| Index: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| index 1914116c4b3dd7f3e569e26b103428429741960f..95c02a05e8275b4b3736583a9f34c3e45180cb43 100644
|
| --- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| +++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| @@ -14,6 +14,7 @@
|
| #include "base/callback.h"
|
| #include "base/command_line.h"
|
| #include "base/compiler_specific.h"
|
| +#include "base/files/scoped_file.h"
|
| #include "base/logging.h"
|
| #include "base/memory/scoped_ptr.h"
|
| #include "base/posix/eintr_wrapper.h"
|
| @@ -21,6 +22,7 @@
|
| #include "components/nacl/common/nacl_switches.h"
|
| #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
|
| #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
|
| +#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
|
| #include "sandbox/linux/services/credentials.h"
|
| #include "sandbox/linux/services/thread_helpers.h"
|
| #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
|
| @@ -39,6 +41,15 @@ bool IsSandboxed() {
|
| return true;
|
| }
|
|
|
| +// Open a new file descriptor to /proc/self/task/ by using
|
| +// |proc_fd|.
|
| +base::ScopedFD GetProcSelfTask(int proc_fd) {
|
| + base::ScopedFD proc_self_task(HANDLE_EINTR(
|
| + openat(proc_fd, "self/task/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)));
|
| + PCHECK(proc_self_task.is_valid());
|
| + return proc_self_task.Pass();
|
| +}
|
| +
|
| } // namespace
|
|
|
| NaClSandbox::NaClSandbox()
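Review bot: GetProcSelfTask's header comment says what it opens but not what it requires of |proc_fd|: the relative path `"self/task/"` only resolves if |proc_fd| is an open directory fd for /proc (the constructor hunk below opens exactly that), and any failure is fatal via PCHECK rather than reported. Extend the comment to state the contract, e.g. `// |proc_fd| must be an open O_DIRECTORY fd for /proc; the process is killed (PCHECK) if self/task/ cannot be opened, so callers never see an invalid fd.` Since the helper now feeds the fd into the BPF sandbox initializers, making the precondition explicit keeps future callers from passing an arbitrary directory fd.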
|
| @@ -51,6 +62,9 @@ NaClSandbox::NaClSandbox()
|
| proc_fd_.reset(
|
| HANDLE_EINTR(open("/proc", O_DIRECTORY | O_RDONLY | O_CLOEXEC)));
|
| PCHECK(proc_fd_.is_valid());
|
| + // Determine if the kernel supports seccomp-bpf and let it cache the
|
| + // result. This must be done before any sandbox is engaged.
|
| + sandbox::SandboxBPF::SupportsSeccompSandbox();
|
| }
|
|
|
| NaClSandbox::~NaClSandbox() {
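Review bot: The return value of `sandbox::SandboxBPF::SupportsSeccompSandbox()` is discarded on the line following the added comment; the comment explains the call is for its caching side effect, but to a reader (and to a future WARN_UNUSED_RESULT annotation) it looks like a dropped result. Make the intent visible in code, e.g. `ignore_result(sandbox::SandboxBPF::SupportsSeccompSandbox());` if base's ignore_result is in scope here, or at least finish the comment with `// The return value is intentionally unused.`. It is also worth saying in the comment why the probe must run before the sandbox: presumably the probe itself needs capabilities the engaged sandbox removes — confirm and state it. NaClSandbox::NaClSandbox() begins outside this hunk.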
|
| @@ -58,9 +72,7 @@ NaClSandbox::~NaClSandbox() {
|
|
|
| bool NaClSandbox::IsSingleThreaded() {
|
| CHECK(proc_fd_.is_valid());
|
| - base::ScopedFD proc_self_task(HANDLE_EINTR(openat(
|
| - proc_fd_.get(), "self/task/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)));
|
| - PCHECK(proc_self_task.is_valid());
|
| + base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get()));
|
| return sandbox::ThreadHelpers::IsSingleThreaded(proc_self_task.get());
|
| }
|
|
|
| @@ -114,11 +126,14 @@ void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) {
|
| CHECK(IsSingleThreaded());
|
| CheckForExpectedNumberOfOpenFds();
|
|
|
| + base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get()));
|
| +
|
| if (uses_nonsfi_mode) {
|
| - layer_two_enabled_ = nacl::nonsfi::InitializeBPFSandbox();
|
| + layer_two_enabled_ =
|
| + nacl::nonsfi::InitializeBPFSandbox(proc_self_task.Pass());
|
| layer_two_is_nonsfi_ = true;
|
| } else {
|
| - layer_two_enabled_ = nacl::InitializeBPFSandbox();
|
| + layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_self_task.Pass());
|
| }
|
| }
|
|
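Review bot: The new `base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get()));` is placed after `CheckForExpectedNumberOfOpenFds()`, which is the only ordering that keeps the open-fd count check honest, but nothing records that this ordering is load-bearing. Add a comment above the declaration such as `// Opened after CheckForExpectedNumberOfOpenFds() on purpose so the fd count check stays exact; ownership is handed to the BPF sandbox initializer below.` Both branches transfer the fd with `Pass()`, so after this point the sandbox initializers own it and are responsible for closing it before the sandbox engages — that cannot be verified from this diff. NaClSandbox::InitializeLayerTwoSandbox() begins outside this hunk.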
|
|
|