From 48a69110f29e0fa819401bd9bef3b6d377d6cb91 Mon Sep 17 00:00:00 2001
From: "markus@chromium.org"
 <markus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed, 23 May 2012 17:58:55 +0000
Subject: Roll the revision of the seccomp sandbox forward. In the process, we
 also fixed a missing include file in the zygote, that effectively disabled
 the entire sandbox. This apparently happened recently, when the zygote code
 was refactored.

BUG=n/a
TEST=SECCOMP_SANDBOX_DEBUGGING=1 ./out/Debug/chrome --enable-seccomp-sandbox, then verify that the sandbox is actually activated; it should be printing log data to the console
Review URL: https://chromiumcodereview.appspot.com/10407036

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138521 0039d316-1c4b-4281-b951-d872f2087c98
---
 content/zygote/zygote_linux.cc      | 14 +++++++-------
 content/zygote/zygote_main_linux.cc |  2 ++
 2 files changed, 9 insertions(+), 7 deletions(-)

(limited to 'content/zygote')

diff --git a/content/zygote/zygote_linux.cc b/content/zygote/zygote_linux.cc
index cf57999..ff50f24 100644
--- a/content/zygote/zygote_linux.cc
+++ b/content/zygote/zygote_linux.cc
@@ -4,6 +4,7 @@
 
 #include "content/zygote/zygote_linux.h"
 
+#include <fcntl.h>
 #include <string.h>
 #include <sys/socket.h>
 #include <sys/types.h>
@@ -23,6 +24,7 @@
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "content/common/chrome_descriptors.h"
+#include "content/common/seccomp_sandbox.h"
 #include "content/common/set_process_title.h"
 #include "content/common/unix_domain_socket_posix.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
@@ -396,15 +398,13 @@ base::ProcessId Zygote::ReadArgsAndFork(const Pickle& pickle,
   if (!child_pid) {
     // This is the child process.
 #if defined(SECCOMP_SANDBOX)
-    if (SeccompSandboxEnabled() && proc_fd_for_seccomp_ >= 0) {
-      // Try to open /proc/self/maps as the seccomp sandbox needs access to it
-      int proc_self_maps = openat(proc_fd_for_seccomp_, "self/maps", O_RDONLY);
-      if (proc_self_maps >= 0) {
-        SeccompSandboxSetProcSelfMaps(proc_self_maps);
+    if (proc_fd_for_seccomp_ >= 0) {
+      if (process_type == switches::kRendererProcess &&
+          SeccompSandboxEnabled()) {
+        SeccompSandboxSetProcFd(proc_fd_for_seccomp_);
       } else {
-        PLOG(ERROR) << "openat(/proc/self/maps)";
+        close(proc_fd_for_seccomp_);
       }
-      close(proc_fd_for_seccomp_);
       proc_fd_for_seccomp_ = -1;
     }
 #endif
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
index 21c09c4..2cb2af1 100644
--- a/content/zygote/zygote_main_linux.cc
+++ b/content/zygote/zygote_main_linux.cc
@@ -669,6 +669,8 @@ bool ZygoteMain(const MainFunctionParams& params,
       LOG(ERROR) << "WARNING! This machine lacks support needed for the "
                     "Seccomp sandbox. Running renderers with Seccomp "
                     "sandboxing disabled.";
+      close(proc_fd_for_seccomp);
+      proc_fd_for_seccomp = -1;
     } else {
       VLOG(1) << "Enabling experimental Seccomp sandbox.";
       sandbox_flags |= kSandboxLinuxSeccomp;
-- 
cgit v1.1