Chromium Code Reviews Chromium Code Reviews
Issue 868233011:
Start all children in their own PID namespace. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: content/zygote/zygote_main_linux.cc |
| diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc |
| index efbfdb02d87eb2a37b477fca668b0405fbcf148d..c5f60c15e3ed5f318b45ca5ce2e1787cb17ac768 100644 |
| --- a/content/zygote/zygote_main_linux.cc |
| +++ b/content/zygote/zygote_main_linux.cc |
| @@ -40,6 +40,7 @@ |
| #include "content/public/common/zygote_fork_delegate_linux.h" |
| #include "content/zygote/zygote_linux.h" |
| #include "crypto/nss_util.h" |
| +#include "sandbox/linux/services/credentials.h" |
| #include "sandbox/linux/services/init_process_reaper.h" |
| #include "sandbox/linux/services/libc_urandom_override.h" |
| #include "sandbox/linux/services/namespace_sandbox.h" |
| @@ -406,12 +407,21 @@ static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox, |
| return true; |
| } |
| +static void DropAllCapabilities(int proc_fd, base::Closure* done) { |
|
jln (very slow on Chromium)
2015/02/25 21:32:48
DropAllCapabilitiesAndRun()
jln (very slow on Chromium)
2015/02/25 21:32:49
I don't think there is a way in base:: to make a c
rickyz (no longer on Chrome)
2015/03/21 01:35:31
Done.
|
| + LOG(ERROR) << "proc_fd: " << proc_fd; |
|
jln (very slow on Chromium)
2015/02/25 21:32:48
oops
rickyz (no longer on Chrome)
2015/03/21 01:35:31
Done.
|
| + CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd)); |
| + done->Run(); |
| +} |
| + |
| static void EnterNamespaceSandbox(LinuxSandbox* linux_sandbox, |
| base::Closure* post_fork_parent_callback) { |
| linux_sandbox->EngageNamespaceSandbox(); |
| if (getpid() == 1) { |
| - CHECK(CreateInitProcessReaper(post_fork_parent_callback)); |
| + base::Closure callback = |
| + base::Bind(&DropAllCapabilities, linux_sandbox->proc_fd(), |
| + post_fork_parent_callback); |
| + CHECK(CreateInitProcessReaper(&callback)); |
| } |
| } |
