authorhidehiko <hidehiko@chromium.org>2015-04-09 07:53:59 -0700
committerCommit bot <commit-bot@chromium.org>2015-04-09 14:54:30 +0000
commit4a7ef3d0a0eb9cbc1829900617537651a12d3015 (patch)
tree5e779c6457180ce4f86044ef50fac96fa2531739 /sandbox
parent7417fb367f80667ad079af361cdd508808b327c0 (diff)
Non-SFI mode: Enable namespace sandbox for nacl_helper_nonsfi.
This CL enables the namespace sandbox, which replaces the suid sandbox for nacl_helper_nonsfi. TEST=browser_tests --gtest_filter=*Traditional*, ran bots. BUG=464663 CQ_EXTRA_TRYBOTS=tryserver.chromium.linux:linux_chromium_trusty32_rel,linux_arm TBR=jln@chromium.org Review URL: https://codereview.chromium.org/1058783002 Cr-Commit-Position: refs/heads/master@{#324438}
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/linux/services/credentials.cc10
-rw-r--r--sandbox/linux/services/namespace_sandbox.cc12
-rw-r--r--sandbox/linux/services/namespace_sandbox.h2
-rw-r--r--sandbox/linux/system_headers/arm_linux_syscalls.h11
-rw-r--r--sandbox/sandbox_nacl_nonsfi.gyp7
5 files changed, 31 insertions, 11 deletions
diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc
index 23e87ea..475ce3f 100644
--- a/sandbox/linux/services/credentials.cc
+++ b/sandbox/linux/services/credentials.cc
@@ -32,6 +32,11 @@ namespace sandbox {
namespace {
+// Signal ABI for some toolchain is incompatible with Linux's. In particular,
+// PNaCl toolchain defines SIGCHLD = 20. So, here, directly define Linux's
+// value.
+const int kLinuxSIGCHLD = 17;
+
bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; }
// Checks that the set of RES-uids and the set of RES-gids have
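Review bot: `const int kLinuxSIGCHLD = 17;` hard-codes the x86/ARM Linux signal number, but Linux's SIGCHLD is 18 on MIPS (17 is SIGUSR2 there), so if this file is ever compiled for a MIPS target the clone() call in the next hunk would pass the wrong exit signal in the low byte of its flags and the parent's waitpid() would not see a SIGCHLD-reported child. Whether a MIPS build of this file exists is not visible here, but the constant silently diverges from the toolchain's own value on any non-PNaCl build, which is easy to catch at compile time. I would add, right after the constant, `#if !defined(OS_NACL_NONSFI)` / `static_assert(kLinuxSIGCHLD == SIGCHLD, "kLinuxSIGCHLD must match the host SIGCHLD");` / `#endif`, which pins the value on normal Linux builds while leaving the PNaCl toolchain (where the macro is 20) unchecked by design. The same constant is consumed by the clone() hunk below, whose enclosing ChrootToSafeEmptyDir() starts and ends outside the visible lines.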
@@ -89,9 +94,10 @@ bool ChrootToSafeEmptyDir() {
#else
#error "Unsupported architecture"
#endif
+
pid = clone(ChrootToSelfFdinfo, stack,
- CLONE_VM | CLONE_VFORK | CLONE_FS | SIGCHLD, nullptr, nullptr,
- nullptr, nullptr);
+ CLONE_VM | CLONE_VFORK | CLONE_FS | kLinuxSIGCHLD,
+ nullptr, nullptr, nullptr, nullptr);
PCHECK(pid != -1);
int status = -1;
diff --git a/sandbox/linux/services/namespace_sandbox.cc b/sandbox/linux/services/namespace_sandbox.cc
index dfee8b2..2379644 100644
--- a/sandbox/linux/services/namespace_sandbox.cc
+++ b/sandbox/linux/services/namespace_sandbox.cc
@@ -29,6 +29,11 @@ namespace sandbox {
namespace {
+const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS";
+const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS";
+const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS";
+
+#if !defined(OS_NACL_NONSFI)
class WriteUidGidMapDelegate : public base::LaunchOptions::PreExecDelegate {
public:
WriteUidGidMapDelegate()
@@ -61,10 +66,6 @@ void SetEnvironForNamespaceType(base::EnvironmentMap* environ,
(*environ)[env_var] = value ? "1" : "";
}
-const char kSandboxUSERNSEnvironmentVarName[] = "SBX_USER_NS";
-const char kSandboxPIDNSEnvironmentVarName[] = "SBX_PID_NS";
-const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS";
-
// Linux supports up to 64 signals. This should be updated if that ever changes.
int g_signal_exit_codes[64];
@@ -78,9 +79,11 @@ void TerminationSignalHandler(int sig) {
_exit(NamespaceSandbox::kDefaultExitCode);
}
+#endif // !defined(OS_NACL_NONSFI)
} // namespace
+#if !defined(OS_NACL_NONSFI)
// static
base::Process NamespaceSandbox::LaunchProcess(
const base::CommandLine& cmdline,
@@ -185,6 +188,7 @@ bool NamespaceSandbox::InstallTerminationSignalHandler(
PCHECK(sigaction(sig, &action, nullptr) == 0);
return true;
}
+#endif // !defined(OS_NACL_NONSFI)
// static
bool NamespaceSandbox::InNewUserNamespace() {
diff --git a/sandbox/linux/services/namespace_sandbox.h b/sandbox/linux/services/namespace_sandbox.h
index b2ddbcf..80097fb 100644
--- a/sandbox/linux/services/namespace_sandbox.h
+++ b/sandbox/linux/services/namespace_sandbox.h
@@ -37,6 +37,7 @@ namespace sandbox {
// Credentials::DropAllCapabilities().
class SANDBOX_EXPORT NamespaceSandbox {
public:
+#if !defined(OS_NACL_NONSFI)
static const int kDefaultExitCode = 1;
// Launch a new process inside its own user/PID/network namespaces (depending
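Review bot: The `#if !defined(OS_NACL_NONSFI)` at the top of the public section removes kDefaultExitCode, LaunchProcess and InstallTerminationSignalHandler from the class in nacl_helper_nonsfi builds without any comment saying so, which a reader of the header cannot recover from the macro name alone. I would add above it `// Process launching and the termination-signal handler are compiled out for nacl_helper_nonsfi (OS_NACL_NONSFI); only the namespace query helpers below are available there.`, stating the reason (presumably the base::Process / base::LaunchOptions machinery is unavailable in that toolchain) only if that is confirmed. The matching `#if` regions in namespace_sandbox.cc, around WriteUidGidMapDelegate and around LaunchProcess, would benefit from the same one-line comment. The NamespaceSandbox class declaration continues outside both hunks.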
@@ -82,6 +83,7 @@ class SANDBOX_EXPORT NamespaceSandbox {
// signal handler was already present for |sig|, does nothing and returns
// false.
static bool InstallTerminationSignalHandler(int sig, int exit_code);
+#endif // !defined(OS_NACL_NONSFI)
// Returns whether the namespace sandbox created a new user, PID, and network
// namespace. In particular, InNewUserNamespace should return true iff the
diff --git a/sandbox/linux/system_headers/arm_linux_syscalls.h b/sandbox/linux/system_headers/arm_linux_syscalls.h
index b11041d..bfd5342 100644
--- a/sandbox/linux/system_headers/arm_linux_syscalls.h
+++ b/sandbox/linux/system_headers/arm_linux_syscalls.h
@@ -10,8 +10,10 @@
#error "Including header on wrong architecture"
#endif
-// __NR_SYSCALL_BASE, __ARM_NR_BASE are defined in <asm/unistd.h>.
-#include <asm/unistd.h>
+#if !defined(__NR_SYSCALL_BASE)
+// On ARM EABI arch, __NR_SYSCALL_BASE is 0.
+#define __NR_SYSCALL_BASE 0
+#endif
// This syscall list has holes, because ARM EABI makes some syscalls obsolete.
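Review bot: Dropping `#include <asm/unistd.h>` makes the fallback definitions of __NR_SYSCALL_BASE here and __ARM_NR_BASE in the second hunk depend on include order: the `#if !defined(...)` guards only defer to the kernel header when it was included earlier, and if a translation unit includes this header first and <asm/unistd.h> afterwards, the kernel's own `__ARM_NR_BASE` definition is spelled differently from `(__NR_SYSCALL_BASE + 0xF0000)` and would trigger a macro-redefinition warning (an error under -Werror). Since the include was presumably removed only because the PNaCl toolchain lacks the header, I would keep it for regular Linux builds: `#if !defined(OS_NACL_NONSFI)` / `#include <asm/unistd.h>` / `#endif` ahead of the new fallback, so the kernel values remain authoritative wherever they exist and the fallbacks fire only for Non-SFI.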
@@ -1380,6 +1382,10 @@
#endif
// ARM private syscalls.
+#if !defined(__ARM_NR_BASE)
+#define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
+#endif
+
#if !defined(__ARM_NR_breakpoint)
#define __ARM_NR_breakpoint (__ARM_NR_BASE+1)
#endif
@@ -1406,4 +1412,3 @@
#endif
#endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM_LINUX_SYSCALLS_H_
-
diff --git a/sandbox/sandbox_nacl_nonsfi.gyp b/sandbox/sandbox_nacl_nonsfi.gyp
index c55b124..c757ec5 100644
--- a/sandbox/sandbox_nacl_nonsfi.gyp
+++ b/sandbox/sandbox_nacl_nonsfi.gyp
@@ -27,11 +27,14 @@
'sources': [
# This is the subset of linux build target, needed for
# nacl_helper_nonsfi's sandbox implementation.
+ 'linux/services/credentials.cc',
+ 'linux/services/namespace_utils.cc',
+ 'linux/services/namespace_sandbox.cc',
'linux/services/proc_util.cc',
+ 'linux/services/syscall_wrappers.cc',
'linux/services/thread_helpers.cc',
'linux/suid/client/setuid_sandbox_client.cc',
- # TODO(hidehiko): Support namespace sandbox and seccomp-bpf
- # sandbox.
+ # TODO(hidehiko): Support seccomp-bpf sandbox.
],
},
'dependencies': [
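Review bot: The new source entries break the alphabetical order the rest of the list keeps: `'linux/services/namespace_utils.cc',` is listed before `'linux/services/namespace_sandbox.cc',`, so the two lines should be swapped. Keeping the list sorted is what makes later additions to this subset easy to merge without duplicates. The 'dependencies' list that starts on the last line continues outside the hunk.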