authorevan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-02-18 15:25:55 +0000
committerevan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-02-18 15:25:55 +0000
commitaeaf937b8a02b0a9b1c79e0e2f1d5f407313264c (patch)
tree8c9978289be80a397c02e3f6a0bc8b69e2833cfa
parentecbf10d164fd0a5e622a466044400e0feca4aa1d (diff)
linux: enable seccomp sandbox by default
This is an experiment. Hopefully it will flush out problems. Use --disable-seccomp-sandbox to turn it off. BUG=36133 Review URL: http://codereview.chromium.org/647017 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39358 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/browser/renderer_host/browser_render_process_host.cc2
-rw-r--r--chrome/browser/zygote_host_linux.cc45
-rw-r--r--chrome/browser/zygote_main_linux.cc14
-rw-r--r--chrome/common/chrome_switches.cc4
-rw-r--r--chrome/common/chrome_switches.h2
-rw-r--r--chrome/renderer/renderer_main_platform_delegate_linux.cc5
6 files changed, 15 insertions, 57 deletions
diff --git a/chrome/browser/renderer_host/browser_render_process_host.cc b/chrome/browser/renderer_host/browser_render_process_host.cc
index 6e18eee..47d8f0d 100644
--- a/chrome/browser/renderer_host/browser_render_process_host.cc
+++ b/chrome/browser/renderer_host/browser_render_process_host.cc
@@ -493,7 +493,7 @@ void BrowserRenderProcessHost::PropagateBrowserCommandLineToRenderer(
switches::kRendererStartupDialog,
switches::kNoSandbox,
switches::kTestSandbox,
- switches::kEnableSeccompSandbox,
+ switches::kDisableSeccompSandbox,
#if !defined (GOOGLE_CHROME_BUILD)
// These are unsupported and not fully tested modes, so don't enable them
// for official Google Chrome builds.
diff --git a/chrome/browser/zygote_host_linux.cc b/chrome/browser/zygote_host_linux.cc
index 3b6a160..aa5d8ca 100644
--- a/chrome/browser/zygote_host_linux.cc
+++ b/chrome/browser/zygote_host_linux.cc
@@ -24,29 +24,6 @@
#include "chrome/common/chrome_switches.h"
#include "chrome/common/process_watcher.h"
-#include "sandbox/linux/suid/suid_unsafe_environment_variables.h"
-
-static void SaveSUIDUnsafeEnvironmentVariables() {
- // The ELF loader will clear many environment variables so we save them to
- // different names here so that the SUID sandbox can resolve them for the
- // renderer.
-
- for (unsigned i = 0; kSUIDUnsafeEnvironmentVariables[i]; ++i) {
- const char* const envvar = kSUIDUnsafeEnvironmentVariables[i];
- char* const saved_envvar = SandboxSavedEnvironmentVariable(envvar);
- if (!saved_envvar)
- continue;
-
- const char* const value = getenv(envvar);
- if (value)
- setenv(saved_envvar, value, 1 /* overwrite */);
- else
- unsetenv(saved_envvar);
-
- free(saved_envvar);
- }
-}
-
ZygoteHost::ZygoteHost()
: pid_(-1),
init_(false),
@@ -97,29 +74,11 @@ void ZygoteHost::Init(const std::string& sandbox_cmd) {
browser_command_line.GetSwitchValueASCII(
switches::kEnableLogging));
}
- if (browser_command_line.HasSwitch(switches::kEnableSeccompSandbox)) {
- cmd_line.AppendSwitch(switches::kEnableSeccompSandbox);
+ if (browser_command_line.HasSwitch(switches::kDisableSeccompSandbox)) {
+ cmd_line.AppendSwitch(switches::kDisableSeccompSandbox);
}
sandbox_binary_ = sandbox_cmd.c_str();
- struct stat st;
-
- if (!sandbox_cmd.empty() && stat(sandbox_binary_.c_str(), &st) == 0) {
- if (access(sandbox_binary_.c_str(), X_OK) == 0 &&
- (st.st_uid == 0) &&
- (st.st_mode & S_ISUID) &&
- (st.st_mode & S_IXOTH)) {
- using_suid_sandbox_ = true;
- cmd_line.PrependWrapper(ASCIIToWide(sandbox_binary_.c_str()));
-
- SaveSUIDUnsafeEnvironmentVariables();
- } else {
- LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
- "configured correctly. Rather than run without sandboxing "
- "I'm aborting now. You need to make sure that "
- << sandbox_binary_ << " is mode 4755 and owned by root.";
- }
- }
// Start up the sandbox host process and get the file descriptor for the
// renderers to talk to it.
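Review bot: The setuid sandbox is no longer wired up anywhere in ZygoteHost::Init: the stat/S_ISUID/X_OK check, `using_suid_sandbox_ = true`, `cmd_line.PrependWrapper(...)` and the `SaveSUIDUnsafeEnvironmentVariables()` call are deleted, nothing in this diff adds a replacement, and the commit message only talks about turning seccomp on by default. As written, a run with --disable-seccomp-sandbox appears to launch the zygote with no sandbox at all, and a helper binary that is present but not root-owned/4755 is now silently ignored instead of aborting through the removed LOG(FATAL). The surviving `sandbox_binary_ = sandbox_cmd.c_str();` assigns a member that nothing in the remaining function reads. Unless the wrapper logic moved to a file outside this diff, this deletion looks unintended and should be restored so the SUID sandbox stays the fallback; ZygoteHost::Init starts before and continues past this hunk.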
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc
index 009ba00d..a526d97 100644
--- a/chrome/browser/zygote_main_linux.cc
+++ b/chrome/browser/zygote_main_linux.cc
@@ -607,8 +607,8 @@ bool ZygoteMain(const MainFunctionParams& params) {
// The seccomp sandbox needs access to files in /proc, which might be denied
// after one of the other sandboxes have been started. So, obtain a suitable
// file handle in advance.
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ if (!CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox)) {
g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
if (g_proc_fd < 0) {
LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
@@ -629,16 +629,16 @@ bool ZygoteMain(const MainFunctionParams& params) {
// already check if sufficient support is available so that we only need to
// print one error message for the entire browser session.
if (g_proc_fd >= 0 &&
- CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ !CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox)) {
if (!SupportsSeccompSandbox(g_proc_fd)) {
// There are a good number of users who cannot use the seccomp sandbox
// (e.g. because their distribution does not enable seccomp mode by
// default). While we would prefer to deny execution in this case, it
// seems more realistic to continue in degraded mode.
- LOG(ERROR) << "WARNING! This machine lacks support needed for the "
- "Seccomp sandbox. Running renderers with Seccomp "
- "sandboxing disabled.";
+ LOG(FATAL) << "WARNING! This machine lacks support needed for the "
+ "Seccomp sandbox. Please report your system specs on "
+ "http://code.google.com/p/chromium/issues/detail?id=36133";
} else {
LOG(INFO) << "Enabling experimental Seccomp sandbox.";
}
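Review bot: Turning the unsupported-seccomp path into LOG(FATAL) contradicts the comment kept directly above it, which still says "it seems more realistic to continue in degraded mode", and the message still opens with "WARNING!" even though the browser is about to abort. A user on a kernel without seccomp support is given no hint that --disable-seccomp-sandbox, the workaround named in the commit message, exists. I would rewrite the comment to say the zygote now aborts on purpose so that unsupported systems get reported during the experiment, and change the message to `LOG(FATAL) << "This machine lacks support needed for the Seccomp sandbox. Pass --disable-seccomp-sandbox to run without it, and please report your system specs on http://code.google.com/p/chromium/issues/detail?id=36133";`. ZygoteMain starts before and continues past this hunk.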
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 0f41903..76ea9e6 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -266,8 +266,8 @@ const char kEnablePrivacyBlacklists[] = "enable-privacy-blacklists";
// http://b/issue?id=1432077 is fixed.
const char kEnableRendererAccessibility[] = "enable-renderer-accessibility";
-// Enable the seccomp sandbox (Linux only)
-const char kEnableSeccompSandbox[] = "enable-seccomp-sandbox";
+// Disable the seccomp sandbox (Linux only)
+const char kDisableSeccompSandbox[] = "disable-seccomp-sandbox";
// Enable session storage. Still buggy.
const char kEnableSessionStorage[] = "enable-session-storage";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index e311e1a..7829834 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -93,7 +93,7 @@ extern const char kEnableNaClOnMac[];
extern const char kEnableNewAutoFill[];
extern const char kEnablePrivacyBlacklists[];
extern const char kEnableRendererAccessibility[];
-extern const char kEnableSeccompSandbox[];
+extern const char kDisableSeccompSandbox[];
extern const char kEnableSessionStorage[];
extern const char kEnableStatsTable[];
extern const char kEnableSync[];
diff --git a/chrome/renderer/renderer_main_platform_delegate_linux.cc b/chrome/renderer/renderer_main_platform_delegate_linux.cc
index bce15dd..2ab392a 100644
--- a/chrome/renderer/renderer_main_platform_delegate_linux.cc
+++ b/chrome/renderer/renderer_main_platform_delegate_linux.cc
@@ -40,9 +40,8 @@ bool RendererMainPlatformDelegate::EnableSandbox() {
// N.b. SupportsSeccompSandbox() returns a cached result, as we already
// called it earlier in the zygote. Thus, it is OK for us to not pass in
// a file descriptor for "/proc".
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox) &&
- SupportsSeccompSandbox(-1)) {
+ if (!CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox)) {
StartSeccompSandbox();
}
#endif
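Review bot: Dropping `SupportsSeccompSandbox(-1)` from the condition means the renderer calls StartSeccompSandbox() whenever the switch is absent, while the zygote hunks in this same commit still skip seccomp and only LOG(ERROR) when /proc cannot be opened (`g_proc_fd < 0`), so that zygote decision is no longer honoured here. The comment kept above the condition also still explains why passing -1 to SupportsSeccompSandbox() is fine, describing a call that no longer happens. Either keep the guard, `if (!CommandLine::ForCurrentProcess()->HasSwitch(switches::kDisableSeccompSandbox) && SupportsSeccompSandbox(-1)) {`, or delete the stale comment and make the zygote's /proc failure fatal as well so the two sides agree. Whether StartSeccompSandbox() re-checks support itself is not visible in this diff; EnableSandbox continues outside the hunk.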