1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <fcntl.h> | 8 #include <fcntl.h> |
9 #include <sys/prctl.h> | 9 #include <sys/prctl.h> |
10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
132 // the setuid sandbox model. | 132 // the setuid sandbox model. |
133 CHECK(!HasOpenDirectory()); | 133 CHECK(!HasOpenDirectory()); |
134 | 134 |
135 // Get sandboxed. | 135 // Get sandboxed. |
136 CHECK(setuid_sandbox_client_->ChrootMe()); | 136 CHECK(setuid_sandbox_client_->ChrootMe()); |
137 CHECK(MaybeSetProcessNonDumpable()); | 137 CHECK(MaybeSetProcessNonDumpable()); |
138 CHECK(IsSandboxed()); | 138 CHECK(IsSandboxed()); |
139 layer_one_enabled_ = true; | 139 layer_one_enabled_ = true; |
140 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { | 140 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { |
141 CHECK(sandbox::Credentials::MoveToNewUserNS()); | 141 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
142 // This relies on SealLayerOneSandbox() to be called later since this | |
143 // class is keeping a file descriptor to /proc/. | |
144 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get())); | 142 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get())); |
145 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get())); | 143 |
| 144 // We do not drop CAP_SYS_ADMIN because we need it to place each child |
| 145 // process in its own PID namespace later on. |
| 146 std::vector<sandbox::Credentials::Capability> caps; |
| 147 caps.push_back(sandbox::Credentials::Capability::SYS_ADMIN); |
| 148 CHECK(sandbox::Credentials::SetCapabilities(proc_fd_.get(), caps)); |
| 149 |
146 CHECK(IsSandboxed()); | 150 CHECK(IsSandboxed()); |
147 layer_one_enabled_ = true; | 151 layer_one_enabled_ = true; |
148 } | 152 } |
149 } | 153 } |
150 | 154 |
151 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { | 155 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { |
152 // We expect to have the following FDs open: | 156 // We expect to have the following FDs open: |
153 // 1-3) stdin, stdout, stderr. | 157 // 1-3) stdin, stdout, stderr. |
154 // 4) The /dev/urandom FD used by base::GetUrandomFD(). | 158 // 4) The /dev/urandom FD used by base::GetUrandomFD(). |
155 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. | 159 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. |
235 static const char kNoBpfMsg[] = | 239 static const char kNoBpfMsg[] = |
236 "The seccomp-bpf sandbox is not engaged for NaCl:"; | 240 "The seccomp-bpf sandbox is not engaged for NaCl:"; |
237 if (can_be_no_sandbox) | 241 if (can_be_no_sandbox) |
238 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; | 242 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; |
239 else | 243 else |
240 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; | 244 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; |
241 } | 245 } |
242 } | 246 } |
243 | 247 |
244 } // namespace nacl | 248 } // namespace nacl |
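Review bot: The comment on old lines 142-143 stating that this path relies on SealLayerOneSandbox() being called later because the class keeps a file descriptor to /proc/ was dropped, yet the new code still passes `proc_fd_.get()` to both DropFileSystemAccess() (line 142) and SetCapabilities() (line 148), so the dependency appears unchanged and the comment should be kept above the DropFileSystemAccess() call. The new comment on lines 144-145 says why CAP_SYS_ADMIN is retained but not where it is finally released, and `CHECK(IsSandboxed())` on line 150 presumably does not inspect the capability set, so nothing visible here pins that down; consider extending the comment to `// CAP_SYS_ADMIN is released once the child PID namespaces exist; see <function that drops it — fill in>`. Since keeping CAP_SYS_ADMIN inside the user namespace leaves this layer with more privilege than DropAllCapabilities() did, naming the exact release point matters for anyone auditing the sandbox setup. As a minor style point, lines 146-147 could be a single brace-initialized `const std::vector<...>` if the project's C++11 usage allows it. The enclosing function begins before the lines shown in this hunk.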