Allow using the namespace sandbox in zygote host.

content/browser/zygote_host/zygote_host_impl_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/zygote_host/zygote_host_impl_linux.h"
 
 #include <string.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ skipping 20 matching lines @@
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/time.h"
 #include "content/browser/renderer_host/render_sandbox_host_linux.h"
 #include "content/common/child_process_sandbox_support_impl_linux.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/result_codes.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/services/credentials.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
+#include "sandbox/linux/services/namespace_utils.h"
 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
 #include "sandbox/linux/suid/common/sandbox.h"
 #include "ui/base/ui_base_switches.h"
 #include "ui/gfx/switches.h"
 
 #if defined(USE_TCMALLOC)
 #include "third_party/tcmalloc/chromium/src/gperftools/heap-profiler.h"
 #endif
 
 namespace content {
 
+namespace {
+
 // Receive a fixed message on fd and return the sender's PID.
 // Returns true if the message received matches the expected message.
-static bool ReceiveFixedMessage(int fd,
-                                const char* expect_msg,
-                                size_t expect_len,
-                                base::ProcessId* sender_pid) {
+bool ReceiveFixedMessage(int fd,
+                         const char* expect_msg,
+                         size_t expect_len,
+                         base::ProcessId* sender_pid) {
   char buf[expect_len + 1];
   ScopedVector<base::ScopedFD> fds_vec;
 
   const ssize_t len = UnixDomainSocket::RecvMsgWithPid(
       fd, buf, sizeof(buf), &fds_vec, sender_pid);
   if (static_cast<size_t>(len) != expect_len)
     return false;
   if (memcmp(buf, expect_msg, expect_len) != 0)
     return false;
   if (!fds_vec.empty())
     return false;
   return true;
 }
 
+}  // namespace
+
 // static
 ZygoteHost* ZygoteHost::GetInstance() {
   return ZygoteHostImpl::GetInstance();
 }
 
 ZygoteHostImpl::ZygoteHostImpl()
     : control_fd_(-1),
       control_lock_(),
       pid_(-1),
       init_(false),
@@ skipping 52 matching lines @@
     switches::kV,
     switches::kVModule,
   };
   cmd_line.CopySwitchesFrom(browser_command_line, kForwardSwitches,
                             arraysize(kForwardSwitches));
 
   GetContentClient()->browser()->AppendExtraCommandLineSwitches(&cmd_line, -1);
 
   sandbox_binary_ = sandbox_cmd.c_str();
 
+  bool using_namespace_sandbox = ShouldUseNamespaceSandbox();
   // A non empty sandbox_cmd means we want a SUID sandbox.
-  using_suid_sandbox_ = !sandbox_cmd.empty();
+  using_suid_sandbox_ = !sandbox_cmd.empty() && !using_namespace_sandbox;
 
   // Start up the sandbox host process and get the file descriptor for the
   // renderers to talk to it.
   const int sfd = RenderSandboxHostLinux::GetInstance()->GetRendererSocket();
   fds_to_map.push_back(std::make_pair(sfd, GetSandboxFD()));
 
   base::ScopedFD dummy_fd;
   if (using_suid_sandbox_) {
     scoped_ptr<sandbox::SetuidSandboxClient>
         sandbox_client(sandbox::SetuidSandboxClient::Create());
     sandbox_client->PrependWrapper(&cmd_line);
     sandbox_client->SetupLaunchOptions(&options, &fds_to_map, &dummy_fd);
     sandbox_client->SetupLaunchEnvironment();
   }
 
   options.fds_to_remap = &fds_to_map;
-  base::Process process = base::LaunchProcess(cmd_line.argv(), options);
+  base::Process process =
+      using_namespace_sandbox
+          ? sandbox::NamespaceSandbox::LaunchProcess(cmd_line, options)
+          : base::LaunchProcess(cmd_line, options);
   CHECK(process.IsValid()) << "Failed to launch zygote process";
+
   dummy_fd.reset();
 
   if (using_suid_sandbox_) {
     // The SUID sandbox will execute the zygote in a new PID namespace, and
     // the main zygote process will then fork from there.  Watch now our
     // elaborate dance to find and validate the zygote's PID.
 
     // First we receive a message from the zygote boot process.
     base::ProcessId boot_pid;
     CHECK(ReceiveFixedMessage(
@@ skipping 378 matching lines @@
 pid_t ZygoteHostImpl::GetPid() const {
   return pid_;
 }
 
 int ZygoteHostImpl::GetSandboxStatus() const {
   if (have_read_sandbox_status_word_)
     return sandbox_status_;
   return 0;
 }
 
+bool ZygoteHostImpl::ShouldUseNamespaceSandbox() {
+  const base::CommandLine& command_line =
+      *base::CommandLine::ForCurrentProcess();
+  if (command_line.HasSwitch(switches::kNoSandbox)) {
+    return false;
+  }
+
+  if (!command_line.HasSwitch(switches::kEnableNamespaceSandbox)) {
+    return false;
+  }
+
+  if (!sandbox::Credentials::CanCreateProcessInNewUserNS()) {
+    return false;
+  }
+
+  // Unlike the setuid sandbox, the namespace sandbox does not make processes

[jln (very slow on Chromium), 2015/02/05 00:26:56]

I wonder if we shouldn't have the NS sandbox as a drop-in replacement for the
setuid sandbox. i.e. let's make processes non-dumpable as well (it should just
work, as long as the setuid binary is still there..)

We can drop that later after careful consideration as a cool new feature. But
maybe only if Yama is present.

[rickyz (no longer on Chrome), 2015/02/05 01:42:51]

Yeah, that sounds good - I switched back to using the suid sandbox for writing
OOM scores and re-added the non-dumpability (and removed the seccomp-bpf
requirement as we discussed).

+  // non-dumpable. In order to use the namespace sandbox, we must be able to use
+  // seccomp-bpf for process isolation.
+  if (!sandbox::SandboxBPF::SupportsSeccompSandbox(
+          sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED)) {
+    return false;
+  }
+
+  return true;
+}
+
 }  // namespace content