Start all children in their own PID namespace.

sandbox/linux/services/credentials.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <signal.h>
 #include <stdio.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/files/file_path.h"

[jln (very slow on Chromium), 2015/03/25 23:47:50]

#include "build/build_config.h"

[rickyz (no longer on Chrome), 2015/03/26 00:09:37]

Is this actually needed? I think THREAD_SANITIZER is set via the command line
(in common.gyp)

 #include "base/files/file_util.h"
 #include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/process/launch.h"
 #include "base/template_util.h"
 #include "base/third_party/valgrind/valgrind.h"
 #include "build/build_config.h"
 #include "sandbox/linux/services/namespace_utils.h"
 #include "sandbox/linux/services/proc_util.h"
 #include "sandbox/linux/services/syscall_wrappers.h"
@@ skipping 90 matching lines @@
     case LinuxCapability::kCapSysAdmin:
       return CAP_SYS_ADMIN;
   }
 
   LOG(FATAL) << "Invalid LinuxCapability: " << static_cast<int>(cap);
   return 0;
 }
 
 }  // namespace.
 
+// static
 bool Credentials::DropAllCapabilities(int proc_fd) {
   if (!SetCapabilities(proc_fd, std::vector<LinuxCapability>())) {
     return false;
   }
 
   CHECK(!HasAnyCapability());
   return true;
 }
 
+// static
 bool Credentials::DropAllCapabilities() {
   base::ScopedFD proc_fd(ProcUtil::OpenProc());
   return Credentials::DropAllCapabilities(proc_fd.get());
 }
 
 // static
-bool Credentials::SetCapabilities(int proc_fd,
-                                  const std::vector<LinuxCapability>& caps) {
-  DCHECK_LE(0, proc_fd);
+bool Credentials::DropAllCapabilitiesOnCurrentThread() {
+  return SetCapabilitiesOnCurrentThread(std::vector<LinuxCapability>());
+}
 
-#if !defined(THREAD_SANITIZER)
-  // With TSAN, accept to break the security model as it is a testing
-  // configuration.
-  CHECK(ThreadHelpers::IsSingleThreaded(proc_fd));
-#endif
-
+// static
+bool Credentials::SetCapabilitiesOnCurrentThread(
+    const std::vector<LinuxCapability>& caps) {
   struct cap_hdr hdr = {};
   hdr.version = _LINUX_CAPABILITY_VERSION_3;
   struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}};
 
   // Initially, cap has no capability flags set. Enable the effective and
   // permitted flags only for the requested capabilities.
   for (const LinuxCapability cap : caps) {
     const int cap_num = LinuxCapabilityToKernelValue(cap);
     const size_t index = CAP_TO_INDEX(cap_num);
     const uint32_t mask = CAP_TO_MASK(cap_num);
     data[index].effective |= mask;
     data[index].permitted |= mask;
   }
 
   return sys_capset(&hdr, data) == 0;
 }
 
+// static
+bool Credentials::SetCapabilities(int proc_fd,
+                                  const std::vector<LinuxCapability>& caps) {
+  DCHECK_LE(0, proc_fd);
+
+#if !defined(THREAD_SANITIZER)
+  // With TSAN, accept to break the security model as it is a testing
+  // configuration.
+  CHECK(ThreadHelpers::IsSingleThreaded(proc_fd));
+#endif
+
+  return SetCapabilitiesOnCurrentThread(caps);
+}
+
 bool Credentials::HasAnyCapability() {
   struct cap_hdr hdr = {};
   hdr.version = _LINUX_CAPABILITY_VERSION_3;
   struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}};
 
   PCHECK(sys_capget(&hdr, data) == 0);
 
   for (size_t i = 0; i < arraysize(data); ++i) {
     if (data[i].effective || data[i].permitted || data[i].inheritable) {
       return true;
@@ skipping 95 matching lines @@
   CHECK_LE(0, proc_fd);
 
   CHECK(ChrootToSafeEmptyDir());
   CHECK(!base::DirectoryExists(base::FilePath("/proc")));
   CHECK(!ProcUtil::HasOpenDirectory(proc_fd));
   // We never let this function fail.
   return true;
 }
 
 }  // namespace sandbox.