authorevan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-30 19:47:41 +0000
committerevan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-30 19:47:41 +0000
commit39c4e1a8b2343b3883a098a8e0d21fb8bd3204cf (patch)
tree456e767833a5abfca7ab89ba2e66c8935cfab1f7
parent3cd488a822976fd97aeb7e5237e483100a24fa12 (diff)
linux: enable seccomp sandbox by default
It seems the best way to keep the seccomp sandbox working is to have everyone's development environment have it on by default. So we turn on the seccomp sandbox, but only for non-official builds. If the build-time flag is set: --disable-seccomp-sandbox turns it off. If the build-time flag is *not* set: --enable-seccomp-sandbox turns it on. BUG=36133 Review URL: http://codereview.chromium.org/1558003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43122 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--build/common.gypi7
-rw-r--r--chrome/browser/renderer_host/browser_render_process_host.cc4
-rw-r--r--chrome/browser/zygote_host_linux.cc8
-rw-r--r--chrome/browser/zygote_main_linux.cc10
-rw-r--r--chrome/common/chrome_switches.cc25
-rw-r--r--chrome/common/chrome_switches.h9
-rw-r--r--chrome/renderer/renderer_main_platform_delegate_linux.cc5
-rw-r--r--chrome/test/nacl/nacl_test.cc6
8 files changed, 57 insertions, 17 deletions
diff --git a/build/common.gypi b/build/common.gypi
index 3b8f20e..2d0902a 100644
--- a/build/common.gypi
+++ b/build/common.gypi
@@ -208,6 +208,10 @@
# Disable TCMalloc's heapchecker.
'linux_use_heapchecker%': 0,
+ # Turn on seccomp sandbox by default.
+ # (Note: this is disabled for official builds.)
+ 'linux_use_seccomp_sandbox%': 1,
+
# Set to select the Title Case versions of strings in GRD files.
'use_titlecase_in_grd_files%': 0,
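Review bot: The comment `# (Note: this is disabled for official builds.)` understates what the second hunk of this file does: `USE_SECCOMP_SANDBOX` is only defined when `linux_use_seccomp_sandbox==1 and buildtype!="Official"`, so explicitly setting the variable to 1 on an Official build is silently ignored and there is no knob at all to force the sandbox on there. Worth saying so where the variable is declared, e.g. `# Ignored for Official builds: USE_SECCOMP_SANDBOX is only defined when buildtype!="Official".` If making it impossible to enable for Official builds is deliberate, a one-line reason next to that condition would spare the next person a search through the gyp conditions.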
@@ -957,6 +961,9 @@
'cflags': [ '-gstabs' ],
'defines': ['USE_LINUX_BREAKPAD'],
}],
+ ['linux_use_seccomp_sandbox==1 and buildtype!="Official"', {
+ 'defines': ['USE_SECCOMP_SANDBOX'],
+ }],
['library=="shared_library"', {
# When building with shared libraries, remove the visiblity-hiding
# flag.
diff --git a/chrome/browser/renderer_host/browser_render_process_host.cc b/chrome/browser/renderer_host/browser_render_process_host.cc
index 1c700b8..88cf631 100644
--- a/chrome/browser/renderer_host/browser_render_process_host.cc
+++ b/chrome/browser/renderer_host/browser_render_process_host.cc
@@ -500,7 +500,11 @@ void BrowserRenderProcessHost::PropagateBrowserCommandLineToRenderer(
switches::kRendererStartupDialog,
switches::kNoSandbox,
switches::kTestSandbox,
+#if defined(USE_SECCOMP_SANDBOX)
+ switches::kDisableSeccompSandbox,
+#else
switches::kEnableSeccompSandbox,
+#endif
#if !defined (GOOGLE_CHROME_BUILD)
// These are unsupported and not fully tested modes, so don't enable them
// for official Google Chrome builds.
diff --git a/chrome/browser/zygote_host_linux.cc b/chrome/browser/zygote_host_linux.cc
index 96506bb..cdeda42 100644
--- a/chrome/browser/zygote_host_linux.cc
+++ b/chrome/browser/zygote_host_linux.cc
@@ -103,9 +103,13 @@ void ZygoteHost::Init(const std::string& sandbox_cmd) {
browser_command_line.GetSwitchValueASCII(
switches::kUserDataDir));
}
- if (browser_command_line.HasSwitch(switches::kEnableSeccompSandbox)) {
+#if defined(USE_SECCOMP_SANDBOX)
+ if (browser_command_line.HasSwitch(switches::kDisableSeccompSandbox))
+ cmd_line.AppendSwitch(switches::kDisableSeccompSandbox);
+#else
+ if (browser_command_line.HasSwitch(switches::kEnableSeccompSandbox))
cmd_line.AppendSwitch(switches::kEnableSeccompSandbox);
- }
+#endif
sandbox_binary_ = sandbox_cmd.c_str();
struct stat st;
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc
index 7d877bd..793c855 100644
--- a/chrome/browser/zygote_main_linux.cc
+++ b/chrome/browser/zygote_main_linux.cc
@@ -509,8 +509,7 @@ static bool EnterSandbox() {
// chrooted.
const char* const sandbox_fd_string = getenv("SBX_D");
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ if (switches::SeccompSandboxEnabled()) {
PreSandboxInit();
SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
} else if (sandbox_fd_string) { // Use the SUID sandbox.
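Review bot: With `switches::SeccompSandboxEnabled()` now true by default in non-official builds, the `else if (sandbox_fd_string)` ordering means the SUID-sandbox branch is never taken on those builds even when the launcher has set `SBX_D`, which is a behaviour change for every developer build that previously ran under the SUID sandbox. If that is intended because the two sandboxes cannot be combined here, a comment above the `if` should say so, e.g. `// The seccomp sandbox takes precedence: when it is enabled we do not enter the SUID sandbox even if SBX_D is set.` Note also that `SeccompSandboxEnabled()` re-reads the command line on every call, so the "Disabling seccomp" fallback later in ZygoteMain (when /proc cannot be opened) presumably has to be communicated some other way; if it only logs, this branch is still taken. EnterSandbox's body starts and ends outside the hunk.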
@@ -618,8 +617,7 @@ bool ZygoteMain(const MainFunctionParams& params) {
// The seccomp sandbox needs access to files in /proc, which might be denied
// after one of the other sandboxes have been started. So, obtain a suitable
// file handle in advance.
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ if (switches::SeccompSandboxEnabled()) {
g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
if (g_proc_fd < 0) {
LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
@@ -639,9 +637,7 @@ bool ZygoteMain(const MainFunctionParams& params) {
// The seccomp sandbox will be turned on when the renderers start. But we can
// already check if sufficient support is available so that we only need to
// print one error message for the entire browser session.
- if (g_proc_fd >= 0 &&
- CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ if (g_proc_fd >= 0 && switches::SeccompSandboxEnabled()) {
if (!SupportsSeccompSandbox(g_proc_fd)) {
// There are a good number of users who cannot use the seccomp sandbox
// (e.g. because their distribution does not enable seccomp mode by
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index acd11af..a9a9b42 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -5,6 +5,7 @@
#include "chrome/common/chrome_switches.h"
#include "base/base_switches.h"
+#include "base/command_line.h"
namespace switches {
@@ -287,9 +288,6 @@ const char kEnablePrivacyBlacklists[] = "enable-privacy-blacklists";
// http://b/issue?id=1432077 is fixed.
const char kEnableRendererAccessibility[] = "enable-renderer-accessibility";
-// Enable the seccomp sandbox (Linux only)
-const char kEnableSeccompSandbox[] = "enable-seccomp-sandbox";
-
// Enables StatsTable, logging statistics to a global named shared memory table.
const char kEnableStatsTable[] = "enable-stats-table";
@@ -883,6 +881,27 @@ const char kInvalidateSyncLogin[] = "invalidate-sync-login";
const char kInvalidateSyncXmppLogin[] = "invalidate-sync-xmpp-login";
#endif
+// USE_SECCOMP_SANDBOX controls whether the seccomp sandbox is opt-in or -out.
+// TODO(evan): unify all of these once we turn the seccomp sandbox always
+// on. Also remove the #include of command_line.h above.
+#if defined(USE_SECCOMP_SANDBOX)
+// Disable the seccomp sandbox (Linux only)
+const char kDisableSeccompSandbox[] = "disable-seccomp-sandbox";
+#else
+// Enable the seccomp sandbox (Linux only)
+const char kEnableSeccompSandbox[] = "enable-seccomp-sandbox";
+#endif
+
+bool SeccompSandboxEnabled() {
+#if defined(USE_SECCOMP_SANDBOX)
+ return !CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox);
+#else
+ return CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kEnableSeccompSandbox);
+#endif
+}
+
// -----------------------------------------------------------------------------
// DO NOT ADD YOUR CRAP TO THE BOTTOM OF THIS FILE.
//
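Review bot: Inside `namespace switches` the `switches::` qualifier on `switches::kDisableSeccompSandbox` and `switches::kEnableSeccompSandbox` in `SeccompSandboxEnabled()` is redundant; `return !CommandLine::ForCurrentProcess()->HasSwitch(kDisableSeccompSandbox);` reads cleaner. Because only one of the two switch names exists in any given build, the other spelling (for example `--enable-seccomp-sandbox` on a USE_SECCOMP_SANDBOX build) is presumably treated as an unknown switch and has no effect rather than being rejected, which is worth a sentence in the TODO as a reason to unify them. The function also relies on `CommandLine::ForCurrentProcess()` already being initialised, which a one-line comment on the definition could note.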
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index a6ff6dac..c2b50bf 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -97,7 +97,6 @@ extern const char kEnableNaCl[];
extern const char kEnableNativeWebWorkers[];
extern const char kEnablePrivacyBlacklists[];
extern const char kEnableRendererAccessibility[];
-extern const char kEnableSeccompSandbox[];
extern const char kEnableStatsTable[];
extern const char kEnableSync[];
extern const char kEnableSyncAutofill[];
@@ -268,6 +267,14 @@ extern const char kInvalidateSyncXmppLogin[];
extern const char kRendererCheckFalseTest[];
#endif
+#if defined(USE_SECCOMP_SANDBOX)
+extern const char kDisableSeccompSandbox[];
+#else
+extern const char kEnableSeccompSandbox[];
+#endif
+// Return true if the switches indicate the seccomp sandbox is enabled.
+bool SeccompSandboxEnabled();
+
// DON'T ADD RANDOM STUFF HERE. Put it in the main section above in
// alphabetical order, or in one of the ifdefs (also in order in each section).
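Review bot: The declaration comment `// Return true if the switches indicate the seccomp sandbox is enabled.` omits the part a caller needs, namely that the meaning of "enabled" flips with the build flag. Suggest: `// Returns true if the seccomp sandbox should be used for this process: with USE_SECCOMP_SANDBOX it is on unless --disable-seccomp-sandbox is given, otherwise it is on only with --enable-seccomp-sandbox. Reads CommandLine::ForCurrentProcess().` That keeps callers in the zygote and renderer from having to open chrome_switches.cc to learn the default.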
diff --git a/chrome/renderer/renderer_main_platform_delegate_linux.cc b/chrome/renderer/renderer_main_platform_delegate_linux.cc
index bce15dd..98b0aca 100644
--- a/chrome/renderer/renderer_main_platform_delegate_linux.cc
+++ b/chrome/renderer/renderer_main_platform_delegate_linux.cc
@@ -40,11 +40,8 @@ bool RendererMainPlatformDelegate::EnableSandbox() {
// N.b. SupportsSeccompSandbox() returns a cached result, as we already
// called it earlier in the zygote. Thus, it is OK for us to not pass in
// a file descriptor for "/proc".
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox) &&
- SupportsSeccompSandbox(-1)) {
+ if (switches::SeccompSandboxEnabled() && SupportsSeccompSandbox(-1))
StartSeccompSandbox();
- }
#endif
return true;
}
diff --git a/chrome/test/nacl/nacl_test.cc b/chrome/test/nacl/nacl_test.cc
index 1560484..456cc1d 100644
--- a/chrome/test/nacl/nacl_test.cc
+++ b/chrome/test/nacl/nacl_test.cc
@@ -57,8 +57,14 @@ const FilePath::CharType kServerHtmlFileName[] =
NaClTest::NaClTest()
: UITest() {
launch_arguments_.AppendSwitch(switches::kEnableNaCl);
+
+ // Currently we disable some of the sandboxes. See:
+ // Make NaCl work in Chromium's Linux seccomp sandbox and the Mac sandbox
+ // http://code.google.com/p/nativeclient/issues/detail?id=344
#if defined(OS_MACOSX)
launch_arguments_.AppendSwitch(switches::kNoSandbox);
+#elif defined(OS_LINUX) && defined(USE_SECCOMP_SANDBOX)
+ launch_arguments_.AppendSwitch(switches::kDisableSeccompSandbox);
#endif
}
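Review bot: The comment `// Currently we disable some of the sandboxes. See:` followed by the bare issue title reads as a fragment and does not say why. Suggest `// NaCl does not yet work inside the Mac sandbox or the Linux seccomp sandbox, so this test turns them off. See "Make NaCl work in Chromium's Linux seccomp sandbox and the Mac sandbox", http://code.google.com/p/nativeclient/issues/detail?id=344`. It may also help to state that on Linux builds without USE_SECCOMP_SANDBOX no switch is needed because seccomp is then opt-in, since a reader seeing only the `#elif` may wonder whether that case was forgotten.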