Supervised user whitelists: Cleanup
[chromium-blink-merge.git] / content / common / sandbox_linux / sandbox_debug_handling_linux.cc
blob0bf8799f0489cf222b690d0723c8e6f64878f3d7
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/common/sandbox_linux/sandbox_debug_handling_linux.h"
7 #include <errno.h>
8 #include <signal.h>
9 #include <sys/prctl.h>
10 #include <unistd.h>
12 #include "base/command_line.h"
13 #include "base/logging.h"
14 #include "base/macros.h"
15 #include "base/strings/safe_sprintf.h"
16 #include "content/public/common/content_switches.h"
18 namespace content {
20 namespace {
22 void DoChrootSignalHandler(int) {
23 const int old_errno = errno;
24 const char kFirstMessage[] = "Chroot signal handler called.\n";
25 ignore_result(write(STDERR_FILENO, kFirstMessage, sizeof(kFirstMessage) - 1));
27 const int chroot_ret = chroot("/");
29 char kSecondMessage[100];
30 const ssize_t printed = base::strings::SafeSPrintf(
31 kSecondMessage, "chroot() returned %d. Errno is %d.\n", chroot_ret,
32 errno);
33 if (printed > 0 && printed < static_cast<ssize_t>(sizeof(kSecondMessage))) {
34 ignore_result(write(STDERR_FILENO, kSecondMessage, printed));
36 errno = old_errno;
39 // This is a quick hack to allow testing sandbox crash reports in production
40 // binaries.
41 // This installs a signal handler for SIGUSR2 that performs a chroot().
42 // In most of our BPF policies, it is a "watched" system call which will
43 // trigger a SIGSYS signal whose handler will crash.
44 // This has been added during the investigation of https://crbug.com/415842.
45 void InstallCrashTestHandler() {
46 struct sigaction act = {};
47 act.sa_handler = DoChrootSignalHandler;
48 CHECK_EQ(0, sigemptyset(&act.sa_mask));
49 act.sa_flags = 0;
51 PCHECK(0 == sigaction(SIGUSR2, &act, NULL));
54 bool IsSandboxDebuggingEnabled() {
55 const base::CommandLine& command_line =
56 *base::CommandLine::ForCurrentProcess();
57 return command_line.HasSwitch(switches::kAllowSandboxDebugging);
60 } // namespace
62 // static
63 bool SandboxDebugHandling::SetDumpableStatusAndHandlers() {
64 if (IsSandboxDebuggingEnabled()) {
65 // If sandbox debugging is allowed, install a handler for sandbox-related
66 // crash testing.
67 InstallCrashTestHandler();
68 return true;
71 if (prctl(PR_SET_DUMPABLE, 0) != 0) {
72 PLOG(ERROR) << "Failed to set non-dumpable flag";
73 return false;
76 return prctl(PR_GET_DUMPABLE) == 0;
79 } // namespace content