author | Michal Klocek <michal.klocek@qt.io> | 2019-02-26 13:47:00 +0100 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2019-02-27 09:35:34 +0000 |
commit | 3fe203d43c33e7eeb362b89587f8fb90fec9e826 (patch) | |
tree | 91d129db2d521e832c0728590c87666904450a34 | |
parent | 29a45e8b7f5ddd792eb1e8a0332f68a68b08c2c6 (diff) | |
download | qtwebengine-chromium-3fe203d43c33e7eeb362b89587f8fb90fec9e826.tar.gz |
Soften check for single thread only if layer1 or layer2 sandbox
Currently, qemu emulation for arm spawns some threads before
entering level 1 of the sandbox. The Chromium code is written to make the
single-thread check even before checking whether the layer1 sandbox is
supported (even with the --no-sandbox flag).
Make minimal code change to simply avoid the check if level1 or level2
sandbox is not supported or unwanted.
Task-number: QTBUG-63346
Change-Id: Ia017f97281b7e41fbf2294e58a6ea77c838f6bd6
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
3 files changed, 8 insertions, 4 deletions
diff --git a/chromium/services/service_manager/sandbox/linux/sandbox_linux.cc b/chromium/services/service_manager/sandbox/linux/sandbox_linux.cc
index 09dbba50467..183e5827c9e 100644
--- a/chromium/services/service_manager/sandbox/linux/sandbox_linux.cc
+++ b/chromium/services/service_manager/sandbox/linux/sandbox_linux.cc
@@ -154,7 +154,7 @@ SandboxLinux* SandboxLinux::GetInstance() {
 return instance;
 }
-void SandboxLinux::PreinitializeSandbox() {
+bool SandboxLinux::PreinitializeSandbox() {
 CHECK(!pre_initialized_);
 seccomp_bpf_supported_ = false;
 #if BUILDFLAG(USING_SANITIZER)
@@ -189,6 +189,7 @@ void SandboxLinux::PreinitializeSandbox() {
 yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) && (yama_status & Yama::STATUS_ENFORCING);
 pre_initialized_ = true;
+ return seccomp_bpf_supported_;
 }
 void SandboxLinux::EngageNamespaceSandbox(bool from_zygote) {
diff --git a/chromium/services/service_manager/sandbox/linux/sandbox_linux.h b/chromium/services/service_manager/sandbox/linux/sandbox_linux.h
index 21817971a45..be0b23ec3bb 100644
--- a/chromium/services/service_manager/sandbox/linux/sandbox_linux.h
+++ b/chromium/services/service_manager/sandbox/linux/sandbox_linux.h
@@ -119,7 +119,7 @@ class SERVICE_MANAGER_SANDBOX_EXPORT SandboxLinux {
 // Otherwise file descriptors that bypass the security of the setuid sandbox
 // would be kept open. One must be particularly careful if a process performs
 // a fork().
- void PreinitializeSandbox();
+ bool PreinitializeSandbox();
 // Check that the current process is the init process of a new PID
 // namespace and then proceed to drop access to the file system by using
diff --git a/chromium/services/service_manager/zygote/zygote_main_linux.cc b/chromium/services/service_manager/zygote/zygote_main_linux.cc
index a00717066a1..4fa23def41e 100644
--- a/chromium/services/service_manager/zygote/zygote_main_linux.cc
+++ b/chromium/services/service_manager/zygote/zygote_main_linux.cc
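Review bot: The declaration comment in sandbox_linux.h still describes only the file-descriptor side effects, and nothing states what the new `bool` return of `PreinitializeSandbox()` means; a caller would reasonably read it as success or failure of pre-initialization. The sandbox_linux.cc hunk at -189 returns `seccomp_bpf_supported_`, which is reset to false at the top of the function and presumably set in the part of the body between the two hunks. Add a line such as `// Returns true if seccomp-bpf is supported on this system.` to the declaration comment. The start of that comment and the rest of the class are outside the hunk.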
@@ -151,6 +151,7 @@ static void EnterNamespaceSandbox(service_manager::SandboxLinux* linux_sandbox,
 static void EnterLayerOneSandbox(service_manager::SandboxLinux* linux_sandbox,
 const bool using_layer1_sandbox,
+ const bool using_layer2_sandbox,
 base::OnceClosure post_fork_parent_callback) {
 DCHECK(linux_sandbox);
@@ -160,6 +161,7 @@ static void EnterLayerOneSandbox(service_manager::SandboxLinux* linux_sandbox,
 // It's not just our code which may do so - some system-installed libraries
 // are known to be culprits, e.g. lttng.
 #if !defined(THREAD_SANITIZER)
+ if (using_layer1_sandbox || using_layer2_sandbox)
 CHECK(sandbox::ThreadHelpers::IsSingleThreaded());
 #endif
@@ -184,10 +186,11 @@ bool ZygoteMain(
 // Skip pre-initializing sandbox when sandbox is disabled for
 // https://crbug.com/444900.
+ bool using_layer2_sandbox = false;
 if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
 service_manager::switches::kNoSandbox)) {
 // This will pre-initialize the various sandboxes that need it.
- linux_sandbox->PreinitializeSandbox();
+ using_layer2_sandbox = linux_sandbox->PreinitializeSandbox();
 }
 const bool using_setuid_sandbox =
@@ -222,7 +225,7 @@ bool ZygoteMain(
 // Turn on the first layer of the sandbox if the configuration warrants it.
 EnterLayerOneSandbox(
- linux_sandbox, using_layer1_sandbox,
+ linux_sandbox, using_layer1_sandbox, using_layer2_sandbox,
 base::BindOnce(CloseFds, linux_sandbox->GetFileDescriptorsToClose()));
 const int sandbox_flags = linux_sandbox->GetStatus(); |
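Review bot: In the -160 hunk the new `if` has no braces and the `CHECK` it guards is an unchanged context line, so the CHECK keeps its old indentation and still reads as unconditional inside the `#if` block. Writing it as `if (using_layer1_sandbox || using_layer2_sandbox) { CHECK(sandbox::ThreadHelpers::IsSingleThreaded()); }` makes the weakened condition visible to the next reader. When both flags are false a multi-threaded zygote now continues with no trace, so a log line on that path saying the single-thread check was skipped would help anyone diagnosing a process that runs without either sandbox layer. The body of EnterLayerOneSandbox and the start of the comment above the check are outside the hunk.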
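Review bot: `using_layer2_sandbox` in the -184 hunk is assigned the result of `PreinitializeSandbox()`, which per the sandbox_linux.cc change is `seccomp_bpf_supported_`: it records that seccomp-bpf is supported, not that the layer will be engaged. In this commit the mismatch errs on the strict side, since the single-thread CHECK still runs when the layer is supported but unused, but the name invites later code in ZygoteMain to treat it as proof that layer 2 is active. Renaming it to `seccomp_bpf_supported`, or adding `// True when seccomp-bpf is supported; says nothing about whether it is engaged.` above the declaration, would keep the meaning accurate. ZygoteMain continues outside the hunk.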