Linux: initialize the sandbox in the utility process.

Linux: initialize the sandbox in the utility process.

We initialize the new Linux sandbox in the utility process. We don't
have a useful policy for this process at the moment, so we only apply
a basic blacklist of system calls.

BUG=93109
Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=155087

[jln (very slow on Chromium), 2012-08-31 23:34:33]

This will only effectively blacklist ptrace et al. at the moment, but it's a
step towards at least having every process go through InitializeSandbox() on
Linux.

[Jorge Lucangeli Obes, 2012-08-31 23:36:59]

On 2012/08/31 23:34:33, Julien Tinnes wrote:
> This will only effectively blacklist ptrace et al. at the moment, but it's a
> step towards at least having every process go through InitializeSandbox() on
> Linux.

jln: we have to tread more carefully with the utility process, since some of the
incarnations are not spawned from the zygote, because they need FS to unpack
extensions. For now though, BlacklistPtrace seems OK.

[Markus (顧孟勤), 2012-08-31 23:39:58]

The ptrace() policy is fine in general, but I am not sure I am the appropriate
person to review this CL. I don't know enough about the utility process to make
an educated decision.

[jln (very slow on Chromium), 2012-08-31 23:40:14]

On 2012/08/31 23:36:59, Jorge Lucangeli Obes wrote:
> On 2012/08/31 23:34:33, Julien Tinnes wrote:
> > This will only effectively blacklist ptrace et al. at the moment, but it's a
> > step towards at least having every process go through InitializeSandbox() on
> > Linux.
> 
> jln: we have to tread more carefully with the utility process, since some of
the
> incarnations are not spawned from the zygote, because they need FS to unpack
> extensions. For now though, BlacklistPtrace seems OK.

Yep, I know, it looks like this might become the big user of the open() broker
:)

Matt is out ATM, but I'll talk with him to get a sense of what's needed. As far
as I can tell so far we'll need to broker out FS access, probably a lot more
than open.

It's nice to get all the process types go through InitializeSandbox() in any
case, though.

[Matt Perry, 2012-09-05 22:28:34]

I don't know much about the sandbox, but as long as extension unpacking (and
other uses of the utility process - see
http://code.google.com/searchframe#OAMlx_jo-ck/src/chrome/utility/chrome_cont...
) still work, this LGTM.

[jln (very slow on Chromium), 2012-09-05 22:50:49]

On 2012/09/05 22:28:34, Matt Perry wrote:
> I don't know much about the sandbox, but as long as extension unpacking (and
> other uses of the utility process - see
>
http://code.google.com/searchframe#OAMlx_jo-ck/src/chrome/utility/chrome_cont...
> ) still work, this LGTM.

Yeah, presently we'll only prevent to use the ptrace() API, which you most
likely don't need. We should chat and try to actually write a proper sandbox for
the utility process. It's not trivial, but I think it's needed.

Julien

[commit-bot: I haz the power, 2012-09-05 22:57:40]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/jln@chromium.org/10920057/1

[commit-bot: I haz the power, 2012-09-06 01:21:09]

Change committed as 155087