author | joel@chromium.org <joel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-18 04:13:33 +0000 |
---|---|---|
committer | joel@chromium.org <joel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-18 04:13:33 +0000 |
commit | 8015de3d3d692d1bbe4f3f2c46b20a5156639d32 (patch) | |
tree | 2517ac2fa2113615d795aa480cf308d39ca9bfb9 /chrome/browser | |
parent | 07daa864e47774c556796ebd0839f77e60e20d06 (diff) | |
Hide seccomp sandbox calls from non-x86 machines
The seccomp sandbox is not built on ARM as it contains x86 specific code.
However, there is a pair of calls to seccomp sandbox functions in the zygote
initialisation; this change hides those calls behind the ARCH_CPU_X86_FAMILY define.
Without this the ARM build does not link.
Review URL: http://codereview.chromium.org/402009
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32278 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser')
-rw-r--r-- | chrome/browser/zygote_main_linux.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc
index b0f668f..82740b8 100644
--- a/chrome/browser/zygote_main_linux.cc
+++ b/chrome/browser/zygote_main_linux.cc
@@ -30,6 +30,7 @@
 #include "base/scoped_ptr.h"
 #include "base/sys_info.h"
 #include "base/unix_domain_socket_posix.h"
+#include "build/build_config.h"
 #include "chrome/browser/zygote_host_linux.h"
 #include "chrome/common/chrome_descriptors.h"
@@ -237,6 +238,7 @@ class Zygote {
 child = fork();
 if (!child) {
+#if defined(ARCH_CPU_X86_FAMILY)
 // Try to open /proc/self/maps as the seccomp sandbox needs access to it
 if (g_proc_fd >= 0) {
 int proc_self_maps = openat(g_proc_fd, "self/maps", O_RDONLY);
@@ -246,6 +248,7 @@ class Zygote {
 close(g_proc_fd);
 g_proc_fd = -1;
 }
+#endif
 close(kBrowserDescriptor); // our socket from the browser
 close(kZygoteIdDescriptor); // another socket from the browser
@@ -596,6 +599,7 @@ bool ZygoteMain(const MainFunctionParams& params) {
 g_am_zygote_or_renderer = true;
 #endif
+#if defined(ARCH_CPU_X86_FAMILY)
 // The seccomp sandbox needs access to files in /proc, which might be denied
 // after one of the other sandboxes have been started. So, obtain a suitable
 // file handle in advance.
@@ -607,6 +611,7 @@ bool ZygoteMain(const MainFunctionParams& params) {
 "sandboxing.";
 }
 }
+#endif // ARCH_CPU_X86_FAMILY
 // Turn on the SELinux or SUID sandbox
 if (!EnterSandbox()) {
@@ -615,6 +620,7 @@ bool ZygoteMain(const MainFunctionParams& params) {
 return false;
 }
+#if defined(ARCH_CPU_X86_FAMILY)
 // The seccomp sandbox will be turned on when the renderers start. But we can
 // already check if sufficient support is available so that we only need to
 // print one error message for the entire browser session.
@@ -633,6 +639,7 @@ bool ZygoteMain(const MainFunctionParams& params) {
 LOG(INFO) << "Enabling experimental Seccomp sandbox.";
 }
 }
+#endif // ARCH_CPU_X86_FAMILY
 Zygote zygote;
 return zygote.ProcessRequests(); |
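Review bot: The added `build/build_config.h` include carries no hint that the seccomp guards further down depend on it, and `#if defined(ARCH_CPU_X86_FAMILY)` fails silently when the macro is missing. If the include is later dropped in a cleanup, the three guarded blocks would presumably compile out on x86 as well, and the zygote would start without its seccomp setup and without any build error. A trailing comment would record the dependency, e.g. `#include "build/build_config.h"  // ARCH_CPU_X86_FAMILY, guards the seccomp setup`.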
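Review bot: The `#if` opened in the fork() child at -237 is closed by a bare `#endif` in the next hunk (-246), unlike the two `#endif // ARCH_CPU_X86_FAMILY` lines in ZygoteMain; label it the same way. The guarded region also holds `close(g_proc_fd); g_proc_fd = -1;`, so a non-x86 child never closes that descriptor, which is safe only because the code that obtains the handle in ZygoteMain appears to sit under the same guard. A comment such as `// g_proc_fd is only opened under the matching ARCH_CPU_X86_FAMILY guard in ZygoteMain` would keep a later edit from leaving a /proc handle open in the forked child. The guarded block continues between the two hunks and is not fully visible here.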
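Review bot: The guard at -596 tests the CPU family, but what decides whether these calls link is whether the seccomp sandbox is built, and the two agree only while the build files exclude the sandbox on exactly the non-x86 targets. A build-provided feature define (placeholder name `SECCOMP_SANDBOX_BUILT`, not an existing macro) used as `#if defined(SECCOMP_SANDBOX_BUILT)` here, in the fork() child and around the support check at -615 would tie the source to the build rule rather than to the architecture. If the architecture test stays, a comment at this first guard such as `// The seccomp sandbox is only built for x86; keep in sync with the build files.` would record the reason.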
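Review bot: With the support check at -615 compiled out, a non-x86 build logs nothing about seccomp, so nobody reading the log can tell that renderers run with only the SELinux or SUID sandbox. The x86 path visibly logs `Enabling experimental Seccomp sandbox.`; an `#else` branch with a one-line message, or at least a comment such as `// Seccomp sandbox is not built for this architecture; renderers rely on the SELinux/SUID sandbox only.`, would make the reduced protection explicit. The block between this hunk and the closing `#endif` at -633 is only partly visible, so whether a request for the seccomp sandbox is otherwise acknowledged cannot be confirmed from the diff.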