Linux sandbox: change API to start the sandbox

content/common/sandbox_linux/sandbox_linux.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_
 
 #include <string>
+#include <vector>
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/public/common/sandbox_linux.h"
 
 #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
     defined(THREAD_SANITIZER) || defined(LEAK_SANITIZER) || \
     defined(UNDEFINED_SANITIZER)
 #include <sanitizer/common_interface_defs.h>
 #define ANY_OF_AMTLU_SANITIZER 1
@@ skipping 23 matching lines @@
     METHOD_MAKE_SHARED_MEMORY_SEGMENT = 36,
     METHOD_MATCH_WITH_FALLBACK = 37,
   };
 
   // Get our singleton instance.
   static LinuxSandbox* GetInstance();
 
   // Do some initialization that can only be done before any of the sandboxes
   // are enabled. If using the setuid sandbox, this should be called manually
   // before the setuid sandbox is engaged.
+  // Security: When this runs, it is imperative that either InitializeSandbox()
+  // runs as well or that all file descriptors returned in
+  // GetFileDescriptorsToClose() get closed.
+  // Otherwise file descriptors that bypass the security of the setuid sandbox
+  // would be kept open. One must be particularly careful if a process performs
+  // a fork().
   void PreinitializeSandbox();
 
+  // Return a list of file descriptors to close if PreinitializeSandbox() ran
+  // but InitializeSandbox() won't. Avoid using.
+  // TODO(jln): get rid of this hack.
+  std::vector<int> GetFileDescriptorsToClose();
+
   // Initialize the sandbox with the given pre-built configuration. Currently
   // seccomp-bpf and address space limitations (the setuid sandbox works
   // differently and is set-up in the Zygote). This will instantiate the
   // LinuxSandbox singleton if it doesn't already exist.
   // This function should only be called without any thread running.
   static bool InitializeSandbox();
 
   // Stop |thread| in a way that can be trusted by the sandbox.
   static void StopThread(base::Thread* thread);
 
@@ skipping 61 matching lines @@
   // allow for sandbox bypasses. It needs to be closed before we consider
   // ourselves sandboxed.
   int proc_fd_;
   bool seccomp_bpf_started_;
   // The value returned by GetStatus(). Gets computed once and then cached.
   int sandbox_status_flags_;
   // Did PreinitializeSandbox() run?
   bool pre_initialized_;
   bool seccomp_bpf_supported_;  // Accurate if pre_initialized_.
   bool yama_is_enforcing_;  // Accurate if pre_initialized_.
+  bool initialize_sandbox_ran_;  // InitializeSandbox() was called.
   scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_;
 #if defined(ANY_OF_AMTLU_SANITIZER)
   scoped_ptr<__sanitizer_sandbox_arguments> sanitizer_args_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(LinuxSandbox);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_LINUX_H_