Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1394)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/common/sandbox_linux/sandbox_linux.cc

Issue 915823002: Namespace sandbox: add important security checks (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Address comments. Created 5 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('K') | « content/common/sandbox_linux/sandbox_linux.h ('k') | content/content_common.gypi » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/common/sandbox_linux/sandbox_linux.cc
diff --git a/content/common/sandbox_linux/sandbox_linux.cc b/content/common/sandbox_linux/sandbox_linux.cc
index 480b2654f3df2bf79eea18923bfbcbee6c262002..29bbaa523678edc940f9a2b2ff71a5dbf431ddd1 100644
--- a/content/common/sandbox_linux/sandbox_linux.cc
+++ b/content/common/sandbox_linux/sandbox_linux.cc
@@ -28,10 +28,13 @@
#include "base/sys_info.h"
#include "base/time/time.h"
#include "build/build_config.h"
+#include "content/common/sandbox_linux/sandbox_debug_handling_linux.h"
#include "content/common/sandbox_linux/sandbox_linux.h"
#include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
#include "content/public/common/content_switches.h"
#include "content/public/common/sandbox_linux.h"
+#include "sandbox/linux/services/credentials.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
#include "sandbox/linux/services/proc_util.h"
#include "sandbox/linux/services/thread_helpers.h"
#include "sandbox/linux/services/yama.h"
@@ -182,6 +185,27 @@ void LinuxSandbox::PreinitializeSandbox() {
pre_initialized_ = true;
}
+void LinuxSandbox::EngageNamespaceSandbox() {
+ CHECK(pre_initialized_);
+ // Check being in a new PID namespace created by the namespace sandbox and
+ // being the init process.
+ CHECK(sandbox::NamespaceSandbox::InNewPidNamespace());
+ const pid_t pid = getpid();
+ CHECK_EQ(1, pid);
+
+ CHECK(sandbox::Credentials::MoveToNewUserNS());
+ // Note: this requires SealSandbox() to be called later in this process to be
+ // safe, as this class is keeping a file descriptor to /proc.
+ CHECK(!HasOpenDirectories());
+ CHECK(sandbox::Credentials::DropFileSystemAccess());
+ CHECK(IsSingleThreaded());
+ CHECK(sandbox::Credentials::DropAllCapabilities());
+
+ // This needs to happen after moving to a new user NS, since doing so involves
+ // writing the UID/GID map.
+ CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers());
+}
+
std::vector<int> LinuxSandbox::GetFileDescriptorsToClose() {
std::vector<int> fds;
if (proc_fd_ >= 0) {
« components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc ('K') | « content/common/sandbox_linux/sandbox_linux.h ('k') | content/content_common.gypi » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698