_wrapper.h" | 10 #include "base/eintr_wrapper.h" |
| (...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 153 sandbox_flags |= kSandboxLinuxSUID; | 153 sandbox_flags |= kSandboxLinuxSUID; |
| 154 if (setuid_sandbox_client_->IsInNewPIDNamespace()) | 154 if (setuid_sandbox_client_->IsInNewPIDNamespace()) |
| 155 sandbox_flags |= kSandboxLinuxPIDNS; | 155 sandbox_flags |= kSandboxLinuxPIDNS; |
| 156 if (setuid_sandbox_client_->IsInNewNETNamespace()) | 156 if (setuid_sandbox_client_->IsInNewNETNamespace()) |
| 157 sandbox_flags |= kSandboxLinuxNetNS; | 157 sandbox_flags |= kSandboxLinuxNetNS; |
| 158 } | 158 } |
| 159 if (seccomp_legacy_supported() && | 159 if (seccomp_legacy_supported() && |
| 160 ShouldEnableSeccompLegacy(switches::kRendererProcess)) { | 160 ShouldEnableSeccompLegacy(switches::kRendererProcess)) { |
| 161 // We report whether the sandbox will be activated when renderers go | 161 // We report whether the sandbox will be activated when renderers go |
| 162 // through sandbox initialization. | 162 // through sandbox initialization. |
| 163 sandbox_flags |= kSandboxLinuxSeccomp; | 163 sandbox_flags |= kSandboxLinuxSeccompLegacy; |
| 164 } |
| 165 if (seccomp_bpf_supported() && |
| 166 SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) { |
| 167 // Same here, what we report is what we will do for the renderer. |
| 168 sandbox_flags |= kSandboxLinuxSeccompBpf; |
| 164 } | 169 } |
| 165 return sandbox_flags; | 170 return sandbox_flags; |
| 166 } | 171 } |
| 167 | 172 |
| 168 bool LinuxSandbox::IsSingleThreaded() const { | 173 bool LinuxSandbox::IsSingleThreaded() const { |
| 169 // TODO(jln): re-implement this properly and use our proc_fd_ if available. | 174 // TODO(jln): re-implement this properly and use our proc_fd_ if available. |
| 170 // Possibly racy, but it's ok because this is more of a debug check to catch | 175 // Possibly racy, but it's ok because this is more of a debug check to catch |
| 171 // new threaded situations arising during development. | 176 // new threaded situations arising during development. |
| 172 int num_threads = file_util::CountFilesCreatedAfter( | 177 int num_threads = file_util::CountFilesCreatedAfter( |
| 173 FilePath("/proc/self/task"), | 178 FilePath("/proc/self/task"), |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 221 return seccomp_legacy_supported_; | 226 return seccomp_legacy_supported_; |
| 222 } | 227 } |
| 223 | 228 |
| 224 bool LinuxSandbox::seccomp_bpf_supported() const { | 229 bool LinuxSandbox::seccomp_bpf_supported() const { |
| 225 CHECK(pre_initialized_); | 230 CHECK(pre_initialized_); |
| 226 return seccomp_bpf_supported_; | 231 return seccomp_bpf_supported_; |
| 227 } | 232 } |
| 228 | 233 |
| 229 } // namespace content | 234 } // namespace content |
| 230 | 235 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10829156:
Linux: add BPF sandbox status in about:sandbox (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src