Chromium Code Reviews

Side by Side Diff: content/zygote/zygote_main_linux.cc

Issue 11231021: Zygote: Initialize NSS fully (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 2 months ago
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <dlfcn.h> 5 #include <dlfcn.h>
6 #include <fcntl.h> 6 #include <fcntl.h>
7 #include <pthread.h> 7 #include <pthread.h>
8 #include <stdio.h> 8 #include <stdio.h>
9 #include <sys/socket.h> 9 #include <sys/socket.h>
10 #include <sys/stat.h> 10 #include <sys/stat.h>
(...skipping 472 matching lines...)
483 } 483 }
484 484
485 if (setuid_sandbox->IsInNewPIDNamespace() && !has_started_new_init) { 485 if (setuid_sandbox->IsInNewPIDNamespace() && !has_started_new_init) {
486 LOG(ERROR) << "The SUID sandbox created a new PID namespace but Zygote " 486 LOG(ERROR) << "The SUID sandbox created a new PID namespace but Zygote "
487 "is not the init process. Please, make sure the SUID " 487 "is not the init process. Please, make sure the SUID "
488 "binary is up to date."; 488 "binary is up to date.";
489 } 489 }
490 490
491 int sandbox_flags = linux_sandbox->GetStatus(); 491 int sandbox_flags = linux_sandbox->GetStatus();
492 492
493 #if defined(USE_NSS)
494 // Do some extra NSS initialization. We don't want to do this pre-sandbox
wtc 2012/10/23 18:52:28 Nit: change "Do some extra NSS initialization" to
jln (very slow on Chromium) 2012/10/23 19:06:50 Done.
495 // because it's not well defined what venues of attacks it could create.
496 //
497 // In addition to the benfit of doing this initialization only once, (it
498 // will be inherited), this is a good warm-up before we enable our next layer
499 // of sandbox, e.g. seccomp-bpf.
wtc 2012/10/23 18:52:28 In general a multithreaded program on Unix should
jln (very slow on Chromium) 2012/10/23 19:06:50 Yes, but we don't have threads at this point. If w
500
501 // We will soon fork, but we haven't loaded any security module.
502 crypto::DisableNSSForkCheck();
wtc 2012/10/23 18:52:28 I am not familiar with what it takes to make NSS w
jln (very slow on Chromium) 2012/10/23 19:06:50 I think that is the most important part. If you an
503 // The setuid sandbox would prevent opening user security modules anyway,
504 // but it's more correct to tell NSS to not do it.
505 // Loading user security modules would have security implications.
506 crypto::ForceNSSNoDBInit();
507 // Initialize NSS, every child process will benefit from it.
508 crypto::EnsureNSSInit();
509 #endif
510
493 Zygote zygote(sandbox_flags, forkdelegate); 511 Zygote zygote(sandbox_flags, forkdelegate);
494 // This function call can return multiple times, once per fork(). 512 // This function call can return multiple times, once per fork().
495 return zygote.ProcessRequests(); 513 return zygote.ProcessRequests();
496 } 514 }
497 515
498 } // namespace content 516 } // namespace content
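
Review bot: The new block at 493-509 runs unconditionally right after `int sandbox_flags = linux_sandbox->GetStatus();` and never consults `sandbox_flags`, although its comment rests on the sandbox already being in place ("We don't want to do this pre-sandbox"), and the check just above at 485-489 only logs an error and carries on. Please either say in the comment why initializing NSS here is still acceptable when no sandbox layer is engaged (the `crypto::ForceNSSNoDBInit()` call looks like the intended safeguard, since the comment at 503-505 says the setuid sandbox alone should not be relied on), or gate the block on the reported status. The three calls also look order-dependent, with `crypto::DisableNSSForkCheck()` and `crypto::ForceNSSNoDBInit()` placed before `crypto::EnsureNSSInit()`; a one-line comment stating that the two configuration calls must come first would stop a later reorder from silently changing behaviour. Comment nits: "benfit" should be "benefit" at 497, "venues of attacks" reads better as "avenues of attack" at 495, and the comma before the parenthesis at 497 is stray.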