content/zygote/zygote_main_linux.cc - Issue 11231021: Zygote: Initialize NSS fully

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: content/zygote/zygote_main_linux.cc

Issue 11231021: Zygote: Initialize NSS fully (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: rebase Created 8 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <dlfcn.h>	5 #include <dlfcn.h>

6 #include <fcntl.h>	6 #include <fcntl.h>

7 #include <pthread.h>	7 #include <pthread.h>

8 #include <stdio.h>	8 #include <stdio.h>

9 #include <sys/socket.h>	9 #include <sys/socket.h>

10 #include <sys/stat.h>	10 #include <sys/stat.h>

(...skipping 472 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
483 }	483 }

484	484

485 if (setuid_sandbox->IsInNewPIDNamespace() && !has_started_new_init) {	485 if (setuid_sandbox->IsInNewPIDNamespace() && !has_started_new_init) {

486 LOG(ERROR) << "The SUID sandbox created a new PID namespace but Zygote "	486 LOG(ERROR) << "The SUID sandbox created a new PID namespace but Zygote "

487 "is not the init process. Please, make sure the SUID "	487 "is not the init process. Please, make sure the SUID "

488 "binary is up to date.";	488 "binary is up to date.";

489 }	489 }

490	490

491 int sandbox_flags = linux_sandbox->GetStatus();	491 int sandbox_flags = linux_sandbox->GetStatus();

492	492

	493 #if defined(USE_NSS)

	494 // Initialize NSS. We don't want to do this pre-sandbox because it's not well

	495 // defined what venues of attacks it could create.

	496 //

	497 // In addition to the benfit of doing this initialization only once, (it will

	498 // be inherited), this is a good warm-up before we enable our next layer of

	499 // sandbox, e.g. seccomp-bpf.

	500

	501 // We will soon fork, but we haven't loaded any security module.

	502 crypto::DisableNSSForkCheck();

	503 // The setuid sandbox would prevent opening user security modules anyway,

	504 // but it's more correct to tell NSS to not do it.

	505 // Loading user security modules would have security implications.

	506 crypto::ForceNSSNoDBInit();

	507 // Initialize NSS, every child process will benefit from it.

	508 crypto::EnsureNSSInit();

	509 #endif

	510

493 Zygote zygote(sandbox_flags, forkdelegate);	511 Zygote zygote(sandbox_flags, forkdelegate);

494 // This function call can return multiple times, once per fork().	512 // This function call can return multiple times, once per fork().

495 return zygote.ProcessRequests();	513 return zygote.ProcessRequests();

496 }	514 }

497	515

498 } // namespace content	516 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »