Side by Side Diff: content/common/sandbox_linux.cc

Issue 13814027: Linux: make current InitializeSandbox() private. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Remove sandbox_init_linux.cc Created 7 years, 8 months ago
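--- a/content/common/sandbox_linux.cc
+++ b/content/common/sandbox_linux.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <fcntl.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
 
@@ -169,20 +169,53 @@
 }
 proc_fd_ = -1;
 }
 }
 
 void LinuxSandbox::PreinitializeSandbox(const std::string& process_type) {
 PreinitializeSandboxBegin();
 PreinitializeSandboxFinish(process_type);
 }
 
+bool LinuxSandbox::InitializeSandbox() {
+bool seccomp_legacy_started = false;
+bool seccomp_bpf_started = false;
+LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
+const std::string process_type =
+CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+switches::kProcessType);
+
+// No matter what, it's always an error to call InitializeSandbox() after
+// threads have been created.
+if (!linux_sandbox->IsSingleThreaded()) {
+std::string error_message = "InitializeSandbox() called with multiple "
+"threads in process " + process_type;
+// TODO(jln): change this into a CHECK() once we are more comfortable it
+// does not trigger.
+LOG(ERROR) << error_message;
+return false;
+}
+
+// Attempt to limit the future size of the address space of the process.
+linux_sandbox->LimitAddressSpace(process_type);
+
+// First, try to enable seccomp-bpf.
+seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type);
+
+// If that fails, try to enable seccomp-legacy.
+if (!seccomp_bpf_started) {
+seccomp_legacy_started = linux_sandbox->StartSeccompLegacy(process_type);
+}
+
+return seccomp_legacy_started || seccomp_bpf_started;
+}
+
 int LinuxSandbox::GetStatus() const {
 CHECK(pre_initialized_);
 int sandbox_flags = 0;
 if (setuid_sandbox_client_->IsSandboxed()) {
 sandbox_flags |= kSandboxLinuxSUID;
 if (setuid_sandbox_client_->IsInNewPIDNamespace())
 sandbox_flags |= kSandboxLinuxPIDNS;
 if (setuid_sandbox_client_->IsInNewNETNamespace())
 sandbox_flags |= kSandboxLinuxNetNS;
 }
@@ -308,10 +341,10 @@
 bool limited_as = AddResourceLimit(RLIMIT_AS, address_space_limit);
 bool limited_data = AddResourceLimit(RLIMIT_DATA, kNewDataSegmentMaxSize);
 return limited_as && limited_data;
 #else
 return false;
 #endif // !defined(ADDRESS_SANITIZER)
 }
 
 } // namespace content
 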
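Review bot: The return value of `linux_sandbox->LimitAddressSpace(process_type)` on new line 199 of InitializeSandbox() is discarded, so a failure to apply the address-space limit is neither logged nor reflected in the function's result, which only reports whether a seccomp layer started. The bool-returning tail at new lines 341-347 (`return limited_as && limited_data;` / `return false;`) suggests the limit helper does report failure, though that function's signature is outside the visible hunks. At minimum log it, e.g. `if (!linux_sandbox->LimitAddressSpace(process_type)) LOG(WARNING) << "Failed to limit address space in process " << process_type;`, or state in the comment on line 198 that the limit is best-effort and does not affect the return value. Separately, the two `bool` locals on lines 180-181 are initialized to false and then reassigned; declaring `seccomp_bpf_started` at the StartSeccompBpf call and `seccomp_legacy_started` inside the fallback branch (defaulting the return to `seccomp_bpf_started`) would read more directly, and a header comment stating that `false` means no seccomp sandbox is engaged and that the caller decides whether that is fatal would help readers who cannot see the callers.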