| Index: content/common/sandbox_seccomp_bpf_linux.cc
|
| diff --git a/content/common/sandbox_init_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc
|
| similarity index 83%
|
| copy from content/common/sandbox_init_linux.cc
|
| copy to content/common/sandbox_seccomp_bpf_linux.cc
|
| index b9cafa2f2bcb702ce54b7bcf4adc97538cf0e965..3468413c11d920679b9e059024a2eca2da320ea4 100644
|
| --- a/content/common/sandbox_init_linux.cc
|
| +++ b/content/common/sandbox_seccomp_bpf_linux.cc
|
| @@ -2,16 +2,6 @@
|
| // Use of this source code is governed by a BSD-style license that can be
|
| // found in the LICENSE file.
|
|
|
| -#include "content/common/seccomp_sandbox.h"
|
| -#include "content/public/common/sandbox_init.h"
|
| -
|
| -#if defined(__i386__) || defined(__x86_64__)
|
| -
|
| -// This is an assert for GYP
|
| -#if !defined(OS_LINUX)
|
| - #error "Linux specific file compiled on non Linux OS!"
|
| -#endif
|
| -
|
| #include <asm/unistd.h>
|
| #include <dlfcn.h>
|
| #include <errno.h>
|
| @@ -29,11 +19,17 @@
|
| #include <vector>
|
|
|
| #include "base/command_line.h"
|
| -#include "base/file_util.h"
|
| #include "base/logging.h"
|
| -#include "base/time.h"
|
| #include "content/common/sandbox_linux.h"
|
| +#include "content/common/sandbox_seccomp_bpf_linux.h"
|
| #include "content/public/common/content_switches.h"
|
| +
|
| +// These are the only architectures supported for now.
|
| +#if defined(__i386__) || defined(__x86_64__)
|
| +#define SECCOMP_BPF_SANDBOX
|
| +#endif
|
| +
|
| +#if defined(SECCOMP_BPF_SANDBOX)
|
| #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
|
|
|
| // These are fairly new and not defined in all headers yet.
|
| @@ -61,18 +57,6 @@
|
|
|
| namespace {
|
|
|
| -bool IsSingleThreaded() {
|
| - // Possibly racy, but it's ok because this is more of a debug check to catch
|
| - // new threaded situations arising during development.
|
| - int num_threads =
|
| - file_util::CountFilesCreatedAfter(FilePath("/proc/self/task"),
|
| - base::Time::UnixEpoch());
|
| -
|
| - // We pass the test if we don't know ( == 0), because the setuid sandbox
|
| - // will prevent /proc access in some contexts.
|
| - return num_threads == 1 || num_threads == 0;
|
| -}
|
| -
|
| inline bool IsChromeOS() {
|
| #if defined(OS_CHROMEOS)
|
| return true;
|
| @@ -443,11 +427,6 @@ void WarmupPolicy(playground2::Sandbox::EvaluateSyscall policy) {
|
| // Is the sandbox fully disabled for this process?
|
| bool ShouldDisableBpfSandbox(const CommandLine& command_line,
|
| const std::string& process_type) {
|
| - if (command_line.HasSwitch(switches::kNoSandbox) ||
|
| - command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) {
|
| - return true;
|
| - }
|
| -
|
| if (process_type == switches::kGpuProcess) {
|
| // The GPU sandbox is disabled by default in ChromeOS, enabled by default on
|
| // generic Linux.
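Review bot: The comment `// Is the sandbox fully disabled for this process?` above ShouldDisableBpfSandbox no longer matches what the function does: with the switches::kNoSandbox / switches::kDisableSeccompFilterSandbox check removed here, it only answers the per-process-type question, and a reader may assume the global switches are still honoured by it. Suggest `// Is the seccomp-bpf sandbox disabled for this process type? Global switches (kNoSandbox, kDisableSeccompFilterSandbox) are checked in SandboxSeccompBpf::IsSeccompBpfDesired().` The body of ShouldDisableBpfSandbox continues past the end of this hunk.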
|
| @@ -500,33 +479,8 @@ playground2::Sandbox::EvaluateSyscall GetProcessSyscallPolicy(
|
| }
|
|
|
| // Initialize the seccomp-bpf sandbox.
|
| -bool InitializeBpfSandbox_x86(const CommandLine& command_line,
|
| - const std::string& process_type) {
|
| - if (ShouldDisableBpfSandbox(command_line, process_type))
|
| - return false;
|
| -
|
| - // No matter what, InitializeSandbox() should always be called before threads
|
| - // are started.
|
| - // Note: IsSingleThreaded() will be true if /proc is not accessible!
|
| - if (!IsSingleThreaded()) {
|
| - std::string error_message = "InitializeSandbox() called with multiple "
|
| - "threads in process " + process_type;
|
| - // TODO(jln): change this into a CHECK() once we are more comfortable it
|
| - // does not trigger.
|
| - // On non-DEBUG build, we still log an error
|
| - LOG(ERROR) << error_message;
|
| - return false;
|
| - }
|
| -
|
| - // TODO(jln): find a way for the Zygote processes under the setuid sandbox to
|
| - // have a /proc fd and pass it here.
|
| - // Passing -1 as the /proc fd since we have no special way to have it for
|
| - // now.
|
| - if (playground2::Sandbox::supportsSeccompSandbox(-1) !=
|
| - playground2::Sandbox::STATUS_AVAILABLE) {
|
| - return false;
|
| - }
|
| -
|
| +bool StartBpfSandbox_x86(const CommandLine& command_line,
|
| + const std::string& process_type) {
|
| playground2::Sandbox::EvaluateSyscall SyscallPolicy =
|
| GetProcessSyscallPolicy(command_line, process_type);
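Review bot: The single-thread precondition is gone from the seccomp-bpf start path: IsSingleThreaded() is deleted in the earlier hunk and StartBpfSandbox_x86 no longer calls it, yet the filter installed further down only constrains the thread that installs it, so any thread already running at this point keeps running unfiltered. If that check moved to the caller (LinuxSandbox or the new StartSandbox in a file outside this diff), record the contract above StartBpfSandbox_x86, e.g. `// Precondition: the process must be single-threaded; the filter installed here applies to the calling thread only.`; if it did not move, it should be reinstated before the policy is installed. The stale comment `// Initialize the seccomp-bpf sandbox.` should also follow the rename to StartBpfSandbox_x86. The body of StartBpfSandbox_x86 continues past the end of this hunk.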
|
|
|
| @@ -539,37 +493,47 @@ bool InitializeBpfSandbox_x86(const CommandLine& command_line,
|
| return true;
|
| }
|
|
|
| -} // anonymous namespace
|
| +} // namespace
|
|
|
| -#endif // defined(__i386__) || defined(__x86_64__)
|
| +#endif // SECCOMP_BPF_SANDBOX
|
|
|
| namespace content {
|
|
|
| -void InitializeSandbox() {
|
| -#if defined(__i386__) || defined(__x86_64__)
|
| +// Is seccomp BPF globally enabled?
|
| +bool SandboxSeccompBpf::IsSeccompBpfDesired() {
|
| + const CommandLine& command_line = *CommandLine::ForCurrentProcess();
|
| + if (!command_line.HasSwitch(switches::kNoSandbox) &&
|
| + !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) {
|
| + return true;
|
| + } else {
|
| + return false;
|
| + }
|
| +}
|
| +
|
| +bool SandboxSeccompBpf::SupportsSandbox() {
|
| +#if defined(SECCOMP_BPF_SANDBOX)
|
| + // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton
|
| + // here.
|
| + if (playground2::Sandbox::supportsSeccompSandbox(-1) ==
|
| + playground2::Sandbox::STATUS_AVAILABLE) {
|
| + return true;
|
| + }
|
| +#endif
|
| + return false;
|
| +}
|
| +
|
| +bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) {
|
| +#if defined(SECCOMP_BPF_SANDBOX)
|
| const CommandLine& command_line = *CommandLine::ForCurrentProcess();
|
| - const std::string process_type =
|
| - command_line.GetSwitchValueASCII(switches::kProcessType);
|
| - bool seccomp_legacy_started = false;
|
| - bool seccomp_bpf_started = false;
|
| -
|
| - // First, try to enable seccomp-legacy.
|
| - seccomp_legacy_started =
|
| - LinuxSandbox::GetInstance()->StartSeccompLegacy(process_type);
|
| - if (seccomp_legacy_started)
|
| - LogSandboxStarted("seccomp-legacy", process_type);
|
| -
|
| - // Then, try to enable seccomp-bpf.
|
| - // If seccomp-legacy is enabled, seccomp-bpf initialization will crash
|
| - // instead of failing gracefully.
|
| - // TODO(markus): fix this (crbug.com/139872).
|
| - if (!seccomp_legacy_started) {
|
| - seccomp_bpf_started =
|
| - InitializeBpfSandbox_x86(command_line, process_type);
|
| +
|
| + if (IsSeccompBpfDesired() && // Global switches policy.
|
| + // Process-specific policy.
|
| + !ShouldDisableBpfSandbox(command_line, process_type) &&
|
| + SupportsSandbox()) {
|
| + return StartBpfSandbox_x86(command_line, process_type);
|
| }
|
| - if (seccomp_bpf_started)
|
| - LogSandboxStarted("seccomp-bpf", process_type);
|
| #endif
|
| + return false;
|
| }
|
|
|
| } // namespace content
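Review bot: StartSandbox() no longer records that the seccomp-bpf sandbox was engaged: the old `LogSandboxStarted("seccomp-bpf", process_type)` call is removed and the result of StartBpfSandbox_x86 is simply returned, so unless the caller in LinuxSandbox (outside this diff) logs it, the "sandbox started" signal disappears from the process log; a one-line comment above StartSandbox stating who is responsible for logging would settle this, e.g. `// The caller is responsible for logging whether the sandbox started.` IsSeccompBpfDesired() can also be collapsed to a single expression, `return !command_line.HasSwitch(switches::kNoSandbox) && !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox);`, which reads as the policy it states rather than as an if/else returning constants.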
|
|
|