Linux sandbox: change API to start the sandbox

content/zygote/zygote_main_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/zygote/zygote_main.h"
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <signal.h>
 #include <string.h>
 #include <sys/socket.h>
 #include <sys/types.h>
 #include <unistd.h>
 
+#include <vector>
+
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/memory/scoped_vector.h"
 #include "base/native_library.h"
 #include "base/pickle.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/posix/unix_domain_socket_linux.h"
 #include "base/rand_util.h"
@@ skipping 68 matching lines @@
 // trigger a SIGSYS signal whose handler will crash.
 // This has been added during the investigation of https://crbug.com/415842.
 void InstallSandboxCrashTestHandler() {
   struct sigaction act = {};
   act.sa_handler = DoChrootSignalHandler;
   CHECK_EQ(0, sigemptyset(&act.sa_mask));
   act.sa_flags = 0;
 
   PCHECK(0 == sigaction(SIGUSR2, &act, NULL));
 }
+
+void CloseFds(const std::vector<int>& fds) {
+  for (const auto& it : fds) {
+    PCHECK(0 == IGNORE_EINTR(close(it)));
+  }
+}
+
 }  // namespace
 
 // See http://code.google.com/p/chromium/wiki/LinuxZygote
 
 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
                                         char* timezone_out,
                                         size_t timezone_out_len) {
   Pickle request;
   request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
   request.WriteString(
@@ skipping 373 matching lines @@
   }
 }
 
 // fds[0] is the read end, fds[1] is the write end.
 static void CreateSanitizerCoverageSocketPair(int fds[2]) {
   PCHECK(0 == socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds));
   PCHECK(0 == shutdown(fds[0], SHUT_WR));
   PCHECK(0 == shutdown(fds[1], SHUT_RD));
 }
 
-static pid_t ForkSanitizerCoverageHelper(int child_fd, int parent_fd,
-                                        base::ScopedFD file_fd) {
+static pid_t ForkSanitizerCoverageHelper(
+    int child_fd,
+    int parent_fd,
+    base::ScopedFD file_fd,
+    const std::vector<int>& extra_fds_to_close) {
   pid_t pid = fork();
   PCHECK(pid >= 0);
   if (pid == 0) {
     // In the child.
     PCHECK(0 == IGNORE_EINTR(close(parent_fd)));
+    CloseFds(extra_fds_to_close);
     SanitizerCoverageHelper(child_fd, file_fd.get());
     _exit(0);
   } else {
     // In the parent.
     PCHECK(0 == IGNORE_EINTR(close(child_fd)));
     return pid;
   }
 }
 
-void CloseFdPair(const int fds[2]) {
-  PCHECK(0 == IGNORE_EINTR(close(fds[0])));
-  PCHECK(0 == IGNORE_EINTR(close(fds[1])));
-}
 #endif  // defined(ADDRESS_SANITIZER)
 
 // If |is_suid_sandbox_child|, then make sure that the setuid sandbox is
 // engaged.
 static void EnterLayerOneSandbox(LinuxSandbox* linux_sandbox,
                                  bool is_suid_sandbox_child,
                                  base::Closure* post_fork_parent_callback) {
   DCHECK(linux_sandbox);
 
   ZygotePreSandboxInit();
@@ skipping 10 matching lines @@
     CHECK(EnterSuidSandbox(setuid_sandbox, post_fork_parent_callback))
         << "Failed to enter setuid sandbox";
   }
 }
 
 bool ZygoteMain(const MainFunctionParams& params,
                 ScopedVector<ZygoteForkDelegate> fork_delegates) {
   g_am_zygote_or_renderer = true;
   sandbox::InitLibcUrandomOverrides();
 
-  base::Closure *post_fork_parent_callback = NULL;
+  std::vector<int> fds_to_close_post_fork;
 
   LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
 
 #if defined(ADDRESS_SANITIZER)
   const std::string sancov_file_name =
       "zygote." + base::Uint64ToString(base::RandUint64());
   base::ScopedFD sancov_file_fd(
       __sanitizer_maybe_open_cov_file(sancov_file_name.c_str()));
   int sancov_socket_fds[2] = {-1, -1};
   CreateSanitizerCoverageSocketPair(sancov_socket_fds);
   linux_sandbox->sanitizer_args()->coverage_sandboxed = 1;
   linux_sandbox->sanitizer_args()->coverage_fd = sancov_socket_fds[1];
   linux_sandbox->sanitizer_args()->coverage_max_block_size =
       kSanitizerMaxMessageLength;
   // Zygote termination will block until the helper process exits, which will
   // not happen until the write end of the socket is closed everywhere. Make
   // sure the init process does not hold on to it.
-  base::Closure close_sancov_socket_fds =
-      base::Bind(&CloseFdPair, sancov_socket_fds);
-  post_fork_parent_callback = &close_sancov_socket_fds;
+  fds_to_close_post_fork.push_back(sancov_socket_fds[0]);
+  fds_to_close_post_fork.push_back(sancov_socket_fds[1]);
 #endif
 
   // This will pre-initialize the various sandboxes that need it.
   linux_sandbox->PreinitializeSandbox();
 
   const bool must_enable_setuid_sandbox =
       linux_sandbox->setuid_sandbox_client()->IsSuidSandboxChild();
   if (must_enable_setuid_sandbox) {
     linux_sandbox->setuid_sandbox_client()->CloseDummyFile();
 
     // Let the ZygoteHost know we're booting up.
     CHECK(UnixDomainSocket::SendMsg(kZygoteSocketPairFd,
                                     kZygoteBootMessage,
                                     sizeof(kZygoteBootMessage),
                                     std::vector<int>()));
   }
 
   VLOG(1) << "ZygoteMain: initializing " << fork_delegates.size()
           << " fork delegates";
   for (ScopedVector<ZygoteForkDelegate>::iterator i = fork_delegates.begin();
        i != fork_delegates.end();
        ++i) {
     (*i)->Init(GetSandboxFD(), must_enable_setuid_sandbox);
   }
 
+  const std::vector<int> sandbox_fds_to_close_post_fork =
+      linux_sandbox->GetFileDescriptorsToClose();
+
+  fds_to_close_post_fork.insert(fds_to_close_post_fork.end(),
+                                sandbox_fds_to_close_post_fork.begin(),
+                                sandbox_fds_to_close_post_fork.end());
+  base::Closure post_fork_parent_callback =
+      base::Bind(&CloseFds, fds_to_close_post_fork);
+
   // Turn on the first layer of the sandbox if the configuration warrants it.
   EnterLayerOneSandbox(linux_sandbox, must_enable_setuid_sandbox,
-                       post_fork_parent_callback);
+                       &post_fork_parent_callback);
 
+  // Extra children and file descriptors created that the Zygote must have
+  // knowledge of.
   std::vector<pid_t> extra_children;
   std::vector<int> extra_fds;
 
 #if defined(ADDRESS_SANITIZER)
   pid_t sancov_helper_pid = ForkSanitizerCoverageHelper(
-      sancov_socket_fds[0], sancov_socket_fds[1], sancov_file_fd.Pass());
+      sancov_socket_fds[0], sancov_socket_fds[1], sancov_file_fd.Pass(),
+      sandbox_fds_to_close_post_fork);
   // It's important that the zygote reaps the helper before dying. Otherwise,
   // the destruction of the PID namespace could kill the helper before it
   // completes its I/O tasks. |sancov_helper_pid| will exit once the last
   // renderer holding the write end of |sancov_socket_fds| closes it.
   extra_children.push_back(sancov_helper_pid);
   // Sanitizer code in the renderers will inherit the write end of the socket
   // from the zygote. We must keep it open until the very end of the zygote's
   // lifetime, even though we don't explicitly use it.
   extra_fds.push_back(sancov_socket_fds[1]);
 #endif
 
   int sandbox_flags = linux_sandbox->GetStatus();
   bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;
   CHECK_EQ(must_enable_setuid_sandbox, setuid_sandbox_engaged);
 
   Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children,
                 extra_fds);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }
 
 }  // namespace content