author | evan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-18 15:25:55 +0000 |
---|---|---|
committer | evan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-18 15:25:55 +0000 |
commit | aeaf937b8a02b0a9b1c79e0e2f1d5f407313264c (patch) | |
tree | 8c9978289be80a397c02e3f6a0bc8b69e2833cfa /chrome/browser/zygote_host_linux.cc | |
parent | ecbf10d164fd0a5e622a466044400e0feca4aa1d (diff) | |
linux: enable seccomp sandbox by default
This is an experiment. Hopefully it will flush out problems.
Use --disable-seccomp-sandbox to turn it off.
BUG=36133
Review URL: http://codereview.chromium.org/647017
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39358 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/zygote_host_linux.cc')
-rw-r--r-- | chrome/browser/zygote_host_linux.cc | 45 |
1 files changed, 2 insertions, 43 deletions
diff --git a/chrome/browser/zygote_host_linux.cc b/chrome/browser/zygote_host_linux.cc
index 3b6a160..aa5d8ca 100644
--- a/chrome/browser/zygote_host_linux.cc
+++ b/chrome/browser/zygote_host_linux.cc
@@ -24,29 +24,6 @@
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/process_watcher.h"
-#include "sandbox/linux/suid/suid_unsafe_environment_variables.h"
-
-static void SaveSUIDUnsafeEnvironmentVariables() {
- // The ELF loader will clear many environment variables so we save them to
- // different names here so that the SUID sandbox can resolve them for the
- // renderer.
-
- for (unsigned i = 0; kSUIDUnsafeEnvironmentVariables[i]; ++i) {
- const char* const envvar = kSUIDUnsafeEnvironmentVariables[i];
- char* const saved_envvar = SandboxSavedEnvironmentVariable(envvar);
- if (!saved_envvar)
- continue;
-
- const char* const value = getenv(envvar);
- if (value)
- setenv(saved_envvar, value, 1 /* overwrite */);
- else
- unsetenv(saved_envvar);
-
- free(saved_envvar);
- }
-}
-
 ZygoteHost::ZygoteHost() : pid_(-1), init_(false), 
@@ -97,29 +74,11 @@ void ZygoteHost::Init(const std::string& sandbox_cmd) {
 browser_command_line.GetSwitchValueASCII( switches::kEnableLogging));
 }
- if (browser_command_line.HasSwitch(switches::kEnableSeccompSandbox)) {
- cmd_line.AppendSwitch(switches::kEnableSeccompSandbox);
+ if (browser_command_line.HasSwitch(switches::kDisableSeccompSandbox)) {
+ cmd_line.AppendSwitch(switches::kDisableSeccompSandbox);
 }
 sandbox_binary_ = sandbox_cmd.c_str();
- struct stat st;
-
- if (!sandbox_cmd.empty() && stat(sandbox_binary_.c_str(), &st) == 0) {
- if (access(sandbox_binary_.c_str(), X_OK) == 0 &&
- (st.st_uid == 0) &&
- (st.st_mode & S_ISUID) &&
- (st.st_mode & S_IXOTH)) {
- using_suid_sandbox_ = true;
- cmd_line.PrependWrapper(ASCIIToWide(sandbox_binary_.c_str()));
-
- SaveSUIDUnsafeEnvironmentVariables();
- } else {
- LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
- "configured correctly. Rather than run without sandboxing "
- "I'm aborting now. You need to make sure that "
- << sandbox_binary_ << " is mode 4755 and owned by root.";
- }
- }
 // Start up the sandbox host process and get the file descriptor for the
 // renderers to talk to it. |
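Review bot: Dropping the SUID sandbox block after `sandbox_binary_ = sandbox_cmd.c_str();` is not covered by the commit message, which only describes enabling seccomp by default, and it looks unintended. With it go the root-owned/setuid/executable check on the helper, `using_suid_sandbox_ = true`, `cmd_line.PrependWrapper(...)` and the `LOG(FATAL)` that refused to start with a misconfigured helper; the deletion of `SaveSUIDUnsafeEnvironmentVariables()` in the first hunk is part of the same removal. In the visible lines `sandbox_binary_` is still assigned but nothing wraps the zygote command line with it, so unless this logic moved to a file outside the limited diffstat, the zygote starts without the SUID layer and without the fail-closed abort, leaving the seccomp sandbox (described here as an experiment, and switchable off with `--disable-seccomp-sandbox`) as the only layer. I would restrict this commit to the two `kDisableSeccompSandbox` lines and keep the `struct stat st;` block and its helper as they were, or say in the description where the SUID checks now live. `ZygoteHost::Init` begins and ends outside the hunk, so this is judged from the visible lines only.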