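--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <fcntl.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
 
@@ -169,20 +169,53 @@
 }
 proc_fd_ = -1;
 }
 }
 
 void LinuxSandbox::PreinitializeSandbox(const std::string& process_type) {
 PreinitializeSandboxBegin();
 PreinitializeSandboxFinish(process_type);
 }
 
+bool LinuxSandbox::InitializeSandbox() {
+bool seccomp_legacy_started = false;
+bool seccomp_bpf_started = false;
+LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
+const std::string process_type =
+CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+switches::kProcessType);
+
+// No matter what, it's always an error to call InitializeSandbox() after
+// threads have been created.
+if (!linux_sandbox->IsSingleThreaded()) {
+std::string error_message = "InitializeSandbox() called with multiple "
+"threads in process " + process_type;
+// TODO(jln): change this into a CHECK() once we are more comfortable it
+// does not trigger.
+LOG(ERROR) << error_message;
+return false;
+}
+
+// Attempt to limit the future size of the address space of the process.
+linux_sandbox->LimitAddressSpace(process_type);
+
+// First, try to enable seccomp-bpf.
+seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
+
+// If that fails, try to enable seccomp-legacy.
+if (!seccomp_bpf_started) {
+seccomp_legacy_started = linux_sandbox->StartSeccompLegacy(process_type);
+}
+
+return seccomp_legacy_started || seccomp_bpf_started;
+}
+
 int LinuxSandbox::GetStatus() const {
 CHECK(pre_initialized_);
 int sandbox_flags = 0;
 if (setuid_sandbox_client_->IsSandboxed()) {
 sandbox_flags |= kSandboxLinuxSUID;
 if (setuid_sandbox_client_->IsInNewPIDNamespace())
 sandbox_flags |= kSandboxLinuxPIDNS;
 if (setuid_sandbox_client_->IsInNewNETNamespace())
 sandbox_flags |= kSandboxLinuxNetNS;
 }
@@ -308,10 +341,10 @@
 bool limited_as = AddResourceLimit(RLIMIT_AS, address_space_limit);
 bool limited_data = AddResourceLimit(RLIMIT_DATA, kNewDataSegmentMaxSize);
 return limited_as && limited_data;
 #else
 return false;
 #endif // !defined(ADDRESS_SANITIZER)
 }
 
 } // namespace content
 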
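Review bot: The result of `linux_sandbox->LimitAddressSpace(process_type)` at new line 199 is discarded, so a failure to install the RLIMIT_AS/RLIMIT_DATA limits — which the tail of that function visibly reports by returning `limited_as && limited_data` (new lines 341–343) — leaves no trace in the log or in the return value of InitializeSandbox(). The "Attempt to" comment shows this is meant to stay non-fatal, but it should at least be observable, e.g. `if (!linux_sandbox->LimitAddressSpace(process_type)) LOG(WARNING) << "Could not limit address space for process " << process_type;`, bearing in mind that under ADDRESS_SANITIZER the function returns `false` unconditionally (new line 345) and the message would then be expected noise. As a point of style, `seccomp_legacy_started` and `seccomp_bpf_started` (new lines 180–181) are declared well before their single assignments; declaring them at first use (`const bool seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);`) makes the bpf-then-legacy fallback order read directly off the code. InitializeSandbox() lies entirely within this hunk; LimitAddressSpace() starts outside it, so its earlier branches cannot be checked here.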