diff options
| author | markus@chromium.org <markus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-23 17:58:55 +0000 |
|---|---|---|
| committer | markus@chromium.org <markus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-23 17:58:55 +0000 |
| commit | 48a69110f29e0fa819401bd9bef3b6d377d6cb91 (patch) | |
| tree | a3ba00e8fa6350ba46fd29949f2b2d5261478cf2 /content/zygote | |
| parent | 9725e6e2e7779be0ce10fe42443735dac8145149 (diff) | |
| download | chromium_src-48a69110f29e0fa819401bd9bef3b6d377d6cb91.zip chromium_src-48a69110f29e0fa819401bd9bef3b6d377d6cb91.tar.gz chromium_src-48a69110f29e0fa819401bd9bef3b6d377d6cb91.tar.bz2 | |
Roll the revision of the seccomp sandbox forward. In the process, we also
fixed a missing include file in the zygote, that effectively disabled the
entire sandbox. This apparently happened recently, when the zygote code was
refactored.
BUG=n/a
TEST=SECCOMP_SANDBOX_DEBUGGING=1 ./out/Debug/chrome --enable-seccomp-sandbox, then verify that the sandbox is actually activated; it should be printing log data to the console
Review URL: https://chromiumcodereview.appspot.com/10407036
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138521 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/zygote')
| -rw-r--r-- | content/zygote/zygote_linux.cc | 14 | ||||
| -rw-r--r-- | content/zygote/zygote_main_linux.cc | 2 |
2 files changed, 9 insertions, 7 deletions
diff --git a/content/zygote/zygote_linux.cc b/content/zygote/zygote_linux.cc index cf57999..ff50f24 100644 --- a/content/zygote/zygote_linux.cc +++ b/content/zygote/zygote_linux.cc @@ -4,6 +4,7 @@ #include "content/zygote/zygote_linux.h" +#include <fcntl.h> #include <string.h> #include <sys/socket.h> #include <sys/types.h> @@ -23,6 +24,7 @@ #include "base/logging.h" #include "base/pickle.h" #include "content/common/chrome_descriptors.h" +#include "content/common/seccomp_sandbox.h" #include "content/common/set_process_title.h" #include "content/common/unix_domain_socket_posix.h" #include "content/public/common/zygote_fork_delegate_linux.h" @@ -396,15 +398,13 @@ base::ProcessId Zygote::ReadArgsAndFork(const Pickle& pickle, if (!child_pid) { // This is the child process. #if defined(SECCOMP_SANDBOX) - if (SeccompSandboxEnabled() && proc_fd_for_seccomp_ >= 0) { - // Try to open /proc/self/maps as the seccomp sandbox needs access to it - int proc_self_maps = openat(proc_fd_for_seccomp_, "self/maps", O_RDONLY); - if (proc_self_maps >= 0) { - SeccompSandboxSetProcSelfMaps(proc_self_maps); + if (proc_fd_for_seccomp_ >= 0) { + if (process_type == switches::kRendererProcess && + SeccompSandboxEnabled()) { + SeccompSandboxSetProcFd(proc_fd_for_seccomp_); } else { - PLOG(ERROR) << "openat(/proc/self/maps)"; + close(proc_fd_for_seccomp_); } - close(proc_fd_for_seccomp_); proc_fd_for_seccomp_ = -1; } #endif diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc index 21c09c4..2cb2af1 100644 --- a/content/zygote/zygote_main_linux.cc +++ b/content/zygote/zygote_main_linux.cc @@ -669,6 +669,8 @@ bool ZygoteMain(const MainFunctionParams& params, LOG(ERROR) << "WARNING! This machine lacks support needed for the " "Seccomp sandbox. Running renderers with Seccomp " "sandboxing disabled."; + close(proc_fd_for_seccomp); + proc_fd_for_seccomp = -1; } else { VLOG(1) << "Enabling experimental Seccomp sandbox."; sandbox_flags |= kSandboxLinuxSeccomp; |