Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(11)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/zygote/zygote_linux.cc

Issue 1158793003: Enable one PID namespace per process for NaCl processes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Enable PID namespace per process for nonsfi newlib NaCl as well. Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('k') | sandbox/linux/services/credentials.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/zygote/zygote_linux.cc
diff --git a/content/zygote/zygote_linux.cc b/content/zygote/zygote_linux.cc
index 59a14c1c9ef3f12102a581125d1ff584598048b4..0a333e38843bf6b76d297efd1d63368b36b90b92 100644
--- a/content/zygote/zygote_linux.cc
+++ b/content/zygote/zygote_linux.cc
@@ -49,14 +49,6 @@ namespace {
void SIGCHLDHandler(int signal) {
}
-// On Linux, when a process is the init process of a PID namespace, it cannot be
-// terminated by signals like SIGTERM or SIGINT, since they are ignored unless
-// we register a handler for them. In the handlers, we exit with this special
-// exit code that GetTerminationStatus understands to mean that we were
-// terminated by an external signal.
-const int kKilledExitCode = 0x80;
-const int kUnexpectedExitCode = 0x81;
-
int LookUpFd(const base::GlobalDescriptors::Mapping& fd_mapping, uint32_t key) {
for (size_t index = 0; index < fd_mapping.size(); ++index) {
if (fd_mapping[index].key == key)
@@ -316,8 +308,12 @@ bool Zygote::GetTerminationStatus(base::ProcessHandle real_pid,
process_info_map_.erase(real_pid);
}
- if (WIFEXITED(*exit_code) && WEXITSTATUS(*exit_code) == kKilledExitCode) {
- *status = base::TERMINATION_STATUS_PROCESS_WAS_KILLED;
+ if (WIFEXITED(*exit_code)) {
+ const int exit_status = WEXITSTATUS(*exit_code);
+ if (exit_status == sandbox::NamespaceSandbox::SignalExitCode(SIGINT) ||
+ exit_status == sandbox::NamespaceSandbox::SignalExitCode(SIGTERM)) {
+ *status = base::TERMINATION_STATUS_PROCESS_WAS_KILLED;
+ }
}
return true;
@@ -394,7 +390,7 @@ int Zygote::ForkWithRealPid(const std::string& process_type,
pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace(
/*drop_capabilities_in_child=*/true);
} else {
- pid = fork();
+ pid = sandbox::Credentials::ForkAndDropCapabilitiesInChild();
}
}
@@ -402,17 +398,11 @@ int Zygote::ForkWithRealPid(const std::string& process_type,
// If the process is the init process inside a PID namespace, it must have
// explicit signal handlers.
if (getpid() == 1) {
- for (const int sig : {SIGINT, SIGTERM}) {
- sandbox::NamespaceSandbox::InstallTerminationSignalHandler(
- sig, kKilledExitCode);
- }
-
- static const int kUnexpectedSignals[] = {
- SIGHUP, SIGQUIT, SIGABRT, SIGPIPE, SIGUSR1, SIGUSR2,
- };
- for (const int sig : kUnexpectedSignals) {
+ static const int kTerminationSignals[] = {
+ SIGINT, SIGTERM, SIGHUP, SIGQUIT, SIGABRT, SIGPIPE, SIGUSR1, SIGUSR2};
+ for (const int sig : kTerminationSignals) {
sandbox::NamespaceSandbox::InstallTerminationSignalHandler(
- sig, kUnexpectedExitCode);
+ sig, sandbox::NamespaceSandbox::SignalExitCode(sig));
}
}
« no previous file with comments | « components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('k') | sandbox/linux/services/credentials.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698