Commit message
Currently, this is gated behind the enable-namespace-sandbox switch.
Furthermore, the namespace sandbox is only used if seccomp-bpf is
supported.
BUG=312380
Review URL: https://codereview.chromium.org/897723005
Cr-Commit-Position: refs/heads/master@{#315177}
This can be disabled with the allow-sandbox-debugging flag.
BUG=455964
Review URL: https://codereview.chromium.org/901683003
Cr-Commit-Position: refs/heads/master@{#315139}
This separates the code used to "host" the setuid sandbox binary from
the code used to run underneath it (i.e., the client). The primary
motivation for this is so that lightweight clients (e.g., the BMM
non-SFI sandbox) can avoid all of the additional dependencies required
only for hosting the setuid sandbox.
TBR=mseaborn@chromium.org,nasko@chromium.org
BUG=455087
Review URL: https://codereview.chromium.org/877153005
Cr-Commit-Position: refs/heads/master@{#314734}
BUG=417532
Review URL: https://codereview.chromium.org/830153005
Cr-Commit-Position: refs/heads/master@{#310943}
Prefix all CommandLine usage in the components/ directory's following subdirectories:
feedback, gcm_driver, google, infobars, invalidation, keyed_service, metrics, nacl,
omnibox and os_crypt with the base:: namespace
BUG=422426
Review URL: https://codereview.chromium.org/774933004
Cr-Commit-Position: refs/heads/master@{#306790}
This CL introduces a flag to switch nacl_helper binary for NaCl in Non-SFI
mode. When the flag, nacl_helper_nonsfi binary is used, otherwise nacl_helper
binary in Non-SFI mode is used.
nacl_helper_nonsfi binary is under development, and this flag is for
its experiment. Also, the flag will be used to run browser_tests with
nacl_helper_nonsfi binary (similar to NaClBrowserTestNonSfiMode test suites).
BUG=358465
TEST=Ran trybot. Ran browser tests locally with local modification on
NaClBrowserTestNonSfiMode and made sure the binary is actually switched.
Review URL: https://codereview.chromium.org/676323002
Cr-Commit-Position: refs/heads/master@{#302217}
Previously, we allowed socket syscalls which were only needed by the
NaCl gdb stub. Now, we only allow these syscalls when the
--enable-nacl-debug flag is present.
Also restricts cross-process interaction for sched_* syscalls now that
non-crashing SIGSYS handlers are allowed under NaCl.
BUG=270914,413855
Review URL: https://codereview.chromium.org/670603002
Cr-Commit-Position: refs/heads/master@{#301982}
The Google C++ style guide states:
Explicitly annotate overrides of virtual functions or virtual
destructors with an override or (less frequently) final specifier.
Older (pre-C++11) code will use the virtual keyword as an inferior
alternative annotation. For clarity, use exactly one of override,
final, or virtual when declaring an override.
To better conform to these guidelines, the following constructs have
been rewritten:
- if a base class has a virtual destructor, then:
virtual ~Foo(); -> ~Foo() override;
- virtual void Foo() override; -> void Foo() override;
- virtual void Foo() override final; -> void Foo() final;
This patch was automatically generated. The clang plugin can generate
fixit hints, which are suggested edits when it is 100% sure it knows how
to fix a problem. The hints from the clang plugin were applied to the
source tree using the tool in https://codereview.chromium.org/598073004.
BUG=417463
R=caitkp@chromium.org
Review URL: https://codereview.chromium.org/684513002
Cr-Commit-Position: refs/heads/master@{#301931}
BUG=417463
Review URL: https://codereview.chromium.org/623133002
Cr-Commit-Position: refs/heads/master@{#298237}
This suppresses a warning about the setuid sandbox API version on Linux.
BUG=385995
Review URL: https://codereview.chromium.org/335453009
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@278512 0039d316-1c4b-4281-b951-d872f2087c98
BUG=358413
Review URL: https://codereview.chromium.org/308073002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@275259 0039d316-1c4b-4281-b951-d872f2087c98
Also did small style fixes for NaClForkDelegate declaration.
TEST=trybots
TEST=Our app still works with both SFI/non-SFI NaCl ARM
BUG=363710
Review URL: https://codereview.chromium.org/289683003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@270624 0039d316-1c4b-4281-b951-d872f2087c98
With this change, NaCl SFI and non-SFI processes now run in disjoint
PID namespaces, so the kernel should prevent sending signals from an SFI
process to a non-SFI process, or vice versa. (The NaCl PID namespaces
are still nested within the renderer's PID namespace though.)
BUG=364945
NOTRY=true
Review URL: https://codereview.chromium.org/279693002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@270244 0039d316-1c4b-4281-b951-d872f2087c98
Move handling of the dummy file descriptor into SetuidSandboxClient.
Review URL: https://codereview.chromium.org/262533004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@267743 0039d316-1c4b-4281-b951-d872f2087c98
This is slightly suboptimal because ScopedVector forces each ScopedFD
to be individually heap allocated, but it's the simplest solution
until C++11 is available.
BUG=360274
NOTRY=true
Review URL: https://codereview.chromium.org/258543006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@267350 0039d316-1c4b-4281-b951-d872f2087c98
This patch makes three changes:
1. Removes the AckChild() delegate method used to send a custom
message to the child process.
2. Instead, the parent always writes the child's PID (as seen by the
browser) over the pipe. (Exception: When writing to a NaCl child
process, we instead send 0 to avoid leaking the real PID into the
NaCl address space.)
3. Makes the Fork() delegate method responsible for sending the IPC
channel ID to the child process.
This is in preparation for the next patch which will switch the pipe
direction to make the child responsible for discovering its own PID
and sending it to the parent process. By removing AckChild(), this
simplifies the protocol and makes this change easier to implement.
BUG=357670
Review URL: https://codereview.chromium.org/240673002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@264764 0039d316-1c4b-4281-b951-d872f2087c98
We always pass channel_switch as "--channel=XYZ" and then the
recipient pointlessly verifies that it still starts with "--channel=".
So instead rename AckChild() parameter to channel_id and just pass the
"XYZ" part to remove a possible failure case, and simplify the
receiving code a little bit.
BUG=357670
Review URL: https://codereview.chromium.org/239333009
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@264681 0039d316-1c4b-4281-b951-d872f2087c98
NaCl now uses its own instance of the setuid sandbox. In particular, NaCl
is now running in its own PID namespace (which is a sub-space of the Zygote
PID namespace).
Moreover, the NaCl helper is responsible for getting chrooted, instead of
relying on a shared FS view (via CLONE_FS) with the Zygote.
This CL also ensures consistency between the setuid sandbox status as
reported in about:sandbox and NaCl's setuid sandbox status.
Before, the process tree looks like this:
__browser
____chrome-sandbox [X, fs_state1]
______init [pid_ns1, fs_state1]
________zygote [pid_ns1, fs_state1]
________nacl_helper [pid_ns1, fs_state1]
-- "X" means same as parent.
After:
__browser
____chrome-sandbox [X , fs_state1]
______init [pid_ns1, fs_state1]
________zygote [pid_ns1, fs_state1]
________chrome-sandbox [pid_ns1, fs_state2]
__________nacl_helper [pid_ns2, fs_state2] (nacl_helper doubles as init(1) in pid_ns2).
The main change is to make nacl_fork_delegate_linux.cc launch nacl_helper via
chrome-sandbox instead of trying to share the view of the file system with the Zygote
via CLONE_FS. It uses SetuidSandboxClient to help with this.
Then change nacl_helper_linux.cc to tell (via IPC) chrome-sandbox to enable
the sandbox, and add some more sanity checks.
BUG=358733
R=mseaborn@chromium.org, piman@chromium.org
Review URL: https://codereview.chromium.org/239803003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@264372 0039d316-1c4b-4281-b951-d872f2087c98
Also introduce --nacl-dangerous-no-sandbox-nonsfi, which
allows us to skip sandbox entirely for development.
TEST=out/Release/browser_tests --gtest_filter='NaCl*'
TEST=trybots
BUG=359230
Review URL: https://codereview.chromium.org/226033002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@263824 0039d316-1c4b-4281-b951-d872f2087c98
Before this patch, we were passing this info by the first IPC
to nacl_helper (NaClProcessMsg_Start). This timing is too late
for seccomp sandbox initialization.
This patch introduces a new process type, nacl-loader-nonsfi.
For now, nacl_helper says it can handle both nacl-loader and
nacl-loader-nonsfi. Once we have split nacl_helper into two
binaries, we will probably create two NaClForkDelegate
instances and let each of them focus on a single process
type.
Also removed uses_nonsfi_mode from NaClStartParams. This is
no longer necessary.
BUG=https://code.google.com/p/nativeclient/issues/detail?id=3734
TEST=out/Release/browser_tests --gtest_filter='NaCl*' and trybot
R=jln@chromium.org, jochen@chromium.org, mseaborn@chromium.org
Review URL: https://codereview.chromium.org/216603002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@261279 0039d316-1c4b-4281-b951-d872f2087c98
BUG=331459
TBR=sehr@chromium.org
Review URL: https://codereview.chromium.org/126823003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@243720 0039d316-1c4b-4281-b951-d872f2087c98
It is incorrect to wrap close in HANDLE_EINTR on Linux. Correctness is
generally undefined on Mac, but as of r223369, it is incorrect in Chrome on
Mac.
To avoid new offenders, a PRESUBMIT check ensures that HANDLE_EINTR is not
used with close, and that IGNORE_EINTR is only used with close. Unnecessary
#includes of eintr_wrapper.h are also removed.
base/posix/eintr_wrapper.h, PRESUBMIT.py, and ppapi/tests/test_broker.cc
contain non-mechanical changes. Variable naming within the latter is updated
per r178174. Missing #includes for <errno.h> in
content/zygote/zygote_main_linux.cc and tools/android/common/daemon.cc were
manually added. Mechanical changes were generated by running:
sed -E -i '' \
-e 's/((=|if|return|CHECK|EXPECT|ASSERT).*)HANDLE(_EINTR\(.*close)/\1IGNORE\3/' \
-e 's/(ignore_result|void ?)\(HANDLE_EINTR\((.*close\(.*)\)\)/\2/' \
-e 's/(\(void\) ?)?HANDLE_EINTR\((.*close\(.*)\)/\2/' \
$(git grep -El 'HANDLE_EINTR.*close')
sed -E -i '' -e '/#include.*eintr_wrapper\.h"/d' \
$(grep -EL '(HANDLE|IGNORE)_EINTR' \
$(git grep -El '#include.*eintr_wrapper\.h"'))
BUG=269623
R=agl@chromium.org, jln@chromium.org
TBR=OWNERS
Review URL: https://codereview.chromium.org/100253002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@238390 0039d316-1c4b-4281-b951-d872f2087c98
Move the NaCl linux helper into the components/nacl/loader directory as well
as the build target to components/nacl.gyp. This patch also
removed chrome/nacl.gypi which is not needed anymore.
This is part of an effort to componentize NaCl code.
Patch by mrunal.kapade@intel.com with modifications by myself.
BUG=244791
Review URL: https://codereview.chromium.org/58333002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@234379 0039d316-1c4b-4281-b951-d872f2087c98
Before this change, if the NaCl zygote (nacl_helper) failed to start,
NaCl would fall back to launching NaCl loader processes via the
Chromium zygote process, using the second copy of the NaCl runtime
that was still being linked into the "chrome" executable.
There were two problems with this:
* It bloats the binaries with two copies of NaCl (one in nacl_helper,
one in chrome).
* This fallback case was not tested at all on the buildbots, and in
fact it got broken a while ago. It would fail with the error
"AssertNoOtherSignalHandlers: A signal handler is registered for
signal 17".
Running this untested code path is risky from a security point of
view, so it's better to remove it.
It's enough to remove chrome's reference to NaClMain(). Also,
changing CanHelp() to always return true for nacl-loader processes
stops the zygote from trying the fallback if nacl_helper failed.
Size of out/Release/chrome:
Before: 145989408
After: 144569176
This saves 1.4MB.
BUG=118263
TEST=NaCl tests in browser_tests; also tested error from
PPAPINaClNewlibTest.Core with nacl_helper removed
Review URL: https://codereview.chromium.org/41043002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@230891 0039d316-1c4b-4281-b951-d872f2087c98
using named shared memory.
This is required to enable chrome://stats on Android where there is no
/dev/shm. This also provides the added advantage of not requiring the
--no-sandbox command line flag with the --enable-stats-table on Posix.
BUG=None
Review URL: https://codereview.chromium.org/22911027
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@228903 0039d316-1c4b-4281-b951-d872f2087c98
child_process_launcher.cc constructs a mapping from FD numbers to FDs,
and normal Chromium child processes receive this as a mapping.
However, before this change, when zygote_linux.cc passed these FDs to
nacl_helper, it stripped the keys from the mapping and only passed the
values.
This meant that if child_process_launcher.cc were changed to add more
key+value pairs to the FD mapping, nacl_helper_linux.cc would need to
be updated to use or skip over them. Also, the order in which
child_process_launcher.cc adds the FDs to the mapping would be
significant, but only to nacl_helper, which would be weird. This
would be particularly awkward for FDs that are added to the mapping
conditionally.
We clean this up by explicitly taking the one FD that nacl_helper
needs from the FD mapping, rather than passing across all of the
mapping's values.
The aim of this cleanup is to simplify this change --
https://codereview.chromium.org/22911027/ -- which changes
child_process_launcher.cc to add an FD conditionally.
Also make the #defines of the FD numbers clearer by moving them to
zygote_fork_delegate_linux.h, since that's the component that's
responsible for them.
BUG=none
TEST=NaCl tests in browser_tests
Review URL: https://codereview.chromium.org/24449002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@228228 0039d316-1c4b-4281-b951-d872f2087c98
(Reland of https://chromiumcodereview.appspot.com/23020010/)
This does three things:
1. Clean-up a lot of the code in the Linux NaCl loader.
2. Create a new IPC to the NaCl loader "Zygote" for the
main Zygote to query the termination status of processes.
3. Clean-up some code in the Zygote and fix "process tracking".
zygote_linux.cc:
* Split GetTerminationStatus() out from HandleGetTerminationStatus().
* Handle the case where we need to perform a remote IPC for GetTerminationStatus()
* Use the new GetTerminationStatus() to support the remote case for HandleReapRequest().
* Replace real_pids_to_sandbox_pids mapping with process_info_map_.
* Update shortcut case in ForkWithRealPid() to fill this out.
* Update GetTerminationStatus() to remove existing entries.
zygote_fork_delegate_linux.h:
* Create a new GetTerminationStatus() interface.
nacl_helper_linux.cc:
* Split HandleZygoteRequest() out from main().
* Split ChildNaClLoaderInit() to handle the child side of a fork().
* Handle a new IPC in HandleGetTerminationStatusRequest().
nacl_fork_delegate_linux.cc:
* Implement the new GetTerminationStatus() interface.
* Use Pickle for IPCs, make IPCs easier to write with SendIPCRequestAndReadReply().
BUG=133453
R=mseaborn@chromium.org, piman@chromium.org
TBR=mseaborn@chromium.org
Review URL: https://codereview.chromium.org/22875026
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@218610 0039d316-1c4b-4281-b951-d872f2087c98
Broke the ChromiumOS (amd64) bot:
chromeos-chrome-31.0.1607.0_alpha-r1: chrome/nacl/nacl_helper_linux.cc: In function 'int main(int, char**)':
chromeos-chrome-31.0.1607.0_alpha-r1: chrome/nacl/nacl_helper_linux.cc:369:33: error: narrowing conversion of 'sysconf(84)' from 'long int' to 'int' inside { } is ill-formed in C++11 [-Werror=narrowing]
http://build.chromium.org/p/chromium.chromiumos/builders/ChromiumOS%20%28amd64%29/builds/10667
> Support a new remote IPC for GetTerminationStatus.
>
> This does three things:
>
> 1. Clean-up a lot of the code in the Linux NaCl loader.
> 2. Create a new IPC to the NaCl loader "Zygote" for the
> main Zygote to query the termination status of processes.
> 3. Clean-up some code in the Zygote and fix "process tracking".
>
> zygote_linux.cc:
> * Split GetTerminationStatus() out from HandleGetTerminationStatus().
> * Handle the case where we need to perform a remote IPC for GetTerminationStatus()
> * Use the new GetTerminationStatus() to support the remote case for HandleReapRequest().
> * Replace real_pids_to_sandbox_pids mapping with process_info_map_.
> * Update shortcut case in ForkWithRealPid() to fill this out.
> * Update GetTerminationStatus() to remove existing entries.
>
> zygote_fork_delegate_linux.h:
> * Create a new GetTerminationStatus() interface.
>
> nacl_helper_linux.cc:
> * Split HandleZygoteRequest() out from main().
> * Split ChildNaClLoaderInit() to handle the child side of a fork().
> * Handle a new IPC in HandleGetTerminationStatusRequest().
>
> nacl_fork_delegate_linux.cc:
> * Implement the new GetTerminationStatus() interface.
> * Use Pickle for IPCs, make IPCs easier to write with SendIPCRequestAndReadReply().
>
> BUG=133453
> R=mseaborn@chromium.org, piman@chromium.org
>
> Review URL: https://codereview.chromium.org/23020010
TBR=jln@chromium.org
Review URL: https://codereview.chromium.org/22886011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@218602 0039d316-1c4b-4281-b951-d872f2087c98
This does three things:
1. Clean-up a lot of the code in the Linux NaCl loader.
2. Create a new IPC to the NaCl loader "Zygote" for the
main Zygote to query the termination status of processes.
3. Clean-up some code in the Zygote and fix "process tracking".
zygote_linux.cc:
* Split GetTerminationStatus() out from HandleGetTerminationStatus().
* Handle the case where we need to perform a remote IPC for GetTerminationStatus()
* Use the new GetTerminationStatus() to support the remote case for HandleReapRequest().
* Replace real_pids_to_sandbox_pids mapping with process_info_map_.
* Update shortcut case in ForkWithRealPid() to fill this out.
* Update GetTerminationStatus() to remove existing entries.
zygote_fork_delegate_linux.h:
* Create a new GetTerminationStatus() interface.
nacl_helper_linux.cc:
* Split HandleZygoteRequest() out from main().
* Split ChildNaClLoaderInit() to handle the child side of a fork().
* Handle a new IPC in HandleGetTerminationStatusRequest().
nacl_fork_delegate_linux.cc:
* Implement the new GetTerminationStatus() interface.
* Use Pickle for IPCs, make IPCs easier to write with SendIPCRequestAndReadReply().
BUG=133453
R=mseaborn@chromium.org, piman@chromium.org
Review URL: https://codereview.chromium.org/23020010
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@218584 0039d316-1c4b-4281-b951-d872f2087c98
Forward a few command line flags to the NaCl helper from the browser.
Presently, we added:
--no-sandbox
--disable-seccomp-filter-sandbox
BUG=264942
R=mseaborn@chromium.org
Review URL: https://codereview.chromium.org/21022009
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@214388 0039d316-1c4b-4281-b951-d872f2087c98
nacl_fork_delegate_linux is running in the zygote process so it is moved to components/nacl/zygote.
This is part of an effort to componentize NaCl code.
BUG=244791
NOTRY=true
R=jam@chromium.org, mseaborn@chromium.org
Review URL: https://codereview.chromium.org/21031004
Patch from Yael Aharon <yael.aharon@intel.com>.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@214362 0039d316-1c4b-4281-b951-d872f2087c98