Chromium Code Reviews Chromium Code Reviews
Issue 897723005:
Allow using the namespace sandbox in zygote host. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: content/browser/zygote_host/zygote_host_impl_linux.cc |
| diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc |
| index f9e69a2b13d80e8c68b2097a71847599530ac083..182a975a50183cec5148f2dc0dffd6ec7a1c8263 100644 |
| --- a/content/browser/zygote_host/zygote_host_impl_linux.cc |
| +++ b/content/browser/zygote_host/zygote_host_impl_linux.cc |
| @@ -38,6 +38,10 @@ |
| #include "content/public/browser/content_browser_client.h" |
| #include "content/public/common/content_switches.h" |
| #include "content/public/common/result_codes.h" |
| +#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| +#include "sandbox/linux/services/credentials.h" |
| +#include "sandbox/linux/services/namespace_sandbox.h" |
| +#include "sandbox/linux/services/namespace_utils.h" |
| #include "sandbox/linux/suid/client/setuid_sandbox_client.h" |
| #include "sandbox/linux/suid/common/sandbox.h" |
| #include "ui/base/ui_base_switches.h" |
| @@ -49,12 +53,14 @@ |
| namespace content { |
| +namespace { |
| + |
| // Receive a fixed message on fd and return the sender's PID. |
| // Returns true if the message received matches the expected message. |
| -static bool ReceiveFixedMessage(int fd, |
| - const char* expect_msg, |
| - size_t expect_len, |
| - base::ProcessId* sender_pid) { |
| +bool ReceiveFixedMessage(int fd, |
| + const char* expect_msg, |
| + size_t expect_len, |
| + base::ProcessId* sender_pid) { |
| char buf[expect_len + 1]; |
| ScopedVector<base::ScopedFD> fds_vec; |
| @@ -69,6 +75,8 @@ static bool ReceiveFixedMessage(int fd, |
| return true; |
| } |
| +} // namespace |
| + |
| // static |
| ZygoteHost* ZygoteHost::GetInstance() { |
| return ZygoteHostImpl::GetInstance(); |
| @@ -141,8 +149,9 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) { |
| sandbox_binary_ = sandbox_cmd.c_str(); |
| + bool using_namespace_sandbox = ShouldUseNamespaceSandbox(); |
| // A non empty sandbox_cmd means we want a SUID sandbox. |
| - using_suid_sandbox_ = !sandbox_cmd.empty(); |
| + using_suid_sandbox_ = !sandbox_cmd.empty() && !using_namespace_sandbox; |
| // Start up the sandbox host process and get the file descriptor for the |
| // renderers to talk to it. |
| @@ -159,8 +168,12 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) { |
| } |
| options.fds_to_remap = &fds_to_map; |
| - base::Process process = base::LaunchProcess(cmd_line.argv(), options); |
| + base::Process process = |
| + using_namespace_sandbox |
| + ? sandbox::NamespaceSandbox::LaunchProcess(cmd_line, options) |
| + : base::LaunchProcess(cmd_line, options); |
| CHECK(process.IsValid()) << "Failed to launch zygote process"; |
| + |
| dummy_fd.reset(); |
| if (using_suid_sandbox_) { |
| @@ -559,4 +572,30 @@ int ZygoteHostImpl::GetSandboxStatus() const { |
| return 0; |
| } |
| +bool ZygoteHostImpl::ShouldUseNamespaceSandbox() { |
| + const base::CommandLine& command_line = |
| + *base::CommandLine::ForCurrentProcess(); |
| + if (command_line.HasSwitch(switches::kNoSandbox)) { |
| + return false; |
| + } |
| + |
| + if (!command_line.HasSwitch(switches::kEnableNamespaceSandbox)) { |
| + return false; |
| + } |
| + |
| + if (!sandbox::Credentials::CanCreateProcessInNewUserNS()) { |
| + return false; |
| + } |
| + |
| + // Unlike the setuid sandbox, the namespace sandbox does not make processes |
|
jln (very slow on Chromium)
2015/02/05 00:26:56
I wonder if we shouldn't have the NS sandbox as a
rickyz (no longer on Chrome)
2015/02/05 01:42:51
Yeah, that sounds good - I switched back to using
|
| + // non-dumpable. In order to use the namespace sandbox, we must be able to use |
| + // seccomp-bpf for process isolation. |
| + if (!sandbox::SandboxBPF::SupportsSeccompSandbox( |
| + sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED)) { |
| + return false; |
| + } |
| + |
| + return true; |
| +} |
| + |
| } // namespace content |
