
Side by Side Diff: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc

Issue 1158793003: Enable one PID namespace per process for NaCl processes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Get rid of kDefaultExitCode. Created 5 years, 6 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <sys/prctl.h> 9 #include <sys/prctl.h>
10 #include <sys/stat.h> 10 #include <sys/stat.h>
133 CHECK(!HasOpenDirectory()); 133 CHECK(!HasOpenDirectory());
134 134
135 // Get sandboxed. 135 // Get sandboxed.
136 CHECK(setuid_sandbox_client_->ChrootMe()); 136 CHECK(setuid_sandbox_client_->ChrootMe());
137 CHECK(MaybeSetProcessNonDumpable()); 137 CHECK(MaybeSetProcessNonDumpable());
138 CHECK(IsSandboxed()); 138 CHECK(IsSandboxed());
139 layer_one_enabled_ = true; 139 layer_one_enabled_ = true;
140 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { 140 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
141 CHECK(sandbox::Credentials::MoveToNewUserNS()); 141 CHECK(sandbox::Credentials::MoveToNewUserNS());
142 // This relies on SealLayerOneSandbox() to be called later since this 142 // This relies on SealLayerOneSandbox() to be called later since this
143 // class is keeping a file descriptor to /proc/. 143 // class is keeping a file descriptor to /proc/.
jln (very slow on Chromium) 2015/05/28 09:02:33 Doesn't this comment apply to both the setuid sand
rickyz (no longer on Chrome) 2015/05/29 23:16:39 Yeah, removed this comment, it made more sense in
144 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get())); 144 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get()));
145 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get())); 145
146 // We do not drop CAP_SYS_ADMIN because we need it to place each child
147 // process in its own PID namespace later on.
jln (very slow on Chromium) 2015/05/28 09:02:33 This is unfortunate. This should be dropped as par
148 std::vector<sandbox::Credentials::Capability> caps;
149 caps.push_back(sandbox::Credentials::Capability::SYS_ADMIN);
150 CHECK(sandbox::Credentials::SetCapabilities(proc_fd_.get(), caps));
151
146 CHECK(IsSandboxed()); 152 CHECK(IsSandboxed());
147 layer_one_enabled_ = true; 153 layer_one_enabled_ = true;
148 } 154 }
149 } 155 }
150 156
151 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { 157 void NaClSandbox::CheckForExpectedNumberOfOpenFds() {
152 // We expect to have the following FDs open: 158 // We expect to have the following FDs open:
153 // 1-3) stdin, stdout, stderr. 159 // 1-3) stdin, stdout, stderr.
154 // 4) The /dev/urandom FD used by base::GetUrandomFD(). 160 // 4) The /dev/urandom FD used by base::GetUrandomFD().
155 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. 161 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel.
235 static const char kNoBpfMsg[] = 241 static const char kNoBpfMsg[] =
236 "The seccomp-bpf sandbox is not engaged for NaCl:"; 242 "The seccomp-bpf sandbox is not engaged for NaCl:";
237 if (can_be_no_sandbox) 243 if (can_be_no_sandbox)
238 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; 244 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg;
239 else 245 else
240 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; 246 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
241 } 247 }
242 } 248 }
243 249
244 } // namespace nacl 250 } // namespace nacl
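Review bot: The comment above the new SetCapabilities() call (new lines 146-147) says why CAP_SYS_ADMIN is kept but not who is responsible for dropping it afterwards, and the `CHECK(IsSandboxed())` on new line 152 evidently passes with the capability still held, so a later reader cannot tell whether the elevated window is bounded or an oversight; since the drop point is not visible in this hunk, I would name it explicitly, e.g. `// CAP_SYS_ADMIN is retained only so that each child can later be moved into its own PID namespace; it must be dropped right after that (see <function that does so>).` It would also help to state what SetCapabilities() leaves in the other capability sets (bounding/inheritable), because replacing DropAllCapabilities() with it changes more than the effective set, and that difference is not documented here. As a point of style, the three-line vector build on new lines 148-150 reads more clearly as `const std::vector<sandbox::Credentials::Capability> caps = {sandbox::Credentials::Capability::SYS_ADMIN};`, which also makes the retained set const. Note that the enclosing function begins before the first hunk line shown.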
