-rw-r--r--build/common.gypi7
-rw-r--r--chrome/browser/renderer_host/browser_render_process_host.cc4
-rw-r--r--chrome/browser/zygote_host_linux.cc8
-rw-r--r--chrome/browser/zygote_main_linux.cc10
-rw-r--r--chrome/common/chrome_switches.cc25
-rw-r--r--chrome/common/chrome_switches.h9
-rw-r--r--chrome/renderer/renderer_main_platform_delegate_linux.cc5
-rw-r--r--chrome/test/nacl/nacl_test.cc6
8 files changed, 57 insertions, 17 deletions
diff --git a/build/common.gypi b/build/common.gypi
index 3b8f20e..2d0902a 100644
--- a/build/common.gypi
+++ b/build/common.gypi
@@ -208,6 +208,10 @@
# Disable TCMalloc's heapchecker.
'linux_use_heapchecker%': 0,
+ # Turn on seccomp sandbox by default.
+ # (Note: this is disabled for official builds.)
+ 'linux_use_seccomp_sandbox%': 1,
+
# Set to select the Title Case versions of strings in GRD files.
'use_titlecase_in_grd_files%': 0,
@@ -957,6 +961,9 @@
'cflags': [ '-gstabs' ],
'defines': ['USE_LINUX_BREAKPAD'],
}],
+ ['linux_use_seccomp_sandbox==1 and buildtype!="Official"', {
+ 'defines': ['USE_SECCOMP_SANDBOX'],
+ }],
['library=="shared_library"', {
# When building with shared libraries, remove the visiblity-hiding
# flag.
diff --git a/chrome/browser/renderer_host/browser_render_process_host.cc b/chrome/browser/renderer_host/browser_render_process_host.cc
index 1c700b8..88cf631 100644
--- a/chrome/browser/renderer_host/browser_render_process_host.cc
+++ b/chrome/browser/renderer_host/browser_render_process_host.cc
@@ -500,7 +500,11 @@ void BrowserRenderProcessHost::PropagateBrowserCommandLineToRenderer(
switches::kRendererStartupDialog,
switches::kNoSandbox,
switches::kTestSandbox,
+#if defined(USE_SECCOMP_SANDBOX)
+ switches::kDisableSeccompSandbox,
+#else
switches::kEnableSeccompSandbox,
+#endif
#if !defined (GOOGLE_CHROME_BUILD)
// These are unsupported and not fully tested modes, so don't enable them
// for official Google Chrome builds.
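Review bot: The `#if defined(USE_SECCOMP_SANDBOX)` / `#else` pair inside this propagated-switch list is repeated in ZygoteHost::Init (zygote_host_linux.cc) and has to stay in step with the conditional definitions in chrome_switches.cc. A call site that omits the branch would stop forwarding the switch, leaving the browser and its child processes with different views of the sandbox setting. chrome_switches.cc already hides the polarity behind SeccompSandboxEnabled(), so consider exposing the build's active switch name from the same place so that call sites need no preprocessor branch. At minimum, a comment such as `// Exactly one of these two switches exists per build; see chrome_switches.cc.` would help here. The array this hunk edits starts and ends outside the hunk.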
diff --git a/chrome/browser/zygote_host_linux.cc b/chrome/browser/zygote_host_linux.cc
index 96506bb..cdeda42 100644
--- a/chrome/browser/zygote_host_linux.cc
+++ b/chrome/browser/zygote_host_linux.cc
@@ -103,9 +103,13 @@ void ZygoteHost::Init(const std::string& sandbox_cmd) {
browser_command_line.GetSwitchValueASCII(
switches::kUserDataDir));
}
- if (browser_command_line.HasSwitch(switches::kEnableSeccompSandbox)) {
+#if defined(USE_SECCOMP_SANDBOX)
+ if (browser_command_line.HasSwitch(switches::kDisableSeccompSandbox))
+ cmd_line.AppendSwitch(switches::kDisableSeccompSandbox);
+#else
+ if (browser_command_line.HasSwitch(switches::kEnableSeccompSandbox))
cmd_line.AppendSwitch(switches::kEnableSeccompSandbox);
- }
+#endif
sandbox_binary_ = sandbox_cmd.c_str();
struct stat st;
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc
index 7d877bd..793c855 100644
--- a/chrome/browser/zygote_main_linux.cc
+++ b/chrome/browser/zygote_main_linux.cc
@@ -509,8 +509,7 @@ static bool EnterSandbox() {
// chrooted.
const char* const sandbox_fd_string = getenv("SBX_D");
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ if (switches::SeccompSandboxEnabled()) {
PreSandboxInit();
SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
} else if (sandbox_fd_string) { // Use the SUID sandbox.
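Review bot: With the default flipped, `switches::SeccompSandboxEnabled()` is true on every non-official build unless `--disable-seccomp-sandbox` is passed, so the `else if (sandbox_fd_string)` SUID-sandbox branch is skipped by default, including on machines where seccomp is unavailable. The helper only reads the command line; the `/proc` open failure and the `SupportsSeccompSandbox(g_proc_fd)` check in the two ZygoteMain hunks below do not feed back into it. As far as the visible lines show, a host without seccomp support could therefore end up with neither sandbox. Consider gating this branch on actual support as well, e.g. `if (switches::SeccompSandboxEnabled() && g_proc_fd >= 0 && SupportsSeccompSandbox(g_proc_fd)) {`, or falling through to the SUID path when that check fails. EnterSandbox's body continues outside the hunk, so this needs confirming against the rest of the function and the order in which ZygoteMain calls it.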
@@ -618,8 +617,7 @@ bool ZygoteMain(const MainFunctionParams& params) {
// The seccomp sandbox needs access to files in /proc, which might be denied
// after one of the other sandboxes have been started. So, obtain a suitable
// file handle in advance.
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ if (switches::SeccompSandboxEnabled()) {
g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
if (g_proc_fd < 0) {
LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
@@ -639,9 +637,7 @@ bool ZygoteMain(const MainFunctionParams& params) {
// The seccomp sandbox will be turned on when the renderers start. But we can
// already check if sufficient support is available so that we only need to
// print one error message for the entire browser session.
- if (g_proc_fd >= 0 &&
- CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ if (g_proc_fd >= 0 && switches::SeccompSandboxEnabled()) {
if (!SupportsSeccompSandbox(g_proc_fd)) {
// There are a good number of users who cannot use the seccomp sandbox
// (e.g. because their distribution does not enable seccomp mode by
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index acd11af..a9a9b42 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -5,6 +5,7 @@
#include "chrome/common/chrome_switches.h"
#include "base/base_switches.h"
+#include "base/command_line.h"
namespace switches {
@@ -287,9 +288,6 @@ const char kEnablePrivacyBlacklists[] = "enable-privacy-blacklists";
// http://b/issue?id=1432077 is fixed.
const char kEnableRendererAccessibility[] = "enable-renderer-accessibility";
-// Enable the seccomp sandbox (Linux only)
-const char kEnableSeccompSandbox[] = "enable-seccomp-sandbox";
-
// Enables StatsTable, logging statistics to a global named shared memory table.
const char kEnableStatsTable[] = "enable-stats-table";
@@ -883,6 +881,27 @@ const char kInvalidateSyncLogin[] = "invalidate-sync-login";
const char kInvalidateSyncXmppLogin[] = "invalidate-sync-xmpp-login";
#endif
+// USE_SECCOMP_SANDBOX controls whether the seccomp sandbox is opt-in or -out.
+// TODO(evan): unify all of these once we turn the seccomp sandbox always
+// on. Also remove the #include of command_line.h above.
+#if defined(USE_SECCOMP_SANDBOX)
+// Disable the seccomp sandbox (Linux only)
+const char kDisableSeccompSandbox[] = "disable-seccomp-sandbox";
+#else
+// Enable the seccomp sandbox (Linux only)
+const char kEnableSeccompSandbox[] = "enable-seccomp-sandbox";
+#endif
+
+bool SeccompSandboxEnabled() {
+#if defined(USE_SECCOMP_SANDBOX)
+ return !CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox);
+#else
+ return CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kEnableSeccompSandbox);
+#endif
+}
+
// -----------------------------------------------------------------------------
// DO NOT ADD YOUR CRAP TO THE BOTTOM OF THIS FILE.
//
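Review bot: `SeccompSandboxEnabled()` reports only what the command line requests, not whether the kernel supports seccomp or whether the sandbox was actually started, and the name reads as the stronger claim. A comment above the definition would keep callers from treating the return value as a security guarantee: `// Reflects the command line only; callers must still check SupportsSeccompSandbox() before relying on the sandbox.` The declaration comment in chrome_switches.h could carry the same caveat.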
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index a6ff6dac..c2b50bf 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -97,7 +97,6 @@ extern const char kEnableNaCl[];
extern const char kEnableNativeWebWorkers[];
extern const char kEnablePrivacyBlacklists[];
extern const char kEnableRendererAccessibility[];
-extern const char kEnableSeccompSandbox[];
extern const char kEnableStatsTable[];
extern const char kEnableSync[];
extern const char kEnableSyncAutofill[];
@@ -268,6 +267,14 @@ extern const char kInvalidateSyncXmppLogin[];
extern const char kRendererCheckFalseTest[];
#endif
+#if defined(USE_SECCOMP_SANDBOX)
+extern const char kDisableSeccompSandbox[];
+#else
+extern const char kEnableSeccompSandbox[];
+#endif
+// Return true if the switches indicate the seccomp sandbox is enabled.
+bool SeccompSandboxEnabled();
+
// DON'T ADD RANDOM STUFF HERE. Put it in the main section above in
// alphabetical order, or in one of the ifdefs (also in order in each section).
diff --git a/chrome/renderer/renderer_main_platform_delegate_linux.cc b/chrome/renderer/renderer_main_platform_delegate_linux.cc
index bce15dd..98b0aca 100644
--- a/chrome/renderer/renderer_main_platform_delegate_linux.cc
+++ b/chrome/renderer/renderer_main_platform_delegate_linux.cc
@@ -40,11 +40,8 @@ bool RendererMainPlatformDelegate::EnableSandbox() {
// N.b. SupportsSeccompSandbox() returns a cached result, as we already
// called it earlier in the zygote. Thus, it is OK for us to not pass in
// a file descriptor for "/proc".
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox) &&
- SupportsSeccompSandbox(-1)) {
+ if (switches::SeccompSandboxEnabled() && SupportsSeccompSandbox(-1))
StartSeccompSandbox();
- }
#endif
return true;
}
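Review bot: The comment above this condition relies on `SupportsSeccompSandbox(-1)` returning a result cached by the zygote, but the zygote_main_linux.cc hunk shows the zygote calling it only when `g_proc_fd >= 0`. Now that the sandbox is on by default, the case where `/proc` could not be opened is reachable without any opt-in, and the renderer would then pass -1 with no cached result. What the callee does in that case is not visible on this page. EnableSandbox() also returns true whether or not StartSeccompSandbox() ran, so the caller cannot tell the difference. I would extend the comment, e.g. `// If the zygote could not open /proc, no result was cached and -1 is passed uncached.`, or have the zygote record the failure so this call is skipped. The function begins outside the hunk.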
diff --git a/chrome/test/nacl/nacl_test.cc b/chrome/test/nacl/nacl_test.cc
index 1560484..456cc1d 100644
--- a/chrome/test/nacl/nacl_test.cc
+++ b/chrome/test/nacl/nacl_test.cc
@@ -57,8 +57,14 @@ const FilePath::CharType kServerHtmlFileName[] =
NaClTest::NaClTest()
: UITest() {
launch_arguments_.AppendSwitch(switches::kEnableNaCl);
+
+ // Currently we disable some of the sandboxes. See:
+ // Make NaCl work in Chromium's Linux seccomp sandbox and the Mac sandbox
+ // http://code.google.com/p/nativeclient/issues/detail?id=344
#if defined(OS_MACOSX)
launch_arguments_.AppendSwitch(switches::kNoSandbox);
+#elif defined(OS_LINUX) && defined(USE_SECCOMP_SANDBOX)
+ launch_arguments_.AppendSwitch(switches::kDisableSeccompSandbox);
#endif
}