1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef SANDBOX_LINUX_SERVICES_NAMESPACE_SANDBOX_H_ | |
6 #define SANDBOX_LINUX_SERVICES_NAMESPACE_SANDBOX_H_ | |
7 | |
8 #include "base/files/scoped_file.h" | |
9 #include "base/process/launch.h" | |
10 #include "base/process/process_handle.h" | |
11 #include "sandbox/sandbox_export.h" | |
12 | |
13 namespace sandbox { | |
14 | |
15 // Helper class for starting a process inside a new user, PID, and network | |
16 // namespace. Before using a namespace sandbox, check for namespaces support | |
17 // using Credentials::CanCreateProcessInNewUserNS. | |
18 // | |
19 // A typical use for "A" launching a sandboxed process "B" would be: | |
20 // 1. A sets up a command line for process B. | |
21 // 2. A calls SetupLaunchOptions which sets up the a pipe for communicating with | |
22 // the child. | |
23 // 3. A launches B with base::LaunchProcess. | |
24 // 4. A calls PrepareSandboxedProcess, at which point B begins running. | |
25 // 5. B should be prepared to assume the role of init(1). In particular, apart | |
26 // from SIGKILL and SIGSTOP, B cannot receive any signal for which it does | |
27 // not have an explicit signal handler registered. | |
28 // If B dies, all the processes in the namespace will die. | |
29 // B can fork() and the parent can assume the role of init(1), by using | |
30 // CreateInitProcessReaper(). | |
31 // 6. B chroots using Credentials::MoveToNewUserNS() and | |
32 // Credentials::DropFileSystemAccess(). | |
33 // | |
34 // An instance of this class may only be used once. | |
35 class SANDBOX_EXPORT NamespaceSandbox { | |
36 public: | |
37 NamespaceSandbox(); | |
38 ~NamespaceSandbox(); | |
39 | |
40 // Setup the launch options for the sandboxed process. The caller is | |
41 // responsible for setting options->fds_to_remap = fds_to_remap. | |
42 void SetupLaunchOptions(base::LaunchOptions* options, | |
jln (very slow on Chromium)
2015/01/28 02:34:39
Maybe mention again that CanCreateProcessInNewUser
jln (very slow on Chromium)
2015/01/28 02:34:39
We should at least claim ownership of options. Tha
rickyz (no longer on Chrome)
2015/01/29 00:57:48
For now, I went with embedding the LaunchOptions i
rickyz (no longer on Chrome)
2015/01/29 01:02:48
Oops, missed this one, added a comment to Launch.
43 base::FileHandleMappingVector* fds_to_remap); | |
44 | |
45 // Prepares the child process before it execs the new program. This adds an | |
46 // identity mapping for the uid and gid inside the user namespace, then | |
47 // signals the child to exec the new program. | |
48 void PrepareSandboxedProcess(base::ProcessId pid); | |
49 | |
50 // Returns whether the namespace sandbox created a new user, PID, and network | |
51 // namespace. In particular, InNewUserNamespace should return true iff the | |
52 // process was started via this class. | |
53 static bool InNewUserNamespace(); | |
54 static bool InNewPidNamespace(); | |
55 static bool InNewNetNamespace(); | |
56 | |
57 private: | |
58 class ReadFromPipeDelegate : public base::LaunchOptions::PreExecDelegate { | |
jln (very slow on Chromium)
2015/01/28 02:34:39
It's an edge case, but I would split to its own fi
rickyz (no longer on Chrome)
2015/01/29 00:57:48
This became unnecessary after the last refactoring
59 public: | |
60 ReadFromPipeDelegate(); | |
61 ~ReadFromPipeDelegate() override; | |
62 void RunAsyncSafe() override; | |
63 void set_fd(int fd); | |
64 | |
65 private: | |
66 int fd_; | |
jln (very slow on Chromium)
2015/01/28 02:34:39
ReadFromPipeDelegate should own this file descript
rickyz (no longer on Chrome)
2015/01/29 00:57:48
I didn't want to make the delegate own the fd beca
67 DISALLOW_COPY_AND_ASSIGN(ReadFromPipeDelegate); | |
68 }; | |
69 // Pipe fds used to communicate with the child process. | |
70 base::ScopedFD read_fd_; | |
71 base::ScopedFD write_fd_; | |
72 | |
73 ReadFromPipeDelegate read_from_pipe_delegate_; | |
74 }; | |
75 | |
76 } // namespace sandbox | |
77 | |
78 #endif // SANDBOX_LINUX_SERVICES_NAMESPACE_SANDBOX_H_ | |
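Review bot: `PrepareSandboxedProcess(base::ProcessId pid)` returns void, so the caller cannot learn whether the uid/gid identity mapping was actually written before the child is released to exec, and the header does not say what happens on failure (whether the call CHECK-fails, or whether the child is still signalled and runs unmapped). Since that mapping is the security boundary this class exists to set up, the declaration should state the contract explicitly, e.g. `// Returns false (and does not release the child) if the uid/gid map could not be written.` with a `bool` return, or a comment stating that failure is fatal if that is the implemented behaviour. Relatedly, `ReadFromPipeDelegate::fd_` has no initial value in the declaration; if the constructor (not visible here) does not set it to -1, a delegate whose `set_fd` was never called would read from whatever fd happens to be in that slot inside the child. The implementation file is outside this review, so both points are hedged on what it does.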