Move the Linux zygote stuff into its own per-process directory.

The zygote is really a separate process and doesn't belong in the browser
subdirectory. I separated out the common constants used for communication into
content/[public/]/common so the zygote code doesn't depend on browser.

This leaves zygote_main_linux alone in its own directory. I'm going to be doing
some more refactoring and probably adding a new file or two here. This does
not yet add a new build target for the zygot process.

BUG=
TEST=

Review URL: https://chromiumcodereview.appspot.com/10388013

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@135891 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 1017 insertions, 0 deletions

diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
new file mode 100644
index 0000000..6a72e95
--- /dev/null
+++ b/content/zygote/zygote_main_linux.cc
@@ -0,0 +1,1017 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <dlfcn.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include "base/basictypes.h"
+#include "base/command_line.h"
+#include "base/debug/trace_event.h"
+#include "base/eintr_wrapper.h"
+#include "base/file_path.h"
+#include "base/file_util.h"
+#include "base/global_descriptors_posix.h"
+#include "base/hash_tables.h"
+#include "base/linux_util.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/pickle.h"
+#include "base/process_util.h"
+#include "base/rand_util.h"
+#include "base/rand_util_c.h"
+#include "base/sys_info.h"
+#include "build/build_config.h"
+#include "crypto/nss_util.h"
+#include "content/common/chrome_descriptors.h"
+#include "content/common/font_config_ipc_linux.h"
+#include "content/common/pepper_plugin_registry.h"
+#include "content/common/sandbox_methods_linux.h"
+#include "content/common/seccomp_sandbox.h"
+#include "content/common/set_process_title.h"
+#include "content/common/unix_domain_socket_posix.h"
+#include "content/common/zygote_commands_linux.h"
+#include "content/public/common/content_switches.h"
+#include "content/public/common/main_function_params.h"
+#include "content/public/common/result_codes.h"
+#include "content/public/common/sandbox_linux.h"
+#include "content/public/common/zygote_fork_delegate_linux.h"
+#include "skia/ext/SkFontHost_fontconfig_control.h"
+#include "unicode/timezone.h"
+#include "ipc/ipc_channel.h"
+#include "ipc/ipc_switches.h"
+
+#if defined(OS_LINUX)
+#include <sys/epoll.h>
+#include <sys/prctl.h>
+#include <sys/signal.h>
+#else
+#include <signal.h>
+#endif
+
+#if defined(CHROMIUM_SELINUX)
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#endif
+
+namespace content {
+
+// http://code.google.com/p/chromium/wiki/LinuxZygote
+
+static const int kBrowserDescriptor = 3;
+static const int kMagicSandboxIPCDescriptor = 5;
+static const int kZygoteIdDescriptor = 7;
+static bool g_suid_sandbox_active = false;
+
+static const char kUrandomDevPath[] = "/dev/urandom";
+
+#if defined(SECCOMP_SANDBOX)
+static int g_proc_fd = -1;
+#endif
+
+#if defined(CHROMIUM_SELINUX)
+static void SELinuxTransitionToTypeOrDie(const char* type) {
+  security_context_t security_context;
+  if (getcon(&security_context))
+    LOG(FATAL) << "Cannot get SELinux context";
+
+  context_t context = context_new(security_context);
+  context_type_set(context, type);
+  const int r = setcon(context_str(context));
+  context_free(context);
+  freecon(security_context);
+
+  if (r) {
+    LOG(FATAL) << "dynamic transition to type '" << type << "' failed. "
+                  "(this binary has been built with SELinux support, but maybe "
+                  "the policies haven't been loaded into the kernel?)";
+  }
+}
+#endif  // CHROMIUM_SELINUX
+
+// This is the object which implements the zygote. The ZygoteMain function,
+// which is called from ChromeMain, simply constructs one of these objects and
+// runs it.
+class Zygote {
+ public:
+  Zygote(int sandbox_flags, ZygoteForkDelegate* helper)
+      : sandbox_flags_(sandbox_flags),
+        helper_(helper),
+        initial_uma_sample_(0),
+        initial_uma_boundary_value_(0) {
+    if (helper_)
+      helper_->InitialUMA(&initial_uma_name_,
+                          &initial_uma_sample_,
+                          &initial_uma_boundary_value_);
+  }
+
+  bool ProcessRequests() {
+    // A SOCK_SEQPACKET socket is installed in fd 3. We get commands from the
+    // browser on it.
+    // A SOCK_DGRAM is installed in fd 5. This is the sandbox IPC channel.
+    // See http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
+
+    // We need to accept SIGCHLD, even though our handler is a no-op because
+    // otherwise we cannot wait on children. (According to POSIX 2001.)
+    struct sigaction action;
+    memset(&action, 0, sizeof(action));
+    action.sa_handler = SIGCHLDHandler;
+    CHECK(sigaction(SIGCHLD, &action, NULL) == 0);
+
+    if (g_suid_sandbox_active) {
+      // Let the ZygoteHost know we are ready to go.
+      // The receiving code is in content/browser/zygote_host_linux.cc.
+      std::vector<int> empty;
+      bool r = UnixDomainSocket::SendMsg(kBrowserDescriptor,
+                                         kZygoteHelloMessage,
+                                         sizeof(kZygoteHelloMessage), empty);
+#if defined(OS_CHROMEOS)
+      LOG_IF(WARNING, !r) << "Sending zygote magic failed";
+      // Exit normally on chromeos because session manager may send SIGTERM
+      // right after the process starts and it may fail to send zygote magic
+      // number to browser process.
+      if (!r)
+        _exit(RESULT_CODE_NORMAL_EXIT);
+#else
+      CHECK(r) << "Sending zygote magic failed";
+#endif
+    }
+
+    for (;;) {
+      // This function call can return multiple times, once per fork().
+      if (HandleRequestFromBrowser(kBrowserDescriptor))
+        return true;
+    }
+  }
+
+ private:
+  // See comment below, where sigaction is called.
+  static void SIGCHLDHandler(int signal) { }
+
+  // ---------------------------------------------------------------------------
+  // Requests from the browser...
+
+  // Read and process a request from the browser. Returns true if we are in a
+  // new process and thus need to unwind back into ChromeMain.
+  bool HandleRequestFromBrowser(int fd) {
+    std::vector<int> fds;
+    static const unsigned kMaxMessageLength = 2048;
+    char buf[kMaxMessageLength];
+    const ssize_t len = UnixDomainSocket::RecvMsg(fd, buf, sizeof(buf), &fds);
+
+    if (len == 0 || (len == -1 && errno == ECONNRESET)) {
+      // EOF from the browser. We should die.
+      _exit(0);
+      return false;
+    }
+
+    if (len == -1) {
+      PLOG(ERROR) << "Error reading message from browser";
+      return false;
+    }
+
+    Pickle pickle(buf, len);
+    PickleIterator iter(pickle);
+
+    int kind;
+    if (pickle.ReadInt(&iter, &kind)) {
+      switch (kind) {
+        case kZygoteCommandFork:
+          // This function call can return multiple times, once per fork().
+          return HandleForkRequest(fd, pickle, iter, fds);
+
+        case kZygoteCommandReap:
+          if (!fds.empty())
+            break;
+          HandleReapRequest(fd, pickle, iter);
+          return false;
+        case kZygoteCommandGetTerminationStatus:
+          if (!fds.empty())
+            break;
+          HandleGetTerminationStatus(fd, pickle, iter);
+          return false;
+        case kZygoteCommandGetSandboxStatus:
+          HandleGetSandboxStatus(fd, pickle, iter);
+          return false;
+        default:
+          NOTREACHED();
+          break;
+      }
+    }
+
+    LOG(WARNING) << "Error parsing message from browser";
+    for (std::vector<int>::const_iterator
+         i = fds.begin(); i != fds.end(); ++i)
+      close(*i);
+    return false;
+  }
+
+  void HandleReapRequest(int fd, const Pickle& pickle, PickleIterator iter) {
+    base::ProcessId child;
+    base::ProcessId actual_child;
+
+    if (!pickle.ReadInt(&iter, &child)) {
+      LOG(WARNING) << "Error parsing reap request from browser";
+      return;
+    }
+
+    if (g_suid_sandbox_active) {
+      actual_child = real_pids_to_sandbox_pids[child];
+      if (!actual_child)
+        return;
+      real_pids_to_sandbox_pids.erase(child);
+    } else {
+      actual_child = child;
+    }
+
+    base::EnsureProcessTerminated(actual_child);
+  }
+
+  void HandleGetTerminationStatus(int fd,
+                                  const Pickle& pickle,
+                                  PickleIterator iter) {
+    base::ProcessHandle child;
+
+    if (!pickle.ReadInt(&iter, &child)) {
+      LOG(WARNING) << "Error parsing GetTerminationStatus request "
+                   << "from browser";
+      return;
+    }
+
+    base::TerminationStatus status;
+    int exit_code;
+    if (g_suid_sandbox_active)
+      child = real_pids_to_sandbox_pids[child];
+    if (child) {
+      status = base::GetTerminationStatus(child, &exit_code);
+    } else {
+      // Assume that if we can't find the child in the sandbox, then
+      // it terminated normally.
+      status = base::TERMINATION_STATUS_NORMAL_TERMINATION;
+      exit_code = RESULT_CODE_NORMAL_EXIT;
+    }
+
+    Pickle write_pickle;
+    write_pickle.WriteInt(static_cast<int>(status));
+    write_pickle.WriteInt(exit_code);
+    ssize_t written =
+        HANDLE_EINTR(write(fd, write_pickle.data(), write_pickle.size()));
+    if (written != static_cast<ssize_t>(write_pickle.size()))
+      PLOG(ERROR) << "write";
+  }
+
+  // This is equivalent to fork(), except that, when using the SUID
+  // sandbox, it returns the real PID of the child process as it
+  // appears outside the sandbox, rather than returning the PID inside
+  // the sandbox. Optionally, it fills in uma_name et al with a report
+  // the helper wants to make via UMA_HISTOGRAM_ENUMERATION.
+  int ForkWithRealPid(const std::string& process_type, std::vector<int>& fds,
+                      const std::string& channel_switch,
+                      std::string* uma_name,
+                      int* uma_sample, int* uma_boundary_value) {
+    const bool use_helper = (helper_ && helper_->CanHelp(process_type,
+                                                         uma_name,
+                                                         uma_sample,
+                                                         uma_boundary_value));
+    if (!(use_helper || g_suid_sandbox_active)) {
+      return fork();
+    }
+
+    int dummy_fd;
+    ino_t dummy_inode;
+    int pipe_fds[2] = { -1, -1 };
+    base::ProcessId pid = 0;
+
+    dummy_fd = socket(PF_UNIX, SOCK_DGRAM, 0);
+    if (dummy_fd < 0) {
+      LOG(ERROR) << "Failed to create dummy FD";
+      goto error;
+    }
+    if (!base::FileDescriptorGetInode(&dummy_inode, dummy_fd)) {
+      LOG(ERROR) << "Failed to get inode for dummy FD";
+      goto error;
+    }
+    if (pipe(pipe_fds) != 0) {
+      LOG(ERROR) << "Failed to create pipe";
+      goto error;
+    }
+
+    if (use_helper) {
+      fds.push_back(dummy_fd);
+      fds.push_back(pipe_fds[0]);
+      pid = helper_->Fork(fds);
+    } else {
+      pid = fork();
+    }
+    if (pid < 0) {
+      goto error;
+    } else if (pid == 0) {
+      // In the child process.
+      close(pipe_fds[1]);
+      base::ProcessId real_pid;
+      // Wait until the parent process has discovered our PID.  We
+      // should not fork any child processes (which the seccomp
+      // sandbox does) until then, because that can interfere with the
+      // parent's discovery of our PID.
+      if (!file_util::ReadFromFD(pipe_fds[0],
+                                 reinterpret_cast<char*>(&real_pid),
+                                 sizeof(real_pid))) {
+        LOG(FATAL) << "Failed to synchronise with parent zygote process";
+      }
+      if (real_pid <= 0) {
+        LOG(FATAL) << "Invalid pid from parent zygote";
+      }
+#if defined(OS_LINUX)
+      // Sandboxed processes need to send the global, non-namespaced PID when
+      // setting up an IPC channel to their parent.
+      IPC::Channel::SetGlobalPid(real_pid);
+      // Force the real PID so chrome event data have a PID that corresponds
+      // to system trace event data.
+      base::debug::TraceLog::GetInstance()->SetProcessID(
+          static_cast<int>(real_pid));
+#endif
+      close(pipe_fds[0]);
+      close(dummy_fd);
+      return 0;
+    } else {
+      // In the parent process.
+      close(dummy_fd);
+      dummy_fd = -1;
+      close(pipe_fds[0]);
+      pipe_fds[0] = -1;
+      base::ProcessId real_pid;
+      if (g_suid_sandbox_active) {
+        uint8_t reply_buf[512];
+        Pickle request;
+        request.WriteInt(LinuxSandbox::METHOD_GET_CHILD_WITH_INODE);
+        request.WriteUInt64(dummy_inode);
+
+        const ssize_t r = UnixDomainSocket::SendRecvMsg(
+            kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL,
+            request);
+        if (r == -1) {
+          LOG(ERROR) << "Failed to get child process's real PID";
+          goto error;
+        }
+
+        Pickle reply(reinterpret_cast<char*>(reply_buf), r);
+        PickleIterator iter(reply);
+        if (!reply.ReadInt(&iter, &real_pid))
+          goto error;
+        if (real_pid <= 0) {
+          // METHOD_GET_CHILD_WITH_INODE failed. Did the child die already?
+          LOG(ERROR) << "METHOD_GET_CHILD_WITH_INODE failed";
+          goto error;
+        }
+        real_pids_to_sandbox_pids[real_pid] = pid;
+      }
+      if (use_helper) {
+        real_pid = pid;
+        if (!helper_->AckChild(pipe_fds[1], channel_switch)) {
+          LOG(ERROR) << "Failed to synchronise with zygote fork helper";
+          goto error;
+        }
+      } else {
+        int written =
+            HANDLE_EINTR(write(pipe_fds[1], &real_pid, sizeof(real_pid)));
+        if (written != sizeof(real_pid)) {
+          LOG(ERROR) << "Failed to synchronise with child process";
+          goto error;
+        }
+      }
+      close(pipe_fds[1]);
+      return real_pid;
+    }
+
+   error:
+    if (pid > 0) {
+      if (waitpid(pid, NULL, WNOHANG) == -1)
+        LOG(ERROR) << "Failed to wait for process";
+    }
+    if (dummy_fd >= 0)
+      close(dummy_fd);
+    if (pipe_fds[0] >= 0)
+      close(pipe_fds[0]);
+    if (pipe_fds[1] >= 0)
+      close(pipe_fds[1]);
+    return -1;
+  }
+
+  // Unpacks process type and arguments from |pickle| and forks a new process.
+  // Returns -1 on error, otherwise returns twice, returning 0 to the child
+  // process and the child process ID to the parent process, like fork().
+  base::ProcessId ReadArgsAndFork(const Pickle& pickle,
+                                  PickleIterator iter,
+                                  std::vector<int>& fds,
+                                  std::string* uma_name,
+                                  int* uma_sample,
+                                  int* uma_boundary_value) {
+    std::vector<std::string> args;
+    int argc = 0;
+    int numfds = 0;
+    base::GlobalDescriptors::Mapping mapping;
+    std::string process_type;
+    std::string channel_id;
+    const std::string channel_id_prefix = std::string("--")
+        + switches::kProcessChannelID + std::string("=");
+
+    if (!pickle.ReadString(&iter, &process_type))
+      return -1;
+    if (!pickle.ReadInt(&iter, &argc))
+      return -1;
+
+    for (int i = 0; i < argc; ++i) {
+      std::string arg;
+      if (!pickle.ReadString(&iter, &arg))
+        return -1;
+      args.push_back(arg);
+      if (arg.compare(0, channel_id_prefix.length(), channel_id_prefix) == 0)
+        channel_id = arg;
+    }
+
+    if (!pickle.ReadInt(&iter, &numfds))
+      return -1;
+    if (numfds != static_cast<int>(fds.size()))
+      return -1;
+
+    for (int i = 0; i < numfds; ++i) {
+      base::GlobalDescriptors::Key key;
+      if (!pickle.ReadUInt32(&iter, &key))
+        return -1;
+      mapping.push_back(std::make_pair(key, fds[i]));
+    }
+
+    mapping.push_back(std::make_pair(
+        static_cast<uint32_t>(kSandboxIPCChannel), kMagicSandboxIPCDescriptor));
+
+    // Returns twice, once per process.
+    base::ProcessId child_pid = ForkWithRealPid(process_type, fds, channel_id,
+                                                uma_name, uma_sample,
+                                                uma_boundary_value);
+    if (!child_pid) {
+      // This is the child process.
+#if defined(SECCOMP_SANDBOX)
+      if (SeccompSandboxEnabled() && g_proc_fd >= 0) {
+        // Try to open /proc/self/maps as the seccomp sandbox needs access to it
+        int proc_self_maps = openat(g_proc_fd, "self/maps", O_RDONLY);
+        if (proc_self_maps >= 0) {
+          SeccompSandboxSetProcSelfMaps(proc_self_maps);
+        } else {
+          PLOG(ERROR) << "openat(/proc/self/maps)";
+        }
+        close(g_proc_fd);
+        g_proc_fd = -1;
+      }
+#endif
+
+      close(kBrowserDescriptor);  // our socket from the browser
+      if (g_suid_sandbox_active)
+        close(kZygoteIdDescriptor);  // another socket from the browser
+      base::GlobalDescriptors::GetInstance()->Reset(mapping);
+
+#if defined(CHROMIUM_SELINUX)
+      SELinuxTransitionToTypeOrDie("chromium_renderer_t");
+#endif
+
+      // Reset the process-wide command line to our new command line.
+      CommandLine::Reset();
+      CommandLine::Init(0, NULL);
+      CommandLine::ForCurrentProcess()->InitFromArgv(args);
+
+      // Update the process title. The argv was already cached by the call to
+      // SetProcessTitleFromCommandLine in ChromeMain, so we can pass NULL here
+      // (we don't have the original argv at this point).
+      SetProcessTitleFromCommandLine(NULL);
+    } else if (child_pid < 0) {
+      LOG(ERROR) << "Zygote could not fork: process_type " << process_type
+          << " numfds " << numfds << " child_pid " << child_pid;
+    }
+    return child_pid;
+  }
+
+  // Handle a 'fork' request from the browser: this means that the browser
+  // wishes to start a new renderer.  Returns true if we are in a new process,
+  // otherwise writes the child_pid back to the browser via |fd|.  Writes a
+  // child_pid of -1 on error.
+  bool HandleForkRequest(int fd, const Pickle& pickle,
+                         PickleIterator iter, std::vector<int>& fds) {
+    std::string uma_name;
+    int uma_sample;
+    int uma_boundary_value;
+    base::ProcessId child_pid = ReadArgsAndFork(pickle, iter, fds,
+                                                &uma_name, &uma_sample,
+                                                &uma_boundary_value);
+    if (child_pid == 0)
+      return true;
+    for (std::vector<int>::const_iterator
+         i = fds.begin(); i != fds.end(); ++i)
+      close(*i);
+    if (uma_name.empty()) {
+      // There is no UMA report from this particular fork.
+      // Use the initial UMA report if any, and clear that record for next time.
+      // Note the swap method here is the efficient way to do this, since
+      // we know uma_name is empty.
+      uma_name.swap(initial_uma_name_);
+      uma_sample = initial_uma_sample_;
+      uma_boundary_value = initial_uma_boundary_value_;
+    }
+    // Must always send reply, as ZygoteHost blocks while waiting for it.
+    Pickle reply_pickle;
+    reply_pickle.WriteInt(child_pid);
+    reply_pickle.WriteString(uma_name);
+    if (!uma_name.empty()) {
+      reply_pickle.WriteInt(uma_sample);
+      reply_pickle.WriteInt(uma_boundary_value);
+    }
+    if (HANDLE_EINTR(write(fd, reply_pickle.data(), reply_pickle.size())) !=
+        static_cast<ssize_t> (reply_pickle.size()))
+      PLOG(ERROR) << "write";
+    return false;
+  }
+
+  bool HandleGetSandboxStatus(int fd,
+                              const Pickle& pickle,
+                              PickleIterator iter) {
+    if (HANDLE_EINTR(write(fd, &sandbox_flags_, sizeof(sandbox_flags_))) !=
+                     sizeof(sandbox_flags_)) {
+      PLOG(ERROR) << "write";
+    }
+
+    return false;
+  }
+
+  // In the SUID sandbox, we try to use a new PID namespace. Thus the PIDs
+  // fork() returns are not the real PIDs, so we need to map the Real PIDS
+  // into the sandbox PID namespace.
+  typedef base::hash_map<base::ProcessHandle, base::ProcessHandle> ProcessMap;
+  ProcessMap real_pids_to_sandbox_pids;
+
+  const int sandbox_flags_;
+  ZygoteForkDelegate* helper_;
+
+  // These might be set by helper_->InitialUMA.  They supply a UMA
+  // enumeration sample we should report on the first fork.
+  std::string initial_uma_name_;
+  int initial_uma_sample_;
+  int initial_uma_boundary_value_;
+};
+
+// With SELinux we can carve out a precise sandbox, so we don't have to play
+// with intercepting libc calls.
+#if !defined(CHROMIUM_SELINUX)
+
+static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
+                                        char* timezone_out,
+                                        size_t timezone_out_len) {
+  Pickle request;
+  request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
+  request.WriteString(
+      std::string(reinterpret_cast<char*>(&input), sizeof(input)));
+
+  uint8_t reply_buf[512];
+  const ssize_t r = UnixDomainSocket::SendRecvMsg(
+      kMagicSandboxIPCDescriptor, reply_buf, sizeof(reply_buf), NULL, request);
+  if (r == -1) {
+    memset(output, 0, sizeof(struct tm));
+    return;
+  }
+
+  Pickle reply(reinterpret_cast<char*>(reply_buf), r);
+  PickleIterator iter(reply);
+  std::string result, timezone;
+  if (!reply.ReadString(&iter, &result) ||
+      !reply.ReadString(&iter, &timezone) ||
+      result.size() != sizeof(struct tm)) {
+    memset(output, 0, sizeof(struct tm));
+    return;
+  }
+
+  memcpy(output, result.data(), sizeof(struct tm));
+  if (timezone_out_len) {
+    const size_t copy_len = std::min(timezone_out_len - 1, timezone.size());
+    memcpy(timezone_out, timezone.data(), copy_len);
+    timezone_out[copy_len] = 0;
+    output->tm_zone = timezone_out;
+  } else {
+    output->tm_zone = NULL;
+  }
+}
+
+static bool g_am_zygote_or_renderer = false;
+
+// Sandbox interception of libc calls.
+//
+// Because we are running in a sandbox certain libc calls will fail (localtime
+// being the motivating example - it needs to read /etc/localtime). We need to
+// intercept these calls and proxy them to the browser. However, these calls
+// may come from us or from our libraries. In some cases we can't just change
+// our code.
+//
+// It's for these cases that we have the following setup:
+//
+// We define global functions for those functions which we wish to override.
+// Since we will be first in the dynamic resolution order, the dynamic linker
+// will point callers to our versions of these functions. However, we have the
+// same binary for both the browser and the renderers, which means that our
+// overrides will apply in the browser too.
+//
+// The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
+// renderer process. It's set in ZygoteMain and inherited by the renderers when
+// they fork. (This means that it'll be incorrect for global constructor
+// functions and before ZygoteMain is called - beware).
+//
+// Our replacement functions can check this global and either proxy
+// the call to the browser over the sandbox IPC
+// (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
+// dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
+// current module.
+//
+// Other avenues:
+//
+// Our first attempt involved some assembly to patch the GOT of the current
+// module. This worked, but was platform specific and doesn't catch the case
+// where a library makes a call rather than current module.
+//
+// We also considered patching the function in place, but this would again by
+// platform specific and the above technique seems to work well enough.
+
+typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
+typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
+                                         struct tm* result);
+typedef FILE* (*FopenFunction)(const char* path, const char* mode);
+typedef int (*XstatFunction)(int version, const char *path, struct stat *buf);
+typedef int (*Xstat64Function)(int version, const char *path,
+                               struct stat64 *buf);
+
+static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT;
+static LocaltimeFunction g_libc_localtime;
+static LocaltimeRFunction g_libc_localtime_r;
+
+static pthread_once_t g_libc_file_io_funcs_guard = PTHREAD_ONCE_INIT;
+static FopenFunction g_libc_fopen;
+static FopenFunction g_libc_fopen64;
+static XstatFunction g_libc_xstat;
+static Xstat64Function g_libc_xstat64;
+
+static void InitLibcLocaltimeFunctions() {
+  g_libc_localtime = reinterpret_cast<LocaltimeFunction>(
+      dlsym(RTLD_NEXT, "localtime"));
+  g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>(
+      dlsym(RTLD_NEXT, "localtime_r"));
+
+  if (!g_libc_localtime || !g_libc_localtime_r) {
+    // http://code.google.com/p/chromium/issues/detail?id=16800
+    //
+    // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces
+    // it with a version which doesn't work. In this case we'll get a NULL
+    // result. There's not a lot we can do at this point, so we just bodge it!
+    LOG(ERROR) << "Your system is broken: dlsym doesn't work! This has been "
+                  "reported to be caused by Nvidia's libGL. You should expect"
+                  " time related functions to misbehave. "
+                  "http://code.google.com/p/chromium/issues/detail?id=16800";
+  }
+
+  if (!g_libc_localtime)
+    g_libc_localtime = gmtime;
+  if (!g_libc_localtime_r)
+    g_libc_localtime_r = gmtime_r;
+}
+
+struct tm* localtime(const time_t* timep) {
+  if (g_am_zygote_or_renderer) {
+    static struct tm time_struct;
+    static char timezone_string[64];
+    ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string,
+                                sizeof(timezone_string));
+    return &time_struct;
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
+                             InitLibcLocaltimeFunctions));
+    return g_libc_localtime(timep);
+  }
+}
+
+struct tm* localtime_r(const time_t* timep, struct tm* result) {
+  if (g_am_zygote_or_renderer) {
+    ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
+    return result;
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
+                             InitLibcLocaltimeFunctions));
+    return g_libc_localtime_r(timep, result);
+  }
+}
+
+// TODO(sergeyu): Currently this code doesn't work properly under ASAN
+// - it crashes content_unittests. Make sure it works properly and
+// enable it here. http://crbug.com/123263
+#if !defined(ADDRESS_SANITIZER)
+
+static void InitLibcFileIOFunctions() {
+  g_libc_fopen = reinterpret_cast<FopenFunction>(
+      dlsym(RTLD_NEXT, "fopen"));
+  g_libc_fopen64 = reinterpret_cast<FopenFunction>(
+      dlsym(RTLD_NEXT, "fopen64"));
+
+  if (!g_libc_fopen) {
+    LOG(FATAL) << "Failed to get fopen() from libc.";
+  } else if (!g_libc_fopen64) {
+#if !defined(OS_OPENBSD) && !defined(OS_FREEBSD)
+    LOG(WARNING) << "Failed to get fopen64() from libc. Using fopen() instead.";
+#endif  // !defined(OS_OPENBSD) && !defined(OS_FREEBSD)
+    g_libc_fopen64 = g_libc_fopen;
+  }
+
+  // TODO(sergeyu): This works only on systems with glibc. Fix it to
+  // work properly on other systems if necessary.
+  g_libc_xstat = reinterpret_cast<XstatFunction>(
+      dlsym(RTLD_NEXT, "__xstat"));
+  g_libc_xstat64 = reinterpret_cast<Xstat64Function>(
+      dlsym(RTLD_NEXT, "__xstat64"));
+
+  if (!g_libc_xstat) {
+    LOG(FATAL) << "Failed to get __xstat() from libc.";
+  }
+  if (!g_libc_xstat64) {
+    LOG(WARNING) << "Failed to get __xstat64() from libc.";
+  }
+}
+
+// fopen() and fopen64() are intercepted here so that NSS can open
+// /dev/urandom to seed its random number generator. NSS is used by
+// remoting in the sendbox.
+
+// fopen() call may be redirected to fopen64() in stdio.h using
+// __REDIRECT(), which sets asm name for fopen() to "fopen64". This
+// means that we cannot override fopen() directly here. Instead the
+// the code below defines fopen_override() function with asm name
+// "fopen", so that all references to fopen() will resolve to this
+// function.
+__attribute__ ((__visibility__("default")))
+FILE* fopen_override(const char* path, const char* mode)  __asm__ ("fopen");
+
+__attribute__ ((__visibility__("default")))
+FILE* fopen_override(const char* path, const char* mode) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int fd = HANDLE_EINTR(dup(GetUrandomFD()));
+    if (fd < 0) {
+      PLOG(ERROR) << "dup() failed.";
+      return NULL;
+    }
+    return fdopen(fd, mode);
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
+                             InitLibcFileIOFunctions));
+    return g_libc_fopen(path, mode);
+  }
+}
+
+__attribute__ ((__visibility__("default")))
+FILE* fopen64(const char* path, const char* mode) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int fd = HANDLE_EINTR(dup(GetUrandomFD()));
+    if (fd < 0) {
+      PLOG(ERROR) << "dup() failed.";
+      return NULL;
+    }
+    return fdopen(fd, mode);
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
+                             InitLibcFileIOFunctions));
+    return g_libc_fopen64(path, mode);
+  }
+}
+
+// stat() is subject to the same problem as fopen(), so we have to use
+// the same trick to override it.
+__attribute__ ((__visibility__("default")))
+int xstat_override(int version,
+                   const char *path,
+                   struct stat *buf)  __asm__ ("__xstat");
+
+__attribute__ ((__visibility__("default")))
+int xstat_override(int version, const char *path, struct stat *buf) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int result = __fxstat(version, GetUrandomFD(), buf);
+    return result;
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
+                             InitLibcFileIOFunctions));
+    return g_libc_xstat(version, path, buf);
+  }
+}
+
+__attribute__ ((__visibility__("default")))
+int xstat64_override(int version,
+                     const char *path,
+                     struct stat64 *buf)  __asm__ ("__xstat64");
+
+__attribute__ ((__visibility__("default")))
+int xstat64_override(int version, const char *path, struct stat64 *buf) {
+  if (g_am_zygote_or_renderer && strcmp(path, kUrandomDevPath) == 0) {
+    int result = __fxstat64(version, GetUrandomFD(), buf);
+    return result;
+  } else {
+    CHECK_EQ(0, pthread_once(&g_libc_file_io_funcs_guard,
+                             InitLibcFileIOFunctions));
+    CHECK(g_libc_xstat64);
+    return g_libc_xstat64(version, path, buf);
+  }
+}
+
+#endif  // !ADDRESS_SANITIZER
+
+#endif  // !CHROMIUM_SELINUX
+
+// This function triggers the static and lazy construction of objects that need
+// to be created before imposing the sandbox.
+static void PreSandboxInit() {
+  base::RandUint64();
+
+  base::SysInfo::MaxSharedMemorySize();
+
+  // ICU DateFormat class (used in base/time_format.cc) needs to get the
+  // Olson timezone ID by accessing the zoneinfo files on disk. After
+  // TimeZone::createDefault is called once here, the timezone ID is
+  // cached and there's no more need to access the file system.
+  scoped_ptr<icu::TimeZone> zone(icu::TimeZone::createDefault());
+
+#if defined(USE_NSS)
+  // NSS libraries are loaded before sandbox is activated. This is to allow
+  // successful initialization of NSS which tries to load extra library files.
+  crypto::LoadNSSLibraries();
+#elif defined(USE_OPENSSL)
+  // OpenSSL is intentionally not supported in the sandboxed processes, see
+  // http://crbug.com/99163. If that ever changes we'll likely need to init
+  // OpenSSL here (at least, load the library and error strings).
+#else
+  // It's possible that another hypothetical crypto stack would not require
+  // pre-sandbox init, but more likely this is just a build configuration error.
+  #error Which SSL library are you using?
+#endif
+
+  // Ensure access to the Pepper plugins before the sandbox is turned on.
+  PepperPluginRegistry::PreloadModules();
+}
+
+#if !defined(CHROMIUM_SELINUX)
+static bool EnterSandbox() {
+  PreSandboxInit();
+  SkiaFontConfigSetImplementation(
+      new FontConfigIPC(kMagicSandboxIPCDescriptor));
+
+  // The SUID sandbox sets this environment variable to a file descriptor
+  // over which we can signal that we have completed our startup and can be
+  // chrooted.
+  const char* const sandbox_fd_string = getenv("SBX_D");
+
+  if (sandbox_fd_string) {
+    // Use the SUID sandbox.  This still allows the seccomp sandbox to
+    // be enabled by the process later.
+    g_suid_sandbox_active = true;
+
+    char* endptr;
+    const long fd_long = strtol(sandbox_fd_string, &endptr, 10);
+    if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX)
+      return false;
+    const int fd = fd_long;
+
+    static const char kMsgChrootMe = 'C';
+    static const char kMsgChrootSuccessful = 'O';
+
+    if (HANDLE_EINTR(write(fd, &kMsgChrootMe, 1)) != 1) {
+      LOG(ERROR) << "Failed to write to chroot pipe: " << errno;
+      return false;
+    }
+
+    // We need to reap the chroot helper process in any event:
+    wait(NULL);
+
+    char reply;
+    if (HANDLE_EINTR(read(fd, &reply, 1)) != 1) {
+      LOG(ERROR) << "Failed to read from chroot pipe: " << errno;
+      return false;
+    }
+
+    if (reply != kMsgChrootSuccessful) {
+      LOG(ERROR) << "Error code reply from chroot helper";
+      return false;
+    }
+
+#if !defined(OS_OPENBSD)
+    // Previously, we required that the binary be non-readable. This causes the
+    // kernel to mark the process as non-dumpable at startup. The thinking was
+    // that, although we were putting the renderers into a PID namespace (with
+    // the SUID sandbox), they would nonetheless be in the /same/ PID
+    // namespace. So they could ptrace each other unless they were non-dumpable.
+    //
+    // If the binary was readable, then there would be a window between process
+    // startup and the point where we set the non-dumpable flag in which a
+    // compromised renderer could ptrace attach.
+    //
+    // However, now that we have a zygote model, only the (trusted) zygote
+    // exists at this point and we can set the non-dumpable flag which is
+    // inherited by all our renderer children.
+    //
+    // Note: a non-dumpable process can't be debugged. To debug sandbox-related
+    // issues, one can specify --allow-sandbox-debugging to let the process be
+    // dumpable.
+    const CommandLine& command_line = *CommandLine::ForCurrentProcess();
+    if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) {
+      prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
+      if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
+        LOG(ERROR) << "Failed to set non-dumpable flag";
+        return false;
+      }
+    }
+#endif
+  }
+
+  return true;
+}
+#else  // CHROMIUM_SELINUX
+
+static bool EnterSandbox() {
+  PreSandboxInit();
+  SkiaFontConfigSetImplementation(
+      new FontConfigIPC(kMagicSandboxIPCDescriptor));
+  return true;
+}
+
+#endif  // CHROMIUM_SELINUX
+
+bool ZygoteMain(const MainFunctionParams& params,
+                ZygoteForkDelegate* forkdelegate) {
+#if !defined(CHROMIUM_SELINUX)
+  g_am_zygote_or_renderer = true;
+#endif
+
+#if defined(SECCOMP_SANDBOX)
+  if (SeccompSandboxEnabled()) {
+    // The seccomp sandbox needs access to files in /proc, which might be denied
+    // after one of the other sandboxes have been started. So, obtain a suitable
+    // file handle in advance.
+    g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
+    if (g_proc_fd < 0) {
+      LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
+          "sandboxing.";
+    }
+  }
+#endif  // SECCOMP_SANDBOX
+
+  if (forkdelegate != NULL) {
+    VLOG(1) << "ZygoteMain: initializing fork delegate";
+    forkdelegate->Init(getenv("SBX_D") != NULL, // g_suid_sandbox_active,
+                       kBrowserDescriptor,
+                       kMagicSandboxIPCDescriptor);
+  } else {
+    VLOG(1) << "ZygoteMain: fork delegate is NULL";
+  }
+
+  // Turn on the SELinux or SUID sandbox
+  if (!EnterSandbox()) {
+    LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
+               << errno << ")";
+    return false;
+  }
+
+  int sandbox_flags = 0;
+  if (getenv("SBX_D"))
+    sandbox_flags |= kSandboxLinuxSUID;
+  if (getenv("SBX_PID_NS"))
+    sandbox_flags |= kSandboxLinuxPIDNS;
+  if (getenv("SBX_NET_NS"))
+    sandbox_flags |= kSandboxLinuxNetNS;
+
+#if defined(SECCOMP_SANDBOX)
+  // The seccomp sandbox will be turned on when the renderers start. But we can
+  // already check if sufficient support is available so that we only need to
+  // print one error message for the entire browser session.
+  if (g_proc_fd >= 0 && SeccompSandboxEnabled()) {
+    if (!SupportsSeccompSandbox(g_proc_fd)) {
+      // There are a good number of users who cannot use the seccomp sandbox
+      // (e.g. because their distribution does not enable seccomp mode by
+      // default). While we would prefer to deny execution in this case, it
+      // seems more realistic to continue in degraded mode.
+      LOG(ERROR) << "WARNING! This machine lacks support needed for the "
+                    "Seccomp sandbox. Running renderers with Seccomp "
+                    "sandboxing disabled.";
+    } else {
+      VLOG(1) << "Enabling experimental Seccomp sandbox.";
+      sandbox_flags |= kSandboxLinuxSeccomp;
+    }
+  }
+#endif  // SECCOMP_SANDBOX
+
+  Zygote zygote(sandbox_flags, forkdelegate);
+  // This function call can return multiple times, once per fork().
+  return zygote.ProcessRequests();
+}
+
+}  // namespace content