Make NaCl process non-dumpable.

This can be disabled with the allow-sandbox-debugging flag. BUG=455964 Review URL: https://codereview.chromium.org/901683003 Cr-Commit-Position: refs/heads/master@{#315139}

Make NaCl process non-dumpable.
This can be disabled with the allow-sandbox-debugging flag. BUG=455964 Review URL: https://codereview.chromium.org/901683003 Cr-Commit-Position: refs/heads/master@{#315139}
8dea07ad · rickyz · Commit bot · 0540e174 · 8dea07ad · 8dea07ad
Commit 8dea07ad authored Feb 06, 2015 by rickyz Committed by Commit bot Feb 06, 2015
4 changed files
--- a/components/nacl/loader/DEPS
+++ b/components/nacl/loader/DEPS
 include_rules = [
  "+components/nacl",
  "+content/public/app/startup_helper_win.h",
+  "+content/public/common",
  "+crypto",
  "+sandbox/linux/bpf_dsl",
  "+sandbox/linux/seccomp-bpf",

--- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
@@ -6,6 +6,7 @@

 #include <errno.h>
 #include <fcntl.h>
+#include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -22,6 +23,7 @@
 #include "components/nacl/common/nacl_switches.h"
 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
 #include "components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.h"
+#include "content/public/common/content_switches.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/services/proc_util.h"
 #include "sandbox/linux/services/thread_helpers.h"
@@ -50,6 +52,21 @@ base::ScopedFD GetProcSelfTask(int proc_fd) {
  return proc_self_task.Pass();
 }

+bool MaybeSetProcessNonDumpable() {
+  const base::CommandLine& command_line =
+      *base::CommandLine::ForCurrentProcess();
+  if (command_line.HasSwitch(switches::kAllowSandboxDebugging)) {
+    return true;
+  }
+
+  if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
+    PLOG(ERROR) << "Failed to set non-dumpable flag";
+    return false;
+  }
+
+  return prctl(PR_GET_DUMPABLE) == 0;
+}
+
 }  // namespace

 NaClSandbox::NaClSandbox()
@@ -91,6 +108,7 @@ void NaClSandbox::InitializeLayerOneSandbox() {

    // Get sandboxed.
    CHECK(setuid_sandbox_client_->ChrootMe());
+    CHECK(MaybeSetProcessNonDumpable());
    CHECK(IsSandboxed());
    layer_one_enabled_ = true;
  }

--- a/components/nacl/zygote/nacl_fork_delegate_linux.cc
+++ b/components/nacl/zygote/nacl_fork_delegate_linux.cc
@@ -209,6 +209,7 @@ void NaClForkDelegate::Init(const int sandboxdesc,

      // Append any switches that need to be forwarded to the NaCl helper.
      static const char* kForwardSwitches[] = {
+        switches::kAllowSandboxDebugging,
        switches::kDisableSeccompFilterSandbox,
        switches::kEnableNaClDebug,
        switches::kNaClDangerousNoSandboxNonSfi,

--- a/content/public/common/content_switches.h
+++ b/content/public/common/content_switches.h
@@ -19,7 +19,7 @@ CONTENT_EXPORT extern const char kAllowFileAccessFromFiles[];
 CONTENT_EXPORT extern const char kAllowInsecureWebSocketFromHttpsOrigin[];
 CONTENT_EXPORT extern const char kAllowLoopbackInPeerConnection[];
 CONTENT_EXPORT extern const char kAllowNoSandboxJob[];
-extern const char kAllowSandboxDebugging[];
+CONTENT_EXPORT extern const char kAllowSandboxDebugging[];
 extern const char kAuditAllHandles[];
 extern const char kAuditHandles[];
 CONTENT_EXPORT extern const char kBlinkPlatformLogChannels[];