| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/zygote/zygote_linux.h" | 5 #include "content/zygote/zygote_linux.h" |
| 6 | 6 |
| 7 #include <fcntl.h> | 7 #include <fcntl.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/types.h> | 10 #include <sys/types.h> |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 42 // See http://code.google.com/p/chromium/wiki/LinuxZygote | 42 // See http://code.google.com/p/chromium/wiki/LinuxZygote |
| 43 | 43 |
| 44 namespace content { | 44 namespace content { |
| 45 | 45 |
| 46 namespace { | 46 namespace { |
| 47 | 47 |
| 48 // NOP function. See below where this handler is installed. | 48 // NOP function. See below where this handler is installed. |
| 49 void SIGCHLDHandler(int signal) { | 49 void SIGCHLDHandler(int signal) { |
| 50 } | 50 } |
| 51 | 51 |
| 52 // On Linux, when a process is the init process of a PID namespace, it cannot be | |
| 53 // terminated by signals like SIGTERM or SIGINT, since they are ignored unless | |
| 54 // we register a handler for them. In the handlers, we exit with this special | |
| 55 // exit code that GetTerminationStatus understands to mean that we were | |
| 56 // terminated by an external signal. | |
| 57 const int kKilledExitCode = 0x80; | |
| 58 const int kUnexpectedExitCode = 0x81; | |
| 59 | |
| 60 int LookUpFd(const base::GlobalDescriptors::Mapping& fd_mapping, uint32_t key) { | 52 int LookUpFd(const base::GlobalDescriptors::Mapping& fd_mapping, uint32_t key) { |
| 61 for (size_t index = 0; index < fd_mapping.size(); ++index) { | 53 for (size_t index = 0; index < fd_mapping.size(); ++index) { |
| 62 if (fd_mapping[index].key == key) | 54 if (fd_mapping[index].key == key) |
| 63 return fd_mapping[index].fd; | 55 return fd_mapping[index].fd; |
| 64 } | 56 } |
| 65 return -1; | 57 return -1; |
| 66 } | 58 } |
| 67 | 59 |
| 68 void CreatePipe(base::ScopedFD* read_pipe, base::ScopedFD* write_pipe) { | 60 void CreatePipe(base::ScopedFD* read_pipe, base::ScopedFD* write_pipe) { |
| 69 int raw_pipe[2]; | 61 int raw_pipe[2]; |
| (...skipping 239 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 309 // wait. | 301 // wait. |
| 310 *status = base::GetTerminationStatus(child, exit_code); | 302 *status = base::GetTerminationStatus(child, exit_code); |
| 311 } | 303 } |
| 312 } | 304 } |
| 313 // Successfully got a status for |real_pid|. | 305 // Successfully got a status for |real_pid|. |
| 314 if (*status != base::TERMINATION_STATUS_STILL_RUNNING) { | 306 if (*status != base::TERMINATION_STATUS_STILL_RUNNING) { |
| 315 // Time to forget about this process. | 307 // Time to forget about this process. |
| 316 process_info_map_.erase(real_pid); | 308 process_info_map_.erase(real_pid); |
| 317 } | 309 } |
| 318 | 310 |
| 319 if (WIFEXITED(*exit_code) && WEXITSTATUS(*exit_code) == kKilledExitCode) { | 311 if (WIFEXITED(*exit_code)) { |
| 320 *status = base::TERMINATION_STATUS_PROCESS_WAS_KILLED; | 312 const int exit_status = WEXITSTATUS(*exit_code); |
| 313 if (exit_status == sandbox::NamespaceSandbox::SignalExitCode(SIGINT) || |
| 314 exit_status == sandbox::NamespaceSandbox::SignalExitCode(SIGTERM)) { |
| 315 *status = base::TERMINATION_STATUS_PROCESS_WAS_KILLED; |
| 316 } |
| 321 } | 317 } |
| 322 | 318 |
| 323 return true; | 319 return true; |
| 324 } | 320 } |
| 325 | 321 |
| 326 void Zygote::HandleGetTerminationStatus(int fd, | 322 void Zygote::HandleGetTerminationStatus(int fd, |
| 327 PickleIterator iter) { | 323 PickleIterator iter) { |
| 328 bool known_dead; | 324 bool known_dead; |
| 329 base::ProcessHandle child_requested; | 325 base::ProcessHandle child_requested; |
| 330 | 326 |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 388 | 384 |
| 389 // Helpers should never return in the child process. | 385 // Helpers should never return in the child process. |
| 390 CHECK_NE(pid, 0); | 386 CHECK_NE(pid, 0); |
| 391 } else { | 387 } else { |
| 392 CreatePipe(&read_pipe, &write_pipe); | 388 CreatePipe(&read_pipe, &write_pipe); |
| 393 if (sandbox_flags_ & kSandboxLinuxPIDNS && | 389 if (sandbox_flags_ & kSandboxLinuxPIDNS && |
| 394 sandbox_flags_ & kSandboxLinuxUserNS) { | 390 sandbox_flags_ & kSandboxLinuxUserNS) { |
| 395 pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace( | 391 pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace( |
| 396 /*drop_capabilities_in_child=*/true); | 392 /*drop_capabilities_in_child=*/true); |
| 397 } else { | 393 } else { |
| 398 pid = fork(); | 394 pid = sandbox::Credentials::ForkAndDropCapabilitiesInChild(); |
| 399 } | 395 } |
| 400 } | 396 } |
| 401 | 397 |
| 402 if (pid == 0) { | 398 if (pid == 0) { |
| 403 // If the process is the init process inside a PID namespace, it must have | 399 // If the process is the init process inside a PID namespace, it must have |
| 404 // explicit signal handlers. | 400 // explicit signal handlers. |
| 405 if (getpid() == 1) { | 401 if (getpid() == 1) { |
| 406 for (const int sig : {SIGINT, SIGTERM}) { | 402 static const int kTerminationSignals[] = { |
| 403 SIGINT, SIGTERM, SIGHUP, SIGQUIT, SIGABRT, SIGPIPE, SIGUSR1, SIGUSR2}; |
| 404 for (const int sig : kTerminationSignals) { |
| 407 sandbox::NamespaceSandbox::InstallTerminationSignalHandler( | 405 sandbox::NamespaceSandbox::InstallTerminationSignalHandler( |
| 408 sig, kKilledExitCode); | 406 sig, sandbox::NamespaceSandbox::SignalExitCode(sig)); |
| 409 } | |
| 410 | |
| 411 static const int kUnexpectedSignals[] = { | |
| 412 SIGHUP, SIGQUIT, SIGABRT, SIGPIPE, SIGUSR1, SIGUSR2, | |
| 413 }; | |
| 414 for (const int sig : kUnexpectedSignals) { | |
| 415 sandbox::NamespaceSandbox::InstallTerminationSignalHandler( | |
| 416 sig, kUnexpectedExitCode); | |
| 417 } | 407 } |
| 418 } | 408 } |
| 419 | 409 |
| 420 // In the child process. | 410 // In the child process. |
| 421 write_pipe.reset(); | 411 write_pipe.reset(); |
| 422 | 412 |
| 423 // Ping the PID oracle socket so the browser can find our PID. | 413 // Ping the PID oracle socket so the browser can find our PID. |
| 424 CHECK(SendZygoteChildPing(pid_oracle.get())); | 414 CHECK(SendZygoteChildPing(pid_oracle.get())); |
| 425 | 415 |
| 426 // Now read back our real PID from the zygote. | 416 // Now read back our real PID from the zygote. |
| (...skipping 194 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 621 PickleIterator iter) { | 611 PickleIterator iter) { |
| 622 if (HANDLE_EINTR(write(fd, &sandbox_flags_, sizeof(sandbox_flags_))) != | 612 if (HANDLE_EINTR(write(fd, &sandbox_flags_, sizeof(sandbox_flags_))) != |
| 623 sizeof(sandbox_flags_)) { | 613 sizeof(sandbox_flags_)) { |
| 624 PLOG(ERROR) << "write"; | 614 PLOG(ERROR) << "write"; |
| 625 } | 615 } |
| 626 | 616 |
| 627 return false; | 617 return false; |
| 628 } | 618 } |
| 629 | 619 |
| 630 } // namespace content | 620 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1158793003:
Enable one PID namespace per process for NaCl processes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master