|
|
|
@ -1,4 +1,4 @@
|
|
|
|
From ab11528f26a212417b0b6084b52c02e992fe43f7 Mon Sep 17 00:00:00 2001
|
|
|
|
From e29f4b52c8770033504794b934bc14b1d7261ef1 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Ryan Gonzalez <rymg19@gmail.com>
|
|
|
|
From: Ryan Gonzalez <rymg19@gmail.com>
|
|
|
|
Date: Tue, 17 Mar 2020 13:18:27 -0500
|
|
|
|
Date: Tue, 17 Mar 2020 13:18:27 -0500
|
|
|
|
Subject: [PATCH] flatpak: Add initial sandbox support
|
|
|
|
Subject: [PATCH] flatpak: Add initial sandbox support
|
|
|
|
@ -42,10 +42,10 @@ index 9056030523807..2c13d0ad5f1c7 100644
|
|
|
|
/.externalToolBuilders/
|
|
|
|
/.externalToolBuilders/
|
|
|
|
/.settings/
|
|
|
|
/.settings/
|
|
|
|
diff --git a/base/threading/thread_restrictions.h b/base/threading/thread_restrictions.h
|
|
|
|
diff --git a/base/threading/thread_restrictions.h b/base/threading/thread_restrictions.h
|
|
|
|
index 149838be725f2..81034acc71e97 100644
|
|
|
|
index e029700325e79..14ef172d37087 100644
|
|
|
|
--- a/base/threading/thread_restrictions.h
|
|
|
|
--- a/base/threading/thread_restrictions.h
|
|
|
|
+++ b/base/threading/thread_restrictions.h
|
|
|
|
+++ b/base/threading/thread_restrictions.h
|
|
|
|
@@ -407,6 +407,9 @@ class ScopedAllowThreadJoinForWebRtcTransport;
|
|
|
|
@@ -409,6 +409,9 @@ class ScopedAllowThreadJoinForWebRtcTransport;
|
|
|
|
namespace rlz_lib {
|
|
|
|
namespace rlz_lib {
|
|
|
|
class FinancialPing;
|
|
|
|
class FinancialPing;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@ -55,7 +55,7 @@ index 149838be725f2..81034acc71e97 100644
|
|
|
|
namespace service_manager {
|
|
|
|
namespace service_manager {
|
|
|
|
class ServiceProcessLauncher;
|
|
|
|
class ServiceProcessLauncher;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@@ -649,6 +652,7 @@ class BASE_EXPORT ScopedAllowBlocking {
|
|
|
|
@@ -646,6 +649,7 @@ class BASE_EXPORT ScopedAllowBlocking {
|
|
|
|
friend class remoting::
|
|
|
|
friend class remoting::
|
|
|
|
ScopedBypassIOThreadRestrictions; // http://crbug.com/1144161
|
|
|
|
ScopedBypassIOThreadRestrictions; // http://crbug.com/1144161
|
|
|
|
friend class remoting::ScopedAllowBlockingForCrashReporting;
|
|
|
|
friend class remoting::ScopedAllowBlockingForCrashReporting;
|
|
|
|
@ -63,7 +63,7 @@ index 149838be725f2..81034acc71e97 100644
|
|
|
|
friend class ui::DrmDisplayHostManager;
|
|
|
|
friend class ui::DrmDisplayHostManager;
|
|
|
|
friend class ui::ScopedAllowBlockingForGbmSurface;
|
|
|
|
friend class ui::ScopedAllowBlockingForGbmSurface;
|
|
|
|
friend class ui::SelectFileDialogLinux;
|
|
|
|
friend class ui::SelectFileDialogLinux;
|
|
|
|
@@ -792,6 +796,7 @@ class BASE_EXPORT ScopedAllowBaseSyncPrimitives {
|
|
|
|
@@ -788,6 +792,7 @@ class BASE_EXPORT ScopedAllowBaseSyncPrimitives {
|
|
|
|
friend class rlz_lib::FinancialPing;
|
|
|
|
friend class rlz_lib::FinancialPing;
|
|
|
|
friend class shell_integration_linux::
|
|
|
|
friend class shell_integration_linux::
|
|
|
|
LaunchXdgUtilityScopedAllowBaseSyncPrimitives;
|
|
|
|
LaunchXdgUtilityScopedAllowBaseSyncPrimitives;
|
|
|
|
@ -72,7 +72,7 @@ index 149838be725f2..81034acc71e97 100644
|
|
|
|
friend class syncer::HttpBridge;
|
|
|
|
friend class syncer::HttpBridge;
|
|
|
|
friend class syncer::GetLocalChangesRequest;
|
|
|
|
friend class syncer::GetLocalChangesRequest;
|
|
|
|
diff --git a/chrome/browser/resources/sandbox_internals/sandbox_internals.ts b/chrome/browser/resources/sandbox_internals/sandbox_internals.ts
|
|
|
|
diff --git a/chrome/browser/resources/sandbox_internals/sandbox_internals.ts b/chrome/browser/resources/sandbox_internals/sandbox_internals.ts
|
|
|
|
index f6d2f3f0bc41c..fcc58c6735eaa 100644
|
|
|
|
index 1d2c06f540674..9946482709bbf 100644
|
|
|
|
--- a/chrome/browser/resources/sandbox_internals/sandbox_internals.ts
|
|
|
|
--- a/chrome/browser/resources/sandbox_internals/sandbox_internals.ts
|
|
|
|
+++ b/chrome/browser/resources/sandbox_internals/sandbox_internals.ts
|
|
|
|
+++ b/chrome/browser/resources/sandbox_internals/sandbox_internals.ts
|
|
|
|
@@ -140,6 +140,7 @@ function addGoodBadRow(name: string, result: boolean): HTMLElement {
|
|
|
|
@@ -140,6 +140,7 @@ function addGoodBadRow(name: string, result: boolean): HTMLElement {
|
|
|
|
@ -94,10 +94,10 @@ index f6d2f3f0bc41c..fcc58c6735eaa 100644
|
|
|
|
|
|
|
|
|
|
|
|
addStatusRow('Layer 1 Sandbox', layer1SandboxType, layer1SandboxCssClass);
|
|
|
|
addStatusRow('Layer 1 Sandbox', layer1SandboxType, layer1SandboxCssClass);
|
|
|
|
diff --git a/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc b/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc
|
|
|
|
diff --git a/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc b/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc
|
|
|
|
index 82aa27787a5e0..32bf674f33da6 100644
|
|
|
|
index 1174a704b8126..e7fd738b705fb 100644
|
|
|
|
--- a/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc
|
|
|
|
--- a/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc
|
|
|
|
+++ b/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc
|
|
|
|
+++ b/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc
|
|
|
|
@@ -20,6 +20,7 @@
|
|
|
|
@@ -15,6 +15,7 @@
|
|
|
|
#include "content/public/browser/web_contents.h"
|
|
|
|
#include "content/public/browser/web_contents.h"
|
|
|
|
#include "content/public/browser/web_ui.h"
|
|
|
|
#include "content/public/browser/web_ui.h"
|
|
|
|
#include "content/public/browser/web_ui_data_source.h"
|
|
|
|
#include "content/public/browser/web_ui_data_source.h"
|
|
|
|
@ -105,7 +105,7 @@ index 82aa27787a5e0..32bf674f33da6 100644
|
|
|
|
#include "services/network/public/mojom/content_security_policy.mojom.h"
|
|
|
|
#include "services/network/public/mojom/content_security_policy.mojom.h"
|
|
|
|
|
|
|
|
|
|
|
|
#if BUILDFLAG(IS_WIN)
|
|
|
|
#if BUILDFLAG(IS_WIN)
|
|
|
|
@@ -46,6 +47,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) {
|
|
|
|
@@ -41,6 +42,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) {
|
|
|
|
|
|
|
|
|
|
|
|
source->AddBoolean("suid", status & sandbox::policy::SandboxLinux::kSUID);
|
|
|
|
source->AddBoolean("suid", status & sandbox::policy::SandboxLinux::kSUID);
|
|
|
|
source->AddBoolean("userNs", status & sandbox::policy::SandboxLinux::kUserNS);
|
|
|
|
source->AddBoolean("userNs", status & sandbox::policy::SandboxLinux::kUserNS);
|
|
|
|
@ -114,7 +114,7 @@ index 82aa27787a5e0..32bf674f33da6 100644
|
|
|
|
source->AddBoolean("pidNs", status & sandbox::policy::SandboxLinux::kPIDNS);
|
|
|
|
source->AddBoolean("pidNs", status & sandbox::policy::SandboxLinux::kPIDNS);
|
|
|
|
source->AddBoolean("netNs", status & sandbox::policy::SandboxLinux::kNetNS);
|
|
|
|
source->AddBoolean("netNs", status & sandbox::policy::SandboxLinux::kNetNS);
|
|
|
|
source->AddBoolean("seccompBpf",
|
|
|
|
source->AddBoolean("seccompBpf",
|
|
|
|
@@ -63,7 +66,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) {
|
|
|
|
@@ -58,7 +61,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) {
|
|
|
|
|
|
|
|
|
|
|
|
// Require either the setuid or namespace sandbox for our first-layer sandbox.
|
|
|
|
// Require either the setuid or namespace sandbox for our first-layer sandbox.
|
|
|
|
bool good_layer1 = (status & sandbox::policy::SandboxLinux::kSUID ||
|
|
|
|
bool good_layer1 = (status & sandbox::policy::SandboxLinux::kSUID ||
|
|
|
|
@ -125,10 +125,10 @@ index 82aa27787a5e0..32bf674f33da6 100644
|
|
|
|
status & sandbox::policy::SandboxLinux::kNetNS;
|
|
|
|
status & sandbox::policy::SandboxLinux::kNetNS;
|
|
|
|
// A second-layer sandbox is also required to be adequately sandboxed.
|
|
|
|
// A second-layer sandbox is also required to be adequately sandboxed.
|
|
|
|
diff --git a/content/browser/child_process_host_impl.cc b/content/browser/child_process_host_impl.cc
|
|
|
|
diff --git a/content/browser/child_process_host_impl.cc b/content/browser/child_process_host_impl.cc
|
|
|
|
index 95df576580a9e..8d5e0694660b6 100644
|
|
|
|
index 583a386414590..c1cf93992da5b 100644
|
|
|
|
--- a/content/browser/child_process_host_impl.cc
|
|
|
|
--- a/content/browser/child_process_host_impl.cc
|
|
|
|
+++ b/content/browser/child_process_host_impl.cc
|
|
|
|
+++ b/content/browser/child_process_host_impl.cc
|
|
|
|
@@ -45,6 +45,7 @@
|
|
|
|
@@ -46,6 +46,7 @@
|
|
|
|
|
|
|
|
|
|
|
|
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
|
|
|
|
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
|
|
|
|
#include "base/linux_util.h"
|
|
|
|
#include "base/linux_util.h"
|
|
|
|
@ -136,7 +136,7 @@ index 95df576580a9e..8d5e0694660b6 100644
|
|
|
|
#elif BUILDFLAG(IS_MAC)
|
|
|
|
#elif BUILDFLAG(IS_MAC)
|
|
|
|
#include "base/apple/foundation_util.h"
|
|
|
|
#include "base/apple/foundation_util.h"
|
|
|
|
#include "content/browser/mac_helpers.h"
|
|
|
|
#include "content/browser/mac_helpers.h"
|
|
|
|
@@ -78,7 +79,12 @@ base::FilePath ChildProcessHost::GetChildPath(int flags) {
|
|
|
|
@@ -72,7 +73,12 @@ base::FilePath ChildProcessHost::GetChildPath(int flags) {
|
|
|
|
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
|
|
|
|
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
|
|
|
|
// Use /proc/self/exe rather than our known binary path so updates
|
|
|
|
// Use /proc/self/exe rather than our known binary path so updates
|
|
|
|
// can't swap out the binary from underneath us.
|
|
|
|
// can't swap out the binary from underneath us.
|
|
|
|
@ -151,7 +151,7 @@ index 95df576580a9e..8d5e0694660b6 100644
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
|
|
|
|
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
|
|
|
|
index 8eca918b65cbe..1703fb6ade044 100644
|
|
|
|
index bd1013ccdd503..00f6ff8e13af5 100644
|
|
|
|
--- a/content/browser/zygote_host/zygote_host_impl_linux.cc
|
|
|
|
--- a/content/browser/zygote_host/zygote_host_impl_linux.cc
|
|
|
|
+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
|
|
|
|
+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
|
|
|
|
@@ -12,6 +12,7 @@
|
|
|
|
@@ -12,6 +12,7 @@
|
|
|
|
@ -162,7 +162,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
|
|
|
|
#include "base/process/memory.h"
|
|
|
|
#include "base/process/memory.h"
|
|
|
|
#include "base/strings/string_number_conversions.h"
|
|
|
|
#include "base/strings/string_number_conversions.h"
|
|
|
|
#include "base/types/fixed_array.h"
|
|
|
|
#include "base/types/fixed_array.h"
|
|
|
|
@@ -22,6 +23,7 @@
|
|
|
|
@@ -21,6 +22,7 @@
|
|
|
|
#include "content/common/zygote/zygote_handle_impl_linux.h"
|
|
|
|
#include "content/common/zygote/zygote_handle_impl_linux.h"
|
|
|
|
#include "content/public/common/zygote/zygote_handle.h"
|
|
|
|
#include "content/public/common/zygote/zygote_handle.h"
|
|
|
|
#include "sandbox/linux/services/credentials.h"
|
|
|
|
#include "sandbox/linux/services/credentials.h"
|
|
|
|
@ -170,7 +170,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
|
|
|
|
#include "sandbox/linux/services/namespace_sandbox.h"
|
|
|
|
#include "sandbox/linux/services/namespace_sandbox.h"
|
|
|
|
#include "sandbox/linux/suid/client/setuid_sandbox_host.h"
|
|
|
|
#include "sandbox/linux/suid/client/setuid_sandbox_host.h"
|
|
|
|
#include "sandbox/linux/suid/common/sandbox.h"
|
|
|
|
#include "sandbox/linux/suid/common/sandbox.h"
|
|
|
|
@@ -72,6 +74,7 @@ ZygoteHostImpl::ZygoteHostImpl()
|
|
|
|
@@ -71,6 +73,7 @@ ZygoteHostImpl::ZygoteHostImpl()
|
|
|
|
: use_namespace_sandbox_(false),
|
|
|
|
: use_namespace_sandbox_(false),
|
|
|
|
use_suid_sandbox_(false),
|
|
|
|
use_suid_sandbox_(false),
|
|
|
|
use_suid_sandbox_for_adj_oom_score_(false),
|
|
|
|
use_suid_sandbox_for_adj_oom_score_(false),
|
|
|
|
@ -178,7 +178,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
|
|
|
|
sandbox_binary_(),
|
|
|
|
sandbox_binary_(),
|
|
|
|
zygote_pids_lock_(),
|
|
|
|
zygote_pids_lock_(),
|
|
|
|
zygote_pids_() {}
|
|
|
|
zygote_pids_() {}
|
|
|
|
@@ -110,9 +113,12 @@ void ZygoteHostImpl::Init(const base::CommandLine& command_line) {
|
|
|
|
@@ -109,9 +112,12 @@ void ZygoteHostImpl::Init(const base::CommandLine& command_line) {
|
|
|
|
sandbox_binary_ = setuid_sandbox_host->GetSandboxBinaryPath().value();
|
|
|
|
sandbox_binary_ = setuid_sandbox_host->GetSandboxBinaryPath().value();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -194,7 +194,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
|
|
|
|
use_namespace_sandbox_ = true;
|
|
|
|
use_namespace_sandbox_ = true;
|
|
|
|
} else if (!command_line.HasSwitch(
|
|
|
|
} else if (!command_line.HasSwitch(
|
|
|
|
sandbox::policy::switches::kDisableSetuidSandbox) &&
|
|
|
|
sandbox::policy::switches::kDisableSetuidSandbox) &&
|
|
|
|
@@ -183,10 +189,16 @@ pid_t ZygoteHostImpl::LaunchZygote(
|
|
|
|
@@ -182,10 +188,16 @@ pid_t ZygoteHostImpl::LaunchZygote(
|
|
|
|
sandbox_host->SetupLaunchEnvironment();
|
|
|
|
sandbox_host->SetupLaunchEnvironment();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -215,7 +215,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
|
|
|
|
CHECK(process.IsValid()) << "Failed to launch zygote process";
|
|
|
|
CHECK(process.IsValid()) << "Failed to launch zygote process";
|
|
|
|
|
|
|
|
|
|
|
|
dummy_fd.reset();
|
|
|
|
dummy_fd.reset();
|
|
|
|
@@ -195,7 +207,8 @@ pid_t ZygoteHostImpl::LaunchZygote(
|
|
|
|
@@ -194,7 +206,8 @@ pid_t ZygoteHostImpl::LaunchZygote(
|
|
|
|
|
|
|
|
|
|
|
|
pid_t pid = process.Pid();
|
|
|
|
pid_t pid = process.Pid();
|
|
|
|
|
|
|
|
|
|
|
|
@ -225,7 +225,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
|
|
|
|
// The namespace and SUID sandbox will execute the zygote in a new
|
|
|
|
// The namespace and SUID sandbox will execute the zygote in a new
|
|
|
|
// PID namespace, and the main zygote process will then fork from
|
|
|
|
// PID namespace, and the main zygote process will then fork from
|
|
|
|
// there. Watch now our elaborate dance to find and validate the
|
|
|
|
// there. Watch now our elaborate dance to find and validate the
|
|
|
|
@@ -223,7 +236,11 @@ pid_t ZygoteHostImpl::LaunchZygote(
|
|
|
|
@@ -222,7 +235,11 @@ pid_t ZygoteHostImpl::LaunchZygote(
|
|
|
|
|
|
|
|
|
|
|
|
if (real_pid != pid) {
|
|
|
|
if (real_pid != pid) {
|
|
|
|
// Reap the sandbox.
|
|
|
|
// Reap the sandbox.
|
|
|
|
@ -238,7 +238,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
|
|
|
|
}
|
|
|
|
}
|
|
|
|
pid = real_pid;
|
|
|
|
pid = real_pid;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@@ -274,6 +291,10 @@ void ZygoteHostImpl::AdjustRendererOOMScore(base::ProcessHandle pid,
|
|
|
|
@@ -273,6 +290,10 @@ void ZygoteHostImpl::AdjustRendererOOMScore(base::ProcessHandle pid,
|
|
|
|
selinux_valid = true;
|
|
|
|
selinux_valid = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -250,10 +250,10 @@ index 8eca918b65cbe..1703fb6ade044 100644
|
|
|
|
if (!base::AdjustOOMScore(pid, score))
|
|
|
|
if (!base::AdjustOOMScore(pid, score))
|
|
|
|
PLOG(ERROR) << "Failed to adjust OOM score of renderer with pid " << pid;
|
|
|
|
PLOG(ERROR) << "Failed to adjust OOM score of renderer with pid " << pid;
|
|
|
|
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.h b/content/browser/zygote_host/zygote_host_impl_linux.h
|
|
|
|
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.h b/content/browser/zygote_host/zygote_host_impl_linux.h
|
|
|
|
index 720d823d4a695..ad470963693c4 100644
|
|
|
|
index 8ef884a7db6f4..f441900dd6343 100644
|
|
|
|
--- a/content/browser/zygote_host/zygote_host_impl_linux.h
|
|
|
|
--- a/content/browser/zygote_host/zygote_host_impl_linux.h
|
|
|
|
+++ b/content/browser/zygote_host/zygote_host_impl_linux.h
|
|
|
|
+++ b/content/browser/zygote_host/zygote_host_impl_linux.h
|
|
|
|
@@ -70,6 +70,7 @@ class CONTENT_EXPORT ZygoteHostImpl : public ZygoteHost {
|
|
|
|
@@ -69,6 +69,7 @@ class CONTENT_EXPORT ZygoteHostImpl : public ZygoteHost {
|
|
|
|
bool use_namespace_sandbox_;
|
|
|
|
bool use_namespace_sandbox_;
|
|
|
|
bool use_suid_sandbox_;
|
|
|
|
bool use_suid_sandbox_;
|
|
|
|
bool use_suid_sandbox_for_adj_oom_score_;
|
|
|
|
bool use_suid_sandbox_for_adj_oom_score_;
|
|
|
|
@ -262,10 +262,10 @@ index 720d823d4a695..ad470963693c4 100644
|
|
|
|
|
|
|
|
|
|
|
|
// This lock protects the |zygote_pids_| set.
|
|
|
|
// This lock protects the |zygote_pids_| set.
|
|
|
|
diff --git a/content/zygote/zygote_linux.cc b/content/zygote/zygote_linux.cc
|
|
|
|
diff --git a/content/zygote/zygote_linux.cc b/content/zygote/zygote_linux.cc
|
|
|
|
index bdcb36f7eb2fe..239a6462e4b41 100644
|
|
|
|
index f2c3b43281d53..9f3f3f6b1bc12 100644
|
|
|
|
--- a/content/zygote/zygote_linux.cc
|
|
|
|
--- a/content/zygote/zygote_linux.cc
|
|
|
|
+++ b/content/zygote/zygote_linux.cc
|
|
|
|
+++ b/content/zygote/zygote_linux.cc
|
|
|
|
@@ -127,7 +127,7 @@ bool Zygote::ProcessRequests() {
|
|
|
|
@@ -126,7 +126,7 @@ bool Zygote::ProcessRequests() {
|
|
|
|
PCHECK(sigaddset(&sigset, SIGCHLD) == 0);
|
|
|
|
PCHECK(sigaddset(&sigset, SIGCHLD) == 0);
|
|
|
|
PCHECK(sigprocmask(SIG_BLOCK, &sigset, &orig_sigmask) == 0);
|
|
|
|
PCHECK(sigprocmask(SIG_BLOCK, &sigset, &orig_sigmask) == 0);
|
|
|
|
|
|
|
|
|
|
|
|
@ -274,7 +274,7 @@ index bdcb36f7eb2fe..239a6462e4b41 100644
|
|
|
|
// Let the ZygoteHost know we are ready to go.
|
|
|
|
// Let the ZygoteHost know we are ready to go.
|
|
|
|
// The receiving code is in
|
|
|
|
// The receiving code is in
|
|
|
|
// content/browser/zygote_host/zygote_host_impl_linux.cc.
|
|
|
|
// content/browser/zygote_host/zygote_host_impl_linux.cc.
|
|
|
|
@@ -233,6 +233,10 @@ bool Zygote::UsingNSSandbox() const {
|
|
|
|
@@ -231,6 +231,10 @@ bool Zygote::UsingNSSandbox() const {
|
|
|
|
return sandbox_flags_ & sandbox::policy::SandboxLinux::kUserNS;
|
|
|
|
return sandbox_flags_ & sandbox::policy::SandboxLinux::kUserNS;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -506,7 +506,7 @@ index 0000000000000..22799eb42f782
|
|
|
|
+#endif
|
|
|
|
+#endif
|
|
|
|
diff --git a/sandbox/linux/services/flatpak_sandbox.cc b/sandbox/linux/services/flatpak_sandbox.cc
|
|
|
|
diff --git a/sandbox/linux/services/flatpak_sandbox.cc b/sandbox/linux/services/flatpak_sandbox.cc
|
|
|
|
new file mode 100644
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000000000..2a915a5b9fa11
|
|
|
|
index 0000000000000..31229fdf59127
|
|
|
|
--- /dev/null
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/sandbox/linux/services/flatpak_sandbox.cc
|
|
|
|
+++ b/sandbox/linux/services/flatpak_sandbox.cc
|
|
|
|
@@ -0,0 +1,576 @@
|
|
|
|
@@ -0,0 +1,576 @@
|
|
|
|
@ -570,7 +570,7 @@ index 0000000000000..2a915a5b9fa11
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+void WriteStringAsByteArray(dbus::MessageWriter* writer,
|
|
|
|
+void WriteStringAsByteArray(dbus::MessageWriter* writer,
|
|
|
|
+ const std::string& str) {
|
|
|
|
+ const std::string& str) {
|
|
|
|
+ writer->AppendArrayOfBytes(base::make_span(
|
|
|
|
+ writer->AppendArrayOfBytes(base::span(
|
|
|
|
+ reinterpret_cast<const uint8_t*>(str.c_str()), str.size() + 1));
|
|
|
|
+ reinterpret_cast<const uint8_t*>(str.c_str()), str.size() + 1));
|
|
|
|
+}
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+
|
|
|
|
@ -1211,10 +1211,10 @@ index 0000000000000..167bbc85945ad
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+#endif // SANDBOX_LINUX_SERVICES_FLATPAK_SANDBOX_H_
|
|
|
|
+#endif // SANDBOX_LINUX_SERVICES_FLATPAK_SANDBOX_H_
|
|
|
|
diff --git a/sandbox/policy/BUILD.gn b/sandbox/policy/BUILD.gn
|
|
|
|
diff --git a/sandbox/policy/BUILD.gn b/sandbox/policy/BUILD.gn
|
|
|
|
index 4fe53b047b9aa..794e1ad1805d8 100644
|
|
|
|
index 6767e25821a9a..521c089a5f3df 100644
|
|
|
|
--- a/sandbox/policy/BUILD.gn
|
|
|
|
--- a/sandbox/policy/BUILD.gn
|
|
|
|
+++ b/sandbox/policy/BUILD.gn
|
|
|
|
+++ b/sandbox/policy/BUILD.gn
|
|
|
|
@@ -129,6 +129,9 @@ component("policy") {
|
|
|
|
@@ -116,6 +116,9 @@ component("policy") {
|
|
|
|
"//sandbox/linux:suid_sandbox_client",
|
|
|
|
"//sandbox/linux:suid_sandbox_client",
|
|
|
|
]
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@ -1225,7 +1225,7 @@ index 4fe53b047b9aa..794e1ad1805d8 100644
|
|
|
|
sources += [
|
|
|
|
sources += [
|
|
|
|
"linux/bpf_ime_policy_linux.cc",
|
|
|
|
"linux/bpf_ime_policy_linux.cc",
|
|
|
|
diff --git a/sandbox/policy/linux/sandbox_linux.cc b/sandbox/policy/linux/sandbox_linux.cc
|
|
|
|
diff --git a/sandbox/policy/linux/sandbox_linux.cc b/sandbox/policy/linux/sandbox_linux.cc
|
|
|
|
index c7313416e6183..0cb8043f0ac72 100644
|
|
|
|
index 6249a61685332..a3ae93f9f4191 100644
|
|
|
|
--- a/sandbox/policy/linux/sandbox_linux.cc
|
|
|
|
--- a/sandbox/policy/linux/sandbox_linux.cc
|
|
|
|
+++ b/sandbox/policy/linux/sandbox_linux.cc
|
|
|
|
+++ b/sandbox/policy/linux/sandbox_linux.cc
|
|
|
|
@@ -37,6 +37,7 @@
|
|
|
|
@@ -37,6 +37,7 @@
|
|
|
|
@ -1236,7 +1236,7 @@ index c7313416e6183..0cb8043f0ac72 100644
|
|
|
|
#include "sandbox/linux/services/libc_interceptor.h"
|
|
|
|
#include "sandbox/linux/services/libc_interceptor.h"
|
|
|
|
#include "sandbox/linux/services/namespace_sandbox.h"
|
|
|
|
#include "sandbox/linux/services/namespace_sandbox.h"
|
|
|
|
#include "sandbox/linux/services/proc_util.h"
|
|
|
|
#include "sandbox/linux/services/proc_util.h"
|
|
|
|
@@ -236,6 +237,9 @@ void SandboxLinux::PreinitializeSandbox() {
|
|
|
|
@@ -232,6 +233,9 @@ void SandboxLinux::PreinitializeSandbox() {
|
|
|
|
const int yama_status = Yama::GetStatus();
|
|
|
|
const int yama_status = Yama::GetStatus();
|
|
|
|
yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) &&
|
|
|
|
yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) &&
|
|
|
|
(yama_status & Yama::STATUS_ENFORCING);
|
|
|
|
(yama_status & Yama::STATUS_ENFORCING);
|
|
|
|
@ -1246,7 +1246,7 @@ index c7313416e6183..0cb8043f0ac72 100644
|
|
|
|
pre_initialized_ = true;
|
|
|
|
pre_initialized_ = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@@ -274,6 +278,10 @@ int SandboxLinux::GetStatus() {
|
|
|
|
@@ -270,6 +274,10 @@ int SandboxLinux::GetStatus() {
|
|
|
|
sandbox_status_flags_ |= kPIDNS;
|
|
|
|
sandbox_status_flags_ |= kPIDNS;
|
|
|
|
if (NamespaceSandbox::InNewNetNamespace())
|
|
|
|
if (NamespaceSandbox::InNewNetNamespace())
|
|
|
|
sandbox_status_flags_ |= kNetNS;
|
|
|
|
sandbox_status_flags_ |= kNetNS;
|
|
|
|
@ -1291,10 +1291,10 @@ index 0e4f78b9e6cb7..91b638d8a96e0 100644
|
|
|
|
#if BUILDFLAG(USING_SANITIZER)
|
|
|
|
#if BUILDFLAG(USING_SANITIZER)
|
|
|
|
std::unique_ptr<__sanitizer_sandbox_arguments> sanitizer_args_;
|
|
|
|
std::unique_ptr<__sanitizer_sandbox_arguments> sanitizer_args_;
|
|
|
|
diff --git a/services/service_manager/service_process_launcher.cc b/services/service_manager/service_process_launcher.cc
|
|
|
|
diff --git a/services/service_manager/service_process_launcher.cc b/services/service_manager/service_process_launcher.cc
|
|
|
|
index e24a262fe90d5..c20fdbd88a1a6 100644
|
|
|
|
index bb99780fb878d..4dcdee34d2338 100644
|
|
|
|
--- a/services/service_manager/service_process_launcher.cc
|
|
|
|
--- a/services/service_manager/service_process_launcher.cc
|
|
|
|
+++ b/services/service_manager/service_process_launcher.cc
|
|
|
|
+++ b/services/service_manager/service_process_launcher.cc
|
|
|
|
@@ -41,6 +41,7 @@
|
|
|
|
@@ -40,6 +40,7 @@
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
|
|
|
|
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
|
|
|
|
@ -1302,7 +1302,7 @@ index e24a262fe90d5..c20fdbd88a1a6 100644
|
|
|
|
#include "sandbox/linux/services/namespace_sandbox.h"
|
|
|
|
#include "sandbox/linux/services/namespace_sandbox.h"
|
|
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
@@ -286,8 +287,15 @@ void ServiceProcessLauncher::ProcessState::StopInBackground() {
|
|
|
|
@@ -285,8 +286,15 @@ void ServiceProcessLauncher::ProcessState::StopInBackground() {
|
|
|
|
return;
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
int rv = -1;
|
|
|
|
int rv = -1;
|
|
|
|
@ -1321,5 +1321,5 @@ index e24a262fe90d5..c20fdbd88a1a6 100644
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
--
|
|
|
|
2.46.1
|
|
|
|
2.47.1
|
|
|
|
|
|
|
|
|
|
|
|
|
Yaakov Selkowitz
1 week ago