diff options
-rw-r--r-- | base/process_util.h | 7 | ||||
-rw-r--r-- | base/process_util_linux.cc | 18 | ||||
-rw-r--r-- | chrome/app/chrome_dll_main.cc | 37 | ||||
-rw-r--r-- | chrome/browser/zygote_host_linux.cc | 41 | ||||
-rw-r--r-- | chrome/browser/zygote_host_linux.h | 2 | ||||
-rw-r--r-- | sandbox/linux/suid/process_util.h | 21 | ||||
-rw-r--r-- | sandbox/linux/suid/process_util_linux.c | 45 | ||||
-rw-r--r-- | sandbox/linux/suid/sandbox.c | 16 | ||||
-rw-r--r-- | sandbox/sandbox.gyp | 2 |
9 files changed, 175 insertions, 14 deletions
diff --git a/base/process_util.h b/base/process_util.h index 41d1d17..1122de7 100644 --- a/base/process_util.h +++ b/base/process_util.h @@ -100,6 +100,13 @@ FilePath GetProcessExecutablePath(ProcessHandle process); // CPU-related ticks. Returns -1 on parse error. // Exposed for testing. int ParseProcStatCPU(const std::string& input); + +static const char kAdjustOOMScoreSwitch[] = "--adjust-oom-score"; + +// This adjusts /proc/process/oom_adj so the Linux OOM killer will prefer +// certain process types over others. The range for the adjustment is +// [-17,15], with [0,15] being user accessible. +bool AdjustOOMScore(ProcessId process, int score); #endif #if defined(OS_POSIX) diff --git a/base/process_util_linux.cc b/base/process_util_linux.cc index bd6bcf3..1a7e090 100644 --- a/base/process_util_linux.cc +++ b/base/process_util_linux.cc @@ -513,7 +513,6 @@ void OnNoMemory() { } // namespace extern "C" { - #if !defined(LINUX_USE_TCMALLOC) typedef void* (*malloc_type)(size_t size); @@ -600,7 +599,6 @@ int posix_memalign(void** ptr, size_t alignment, size_t size) { } #endif // !defined(LINUX_USE_TCMALLOC) - } // extern C void EnableTerminationOnOutOfMemory() { @@ -610,4 +608,20 @@ void EnableTerminationOnOutOfMemory() { // malloc and friends and make them die on out of memory. } +bool AdjustOOMScore(ProcessId process, int score) { + if (score < 0 || score > 15) + return false; + + FilePath oom_adj("/proc"); + oom_adj = oom_adj.Append(Int64ToString(process)); + oom_adj = oom_adj.AppendASCII("oom_adj"); + + if (!file_util::PathExists(oom_adj)) + return false; + + std::string score_str = IntToString(score); + return (static_cast<int>(score_str.length()) == + file_util::WriteFile(oom_adj, score_str.c_str(), score_str.length())); +} + } // namespace base diff --git a/chrome/app/chrome_dll_main.cc b/chrome/app/chrome_dll_main.cc index 3531e80..e78cec7 100644 --- a/chrome/app/chrome_dll_main.cc +++ b/chrome/app/chrome_dll_main.cc @@ -245,6 +245,37 @@ static void SetUpGLibLogHandler() { NULL); } } + +static void AdjustLinuxOOMScore(const std::string& process_type) { + const int kMiscScore = 7; + const int kPluginScore = 10; + int score = -1; + + if (process_type == switches::kPluginProcess) { + score = kPluginScore; + } else if (process_type == switches::kUtilityProcess || + process_type == switches::kWorkerProcess) { + score = kMiscScore; + } else if (process_type == switches::kProfileImportProcess) { + NOTIMPLEMENTED(); +#ifndef DISABLE_NACL + } else if (process_type == switches::kNaClProcess) { + score = kPluginScore; +#endif + } else if (process_type == switches::kZygoteProcess || + process_type.empty()) { + // Pass - browser / zygote process stays at 0. + } else if (process_type == switches::kExtensionProcess || + process_type == switches::kRendererProcess) { + // Set in chrome/browser/zygote_host_linux.cc. + NOTREACHED() << "process type " << process_type + << "should go through the zygote."; + } else { + NOTREACHED() << "Unknown process type"; + } + if (score > -1) + base::AdjustOOMScore(base::GetCurrentProcId(), score); +} #endif // defined(OS_LINUX) // Register the invalid param handler and pure call handler to be able to @@ -601,6 +632,12 @@ int ChromeMain(int argc, char** argv) { MainFunctionParams main_params(parsed_command_line, sandbox_wrapper, &autorelease_pool); + // Note: If you are adding a new process type below, be sure to adjust the + // AdjustLinuxOOMScore function too. +#if defined(OS_LINUX) + AdjustLinuxOOMScore(process_type); +#endif + // TODO(port): turn on these main() functions as they've been de-winified. int rv = -1; if (process_type == switches::kRendererProcess) { diff --git a/chrome/browser/zygote_host_linux.cc b/chrome/browser/zygote_host_linux.cc index 5e811f7..33f0dff 100644 --- a/chrome/browser/zygote_host_linux.cc +++ b/chrome/browser/zygote_host_linux.cc @@ -49,7 +49,8 @@ static void SaveSUIDUnsafeEnvironmentVariables() { ZygoteHost::ZygoteHost() : pid_(-1), - init_(false) { + init_(false), + using_suid_sandbox_(false) { } ZygoteHost::~ZygoteHost() { @@ -100,24 +101,23 @@ void ZygoteHost::Init(const std::string& sandbox_cmd) { cmd_line.AppendSwitch(switches::kEnableSeccompSandbox); } - const char* sandbox_binary = sandbox_cmd.c_str(); + sandbox_binary_ = sandbox_cmd.c_str(); struct stat st; - bool using_suid_sandbox = false; - if (!sandbox_cmd.empty() && stat(sandbox_binary, &st) == 0) { - if (access(sandbox_binary, X_OK) == 0 && + if (!sandbox_cmd.empty() && stat(sandbox_binary_.c_str(), &st) == 0) { + if (access(sandbox_binary_.c_str(), X_OK) == 0 && (st.st_uid == 0) && (st.st_mode & S_ISUID) && (st.st_mode & S_IXOTH)) { - using_suid_sandbox = true; - cmd_line.PrependWrapper(ASCIIToWide(sandbox_binary)); + using_suid_sandbox_ = true; + cmd_line.PrependWrapper(ASCIIToWide(sandbox_binary_.c_str())); SaveSUIDUnsafeEnvironmentVariables(); } else { LOG(FATAL) << "The SUID sandbox helper binary was found, but is not " "configured correctly. Rather than run without sandboxing " "I'm aborting now. You need to make sure that " - << sandbox_binary << " is mode 4755 and owned by root."; + << sandbox_binary_ << " is mode 4755 and owned by root."; } } @@ -127,7 +127,7 @@ void ZygoteHost::Init(const std::string& sandbox_cmd) { fds_to_map.push_back(std::make_pair(sfd, 5)); int dummy_fd = -1; - if (using_suid_sandbox) { + if (using_suid_sandbox_) { dummy_fd = socket(PF_UNIX, SOCK_DGRAM, 0); CHECK(dummy_fd >= 0); fds_to_map.push_back(std::make_pair(dummy_fd, 7)); @@ -137,7 +137,7 @@ void ZygoteHost::Init(const std::string& sandbox_cmd) { base::LaunchApp(cmd_line.argv(), fds_to_map, false, &process); CHECK(process != -1) << "Failed to launch zygote process"; - if (using_suid_sandbox) { + if (using_suid_sandbox_) { // In the SUID sandbox, the real zygote is forked from the sandbox. // We need to look for it. // But first, wait for the zygote to tell us it's running. @@ -156,7 +156,7 @@ void ZygoteHost::Init(const std::string& sandbox_cmd) { if (base::FileDescriptorGetInode(&inode, dummy_fd)) { close(dummy_fd); std::vector<std::string> get_inode_cmdline; - get_inode_cmdline.push_back(sandbox_binary); + get_inode_cmdline.push_back(sandbox_binary_); get_inode_cmdline.push_back(base::kFindInodeSwitch); get_inode_cmdline.push_back(Int64ToString(inode)); CommandLine get_inode_cmd(get_inode_cmdline); @@ -207,6 +207,25 @@ pid_t ZygoteHost::ForkRenderer( if (HANDLE_EINTR(read(control_fd_, &pid, sizeof(pid))) != sizeof(pid)) return base::kNullProcessHandle; + const int kRendererScore = 5; + if (using_suid_sandbox_) { + base::ProcessHandle sandbox_helper_process; + base::file_handle_mapping_vector dummy_map; + std::vector<std::string> adj_oom_score_cmdline; + + adj_oom_score_cmdline.push_back(sandbox_binary_); + adj_oom_score_cmdline.push_back(base::kAdjustOOMScoreSwitch); + adj_oom_score_cmdline.push_back(Int64ToString(pid)); + adj_oom_score_cmdline.push_back(IntToString(kRendererScore)); + CommandLine adj_oom_score_cmd(adj_oom_score_cmdline); + if (base::LaunchApp(adj_oom_score_cmdline, dummy_map, false, + &sandbox_helper_process)) { + ProcessWatcher::EnsureProcessGetsReaped(sandbox_helper_process); + } + } else { + base::AdjustOOMScore(pid, kRendererScore); + } + return pid; } diff --git a/chrome/browser/zygote_host_linux.h b/chrome/browser/zygote_host_linux.h index f84a88b..53485e0 100644 --- a/chrome/browser/zygote_host_linux.h +++ b/chrome/browser/zygote_host_linux.h @@ -55,6 +55,8 @@ class ZygoteHost { int control_fd_; // the socket to the zygote pid_t pid_; bool init_; + bool using_suid_sandbox_; + std::string sandbox_binary_; }; #endif // CHROME_BROWSER_ZYGOTE_HOST_LINUX_H_ diff --git a/sandbox/linux/suid/process_util.h b/sandbox/linux/suid/process_util.h new file mode 100644 index 0000000..68ff81d --- /dev/null +++ b/sandbox/linux/suid/process_util.h @@ -0,0 +1,21 @@ +// Copyright (c) 2009 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// The following is duplicated from base/process_utils.h. +// We shouldn't link against C++ code in a setuid binary. + +#ifndef SANDBOX_LINUX_SUID_PROCESS_UTIL_H_ +#define SANDBOX_LINUX_SUID_PROCESS_UTIL_H_ + +#include <stdbool.h> +#include <sys/types.h> + +static const char kAdjustOOMScoreSwitch[] = "--adjust-oom-score"; + +// This adjusts /proc/process/oom_adj so the Linux OOM killer will prefer +// certain process types over others. The range for the adjustment is +// [-17,15], with [0,15] being user accessible. +bool AdjustOOMScore(pid_t process, int score); + +#endif // SANDBOX_LINUX_SUID_PROCESS_UTIL_H_ diff --git a/sandbox/linux/suid/process_util_linux.c b/sandbox/linux/suid/process_util_linux.c new file mode 100644 index 0000000..4a574ad --- /dev/null +++ b/sandbox/linux/suid/process_util_linux.c @@ -0,0 +1,45 @@ +// Copyright (c) 2009 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// The following is the C version of code from base/process_utils_linux.cc. +// We shouldn't link against C++ code in a setuid binary. + +#include "process_util.h" + +#include <fcntl.h> +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> + +bool AdjustOOMScore(pid_t process, int score) { + if (score < 0 || score > 15) + return false; + + char oom_adj[35]; // "/proc/" + log_2(2**64) + "/oom_adj\0" + // 6 + 20 + 9 = 35 + snprintf(oom_adj, sizeof(oom_adj), "/proc/%lu", process); + + struct stat statbuf; + if (stat(oom_adj, &statbuf) < 0) + return false; + if (getuid() != statbuf.st_uid) + return false; + + strcat(oom_adj, "/oom_adj"); + int fd = open(oom_adj, O_WRONLY); + if (fd < 0) + return false; + + char buf[3]; // 0 <= |score| <= 15; + snprintf(buf, sizeof(buf), "%d", score); + size_t len = strlen(buf); + + ssize_t bytes_written = write(fd, buf, len); + close(fd); + return (bytes_written == len); +} diff --git a/sandbox/linux/suid/sandbox.c b/sandbox/linux/suid/sandbox.c index f54bcd1..04073d4 100644 --- a/sandbox/linux/suid/sandbox.c +++ b/sandbox/linux/suid/sandbox.c @@ -26,6 +26,7 @@ #include <unistd.h> #include "linux_util.h" +#include "process_util.h" #include "suid_unsafe_environment_variables.h" #if !defined(CLONE_NEWPID) @@ -309,7 +310,7 @@ int main(int argc, char **argv) { // when you call it with --find-inode INODE_NUMBER. if (argc == 3 && (0 == strcmp(argv[1], kFindInodeSwitch))) { pid_t pid; - char *endptr; + char* endptr; ino_t inode = strtoull(argv[2], &endptr, 10); if (inode == ULLONG_MAX || *endptr) return 1; @@ -318,6 +319,19 @@ int main(int argc, char **argv) { printf("%d\n", pid); return 0; } + // Likewise, we cannot adjust /proc/pid/oom_adj for sandboxed renderers + // because those files are owned by root. So we need another helper here. + if (argc == 4 && (0 == strcmp(argv[1], kAdjustOOMScoreSwitch))) { + char* endptr; + int score; + pid_t pid = strtoul(argv[2], &endptr, 10); + if (pid == ULONG_MAX || *endptr) + return 1; + score = strtol(argv[3], &endptr, 10); + if (score == LONG_MAX || score == LONG_MIN || *endptr) + return 1; + return AdjustOOMScore(pid, score); + } if (!MoveToNewPIDNamespace()) return 1; diff --git a/sandbox/sandbox.gyp b/sandbox/sandbox.gyp index eccd772..e457661 100644 --- a/sandbox/sandbox.gyp +++ b/sandbox/sandbox.gyp @@ -12,6 +12,8 @@ 'sources': [ 'linux/suid/linux_util.c', 'linux/suid/linux_util.h', + 'linux/suid/process_util.h', + 'linux/suid/process_util_linux.c', 'linux/suid/sandbox.c', ], 'cflags': [ |