Chromium Code Reviews| Index: content/common/sandbox_seccomp_bpf_linux.cc |
| diff --git a/content/common/sandbox_init_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc |
| similarity index 83% |
| copy from content/common/sandbox_init_linux.cc |
| copy to content/common/sandbox_seccomp_bpf_linux.cc |
| index b9cafa2f2bcb702ce54b7bcf4adc97538cf0e965..f017b1fd840e0242fbc6a9840f677e648e8171a7 100644 |
| --- a/content/common/sandbox_init_linux.cc |
| +++ b/content/common/sandbox_seccomp_bpf_linux.cc |
| @@ -2,16 +2,6 @@ |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| -#include "content/common/seccomp_sandbox.h" |
| -#include "content/public/common/sandbox_init.h" |
| - |
| -#if defined(__i386__) || defined(__x86_64__) |
| - |
| -// This is an assert for GYP |
| -#if !defined(OS_LINUX) |
| - #error "Linux specific file compiled on non Linux OS!" |
| -#endif |
| - |
| #include <asm/unistd.h> |
| #include <dlfcn.h> |
| #include <errno.h> |
| @@ -29,11 +19,17 @@ |
| #include <vector> |
| #include "base/command_line.h" |
| -#include "base/file_util.h" |
| #include "base/logging.h" |
| -#include "base/time.h" |
| #include "content/common/sandbox_linux.h" |
| +#include "content/common/sandbox_seccomp_bpf_linux.h" |
| #include "content/public/common/content_switches.h" |
| + |
| +// These are the only architectures supported for now. |
| +#if defined(__i386__) || defined(__x86_64__) |
| +#define SECCOMP_BPF_SANDBOX |
| +#endif |
| + |
| +#if defined(SECCOMP_BPF_SANDBOX) |
| #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| // These are fairly new and not defined in all headers yet. |
| @@ -61,18 +57,6 @@ |
| namespace { |
| -bool IsSingleThreaded() { |
| - // Possibly racy, but it's ok because this is more of a debug check to catch |
| - // new threaded situations arising during development. |
| - int num_threads = |
| - file_util::CountFilesCreatedAfter(FilePath("/proc/self/task"), |
| - base::Time::UnixEpoch()); |
| - |
| - // We pass the test if we don't know ( == 0), because the setuid sandbox |
| - // will prevent /proc access in some contexts. |
| - return num_threads == 1 || num_threads == 0; |
| -} |
| - |
| inline bool IsChromeOS() { |
| #if defined(OS_CHROMEOS) |
| return true; |
| @@ -443,11 +427,6 @@ void WarmupPolicy(playground2::Sandbox::EvaluateSyscall policy) { |
| // Is the sandbox fully disabled for this process? |
| bool ShouldDisableBpfSandbox(const CommandLine& command_line, |
| const std::string& process_type) { |
| - if (command_line.HasSwitch(switches::kNoSandbox) || |
| - command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { |
| - return true; |
| - } |
| - |
| if (process_type == switches::kGpuProcess) { |
| // The GPU sandbox is disabled by default in ChromeOS, enabled by default on |
| // generic Linux. |
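Review bot: ShouldDisableBpfSandbox's header comment, `// Is the sandbox fully disabled for this process?`, no longer describes what the function checks: the global --no-sandbox and --disable-seccomp-filter-sandbox tests are removed here, and what remains (the body continues past the hunk) is process-type policy only. A reader trusting the comment could take a `false` result to mean seccomp-bpf is enabled for the process, which is no longer what the function establishes on its own. Suggest replacing the comment with `// Process-type specific policy only. The global --no-sandbox and --disable-seccomp-filter-sandbox switches are handled by SandboxSeccompBpf::IsSeccompBpfDesired(); callers must consult both.`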
| @@ -500,33 +479,8 @@ playground2::Sandbox::EvaluateSyscall GetProcessSyscallPolicy( |
| } |
| // Initialize the seccomp-bpf sandbox. |
| -bool InitializeBpfSandbox_x86(const CommandLine& command_line, |
| - const std::string& process_type) { |
| - if (ShouldDisableBpfSandbox(command_line, process_type)) |
| - return false; |
| - |
| - // No matter what, InitializeSandbox() should always be called before threads |
| - // are started. |
| - // Note: IsSingleThreaded() will be true if /proc is not accessible! |
| - if (!IsSingleThreaded()) { |
| - std::string error_message = "InitializeSandbox() called with multiple " |
| - "threads in process " + process_type; |
| - // TODO(jln): change this into a CHECK() once we are more comfortable it |
| - // does not trigger. |
| - // On non-DEBUG build, we still log an error |
| - LOG(ERROR) << error_message; |
| - return false; |
| - } |
| - |
| - // TODO(jln): find a way for the Zygote processes under the setuid sandbox to |
| - // have a /proc fd and pass it here. |
| - // Passing -1 as the /proc fd since we have no special way to have it for |
| - // now. |
| - if (playground2::Sandbox::supportsSeccompSandbox(-1) != |
| - playground2::Sandbox::STATUS_AVAILABLE) { |
| - return false; |
| - } |
| - |
| +bool StartBpfSandbox_x86(const CommandLine& command_line, |
| + const std::string& process_type) { |
| playground2::Sandbox::EvaluateSyscall SyscallPolicy = |
| GetProcessSyscallPolicy(command_line, process_type); |
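Review bot: StartBpfSandbox_x86 now installs the filter unconditionally, and the removed comment stating that initialization must always happen before threads are started goes with the removed IsSingleThreaded() check, so nothing in this file still states or enforces that precondition (the function body continues outside the hunk). Presumably the thread check moved to LinuxSandbox along with the deleted helper, but the new function should document what it relies on rather than depend on the single caller in StartSandbox() getting the order right. Suggest a comment above the signature: `// Precondition: the caller has already applied policy (ShouldDisableBpfSandbox) and verified kernel support (SupportsSandbox), and the process is still single-threaded; the filter is installed here without re-checking either.` Note also that the removed IsSingleThreaded() deliberately passed when /proc was unreadable, so whatever replaces it should not inherit that blind spot.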
| @@ -539,37 +493,47 @@ bool InitializeBpfSandbox_x86(const CommandLine& command_line, |
| return true; |
| } |
| -} // anonymous namespace |
| +} // namespace |
| -#endif // defined(__i386__) || defined(__x86_64__) |
| +#endif // SECCOMP_BPF_SANDBOX |
| namespace content { |
| -void InitializeSandbox() { |
| -#if defined(__i386__) || defined(__x86_64__) |
| +// Is seccomp BPF globally enabled? |
| +bool SandboxSeccompBpf::IsSeccompBpfDesired() { |
| + const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| + if (!command_line.HasSwitch(switches::kNoSandbox) && |
| + !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { |
| + return true; |
| + } else { |
| + return false; |
| + } |
| +} |
| + |
| +bool SandboxSeccompBpf::SupportsSandbox() { |
| +#if defined(SECCOMP_BPF_SANDBOX) |
| + // TODO(jln): pass the savec proc_fd_ from the LinuxSandbox singleton |
|
Jorge Lucangeli Obes
2012/08/02 21:04:12
saved
jln (very slow on Chromium)
2012/08/02 21:06:57
Done.
|
| + // here. |
| + if (playground2::Sandbox::supportsSeccompSandbox(-1) == |
| + playground2::Sandbox::STATUS_AVAILABLE) { |
| + return true; |
| + } |
| +#endif |
| + return false; |
| +} |
| + |
| +bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { |
| +#if defined(SECCOMP_BPF_SANDBOX) |
| const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| - const std::string process_type = |
| - command_line.GetSwitchValueASCII(switches::kProcessType); |
| - bool seccomp_legacy_started = false; |
| - bool seccomp_bpf_started = false; |
| - |
| - // First, try to enable seccomp-legacy. |
| - seccomp_legacy_started = |
| - LinuxSandbox::GetInstance()->StartSeccompLegacy(process_type); |
| - if (seccomp_legacy_started) |
| - LogSandboxStarted("seccomp-legacy", process_type); |
| - |
| - // Then, try to enable seccomp-bpf. |
| - // If seccomp-legacy is enabled, seccomp-bpf initialization will crash |
| - // instead of failing gracefully. |
| - // TODO(markus): fix this (crbug.com/139872). |
| - if (!seccomp_legacy_started) { |
| - seccomp_bpf_started = |
| - InitializeBpfSandbox_x86(command_line, process_type); |
| + |
| + if (IsSeccompBpfDesired() && // Global switches policy. |
| + // Process-specific policy. |
| + !ShouldDisableBpfSandbox(command_line, process_type) && |
| + SupportsSandbox()) { |
| + return StartBpfSandbox_x86(command_line, process_type); |
| } |
| - if (seccomp_bpf_started) |
| - LogSandboxStarted("seccomp-bpf", process_type); |
| #endif |
| + return false; |
| } |
| } // namespace content |
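Review bot: SandboxSeccompBpf::StartSandbox folds four different outcomes into a single `false`: disabled by global switch, disabled by process-type policy, kernel or architecture not supported (SupportsSandbox() is false on every non-x86 build), and StartBpfSandbox_x86 failing after all checks passed. The removed InitializeSandbox() at least reported the successful case via LogSandboxStarted(); in the new code the security-relevant "desired but unavailable" case is not visible here, so unless the caller (not in this hunk) distinguishes it, a process running without seccomp-bpf because the kernel lacks support looks identical to one where it was turned off on purpose. Since base/logging.h is already included, suggest splitting the support test out of the combined condition and warning on that branch, as below. Smaller style point: IsSeccompBpfDesired's if/else can be `return !command_line.HasSwitch(switches::kNoSandbox) && !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox);`.
```cpp
bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) {
#if defined(SECCOMP_BPF_SANDBOX)
  const CommandLine& command_line = *CommandLine::ForCurrentProcess();

  if (IsSeccompBpfDesired() &&  // Global switches policy.
      // Process-specific policy.
      !ShouldDisableBpfSandbox(command_line, process_type)) {
    if (SupportsSandbox())
      return StartBpfSandbox_x86(command_line, process_type);
    // Policy asked for seccomp-bpf but this kernel/architecture cannot
    // provide it; make the degraded state visible instead of returning a
    // false that is indistinguishable from "disabled on purpose".
    LOG(WARNING) << "seccomp-bpf sandbox desired but not supported in "
                 << process_type;
  }
#endif
  return false;
}
```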