Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(82)

Side by Side Diff: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc

Issue 1158793003: Enable one PID namespace per process for NaCl processes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Respond to comments. Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <sys/prctl.h> 9 #include <sys/prctl.h>
10 #include <sys/stat.h> 10 #include <sys/stat.h>
(...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after
132 // the setuid sandbox model. 132 // the setuid sandbox model.
133 CHECK(!HasOpenDirectory()); 133 CHECK(!HasOpenDirectory());
134 134
135 // Get sandboxed. 135 // Get sandboxed.
136 CHECK(setuid_sandbox_client_->ChrootMe()); 136 CHECK(setuid_sandbox_client_->ChrootMe());
137 CHECK(MaybeSetProcessNonDumpable()); 137 CHECK(MaybeSetProcessNonDumpable());
138 CHECK(IsSandboxed()); 138 CHECK(IsSandboxed());
139 layer_one_enabled_ = true; 139 layer_one_enabled_ = true;
140 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { 140 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
141 CHECK(sandbox::Credentials::MoveToNewUserNS()); 141 CHECK(sandbox::Credentials::MoveToNewUserNS());
142 // This relies on SealLayerOneSandbox() to be called later since this
143 // class is keeping a file descriptor to /proc/.
144 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get())); 142 CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get()));
145 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get())); 143
144 // We do not drop CAP_SYS_ADMIN because we need it to place each child
145 // process in its own PID namespace later on.
146 std::vector<sandbox::Credentials::Capability> caps;
147 caps.push_back(sandbox::Credentials::Capability::SYS_ADMIN);
148 CHECK(sandbox::Credentials::SetCapabilities(proc_fd_.get(), caps));
149
146 CHECK(IsSandboxed()); 150 CHECK(IsSandboxed());
147 layer_one_enabled_ = true; 151 layer_one_enabled_ = true;
148 } 152 }
149 } 153 }
150 154
151 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { 155 void NaClSandbox::CheckForExpectedNumberOfOpenFds() {
152 // We expect to have the following FDs open: 156 // We expect to have the following FDs open:
153 // 1-3) stdin, stdout, stderr. 157 // 1-3) stdin, stdout, stderr.
154 // 4) The /dev/urandom FD used by base::GetUrandomFD(). 158 // 4) The /dev/urandom FD used by base::GetUrandomFD().
155 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel. 159 // 5) A dummy pipe FD used to overwrite kSandboxIPCChannel.
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after
235 static const char kNoBpfMsg[] = 239 static const char kNoBpfMsg[] =
236 "The seccomp-bpf sandbox is not engaged for NaCl:"; 240 "The seccomp-bpf sandbox is not engaged for NaCl:";
237 if (can_be_no_sandbox) 241 if (can_be_no_sandbox)
238 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; 242 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg;
239 else 243 else
240 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; 244 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
241 } 245 }
242 } 246 }
243 247
244 } // namespace nacl 248 } // namespace nacl
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698