Linux sandbox: change API to start the sandbox

content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "build/build_config.h"
 #include "content/public/common/content_switches.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 
 #if defined(USE_SECCOMP_BPF)
 
+#include "base/files/scoped_file.h"
+#include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h"
 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h"
 #include "content/common/sandbox_linux/bpf_ppapi_policy_linux.h"
 #include "content/common/sandbox_linux/bpf_renderer_policy_linux.h"
 #include "content/common/sandbox_linux/bpf_utility_policy_linux.h"
 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
 #include "content/common/sandbox_linux/sandbox_linux.h"
 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
@@ skipping 20 matching lines @@
 #error "Seccomp-bpf disabled on supported architecture!"
 #endif  // !defined(ARCH_CPU_ARM64)
 
 #endif  //
 
 namespace content {
 
 #if defined(USE_SECCOMP_BPF)
 namespace {
 
-void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy);
+void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy,
+                            base::ScopedFD proc_task_fd);
 
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
 #else
   return false;
 #endif
 }
 
 inline bool IsArchitectureArm() {
@@ skipping 64 matching lines @@
     // We should never allow the creation of netlink sockets.
     syscall_ret = socket(AF_NETLINK, SOCK_DGRAM, 0);
     CHECK_EQ(-1, syscall_ret);
     CHECK_EQ(EPERM, errno);
 #endif  // !defined(NDEBUG)
   }
 }
 
 
 // This function takes ownership of |policy|.
-void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy) {
+void StartSandboxWithPolicy(sandbox::bpf_dsl::Policy* policy,
+                            base::ScopedFD proc_task_fd) {
   // Starting the sandbox is a one-way operation. The kernel doesn't allow
   // us to unload a sandbox policy after it has been started. Nonetheless,
   // in order to make the use of the "Sandbox" object easier, we allow for
   // the object to be destroyed after the sandbox has been started. Note that
   // doing so does not stop the sandbox.
   SandboxBPF sandbox;
   sandbox.SetSandboxPolicy(policy);
+
+  sandbox.set_proc_task_fd(proc_task_fd.release());
   CHECK(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
 }
 
 // nacl_helper needs to be tiny and includes only part of content/
 // in its dependencies. Make sure to not link things that are not needed.
 #if !defined(IN_NACL_HELPER)
 scoped_ptr<SandboxBPFBasePolicy> GetGpuProcessSandbox() {
   const base::CommandLine& command_line =
       *base::CommandLine::ForCurrentProcess();
   bool allow_sysv_shm = false;
   if (command_line.HasSwitch(switches::kGpuSandboxAllowSysVShm)) {
     DCHECK(IsArchitectureArm());
     allow_sysv_shm = true;
   }
 
   if (IsChromeOS() && IsArchitectureArm()) {
     return scoped_ptr<SandboxBPFBasePolicy>(
         new CrosArmGpuProcessPolicy(allow_sysv_shm));
   } else {
     bool allow_mincore = command_line.HasSwitch(switches::kUseGL) &&
                          command_line.GetSwitchValueASCII(switches::kUseGL) ==
                              gfx::kGLImplementationEGLName;
     return scoped_ptr<SandboxBPFBasePolicy>(
         new GpuProcessPolicy(allow_mincore));
   }
 }
 
 // Initialize the seccomp-bpf sandbox.
 bool StartBPFSandbox(const base::CommandLine& command_line,
-                     const std::string& process_type) {
+                     const std::string& process_type,
+                     base::ScopedFD proc_task_fd) {
   scoped_ptr<SandboxBPFBasePolicy> policy;
 
   if (process_type == switches::kGpuProcess) {
     policy.reset(GetGpuProcessSandbox().release());
   } else if (process_type == switches::kRendererProcess) {
     policy.reset(new RendererProcessPolicy);
   } else if (process_type == switches::kPpapiPluginProcess) {
     policy.reset(new PpapiProcessPolicy);
   } else if (process_type == switches::kUtilityProcess) {
     policy.reset(new UtilityProcessPolicy);
   } else {
     NOTREACHED();
     policy.reset(new AllowAllPolicy);
   }
 
   CHECK(policy->PreSandboxHook());
-  StartSandboxWithPolicy(policy.release());
+  StartSandboxWithPolicy(policy.release(), proc_task_fd.Pass());
 
   RunSandboxSanityChecks(process_type);
   return true;
 }
 #else  // defined(IN_NACL_HELPER)
 bool StartBPFSandbox(const base::CommandLine& command_line,
                      const std::string& process_type) {
   NOTREACHED();
   // Avoid -Wunused-function with no-op code.
   ignore_result(IsChromeOS);
@@ skipping 27 matching lines @@
   if (process_type == switches::kGpuProcess)
     return !command_line.HasSwitch(switches::kDisableGpuSandbox);
 
   return true;
 #endif  // USE_SECCOMP_BPF
   return false;
 }
 
 bool SandboxSeccompBPF::SupportsSandbox() {
 #if defined(USE_SECCOMP_BPF)
-  // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton
-  // here.
   SandboxBPF::SandboxStatus bpf_sandbox_status =
-      SandboxBPF::SupportsSeccompSandbox(-1);
-  // Kernel support is what we are interested in here. Other status
-  // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support.
-  // We make this a negative check, since if there is a bug, we would rather
-  // "fail closed" (expect a sandbox to be available and try to start it).
-  if (bpf_sandbox_status != SandboxBPF::STATUS_UNSUPPORTED) {
+      SandboxBPF::SupportsSeccompSandbox();
+  if (bpf_sandbox_status == SandboxBPF::STATUS_AVAILABLE) {
     return true;
   }
 #endif
   return false;
 }
 
-bool SandboxSeccompBPF::StartSandbox(const std::string& process_type) {
+bool SandboxSeccompBPF::StartSandbox(const std::string& process_type,
+                                     base::ScopedFD proc_task_fd) {
 #if defined(USE_SECCOMP_BPF)
   const base::CommandLine& command_line =
       *base::CommandLine::ForCurrentProcess();
 
   if (IsSeccompBPFDesired() &&  // Global switches policy.
       ShouldEnableSeccompBPF(process_type) &&  // Process-specific policy.
       SupportsSandbox()) {
     // If the kernel supports the sandbox, and if the command line says we
     // should enable it, enable it or die.
-    bool started_sandbox = StartBPFSandbox(command_line, process_type);
+    bool started_sandbox =
+        StartBPFSandbox(command_line, process_type, proc_task_fd.Pass());
     CHECK(started_sandbox);
     return true;
   }
 #endif
   return false;
 }
 
 bool SandboxSeccompBPF::StartSandboxWithExternalPolicy(
-    scoped_ptr<sandbox::bpf_dsl::Policy> policy) {
+    scoped_ptr<sandbox::bpf_dsl::Policy> policy,
+    base::ScopedFD proc_task_fd) {
 #if defined(USE_SECCOMP_BPF)
   if (IsSeccompBPFDesired() && SupportsSandbox()) {
     CHECK(policy);
-    StartSandboxWithPolicy(policy.release());
+    StartSandboxWithPolicy(policy.release(), proc_task_fd.Pass());
     return true;
   }
 #endif  // defined(USE_SECCOMP_BPF)
   return false;
 }
 
 scoped_ptr<sandbox::bpf_dsl::Policy> SandboxSeccompBPF::GetBaselinePolicy() {
 #if defined(USE_SECCOMP_BPF)
   return scoped_ptr<sandbox::bpf_dsl::Policy>(new BaselinePolicy);
 #else
   return scoped_ptr<sandbox::bpf_dsl::Policy>();
 #endif  // defined(USE_SECCOMP_BPF)
 }
 
 }  // namespace content