sandbox-bpf: more robust probe process in release mode

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <endian.h>
 #if __BYTE_ORDER == __BIG_ENDIAN
 // The BPF "struct seccomp_data" layout has to deal with storing 64bit
 // values that need to be inspected by a virtual machine that only ever
 // operates on 32bit values. The kernel developers decided how values
 // should be split into two 32bit words to achieve this goal. But at this
 // time, there is no existing BPF implementation in the kernel that uses
 // 64bit big endian values. So, all we have to go by is the consensus
 // from a discussion on LKLM. Actual implementations, if and when they
 // happen, might very well differ.
 // If this code is ever going to be used with such a kernel, you should
 // disable the "#error" and carefully test the code (e.g. run the unit
 // tests). If things don't work, search for all occurrences of __BYTE_ORDER
 // and verify that the proposed implementation agrees with what the kernel
 // actually does.
 #error Big endian operation is untested and expected to be broken
 #endif
 
+#ifndef SECCOMP_BPF_STANDALONE
+#include "base/logging.h"
+#include "base/posix/eintr_wrapper.h"
+#endif
+
 #include "sandbox/linux/seccomp-bpf/codegen.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 
 namespace {
 
 void WriteFailedStderrSetupMessage(int out_fd) {
   const char* error_string = strerror(errno);
-  static const char msg[] = "Failed to set up stderr: ";
+  static const char msg[] = "You have reproduced a puzzling issue.\n"
+                            "Please, report to crbug.com/152530!\n"
+                            "Failed to set up stderr: ";
   if (HANDLE_EINTR(write(out_fd, msg, sizeof(msg)-1)) > 0 && error_string &&
       HANDLE_EINTR(write(out_fd, error_string, strlen(error_string))) > 0 &&
       HANDLE_EINTR(write(out_fd, "\n", 1))) {
   }
 }
 
 // We need to tell whether we are performing a "normal" callback, or
 // whether we were called recursively from within a UnsafeTrap() callback.
 // This is a little tricky to do, because we need to somehow get access to
 // per-thread data from within a signal context. Normal TLS storage is not
@@ skipping 100 matching lines @@
     sigprocmask(SIG_SETMASK, &oldMask, NULL);  // OK, if it fails
     SANDBOX_DIE("fork() failed unexpectedly");
   }
 
   // In the child process
   if (!pid) {
     // Test a very simple sandbox policy to verify that we can
     // successfully turn on sandboxing.
     Die::EnableSimpleExit();
 
+    errno = 0;
     if (HANDLE_EINTR(close(fds[0]))) {
+      // This call to close() has been failing in strange ways. See
+      // crbug.com/152530. So we only fail in debug mode now.
+#if !defined(NDEBUG)
       WriteFailedStderrSetupMessage(fds[1]);
       SANDBOX_DIE(NULL);
+#endif
     }
     if (HANDLE_EINTR(dup2(fds[1], 2)) != 2) {
       // Stderr could very well be a file descriptor to .xsession-errors, or
       // another file, which could be backed by a file system that could cause
       // dup2 to fail while trying to close stderr. It's important that we do
       // not fail on trying to close stderr.
       // If dup2 fails here, we will continue normally, this means that our
       // parent won't cause a fatal failure if something writes to stderr in
       // this child.
+#if !defined(NDEBUG)
+      // In DEBUG builds, we still want to get a report.
+      WriteFailedStderrSetupMessage(fds[1]);
+      SANDBOX_DIE(NULL);
+#endif
     }
     if (HANDLE_EINTR(close(fds[1]))) {
+      // This call to close() has been failing in strange ways. See
+      // crbug.com/152530. So we only fail in debug mode now.
+#if !defined(NDEBUG)
       WriteFailedStderrSetupMessage(fds[1]);
       SANDBOX_DIE(NULL);
+#endif
     }
 
     evaluators_.clear();
     setSandboxPolicy(syscallEvaluator, aux);
     setProcFd(proc_fd);
 
     // By passing "quiet=true" to "startSandboxInternal()" we suppress
     // messages for expected and benign failures (e.g. if the current
     // kernel lacks support for BPF filters).
     startSandboxInternal(true);
@@ skipping 700 matching lines @@
 Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
 int    Sandbox::proc_fd_                = -1;
 Sandbox::Evaluators Sandbox::evaluators_;
 Sandbox::Traps *Sandbox::traps_         = NULL;
 Sandbox::TrapIds Sandbox::trapIds_;
 ErrorCode *Sandbox::trapArray_          = NULL;
 size_t Sandbox::trapArraySize_          = 0;
   bool Sandbox::has_unsafe_traps_       = false;
 
 }  // namespace