From a9c54a176540e3a8173d72a1794cac3855bc9ce0 Mon Sep 17 00:00:00 2001
From: "markus@chromium.org"
Date: Sat, 7 Nov 2009 06:09:38 +0000
Subject: Allow the seccomp sandbox to be enabled, even if the suid sandbox has already put a chroot() jail around it. The only tricky part is access to /proc/self/maps, but we can safely pass in an open file descriptor.
BUG=26527
Review URL: http://codereview.chromium.org/371047
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@31372 0039d316-1c4b-4281-b951-d872f2087c98
---
 sandbox/linux/seccomp/open.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'sandbox/linux/seccomp/open.cc')
diff --git a/sandbox/linux/seccomp/open.cc b/sandbox/linux/seccomp/open.cc
index 9b4786b..982d768 100644
--- a/sandbox/linux/seccomp/open.cc
+++ b/sandbox/linux/seccomp/open.cc
@@ -30,7 +30,7 @@ int Sandbox::sandbox_open(const char *pathname, int flags, mode_t mode) {
 return static_cast(rc);
 }
-bool Sandbox::process_open(int parentProc, int sandboxFd, int threadFdPub,
+bool Sandbox::process_open(int parentMapsFd, int sandboxFd, int threadFdPub,
 int threadFd, SecureMem::Args* mem) {
 // Read request
 SysCalls sys;
@@ -70,7 +70,7 @@ bool Sandbox::process_open(int parentProc, int sandboxFd, int threadFdPub,
 return false;
 }
- SecureMem::lockSystemCall(parentProc, mem);
+ SecureMem::lockSystemCall(parentMapsFd, mem);
 if (read(sys, sandboxFd, mem->pathname, open_req.path_length) != (ssize_t)open_req.path_length) {
 goto read_parm_failed;
@@ -83,7 +83,7 @@ bool Sandbox::process_open(int parentProc, int sandboxFd, int threadFdPub,
 "\"").c_str());
 // Tell trusted thread to open the file.
- SecureMem::sendSystemCall(threadFdPub, true, parentProc, mem, __NR_open,
+ SecureMem::sendSystemCall(threadFdPub, true, parentMapsFd, mem, __NR_open,
 mem->pathname - (char*)mem + (char*)mem->self, open_req.flags, open_req.mode);
 return true;
-- 
cgit v1.1
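Review bot: The renamed `parentMapsFd` parameter in the `process_open` signature (first hunk) has no comment saying what the descriptor must refer to, so the name alone carries the contract. Going by the commit message it is an already-open descriptor for /proc/self/maps, passed in because the chroot() jail makes the path unreachable; a comment above the definition such as `// parentMapsFd: already-open fd for /proc/self/maps, supplied by the caller because the path cannot be opened inside the chroot() jail` would record that. The same value is forwarded to `SecureMem::lockSystemCall` (second hunk) and `SecureMem::sendSystemCall` (third hunk), whose bodies are outside this diff. A descriptor that is kept open retains its file offset between calls, so if those functions read the mappings through it on every request, it is worth confirming that they rewind it first. The body of process_open starts and ends outside these hunks.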