Issue 14411008: Linux sandbox: more paranoid checks

Issue 14411008: Linux sandbox: more paranoid checks (Closed)

Created:
7 years, 7 months ago by jln (very slow on Chromium)

Modified:
7 years, 7 months ago

Reviewers:
palmer, Jorge Lucangeli Obes

CC:
chromium-reviews, joi+watch-content_chromium.org, darin-cc_chromium.org, jam, jln+watch_chromium.org, Markus (顧孟勤)

Base URL:
svn://svn.chromium.org/chrome/trunk/src

Visibility:
Public.

More Reviews

Description

Linux sandbox: more paranoid checks at initialization We're worried that InitializeSandbox() will be called multithreaded, so we make sure to keep a file descriptor to /proc around, in Debug mode, to be able to count threads. Now that seccomp-legacy has been removed, we also simplify the code around pre-initialization. BUG=162334 NOTRY=true Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=197520

Patch Set 1 : #

Patch Set 2 : Don't assume that DCHECK will only trigger in debug mode. #

Total comments: 10

Patch Set 3 : Address comments #

Total comments: 14

Patch Set 4 : Address nits. #

Created: 7 years, 7 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+77 lines, -66 lines)			Patch
M	content/common/sandbox_linux.h	View	1 2 3	4 chunks	+19 lines, -23 lines	0 comments	Download
M	content/common/sandbox_linux.cc	View	1 2	8 chunks	+57 lines, -36 lines	0 comments	Download
M	content/zygote/zygote_linux.cc	View		1 chunk	+0 lines, -3 lines	0 comments	Download
M	content/zygote/zygote_main_linux.cc	View		1 chunk	+1 line, -4 lines	0 comments	Download

Messages

Total messages: 11 (0 generated)

Expand Messages | Collapse Messages

jln (very slow on Chromium)

Jorge: do you mind taking a look ? Markus: please rubberstamp once Jorge is done ...

7 years, 7 months ago (2013-04-30 00:10:30 UTC) #1

Jorge Lucangeli Obes

https://chromiumcodereview.appspot.com/14411008/diff/16001/content/common/sandbox_linux.cc File content/common/sandbox_linux.cc (right): https://chromiumcodereview.appspot.com/14411008/diff/16001/content/common/sandbox_linux.cc#newcode130 content/common/sandbox_linux.cc:130: DCHECK(false) << error_message; So you're doing both the DCHECK ...

7 years, 7 months ago (2013-04-30 17:30:26 UTC) #2

jln (very slow on Chromium)

Thanks, PTAL! https://chromiumcodereview.appspot.com/14411008/diff/16001/content/common/sandbox_linux.cc File content/common/sandbox_linux.cc (right): https://chromiumcodereview.appspot.com/14411008/diff/16001/content/common/sandbox_linux.cc#newcode130 content/common/sandbox_linux.cc:130: DCHECK(false) << error_message; On 2013/04/30 17:30:27, Jorge ...

7 years, 7 months ago (2013-04-30 18:35:20 UTC) #3

palmer

Some nits and some pontification. https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/sandbox_linux.cc File content/common/sandbox_linux.cc (right): https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/sandbox_linux.cc#newcode266 content/common/sandbox_linux.cc:266: if (proc_fd_ >= 0) ...

7 years, 7 months ago (2013-04-30 21:21:59 UTC) #5

jln (very slow on Chromium)

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/sandbox_linux.cc File content/common/sandbox_linux.cc (right): https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/sandbox_linux.cc#newcode266 content/common/sandbox_linux.cc:266: if (proc_fd_ >= 0) { On 2013/04/30 21:21:59, Chromium ...

7 years, 7 months ago (2013-04-30 22:09:50 UTC) #6

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/san...
File content/common/sandbox_linux.cc (right):

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/san...
content/common/sandbox_linux.cc:266: if (proc_fd_ >= 0) {
On 2013/04/30 21:21:59, Chromium Palmer wrote:
> Using proc_fd_ < 0 as a signal to express whether or not the descriptor is
> closed is a bit shaky to me. The single source of truth about a descriptor's
> state is in the kernel; I would just unconditionally close(proc_fd_) and then
> CHECK(0 == ret || EBADF == errno). (I.e. we are happy to tolerate failure due
to
> EBADF — descriptor already closed — but not other failures.)

No, this would not be correct. We can't close an arbitrary file descriptor, it
could have been re-allocated to anything else.

-1 is guaranteed to never be a valid descriptor, moreover we only close in one
place (SealSandbox()), so it's easy to guarantee that a closed fd will be set to
-1. In addition, even if there was a bug around this, the CHECK would probably
catch it at some point.

(Also it's the common pattern that we use everywhere in Linux-related code)

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/san...
File content/common/sandbox_linux.h (right):

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/san...
content/common/sandbox_linux.h:40: // is enabled. If using the setuid sandbox,
this should be called manually
On 2013/04/30 21:21:59, Chromium Palmer wrote:
> Typo: "are enabled".

Done.

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/san...
content/common/sandbox_linux.h:52: // constants defined in "enum
LinuxSandboxStatus". Since the status needs to
On 2013/04/30 21:21:59, Chromium Palmer wrote:
> It would therefore be better to declare this function as returning a
> LinuxSandboxStatus instead of int.

No, unfortunately it has to return an int. It's a bitmask of values in
LinuxSandboxStatus, not an element of LinuxSandboxStatus.

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/san...
content/common/sandbox_linux.h:57: // Is the current process single threaded?
Will return "true" if it cannot be
On 2013/04/30 21:21:59, Chromium Palmer wrote:
> NIT: Blank lines between each declaration.

Vertical space is only required between different section. I already put a
little bit too much vertical whitespace in this class imho.

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/san...
content/common/sandbox_linux.h:57: // Is the current process single threaded?
Will return "true" if it cannot be
On 2013/04/30 21:21:59, Chromium Palmer wrote:
> NIT: Simplify this documentation:
> 
> Returns true if the process is single-threaded, or if the number of threads
> cannot be determined.

Done.

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/san...
content/common/sandbox_linux.h:70: // never be called with threads started. If
we detect that thread have
On 2013/04/30 21:21:59, Chromium Palmer wrote:
> Typo: "...detect that threads have..."

Done.

https://chromiumcodereview.appspot.com/14411008/diff/21001/content/common/san...
content/common/sandbox_linux.h:87: int proc_fd_;  // A file descriptor to /proc.
It's dangerous to have it
On 2013/04/30 21:21:59, Chromium Palmer wrote:
> NIT: Put multi-line documentation above the declaration.

Done.

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/jln@chromium.org/14411008/30001

7 years, 7 months ago (2013-04-30 22:33:26 UTC) #9

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/jln@chromium.org/14411008/30001

7 years, 7 months ago (2013-04-30 23:49:19 UTC) #10

Message was sent while issue was closed.

Change committed as 197520

Expand Messages | Collapse Messages