| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" | 5 #include "components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <sys/prctl.h> | 9 #include <sys/prctl.h> |
| 10 #include <sys/stat.h> | 10 #include <sys/stat.h> |
| 108 // the setuid sandbox model. | 108 // the setuid sandbox model. |
| 109 CHECK(!HasOpenDirectory()); | 109 CHECK(!HasOpenDirectory()); |
| 110 | 110 |
| 111 // Get sandboxed. | 111 // Get sandboxed. |
| 112 CHECK(setuid_sandbox_client_->ChrootMe()); | 112 CHECK(setuid_sandbox_client_->ChrootMe()); |
| 113 CHECK(MaybeSetProcessNonDumpable()); | 113 CHECK(MaybeSetProcessNonDumpable()); |
| 114 CHECK(IsSandboxed()); | 114 CHECK(IsSandboxed()); |
| 115 layer_one_enabled_ = true; | 115 layer_one_enabled_ = true; |
| 116 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { | 116 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) { |
| 117 CHECK(sandbox::Credentials::MoveToNewUserNS()); | 117 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| 118 // This relies on SealLayerOneSandbox() to be called later. | |
| 119 CHECK(!HasOpenDirectory()); | |
|
mdempsky
2015/02/12 03:07:14
This matches the ordering under IsSuidSandboxChild
jln (very slow on Chromium)
2015/02/12 03:25:28
We actually also do that as part of the "sealing".
| |
| 118 CHECK(sandbox::Credentials::DropFileSystemAccess()); | 120 CHECK(sandbox::Credentials::DropFileSystemAccess()); |
| 121 CHECK(IsSingleThreaded()); | |
| 119 CHECK(sandbox::Credentials::DropAllCapabilities()); | 122 CHECK(sandbox::Credentials::DropAllCapabilities()); |
| 120 CHECK(IsSandboxed()); | 123 CHECK(IsSandboxed()); |
| 121 layer_one_enabled_ = true; | 124 layer_one_enabled_ = true; |
| 122 } | 125 } |
| 123 } | 126 } |
| 124 | 127 |
| 125 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { | 128 void NaClSandbox::CheckForExpectedNumberOfOpenFds() { |
| 126 // We expect to have the following FDs open: | 129 // We expect to have the following FDs open: |
| 127 // 1-3) stdin, stdout, stderr. | 130 // 1-3) stdin, stdout, stderr. |
| 128 // 4) The /dev/urandom FD used by base::GetUrandomFD(). | 131 // 4) The /dev/urandom FD used by base::GetUrandomFD(). |
| 195 static const char kNoBpfMsg[] = | 198 static const char kNoBpfMsg[] = |
| 196 "The seccomp-bpf sandbox is not engaged for NaCl:"; | 199 "The seccomp-bpf sandbox is not engaged for NaCl:"; |
| 197 if (can_be_no_sandbox) | 200 if (can_be_no_sandbox) |
| 198 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; | 201 LOG(ERROR) << kNoBpfMsg << kItIsDangerousMsg; |
| 199 else | 202 else |
| 200 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; | 203 LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg; |
| 201 } | 204 } |
| 202 } | 205 } |
| 203 | 206 |
| 204 } // namespace nacl | 207 } // namespace nacl |
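Review bot: `CHECK(IsSingleThreaded());` at new line 121 runs only after `MoveToNewUserNS()` (117) and `DropFileSystemAccess()` (120) have already been applied, so an unexpected extra thread is detected late, after credential changes that are per-thread on Linux have been made on this thread alone; unless those helpers verify single-threadedness themselves (not visible here), the check is more useful as the first statement of the `InNewUserNamespace()` branch, i.e. `CHECK(IsSingleThreaded());` directly before line 117, so the process fails before any namespace or filesystem change. The comment on new line 118 also leaves `This` unresolved, so a reader cannot tell whether it qualifies the `HasOpenDirectory()` check or the branch as a whole; `// Sanity check only: SealLayerOneSandbox() is expected to re-verify this later.` says the same thing without the ambiguity. The enclosing function starts before the first visible line of this section.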