diff options
| author | rickyz <rickyz@chromium.org> | 2015-02-06 19:51:41 -0800 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2015-02-07 03:52:22 +0000 |
| commit | 660e2d468bf22b4c315463173d0651af4fe6143f (patch) | |
| tree | 39779561b2f7da14383de6eb4140982d85e92d5d /sandbox | |
| parent | 0264cb1161367ed0dc5431069405212c7e3aab88 (diff) | |
| download | chromium_src-660e2d468bf22b4c315463173d0651af4fe6143f.zip chromium_src-660e2d468bf22b4c315463173d0651af4fe6143f.tar.gz chromium_src-660e2d468bf22b4c315463173d0651af4fe6143f.tar.bz2 | |
Allow using the namespace sandbox in zygote host.
Currently, this is gated behind the enable-namespace-sandbox switch.
Furthermore, the namespace sandbox is only used if seccomp-bpf is
supported.
BUG=312380
Review URL: https://codereview.chromium.org/897723005
Cr-Commit-Position: refs/heads/master@{#315177}
Diffstat (limited to 'sandbox')
| -rw-r--r-- | sandbox/linux/services/namespace_sandbox.cc | 10 | ||||
| -rw-r--r-- | sandbox/linux/services/namespace_sandbox.h | 5 |
2 files changed, 14 insertions, 1 deletions
diff --git a/sandbox/linux/services/namespace_sandbox.cc b/sandbox/linux/services/namespace_sandbox.cc index 559b93c..d585688 100644 --- a/sandbox/linux/services/namespace_sandbox.cc +++ b/sandbox/linux/services/namespace_sandbox.cc @@ -11,6 +11,7 @@ #include <string> #include <utility> +#include <vector> #include "base/command_line.h" #include "base/environment.h" @@ -59,6 +60,13 @@ const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS"; base::Process NamespaceSandbox::LaunchProcess( const base::CommandLine& cmdline, const base::LaunchOptions& options) { + return LaunchProcess(cmdline.argv(), options); +} + +// static +base::Process NamespaceSandbox::LaunchProcess( + const std::vector<std::string>& argv, + const base::LaunchOptions& options) { int clone_flags = 0; int ns_types[] = {CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET}; for (const int ns_type : ns_types) { @@ -91,7 +99,7 @@ base::Process NamespaceSandbox::LaunchProcess( SetEnvironForNamespaceType(environ, environ_name, clone_flags & flag); } - return base::LaunchProcess(cmdline, launch_options); + return base::LaunchProcess(argv, launch_options); } // static diff --git a/sandbox/linux/services/namespace_sandbox.h b/sandbox/linux/services/namespace_sandbox.h index ddc4dee..b92f581 100644 --- a/sandbox/linux/services/namespace_sandbox.h +++ b/sandbox/linux/services/namespace_sandbox.h @@ -5,6 +5,9 @@ #ifndef SANDBOX_LINUX_SERVICES_NAMESPACE_SANDBOX_H_ #define SANDBOX_LINUX_SERVICES_NAMESPACE_SANDBOX_H_ +#include <string> +#include <vector> + #include "base/command_line.h" #include "base/macros.h" #include "base/process/launch.h" @@ -41,6 +44,8 @@ class SANDBOX_EXPORT NamespaceSandbox { // overrides them. static base::Process LaunchProcess(const base::CommandLine& cmdline, const base::LaunchOptions& options); + static base::Process LaunchProcess(const std::vector<std::string>& argv, + const base::LaunchOptions& options); // Returns whether the namespace sandbox created a new user, PID, and network // namespace. In particular, InNewUserNamespace should return true iff the |