author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-10 17:50:24 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-10 17:50:24 +0000 |
commit | 415493bea409a054a89b153abf3e508842f1d73c (patch) | |
tree | a71a33d4c988baf582fd981a1f38980531bf2644 /o3d | |
parent | 058b13225061a013cd839f36a73b08a9dbaf6f1e (diff) | |
Linux: allow the binary to be readable with the SUID sandbox.

Previously, we required that the binary be non-readable. This causes the
kernel to mark the process as non-dumpable at startup. The thinking was
that, although we were putting the renderers into a PID namespace (with
the SUID sandbox), they would nonetheless be in the /same/ PID
namespace. So they could ptrace each other unless they were non-dumpable.

If the binary was readable, then there would be a window between process
startup and the point where we set the non-dumpable flag in which a
compromised renderer could ptrace attach.

However, now that we have a zygote model, only the (trusted) zygote
exists at this point and we can set the non-dumpable flag which is
inherited by all our renderer children.

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20383 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'o3d')
0 files changed, 0 insertions, 0 deletions
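
The inheritance the commit message relies on can be checked directly on Linux. The following is an added example, not code from this commit or from Chromium: `renderer_dumpable` and `exit_code_of` are hypothetical names, and the "zygote" and "renderer" are plain forked processes standing in for the roles described above.

```c
/* Added example (Linux only). "zygote" and "renderer" are ordinary forked
   processes named after the roles in the commit message (assumption). */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wait for pid; return its exit code, or -1 on abnormal exit or code 255. */
static int exit_code_of(pid_t pid) {
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

/* Fork a zygote that sets its dumpable flag (0 if harden is nonzero, else 1)
   and then forks a renderer without exec. Returns the flag value the
   renderer observes, relayed through exit codes, or -1 on error. */
int renderer_dumpable(int harden) {
    pid_t zygote = fork();
    if (zygote < 0) return -1;
    if (zygote == 0) {
        /* Trusted zygote: set the flag before any renderer exists. */
        if (prctl(PR_SET_DUMPABLE, harden ? 0 : 1, 0, 0, 0) != 0) _exit(255);
        pid_t renderer = fork();
        if (renderer < 0) _exit(255);
        if (renderer == 0) {
            /* Renderer: report the flag it inherited across fork(). */
            int flag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
            _exit(flag < 0 ? 255 : flag);
        }
        int code = exit_code_of(renderer);
        _exit(code < 0 ? 255 : code);
    }
    return exit_code_of(zygote);
}

int main(void) {
    printf("renderer from unhardened zygote: dumpable=%d\n", renderer_dumpable(0));
    printf("renderer from hardened zygote:   dumpable=%d\n", renderer_dumpable(1));
    return 0;
}
```

The flag is carried across `fork()` but recomputed by the kernel on `execve()`, so the guarantee holds only for children that are forked from the hardened process and not re-executed.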