[nacl/zygote] prevent gnutls opens /dev/urandom

In component build, the number of opened file descritors may be different depends on loaded shared library. On Xenial component build, nacl_helper loads libgnutls.so. And libgnutls opens additional /dev/urandom, that makes CheckForExpectedNumberOfOpenFds() fail on Xenial. To prevent such check failure, let me disable libgnutls initialization by passing GNUTLS_NO_EXPLICIT_INIT envvar to nacl_helper. Bug: 973024 Change-Id: I03abd93b2dc48c8c11c3ed70f7c27c953ad16639 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1713024 Commit-Queue: Takuto Ikuta <tikuta@chromium.org> Reviewed-by: Mark Seaborn <mseaborn@chromium.org> Auto-Submit: Takuto Ikuta <tikuta@chromium.org> Cr-Commit-Position: refs/heads/master@{#686272}

[nacl/zygote] prevent gnutls opens /dev/urandom
In component build, the number of opened file descritors may be different depends on loaded shared library. On Xenial component build, nacl_helper loads libgnutls.so. And libgnutls opens additional /dev/urandom, that makes CheckForExpectedNumberOfOpenFds() fail on Xenial. To prevent such check failure, let me disable libgnutls initialization by passing GNUTLS_NO_EXPLICIT_INIT envvar to nacl_helper. Bug: 973024 Change-Id: I03abd93b2dc48c8c11c3ed70f7c27c953ad16639 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1713024 Commit-Queue: Takuto Ikuta <tikuta@chromium.org> Reviewed-by: Mark Seaborn <mseaborn@chromium.org> Auto-Submit: Takuto Ikuta <tikuta@chromium.org> Cr-Commit-Position: refs/heads/master@{#686272}
6127c748 · Takuto Ikuta · Commit Bot · 41e360a5 · 6127c748
Commit 6127c748 authored Aug 13, 2019 by Takuto Ikuta Committed by Commit Bot Aug 13, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

components/nacl/zygote/nacl_fork_delegate_linux.cc components/nacl/zygote/nacl_fork_delegate_linux.cc +9 -0

No files found.
--- a/components/nacl/zygote/nacl_fork_delegate_linux.cc
+++ b/components/nacl/zygote/nacl_fork_delegate_linux.cc
@@ -280,6 +280,15 @@ void NaClForkDelegate::Init(const int sandboxdesc,
    options.clear_environment = true;
    AddPassthroughEnvToOptions(&options);
+#ifdef COMPONENT_BUILD
+    // In component build, nacl_helper loads libgnutls.so.
+    // Newer versions of libgnutls do implicit initialization when loaded that
+    // leaves an additional /dev/urandom file descriptor open.  Passing the
+    // following env var asks libgnutls not to do that implicit initialization.
+    // (crbug.com/973024)
+    options.environment["GNUTLS_NO_EXPLICIT_INIT"] = "1";
+#endif
    base::Process process =
        using_namespace_sandbox
            ? sandbox::NamespaceSandbox::LaunchProcess(argv_to_launch, options)