Start all children in their own PID namespace.

content/zygote/zygote_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/zygote/zygote_linux.h"
 
 #include <fcntl.h>
 #include <string.h>
 #include <sys/socket.h>
 #include <sys/types.h>
@@ skipping 18 matching lines @@
 #include "content/common/sandbox_linux/sandbox_linux.h"
 #include "content/common/set_process_title.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/common/content_descriptors.h"
 #include "content/public/common/result_codes.h"
 #include "content/public/common/sandbox_linux.h"
 #include "content/public/common/send_zygote_child_ping_linux.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
 #include "ipc/ipc_channel.h"
 #include "ipc/ipc_switches.h"
+#include "sandbox/linux/services/credentials.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
 
 // See http://code.google.com/p/chromium/wiki/LinuxZygote
 
 namespace content {
 
 namespace {
 
 // NOP function. See below where this handler is installed.
 void SIGCHLDHandler(int signal) {
 }
 
+// On Linux, when a process is the init process of a PID namespace, it cannot be
+// terminated by signals like SIGTERM or SIGINT, since they are ignored unless
+// we register a handler for them. In the handlers, we exit with this special
+// exit code that GetTerminationStatus understands to mean that we were
+// terminated by an external signal.
+const int kKilledExitCode = 0x80;
+const int kUnexpectedExitCode = 0x81;
+
 int LookUpFd(const base::GlobalDescriptors::Mapping& fd_mapping, uint32_t key) {
   for (size_t index = 0; index < fd_mapping.size(); ++index) {
     if (fd_mapping[index].key == key)
       return fd_mapping[index].fd;
   }
   return -1;
 }
 
 void CreatePipe(base::ScopedFD* read_pipe, base::ScopedFD* write_pipe) {
   int raw_pipe[2];
@@ skipping 208 matching lines @@
         GetTerminationStatus(child, true /* known_dead */, &status, &exit_code);
     DCHECK(got_termination_status);
   }
   process_info_map_.erase(child);
 }
 
 bool Zygote::GetTerminationStatus(base::ProcessHandle real_pid,
                                   bool known_dead,
                                   base::TerminationStatus* status,
                                   int* exit_code) {
-
   ZygoteProcessInfo child_info;
   if (!GetProcessInfo(real_pid, &child_info)) {
-    LOG(ERROR) << "Zygote::GetTerminationStatus for unknown PID "
+    LOG(FATAL) << "Zygote::GetTerminationStatus for unknown PID "
                << real_pid;
-    NOTREACHED();

[jln (very slow on Chromium), 2015/03/24 22:03:34]

NOTREACHED() crash is debug-only.

I think it could be ok to move to LOG(FATAL), but it should be done as a
separate CL in this case.

[rickyz (no longer on Chrome), 2015/03/25 22:47:46]

Done.

     return false;
   }
   // We know about |real_pid|.
   const base::ProcessHandle child = child_info.internal_pid;
   if (child_info.started_from_helper) {
     if (!child_info.started_from_helper->GetTerminationStatus(
             child, known_dead, status, exit_code)) {
       return false;
     }
   } else {
     // Handle the request directly.
     if (known_dead) {
       *status = base::GetKnownDeadTerminationStatus(child, exit_code);
     } else {
       // We don't know if the process is dying, so get its status but don't
       // wait.
       *status = base::GetTerminationStatus(child, exit_code);
     }
   }
   // Successfully got a status for |real_pid|.
   if (*status != base::TERMINATION_STATUS_STILL_RUNNING) {
     // Time to forget about this process.
     process_info_map_.erase(real_pid);
   }
+
+  if (WIFEXITED(*exit_code) && WEXITSTATUS(*exit_code) == kKilledExitCode) {
+    *status = base::TERMINATION_STATUS_PROCESS_WAS_KILLED;
+  }
+
   return true;
 }
 
 void Zygote::HandleGetTerminationStatus(int fd,
                                         PickleIterator iter) {
   bool known_dead;
   base::ProcessHandle child_requested;
 
   if (!iter.ReadBool(&known_dead) || !iter.ReadInt(&child_requested)) {
     LOG(WARNING) << "Error parsing GetTerminationStatus request "
@@ skipping 50 matching lines @@
     }
     std::vector<int> fds;
     fds.push_back(ipc_channel_fd);  // kBrowserFDIndex
     fds.push_back(pid_oracle.get());  // kPIDOracleFDIndex
     pid = helper->Fork(process_type, fds, channel_id);
 
     // Helpers should never return in the child process.
     CHECK_NE(pid, 0);
   } else {
     CreatePipe(&read_pipe, &write_pipe);
-    // This is roughly equivalent to a fork(). We are using ForkWithFlags mainly
-    // to give it some more diverse test coverage.
-    pid = base::ForkWithFlags(SIGCHLD, nullptr, nullptr);
+    if (sandbox_flags_ & kSandboxLinuxPIDNS &&
+        sandbox_flags_ & kSandboxLinuxUserNS) {
+      pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace();
+    } else {
+      pid = fork();
+    }
   }
 
   if (pid == 0) {
+    if (sandbox::Credentials::HasAnyCapability()) {
+      CHECK(sandbox::Credentials::DropAllCapabilities(

[jln (very slow on Chromium), 2015/03/25 02:09:13]

We'll need an API to drop all capabilities only on the current thread only
anyways.

How about:

Add: DropAllCapabilitiesOnCurrentThread() API, which doesn't check for threads
in /proc. Add some warning about this being a subtle / advanced API.

In ForkInNewPidNamespace(), call DropAllCapabilitiesOnCurrentThread() in the
child (safe since we just forked).

Of course, DropAllCapabilities() will internally simply perform the
single-threaded check and then call DropAllCapabilitiesOnCurrentThread().

This feels a bit odd, but seems like the right thing to do. At least
DropAllCapabilitiesOnCurrentThread() calls should be rare and easily auditable.

[rickyz (no longer on Chrome), 2015/03/25 22:47:46]

Good idea, done. I made it drop capabilities based on an argument to keep in
flexible (in case someone wants to create nested pid namespaces, for example).

+          LinuxSandbox::GetInstance()->proc_fd()));
+    }
+
+    // If the process is the init process inside a PID namespace, it must have
+    // explicit signal handlers.
+    if (getpid() == 1) {
+      for (const int sig : {SIGINT, SIGTERM}) {
+        sandbox::NamespaceSandbox::InstallTerminationSignalHandler(
+            sig, kKilledExitCode);
+      }
+
+      static const int kUnexpectedSignals[] = {
+          SIGHUP, SIGQUIT, SIGABRT, SIGPIPE, SIGUSR1, SIGUSR2,
+      };
+      for (const int sig : kUnexpectedSignals) {
+        sandbox::NamespaceSandbox::InstallTerminationSignalHandler(
+            sig, kUnexpectedExitCode);
+      }
+    }
+
     // In the child process.
     write_pipe.reset();
 
     // Ping the PID oracle socket so the browser can find our PID.
     CHECK(SendZygoteChildPing(pid_oracle.get()));
 
     // Now read back our real PID from the zygote.
     base::ProcessId real_pid;
     if (!base::ReadFromFD(read_pipe.get(),
                           reinterpret_cast<char*>(&real_pid),
@@ skipping 191 matching lines @@
                                     PickleIterator iter) {
   if (HANDLE_EINTR(write(fd, &sandbox_flags_, sizeof(sandbox_flags_))) !=
                    sizeof(sandbox_flags_)) {
     PLOG(ERROR) << "write";
   }
 
   return false;
 }
 
 }  // namespace content