Our current GOT patching code is platform-specific and fails to work
when V8 is built as a library.
Instead we define global functions for those functions which we wish
to override. Since we will be first in the dynamic resolution order,
the dynamic linker will point callers to our versions of these
functions. However, we have the same binary for both the browser and
the renderers, which means that our overrides will apply in the
browser too.
The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
renderer process. It's set in ZygoteMain and inherited by the
renderers when they fork. (This means that it'll be incorrect for
global constructor functions and before ZygoteMain is called -
beware).
Our replacement functions can check this global and either proxy the
call to the browser over the sandbox IPC
(http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can
use dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols
in the current module.
TEST=Run javascript:alert(new Date().getTimezoneOffset()). It shouldn't return 0 unless you're actually in GMT.
BUG=16800
http://codereview.chromium.org/165011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22636 0039d316-1c4b-4281-b951-d872f2087c98
When using the sandbox, the renderer cannot load the ffmpeg shared
objects from disk. So we load them in the zygote before the sandbox is
started.
(Note that this doesn't get media working, but it's a start.)
BUG=18329
http://codereview.chromium.org/159841
(Note: relanding. Original landing in r22392, reverted in r22405 due
to check-deps failure.)
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22492 0039d316-1c4b-4281-b951-d872f2087c98
This reverts commit r22392.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22405 0039d316-1c4b-4281-b951-d872f2087c98
In the sandbox, reading shmmax from proc always fails. Thus, we move
the function into base and call it before starting the sandbox. The
value is then cached.
http://codereview.chromium.org/159843
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22393 0039d316-1c4b-4281-b951-d872f2087c98
When using the sandbox, the renderer cannot load the ffmpeg shared
objects from disk. So we load them in the zygote before the sandbox is
started.
(Note that this doesn't get media working, but it's a start.)
BUG=18329
http://codereview.chromium.org/159841
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22392 0039d316-1c4b-4281-b951-d872f2087c98
Review URL: http://codereview.chromium.org/160288
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@21891 0039d316-1c4b-4281-b951-d872f2087c98
before the sandbox is triggered.
BUG=16860 (http://crbug.com/16860)
TEST=Run Chrome with LC_ALL=en_US.UTF-8. 1. Make sure that you don't see
any warning about 'setlocale failing'. 2. Upload a file whose name
contains non-ASCII characters in UTF-8 (e.g. "café.txt" or "一二.txt"). The
filename field in a form should be populated with the name (rather than empty).
Review URL: http://codereview.chromium.org/160112
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@21586 0039d316-1c4b-4281-b951-d872f2087c98
r21097, 'Linux sandbox: plumb timezone calls through the sandbox' adds some
ia32 assembly by way of a define. This is bad for building for ARM.
Patch by Joel Stanley.
Review URL: http://codereview.chromium.org/160097
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@21527 0039d316-1c4b-4281-b951-d872f2087c98
Glibc adds a field to struct tm, tm_zone, which contains a pointer to
a string for the current time zone. Since this makes struct tm a
non-POD data type, it only works for the non-thread-safe localtime()
call, not localtime_r().
However, V8 relies on it so this patch adds support for passing it
through our sandbox.
BUG=17458
http://codereview.chromium.org/159216
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@21311 0039d316-1c4b-4281-b951-d872f2087c98
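An added example (not Chromium's code) of what the commit above has to do to move a glibc struct tm, tm_zone pointer included, across the sandbox IPC: the integer fields and the zone name are flattened into a byte buffer on the sending side and rebuilt on the receiving side with tm_zone pointing at receiver-owned storage, so no pointer from the other process is ever dereferenced. The wire layout, the ZONE_MAX limit and the function names are assumptions.

```c
#define _GNU_SOURCE  /* glibc: expose tm_zone and tm_gmtoff in struct tm */
#include <stdint.h>
#include <string.h>
#include <time.h>

enum { TM_INTS = 9, ZONE_MAX = 32 };  /* assumed wire-format limits */

/* Pack: nine int32 fields, an int64 tm_gmtoff, then the zone name with
 * its terminating NUL. Returns bytes written, or 0 if it does not fit. */
size_t tm_pack(const struct tm *t, unsigned char *buf, size_t cap) {
  int32_t f[TM_INTS] = {t->tm_sec, t->tm_min, t->tm_hour, t->tm_mday,
                        t->tm_mon, t->tm_year, t->tm_wday, t->tm_yday,
                        t->tm_isdst};
  int64_t off = t->tm_gmtoff;
  const char *zone = t->tm_zone ? t->tm_zone : "";
  size_t zlen = strlen(zone);
  size_t need = sizeof f + sizeof off + zlen + 1;
  if (zlen >= ZONE_MAX || need > cap) return 0;
  memcpy(buf, f, sizeof f);
  memcpy(buf + sizeof f, &off, sizeof off);
  memcpy(buf + sizeof f + sizeof off, zone, zlen + 1);
  return need;
}

/* Unpack into *t. The zone name is copied into zone_out (ZONE_MAX bytes)
 * and t->tm_zone points at it, so the receiver never dereferences a
 * pointer that came from the other process. Returns 1 on success, 0 on
 * a short, oversized or unterminated buffer. */
int tm_unpack(const unsigned char *buf, size_t len, struct tm *t,
              char *zone_out) {
  int32_t f[TM_INTS];
  int64_t off;
  const size_t hdr = sizeof f + sizeof off;
  if (len <= hdr || len - hdr > ZONE_MAX || buf[len - 1] != '\0') return 0;
  memcpy(f, buf, sizeof f);
  memcpy(&off, buf + sizeof f, sizeof off);
  memset(t, 0, sizeof *t);
  t->tm_sec = f[0]; t->tm_min = f[1]; t->tm_hour = f[2]; t->tm_mday = f[3];
  t->tm_mon = f[4]; t->tm_year = f[5]; t->tm_wday = f[6]; t->tm_yday = f[7];
  t->tm_isdst = f[8];
  t->tm_gmtoff = off;
  memcpy(zone_out, buf + hdr, len - hdr);
  t->tm_zone = zone_out;
  return 1;
}
```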
Review URL: http://codereview.chromium.org/159124
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@21248 0039d316-1c4b-4281-b951-d872f2087c98
The localtime (and localtime_r) functions try to access /etc/localtime
in the filesystem. For sandboxed renderers, this fails, and the
functions default to a UTC timezone.
These functions are called from within WebCore and V8 and there's no
clean way to patch the source code in place to do a hairpin turn and
manage an IPC. Additionally, we cannot overwrite the calls with the
usual symbol resolution procedures since the same chrome binary must
serve as both the unsandboxed browser and sandboxed renderer.
Thus we patch the GOT at runtime if we find, in the zygote process,
that we are sandboxed.
BUG=16800
TEST=Run javascript:alert(new Date().getTimezoneOffset()) in a sandboxed renderer. The resulting timezone offset (in minutes) should be correct for the local timezone.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@21097 0039d316-1c4b-4281-b951-d872f2087c98
TEST=start chrome with a SUID sandbox and check that no zombies persist.
http://codereview.chromium.org/149734
(Reland of r20838. Hopefully with the reaping in the correct place this time.)
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20845 0039d316-1c4b-4281-b951-d872f2087c98
Markus pointed out that the cwd was already shared between the chroot
helper process and the zygote, therefore we could avoid some
complexity in passing the file descriptor so, also, we could then make
the directory mode 0000.
http://codereview.chromium.org/155366
BUG=16363
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20398 0039d316-1c4b-4281-b951-d872f2087c98
Ubuntu systems (at least) wipe /var/run at boot time, which is
deleting our sandbox directory. Instead, we have the SUID helper
create a temp directory in /tmp, unlink it and use that for the chroot
directory. A file descriptor is passed to the zygote process for it to
fchdir into.
(Thanks to fta for discussions on this.)
BUG=16363
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20388 0039d316-1c4b-4281-b951-d872f2087c98
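An added example (not Chromium's helper code) of the directory handling in the two commits above (r20388 and r20398): the helper creates a directory under /tmp, holds a descriptor to it and unlinks the name, and the receiving process fchdirs into it through the descriptor before the mode is dropped to 0000. The function names are assumptions, the fallback to the current directory exists only so the example runs where /tmp is unavailable, and the chroot(".") itself (which needs CAP_SYS_CHROOT) is left to the caller.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Helper side: create a directory under /tmp, open a descriptor to it,
 * then remove its name. Returns the fd (or -1) and copies the path that
 * was used into path_out so a caller can confirm it no longer resolves. */
int make_anonymous_chroot_dir(char *path_out, size_t cap) {
  char in_tmp[] = "/tmp/chrome-sandbox-XXXXXX";  /* constructed prefix */
  char local[] = "./chrome-sandbox-XXXXXX";      /* example-only fallback */
  char *dir = mkdtemp(in_tmp) ? in_tmp : mkdtemp(local);
  if (dir == NULL) return -1;
  int fd = open(dir, O_RDONLY | O_DIRECTORY);
  if (fd < 0) { rmdir(dir); return -1; }
  /* Drop the name right away: a boot-time wipe of /var/run, or anything
   * else on the system, can no longer find or replace it by path. */
  if (rmdir(dir) != 0) { close(fd); return -1; }
  if (path_out != NULL) snprintf(path_out, cap, "%s", dir);
  return fd;
}

/* Zygote side, with the fd it was handed: fchdir into the directory and
 * only then drop it to mode 0000 (fchdir needs search permission, so the
 * order matters for a non-root run). chroot(".") would follow here. */
int enter_anonymous_dir(int fd) {
  if (fchdir(fd) != 0) return -1;
  return fchmod(fd, 0);
}

/* The directory now exists only through open descriptors: fstat reports
 * a directory whose link count has dropped to zero. */
int dir_is_anonymous(int fd) {
  struct stat st;
  return fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && st.st_nlink == 0;
}

int main(void) {
  char path[64];
  int fd = make_anonymous_chroot_dir(path, sizeof path);
  if (fd < 0 || enter_anonymous_dir(fd) != 0) { perror("sandbox dir"); return 1; }
  printf("%s is gone: %s; anonymous dir via fd: %s\n", path,
         access(path, F_OK) != 0 ? "yes" : "no",
         dir_is_anonymous(fd) ? "yes" : "no");
  return 0;
}
```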
Previously, we required that the binary be non-readable. This causes the
kernel to mark the process as non-dumpable at startup. The thinking was
that, although we were putting the renderers into a PID namespace (with
the SUID sandbox), they would nonetheless be in the /same/ PID
namespace. So they could ptrace each other unless they were non-dumpable.
If the binary was readable, then there would be a window between process
startup and the point where we set the non-dumpable flag in which a
compromised renderer could ptrace attach.
However, now that we have a zygote model, only the (trusted) zygote
exists at this point and we can set the non-dumpable flag which is
inherited by all our renderer children.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20383 0039d316-1c4b-4281-b951-d872f2087c98
* Make processes dumpable when they crash.
* Find crashing processes by searching for a socket inode, rather
than relying on SCM_CREDENTIALS. The kernel doesn't translate PIDs
between PID namespaces with SCM_CREDENTIALS, so we can't use the
PID there.
* Use a command line flag to the renderer to enable crash dumping.
Previously it tried to access the user's home directory for this
information.
* Search for a sandbox helper binary and, if found, use it.
* Include the source for a sandbox helper binary. It's currently not
built by default.
http://codereview.chromium.org/149230
R=evan,markus
BUG=8081
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20110 0039d316-1c4b-4281-b951-d872f2087c98
We are using the sandbox host for font fallback now via the WebKit
API. However, a patch landed in WebKit which added an assertion about
being on the correct thread. Since the sandbox host was using
WebString::fromUTF8, we hit the assertion and died.
So, we have to implement a WebKitClient for the sandbox host. We
cannot just pass in NULL because there's an assertion that it's
non-NULL. Also, we cannot pass in a bogus pointer because it actually
ends up getting called back.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@19324 0039d316-1c4b-4281-b951-d872f2087c98
Relands r18641, original code review: http://codereview.chromium.org/125268
Expect a crash on Windows.
The old method of crashing was flawed on posix (KillProcess just does a SIGTERM). On Windows though, it would terminate the process with the desired exit code, in order to make DidProcessCrash() return true. This process termination does not dump crash information though, since it just forcibly terminates the process, like a SIGKILL on posix. When I switched it to navigate to about:crash though, it actually crashes, and dumps crash information, which the UITest in windows (but not linux/mac) detects. Therefore, until those platforms can detect, we just use #if defined(OS_WIN) around the expected_crashes = 1.
Review URL: http://codereview.chromium.org/131007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@18680 0039d316-1c4b-4281-b951-d872f2087c98
Broke ui_tests.
Review URL: http://codereview.chromium.org/125268
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@18646 0039d316-1c4b-4281-b951-d872f2087c98
Add support for zygotes to call DidProcessCrash on renderers.
TEST=metrics_server_uitest.cc
Review URL: http://codereview.chromium.org/126264
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@18641 0039d316-1c4b-4281-b951-d872f2087c98
http://code.google.com/p/chromium/wiki/LinuxSandboxIPC
Without filesystem access from the renderers, we need another way of
dealing with fontconfig and font loading.
This adds support for:
* An "SBX_D" environment variable in the renderers which is used to
signal the end of dynamic linking so that the chroot can be
enforced.
* A sandbox_host process, running outside the sandbox, to deal with
fontconfig requests from the renderers. See the wiki page for
the reasoning behind making it a separate process.
* A new, custom SkFontHost for Skia. Because this is Chrome
specific, it will live outside the upstream Skia tree. This
FontHost can be configured either to drive fontconfig directly
(for the browser process and for any unsandboxed renderers) or to
use an IPC system. Since the same SkFontHost has to be linked into
both the browser and renderer (they are the same binary), this
switch has to be made at run time.
Sandbox IPC calls are rare (a couple of dozen at page load time) and
add about 50us of overhead for each call.
(Reland of r17575 which was reverted in r17577)
http://codereview.chromium.org/112074
BUG=8081
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@18405 0039d316-1c4b-4281-b951-d872f2087c98
http://code.google.com/p/chromium/wiki/LinuxZygote
* Move Chrome specific bits out of base
* Move away from the idea of reserved file descriptors (which don't really work
with zygotes)
* Load resources before forking renderers (means that we don't need
communication between the zygote process and the renderers)
* Make sure that gdb works against the browser again
* Make sure that we have different ASLR between the renderers and the browser.
http://codereview.chromium.org/119335
(This is a reland. First landed in r18109, reverted in r18112.)
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@18291 0039d316-1c4b-4281-b951-d872f2087c98
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@18112 0039d316-1c4b-4281-b951-d872f2087c98
http://code.google.com/p/chromium/wiki/LinuxZygote
* Move Chrome specific bits out of base
* Move away from the idea of reserved file descriptors (which don't
really work with zygotes)
* Load resources before forking renderers (means that we don't need
communication between the zygote process and the renderers)
* Make sure that gdb works against the browser again
* Make sure that we have different ASLR between the renderers and the
browser.
http://codereview.chromium.org/119335
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@18109 0039d316-1c4b-4281-b951-d872f2087c98