content/zygote/zygote_linux.cc - Issue 1158793003: Enable one PID namespace per process for NaCl processes.

Unified Diff: content/zygote/zygote_linux.cc

Issue 1158793003: Enable one PID namespace per process for NaCl processes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Respond to comments. Created 5 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('k') | sandbox/linux/services/credentials.h » ('j') | sandbox/linux/services/namespace_sandbox.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: content/zygote/zygote_linux.cc

diff --git a/content/zygote/zygote_linux.cc b/content/zygote/zygote_linux.cc

index 5a84dec6db9f48d43b4a5d743b87e8b95b55ce8f..27e86cfd37164210ef520766ab3053dc793673d1 100644

--- a/content/zygote/zygote_linux.cc

+++ b/content/zygote/zygote_linux.cc

@@ -49,14 +49,6 @@ namespace {

void SIGCHLDHandler(int signal) {

}

-// On Linux, when a process is the init process of a PID namespace, it cannot be

-// terminated by signals like SIGTERM or SIGINT, since they are ignored unless

-// we register a handler for them. In the handlers, we exit with this special

-// exit code that GetTerminationStatus understands to mean that we were

-// terminated by an external signal.

-const int kKilledExitCode = 0x80;

-const int kUnexpectedExitCode = 0x81;

int LookUpFd(const base::GlobalDescriptors::Mapping& fd_mapping, uint32_t key) {

for (size_t index = 0; index < fd_mapping.size(); ++index) {

if (fd_mapping[index].key == key)

@@ -316,8 +308,12 @@ bool Zygote::GetTerminationStatus(base::ProcessHandle real_pid,

process_info_map_.erase(real_pid);

}

- if (WIFEXITED(*exit_code) && WEXITSTATUS(*exit_code) == kKilledExitCode) {

- *status = base::TERMINATION_STATUS_PROCESS_WAS_KILLED;

+ if (WIFEXITED(*exit_code)) {

+ const int exit_status = WEXITSTATUS(*exit_code);

+ if (exit_status == sandbox::NamespaceSandbox::SignalExitCode(SIGINT) ||

+ exit_status == sandbox::NamespaceSandbox::SignalExitCode(SIGTERM)) {

+ *status = base::TERMINATION_STATUS_PROCESS_WAS_KILLED;

+ }

}

return true;

@@ -395,7 +391,7 @@ int Zygote::ForkWithRealPid(const std::string& process_type,

pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace(

/*drop_capabilities_in_child=*/true);

} else {

- pid = fork();

+ pid = sandbox::Credentials::ForkAndDropCapabilitiesInChild();

}

@@ -403,17 +399,11 @@ int Zygote::ForkWithRealPid(const std::string& process_type,

// If the process is the init process inside a PID namespace, it must have

// explicit signal handlers.

if (getpid() == 1) {

- for (const int sig : {SIGINT, SIGTERM}) {

- sandbox::NamespaceSandbox::InstallTerminationSignalHandler(

- sig, kKilledExitCode);

- }

- static const int kUnexpectedSignals[] = {

- SIGHUP, SIGQUIT, SIGABRT, SIGPIPE, SIGUSR1, SIGUSR2,

- };

- for (const int sig : kUnexpectedSignals) {

+ static const int kTerminationSignals[] = {

+ SIGINT, SIGTERM, SIGHUP, SIGQUIT, SIGABRT, SIGPIPE, SIGUSR1, SIGUSR2};

+ for (const int sig : kTerminationSignals) {

sandbox::NamespaceSandbox::InstallTerminationSignalHandler(

- sig, kUnexpectedExitCode);

+ sig, sandbox::NamespaceSandbox::SignalExitCode(sig));

}