Setuid sandbox: exit(2) on SIGABRT

sandbox/linux/suid/sandbox.c

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox
 
 #include "common/sandbox.h"
 
 #define _GNU_SOURCE
 #include <asm/unistd.h>
@@ skipping 40 matching lines @@
   va_list ap;
   va_start(ap, msg);
 
   vfprintf(stderr, msg, ap);
   fprintf(stderr, ": %s\n", strerror(errno));
   fflush(stderr);
   va_end(ap);
   _exit(1);
 }
 
+static void ExitWithErrorSignalhandler(int signal) {

[Jorge Lucangeli Obes, 2014/02/14 01:39:57]

Cap in "Handler"?

[jln (very slow on Chromium), 2014/02/14 01:45:14]

Done.

+  const char msg[] = "\nThe setuid sandbox got signaled, exiting.\n";
+  write(2, msg, sizeof(msg) - 1);
+  _exit(1);
+}
+
 // We will chroot() to the helper's /proc/self directory. Anything there will
 // not exist anymore if we make sure to wait() for the helper.
 //
 // /proc/self/fdinfo or /proc/self/fd are especially safe and will be empty
 // even if the helper survives as a zombie.
 //
 // There is very little reason to use fdinfo/ instead of fd/ but we are
 // paranoid. fdinfo/ only exists since 2.6.22 so we allow fallback to fd/
 #define SAFE_DIR "/proc/self/fdinfo"
 #define SAFE_DIR2 "/proc/self/fd"
@@ skipping 117 matching lines @@
   }
 
   return true;
 }
 
 // Block until child_pid exits, then exit. Try to preserve the exit code.
 static void WaitForChildAndExit(pid_t child_pid) {
   int exit_code = -1;
   siginfo_t reaped_child_info;
 
+  // Don't "Core" on SIGABRT. SIGABRT is sent by the Chrome OS session manager

[Jorge Lucangeli Obes, 2014/02/14 01:39:57]

No caps in "core"?

[jln (very slow on Chromium), 2014/02/14 01:45:14]

I wanted to use the official POSIX actions "Term, Ign, Core etc."

+  // when things are hanging.

[Jorge Lucangeli Obes, 2014/02/14 01:39:57]

This is not entirely true. SIGFPE is sent when the browser process is hung.
SIGABRT is sent when SIGTERM or SIGFPE did not manage to kill the entire process
group.

[jln (very slow on Chromium), 2014/02/14 01:45:14]

No, SIGTERM is only sent to the browser process nowadays. I don't want to add
too much details, I thought "when things are hanging" was an accurate
description for SIGABRT :)

+  // Here, the current process is going to waitid() and _exit(), so there is no
+  // point in generating a crash report. The child process is the one
+  // blocking us.
+  if (signal(SIGABRT, ExitWithErrorSignalhandler) == SIG_ERR) {
+    FatalError("Failed to change signal handler");
+  }
+
   int wait_ret =
     HANDLE_EINTR(waitid(P_PID, child_pid, &reaped_child_info, WEXITED));
 
   if (!wait_ret && reaped_child_info.si_pid == child_pid) {
     if (reaped_child_info.si_code == CLD_EXITED) {
       exit_code = reaped_child_info.si_status;
     } else {
       // Exit with code 0 if the child got signaled.
       exit_code = 0;
     }
@@ skipping 267 matching lines @@
   if (!DropRoot())
     return 1;
   if (!SetupChildEnvironment())
     return 1;
 
   execv(argv[1], &argv[1]);
   FatalError("execv failed");
 
   return 1;
 }