Non-SFI mode:Suid sandbox.

components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ skipping 78 matching lines @@
     // the setuid sandbox model.
     CHECK(!HasOpenDirectory());
 
     // Get sandboxed.
     CHECK(setuid_sandbox_client_->ChrootMe());
     CHECK(IsSandboxed());
     layer_one_enabled_ = true;
   }
 }
 
+#if !defined(OS_NACL_NONSFI)
+// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
+// TODO(hidehiko): Enable the sandbox.
 void NaClSandbox::CheckForExpectedNumberOfOpenFds() {

[Mark Seaborn, 2015/02/06 20:15:03]

Technically, CheckForExpectedNumberOfOpenFds() isn't part of the layer-two
(seccomp) sandbox.  This check is useful when we only have the layer-one (SUID)
sandbox enabled too.

Does CheckForExpectedNumberOfOpenFds() fail at run-time in nacl_helper_nonsfi,
or does it fail to link?  Maybe you could say in the comment which of the two
applies.

[hidehiko, 2015/03/02 19:16:25]

No, but it is only called from InitializeLayerTwoSandbox() so I exclude it.
Ditto for above methods. (Note that some of above methods contains PNaCl
toolchian unsupported code. I'll address it later).

   if (setuid_sandbox_client_->IsSuidSandboxChild()) {
     // We expect to have the following FDs open:
     //  1-3) stdin, stdout, stderr.
     //  4) The /dev/urandom FD used by base::GetUrandomFD().
     //  5) A dummy pipe FD used to overwrite kSandboxIPCChannel.
     //  6) The socket created by the SUID sandbox helper, used by ChrootMe().
     //     After ChrootMe(), this is no longer connected to anything.
     //     (Only present when running under the SUID sandbox.)
     //  7) The socket for the Chrome IPC channel that's connected to the
     //     browser process, kPrimaryIPCChannel.
@@ skipping 14 matching lines @@
   base::ScopedFD proc_self_task(GetProcSelfTask(proc_fd_.get()));
 
   if (uses_nonsfi_mode) {
     layer_two_enabled_ =
         nacl::nonsfi::InitializeBPFSandbox(proc_self_task.Pass());
     layer_two_is_nonsfi_ = true;
   } else {
     layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_self_task.Pass());
   }
 }
+#endif  // OS_NACL_NONSFI
 
 void NaClSandbox::SealLayerOneSandbox() {
   if (!layer_two_enabled_) {
     // If nothing prevents us, check that there is no superfluous directory
     // open.
     CHECK(!HasOpenDirectory());
   }
   proc_fd_.reset();
   layer_one_sealed_ = true;
 }
@@ skipping 11 matching lines @@
 
   if (!layer_one_enabled_ || !layer_one_sealed_) {
     static const char kNoSuidMsg[] =
         "The SUID sandbox is not engaged for NaCl:";
     if (can_be_no_sandbox)
       LOG(ERROR) << kNoSuidMsg << kItIsDangerousMsg;
     else
       LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg;
   }
 
+#if !defined(OS_NACL_NONSFI)
+  // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
+  // TODO(hidehiko): Enable the sandbox.
   if (!layer_two_enabled_) {
     static const char kNoBpfMsg[] =
         "The seccomp-bpf sandbox is not engaged for NaCl:";
     if (can_be_no_sandbox)
       LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg;
     else
       LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
   }
+#endif
 }
 
 }  // namespace nacl