Linux sandbox: change API to start the sandbox

sandbox/linux/seccomp-bpf/sandbox_bpf.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
 #define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
 
 #include <stdint.h>
 
 #include "base/compiler_specific.h"
@@ skipping 41 matching lines @@
   //       irreversible state changes to the runtime environment. These changes
   //       stay in effect even after the destructor has been run.
   SandboxBPF();
   ~SandboxBPF();
 
   // Checks whether a particular system call number is valid on the current
   // architecture. E.g. on ARM there's a non-contiguous range of private
   // system calls.
   static bool IsValidSyscallNumber(int sysnum);
 
-  // There are a lot of reasons why the Seccomp sandbox might not be available.
-  // This could be because the kernel does not support Seccomp mode, or it
-  // could be because another sandbox is already active.
-  // "proc_fd" should be a file descriptor for "/proc", or -1 if not
-  // provided by the caller.
-  static SandboxStatus SupportsSeccompSandbox(int proc_fd);
+  // Detect if the kernel supports the seccomp sandbox. The result of calling
+  // this function will be cached. The first time this function is called, the
+  // running process must be unsandboxed (able to use /proc) and monothreaded.
+  static SandboxStatus SupportsSeccompSandbox();
 
   // Determines if the kernel has support for the seccomp() system call to
   // synchronize BPF filters across a thread group.
   static SandboxStatus SupportsSeccompThreadFilterSynchronization();
 
-  // The sandbox needs to be able to access files in "/proc/self". If this
+  // The sandbox needs to be able to access files in "/proc/self/tasks/". If

[Jorge Lucangeli Obes, 2014/11/24 23:48:33]

Ditto task.

[jln (very slow on Chromium), 2014/11/25 01:30:48]

Done.

+  // this
   // directory is not accessible when "startSandbox()" gets called, the caller
-  // can provide an already opened file descriptor by calling "set_proc_fd()".
-  // The sandbox becomes the new owner of this file descriptor and will
-  // eventually close it when "StartSandbox()" executes.
-  void set_proc_fd(int proc_fd);
+  // must provide an already opened file descriptor by calling
+  // "set_proc_task_fd()".  The sandbox becomes the new owner of this file
+  // descriptor and will eventually close it when "StartSandbox()" executes.
+  void set_proc_task_fd(int proc_task_fd);
 
   // Set the BPF policy as |policy|. Ownership of |policy| is transfered here
   // to the sandbox object.
   void SetSandboxPolicy(bpf_dsl::Policy* policy);
 
   // UnsafeTraps require some syscalls to always be allowed.
   // This helper function returns true for these calls.
   static bool IsRequiredForUnsafeTrap(int sysno);
 
   // From within an UnsafeTrap() it is often useful to be able to execute
@@ skipping 26 matching lines @@
   // Typically, AssembleFilter() is only used by unit tests and by sandbox
   // internals. It should not be used by production code.
   // For performance reasons, we normally only run the assembled BPF program
   // through the verifier, iff the program was built in debug mode.
   // But by setting "force_verification", the caller can request that the
   // verifier is run unconditionally. This is useful for unittests.
   scoped_ptr<CodeGen::Program> AssembleFilter(bool force_verification);
 
  private:
   // Get a file descriptor pointing to "/proc", if currently available.
-  int proc_fd() { return proc_fd_; }
+  int proc_task_fd() { return proc_task_fd_; }
 
   // Creates a subprocess and runs "code_in_sandbox" inside of the specified
   // policy. The caller has to make sure that "this" has not yet been
   // initialized with any other policies.
   bool RunFunctionInPolicy(void (*code_in_sandbox)(),
                            scoped_ptr<bpf_dsl::Policy> policy);
 
   // Performs a couple of sanity checks to verify that the kernel supports the
   // features that we need for successful sandboxing.
   // The caller has to make sure that "this" has not yet been initialized with
   // any other policies.
   bool KernelSupportSeccompBPF();
 
   // Assembles and installs a filter based on the policy that has previously
   // been configured with SetSandboxPolicy().
   void InstallFilter(bool must_sync_threads);
 
   // Verify the correctness of a compiled program by comparing it against the
   // current policy. This function should only ever be called by unit tests and
   // by the sandbox internals. It should not be used by production code.
   void VerifyProgram(const CodeGen::Program& program);
 
   static SandboxStatus status_;
 
   bool quiet_;
-  int proc_fd_;
+  int proc_task_fd_;
   bool sandbox_has_started_;
   scoped_ptr<bpf_dsl::Policy> policy_;
 
   DISALLOW_COPY_AND_ASSIGN(SandboxBPF);
 };
 
 }  // namespace sandbox
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__