authorhclam@google.com <hclam@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2011-03-17 23:49:21 +0000
committerhclam@google.com <hclam@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2011-03-17 23:49:21 +0000
commitf6a67b42c830927c8d4b12a6f66e3ce9e53115b3 (patch)
treef6641100344856c1e9223fa8b14673b713c0ff7a /base
parentafed077a7dd20c92ba83b5ab49c4cd00760cd732 (diff)
Load additional NSS library files in zygote main if remoting is enabled
Instead of initializing NSS before the sandbox is engaged, this loads the necessary additional libraries for NSS to function properly. This allows initializing NSS after the sandbox is closed and solves the security problem of loading NSS early. BUG=None TEST=None Review URL: http://codereview.chromium.org/6672034 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@78633 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base')
-rw-r--r--base/nss_util.cc45
-rw-r--r--base/nss_util.h9
2 files changed, 54 insertions, 0 deletions
diff --git a/base/nss_util.cc b/base/nss_util.cc
index e4d1762..3229149 100644
--- a/base/nss_util.cc
+++ b/base/nss_util.cc
@@ -18,10 +18,14 @@
#include <sys/vfs.h>
#endif
+#include <vector>
+
#include "base/environment.h"
+#include "base/file_path.h"
#include "base/file_util.h"
#include "base/lazy_instance.h"
#include "base/logging.h"
+#include "base/native_library.h"
#include "base/scoped_ptr.h"
#include "base/stringprintf.h"
#include "base/threading/thread_restrictions.h"
@@ -402,6 +406,47 @@ void DisableNSSForkCheck() {
env->SetVar("NSS_STRICT_NOFORK", "DISABLED");
}
+void LoadNSSLibraries() {
+ // Some NSS libraries are linked dynamically so load them here.
+#if defined(USE_NSS)
+ // Try to search for multiple directories to load the libraries.
+ std::vector<FilePath> paths;
+
+ // Use relative path to Search PATH for the library files.
+ paths.push_back(FilePath());
+
+ // For Debian derivaties NSS libraries are located here.
+ paths.push_back(FilePath("/usr/lib/nss"));
+
+ // A list of library files to load.
+ std::vector<std::string> libs;
+ libs.push_back("libsoftokn3.so");
+ libs.push_back("libfreebl3.so");
+
+ // For each combination of library file and path, check for existence and
+ // then load.
+ size_t loaded = 0;
+ for (size_t i = 0; i < libs.size(); ++i) {
+ for (size_t j = 0; j < paths.size(); ++j) {
+ FilePath path = paths[j].Append(libs[i]);
+ if (file_util::PathExists(path)) {
+ NativeLibrary lib = base::LoadNativeLibrary(path);
+ if (lib) {
+ ++loaded;
+ break;
+ }
+ }
+ }
+ }
+
+ if (loaded == libs.size()) {
+ VLOG(3) << "NSS libraries loaded.";
+ } else {
+ LOG(WARNING) << "Failed to load NSS libraries.";
+ }
+#endif
+}
+
bool CheckNSSVersion(const char* version) {
return !!NSS_VersionCheck(version);
}
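Review bot: The `file_util::PathExists(path)` gate in the inner loop of `LoadNSSLibraries()` does not match what the comment on the empty `FilePath()` entry intends. For that entry `path` is a bare file name, so the existence check is resolved against the process's current working directory, while the loader (presumably `dlopen` behind `base::LoadNativeLibrary`) resolves a bare name through its own search path. On a system where the two libraries are not under `/usr/lib/nss`, the load is then never attempted, and NSS initialisation after the sandbox is engaged would fail with only `LOG(WARNING)` as evidence. Consider skipping the check for the empty directory, e.g. `if (paths[j].empty() || file_util::PathExists(path)) {`. It would also help to add a comment such as `// Handles are intentionally never unloaded; the libraries must stay mapped for the later NSS init.`, since `lib` is otherwise dropped without explanation.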
diff --git a/base/nss_util.h b/base/nss_util.h
index 5502b08..4be12ce 100644
--- a/base/nss_util.h
+++ b/base/nss_util.h
@@ -65,6 +65,15 @@ void ForceNSSNoDBInit();
// WARNING: Use this with caution.
void DisableNSSForkCheck();
+// Load NSS library files. This function has no effect on Mac and Windows.
+// This loads the necessary NSS library files so that NSS can be initialized
+// after loading additional library files is disallowed, for example when the
+// sandbox is active.
+//
+// Note that this does not load libnssckbi.so which contains the root
+// certificates.
+void LoadNSSLibraries();
+
// Check if the current NSS version is greater than or equals to |version|.
// A sample version string is "3.12.3".
bool CheckNSSVersion(const char* version);
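Review bot: The comment on `LoadNSSLibraries()` does not say what happens when a library cannot be loaded. In the nss_util.cc hunk the failure is only logged and the function returns `void`, so a caller that engages the sandbox afterwards cannot tell that NSS will fail to initialise. I would add a line such as `// Failure to load is only logged; the caller receives no error indication.` and name the directories that are searched. Alternatively, return `bool` so the zygote can decide how to proceed.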