authorjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-04-17 01:07:34 +0000
committerjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-04-17 01:07:34 +0000
commit21add0946d6c9e9a476dd52921af9f15fcf61f7d (patch)
treebe4eec51c2eb7896547c438a2dcf3ef701ca82ce /content/zygote
parentc18c78bf05f0d51d5f46a3f43fc0a35e09fa8055 (diff)
NaCl Linux: use own setuid sandbox instance
NaCl now uses its own instance of the setuid sandbox. In particular, NaCl is now running in its own PID namespace (which is a sub-space of the Zygote PID namespace). Moreover, the NaCl helper is responsible for getting chrooted, instead of relying on a shared FS view (via CLONE_FS) with the Zygote. This CL also ensures consistency between the setuid sandbox status as reported in about:sandbox and NaCl's setuid sandbox status. Before, the process tree looks like this: __browser ____chrome-sandbox [X, fs_state1] ______init [pid_ns1, fs_state1] ________zygote [pid_ns1, fs_state1] ________nacl_helper [pid_ns1, fs_state1] -- "X" means same as parent. After: __browser ____chrome-sandbox [X , fs_state1] ______init [pid_ns1, fs_state1] ________zygote [pid_ns1, fs_state1] ________chrome-sandbox [pid_ns1, fs_state2] __________nacl_helper [pid_ns2, fs_state2] (nacl_helper doubles as init(1) in pid_ns2). The main change is to make nacl_fork_delegate_linux.cc launch nacl_helper via chrome-sandbox instead of trying to share the view of the file system with the Zygote via CLONE_FS. It uses SetuidSandboxClient to help with this. Then change nacl_helper_linux.cc to tell (via IPC) chrome-sandbox to enable the sandbox, and add some more sanity checks. BUG=358733 R=mseaborn@chromium.org, piman@chromium.org Review URL: https://codereview.chromium.org/239803003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@264372 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/zygote')
-rw-r--r--content/zygote/zygote_main_linux.cc25
1 files changed, 12 insertions, 13 deletions
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
index bb43b05..0ec9b43 100644
--- a/content/zygote/zygote_main_linux.cc
+++ b/content/zygote/zygote_main_linux.cc
@@ -59,15 +59,6 @@
namespace content {
-namespace {
-
-void InitializeForkDelegate(ZygoteForkDelegate* forkdelegate) {
- DCHECK(forkdelegate);
- forkdelegate->Init(GetSandboxFD());
-}
-
-} // namespace
-
// See http://code.google.com/p/chromium/wiki/LinuxZygote
static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
@@ -437,7 +428,10 @@ static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox) {
return true;
}
-static void EnterLayerOneSandbox(LinuxSandbox* linux_sandbox) {
+// If |is_suid_sandbox_child|, then make sure that the setuid sandbox is
+// engaged.
+static void EnterLayerOneSandbox(LinuxSandbox* linux_sandbox,
+ bool is_suid_sandbox_child) {
DCHECK(linux_sandbox);
ZygotePreSandboxInit();
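Review bot: The new header comment on EnterLayerOneSandbox describes the effect of `is_suid_sandbox_child` but not its contract; since the decision moved from inside the function to the caller, the comment should say where the value must come from, e.g. `// |is_suid_sandbox_child| must be the value of setuid_sandbox_client()->IsSuidSandboxChild() captured by the caller; when true the setuid sandbox is entered and failure to do so is fatal.` The fatal part is what the CHECK on EnterSuidSandbox in the body already does, so the comment only makes the existing behaviour visible at the declaration. EnterLayerOneSandbox's body continues outside this hunk.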
@@ -450,7 +444,7 @@ static void EnterLayerOneSandbox(LinuxSandbox* linux_sandbox) {
sandbox::SetuidSandboxClient* setuid_sandbox =
linux_sandbox->setuid_sandbox_client();
- if (setuid_sandbox->IsSuidSandboxChild()) {
+ if (is_suid_sandbox_child) {
CHECK(EnterSuidSandbox(setuid_sandbox)) << "Failed to enter setuid sandbox";
}
}
@@ -464,17 +458,22 @@ bool ZygoteMain(const MainFunctionParams& params,
// This will pre-initialize the various sandboxes that need it.
linux_sandbox->PreinitializeSandbox();
+ const bool must_enable_setuid_sandbox =
+ linux_sandbox->setuid_sandbox_client()->IsSuidSandboxChild();
+
if (forkdelegate != NULL) {
VLOG(1) << "ZygoteMain: initializing fork delegate";
- InitializeForkDelegate(forkdelegate);
+ forkdelegate->Init(GetSandboxFD(), must_enable_setuid_sandbox);
} else {
VLOG(1) << "ZygoteMain: fork delegate is NULL";
}
// Turn on the first layer of the sandbox if the configuration warrants it.
- EnterLayerOneSandbox(linux_sandbox);
+ EnterLayerOneSandbox(linux_sandbox, must_enable_setuid_sandbox);
int sandbox_flags = linux_sandbox->GetStatus();
+ bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;
+ CHECK_EQ(must_enable_setuid_sandbox, setuid_sandbox_engaged);
Zygote zygote(sandbox_flags, forkdelegate);
// This function call can return multiple times, once per fork().
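Review bot: `bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;` relies on an implicit int-to-bool conversion and is the only non-const local among the new lines; `const bool setuid_sandbox_engaged = (sandbox_flags & kSandboxLinuxSUID) != 0;` states the intent and matches `must_enable_setuid_sandbox` above it. The CHECK_EQ that follows is the fail-closed guard for this change and deserves a why-comment, e.g. `// The setuid sandbox status reported by GetStatus() must agree with the pre-sandbox decision already handed to the fork delegate; abort rather than run with an inconsistent view.` Note that forkdelegate->Init() receives must_enable_setuid_sandbox before EnterLayerOneSandbox() and the CHECK run, so a mismatch is only detected after the delegate has acted on the flag; presumably that is acceptable because the zygote aborts, but it is worth stating next to the check. ZygoteMain starts before this hunk and continues past it.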