authorjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-08-02 23:14:21 +0000
committerjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-08-02 23:14:21 +0000
commit3426ce1981d7ace455c51c5cc74fe80e5d2d5b4d (patch)
tree3d6a9e8e136bb7e09dbfc15970bdc9e48e5da727 /sandbox
parent542a73f819508284ebd35a1903a6e316819e232a (diff)
Create a LinuxSandbox class.
The LinuxSandbox class aims to become the central place for Linux sandboxing inside content/. For now, this refactors mostly code from the Zygote. (Note: this is a re-land of https://chromiumcodereview.appspot.com/10826093/ with a trivial fix for ARM architectures). BUG= TBR=piman@chromium.org NOTRY=true Review URL: https://chromiumcodereview.appspot.com/10843059 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149734 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/linux/suid/client/setuid_sandbox_client.cc13
-rw-r--r--sandbox/linux/suid/client/setuid_sandbox_client.h6
-rw-r--r--sandbox/linux/suid/client/setuid_sandbox_client_unittest.cc3
3 files changed, 19 insertions, 3 deletions
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc
index 749d2d0..4f62d09 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client.cc
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc
@@ -103,8 +103,9 @@ SetuidSandboxClient* SetuidSandboxClient::Create() {
return sandbox_client;
}
-SetuidSandboxClient::SetuidSandboxClient() {
- env_ = NULL;
+SetuidSandboxClient::SetuidSandboxClient()
+ : env_(NULL),
+ sandboxed_(false) {
}
SetuidSandboxClient::~SetuidSandboxClient() {
@@ -142,6 +143,10 @@ bool SetuidSandboxClient::ChrootMe() {
LOG(ERROR) << "Error code reply from chroot helper";
return false;
}
+
+ // We now consider ourselves "fully sandboxed" as far as the
+ // setuid sandbox is concerned.
+ sandboxed_ = true;
return true;
}
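Review bot: The added `sandboxed_ = true;` is the only transition of the flag, and it records just that the chroot helper acknowledged the request; it does not check whether the new PID or network namespaces were actually created, and a failed or malformed reply returns before the flag is set. That is a reasonable state flag, but the accessor comment added in the second hunk of setuid_sandbox_client.h, `// Are we done and fully sandboxed ?`, reads as a guarantee; I would word it as `// Returns true once ChrootMe() has succeeded. This reflects only the chroot helper's reply, not the namespace state.` The new `bool sandboxed_;` member in the third header hunk is also the only member without a comment, next to the documented `env_`; `// Set by ChrootMe() after the helper reports success.` would keep the class consistent. ChrootMe() begins outside this hunk.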
@@ -161,6 +166,10 @@ bool SetuidSandboxClient::IsInNewNETNamespace() const {
return env_->HasVar(kSandboxNETNSEnvironmentVarName);
}
+bool SetuidSandboxClient::IsSandboxed() const {
+ return sandboxed_;
+}
+
void SetuidSandboxClient::SetupLaunchEnvironment() {
SaveSUIDUnsafeEnvironmentVariables(env_);
SetSandboxAPIEnvironmentVariable(env_);
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h
index afbde0a..da77ce0 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client.h
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.h
@@ -6,7 +6,8 @@
#define SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_
#include "base/basictypes.h"
-#include "base/environment.h"
+
+namespace base { class Environment; }
namespace sandbox {
@@ -38,6 +39,8 @@ class SetuidSandboxClient {
bool IsInNewPIDNamespace() const;
// Did the setuid helper create a new network namespace ?
bool IsInNewNETNamespace() const;
+ // Are we done and fully sandboxed ?
+ bool IsSandboxed() const;
// Set-up the environment. This should be done prior to launching the setuid
// helper.
@@ -46,6 +49,7 @@ class SetuidSandboxClient {
private:
// Holds the environment. Will never be NULL.
base::Environment* env_;
+ bool sandboxed_;
DISALLOW_IMPLICIT_CONSTRUCTORS(SetuidSandboxClient);
};
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client_unittest.cc b/sandbox/linux/suid/client/setuid_sandbox_client_unittest.cc
index 59b02eb..764ccb1 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client_unittest.cc
+++ b/sandbox/linux/suid/client/setuid_sandbox_client_unittest.cc
@@ -73,6 +73,9 @@ TEST(SetuidSandboxClient, SandboxedClientAPI) {
EXPECT_TRUE(env->SetVar(kSandboxEnvironmentApiProvides,
base::IntToString(kSUIDSandboxApiNumber + 1)));
EXPECT_FALSE(sandbox_client->IsSuidSandboxUpToDate());
+ // We didn't go through the actual sandboxing mechanism as it is
+ // very hard in a unit test.
+ EXPECT_FALSE(sandbox_client->IsSandboxed());
}
} // namespace sandbox
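Review bot: The added `EXPECT_FALSE(sandbox_client->IsSandboxed());` pins only the constructor default; nothing exercises the transition to true in ChrootMe(), so a regression that never sets the flag would still pass. Since the comment already explains why the real helper cannot run here, a cheap improvement is to assert the flag is still false after the other API calls in this test body, which documents that IsSuidSandboxUpToDate() and the namespace queries do not affect it. I would also extend the comment to say what the assertion covers: `// The flag only flips in ChrootMe(); here we check the default.` The enclosing TEST body starts outside this hunk.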