Index: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc |
diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc |
index 869658f9f8b4eddec6efdd545b89c966626b0440..79f4f7783a136981a8b1ef600f78340e6058eebd 100644 |
--- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc |
+++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc |
@@ -142,7 +142,13 @@ void NaClSandbox::InitializeLayerOneSandbox() { |
// This relies on SealLayerOneSandbox() to be called later since this |
// class is keeping a file descriptor to /proc/. |
jln (very slow on Chromium)
2015/05/28 09:02:33
Doesn't this comment apply to both the setuid sand
rickyz (no longer on Chrome)
2015/05/29 23:16:39
Yeah, removed this comment, it made more sense in
|
CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get())); |
- CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get())); |
+ |
+ // We do not drop CAP_SYS_ADMIN because we need it to place each child |
+ // process in its own PID namespace later on. |
jln (very slow on Chromium)
2015/05/28 09:02:33
This is unfortunate. This should be dropped as par
|
+ std::vector<sandbox::Credentials::Capability> caps; |
+ caps.push_back(sandbox::Credentials::Capability::SYS_ADMIN); |
+ CHECK(sandbox::Credentials::SetCapabilities(proc_fd_.get(), caps)); |
+ |
CHECK(IsSandboxed()); |
layer_one_enabled_ = true; |
} |
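Review bot: The new code keeps CAP_SYS_ADMIN in the loader after DropFileSystemAccess(), so until some later step removes it the process still holds the capability that governs mount-related operations inside the layer-one chroot, yet nothing in this hunk records where that drop happens or checks that it did. The comment on the `caps` block should name the point at which the capability is removed and that point should CHECK it, e.g. `// CAP_SYS_ADMIN is retained only until the child's PID namespace exists; the code that creates it must drop all remaining capabilities and CHECK the result.` The `CHECK(IsSandboxed())` that follows presumably validates the filesystem/credential state rather than the capability set, so it is not a substitute for that later check (worth confirming against IsSandboxed()). As a point of style, the three-line vector setup can be a single constant: `const std::vector<sandbox::Credentials::Capability> caps = {sandbox::Credentials::Capability::SYS_ADMIN};`. InitializeLayerOneSandbox() begins before this hunk.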