content/renderer/renderer_main_platform_delegate_linux.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "content/renderer/renderer_main_platform_delegate.h"
   6
   7 #include <errno.h>
   8 #include <sys/stat.h>
   9
  10 #include "base/command_line.h"
  11 #include "base/files/file_util.h"
  12 #include "base/logging.h"
  13 #include "content/common/sandbox_linux/sandbox_linux.h"
  14 #include "content/public/common/content_switches.h"
  15 #include "content/public/common/sandbox_init.h"
  16
  17 #ifdef ENABLE_VTUNE_JIT_INTERFACE
  18 #include "v8/src/third_party/vtune/v8-vtune.h"
  19 #endif
  20
  21 namespace content {
  22
  23 RendererMainPlatformDelegate::RendererMainPlatformDelegate(
  24     const MainFunctionParams& parameters)
  25     : parameters_(parameters) {
  26 }
  27
  28 RendererMainPlatformDelegate::~RendererMainPlatformDelegate() {
  29 }
  30
  31 void RendererMainPlatformDelegate::PlatformInitialize() {
  32 #ifdef ENABLE_VTUNE_JIT_INTERFACE
  33   const CommandLine& command_line = parameters_.command_line;
  34   if (command_line.HasSwitch(switches::kEnableVtune))
  35     vTune::InitializeVtuneForV8();
  36 #endif
  37 }
  38
  39 void RendererMainPlatformDelegate::PlatformUninitialize() {
  40 }
  41
  42 bool RendererMainPlatformDelegate::EnableSandbox() {
  43   // The setuid sandbox is started in the zygote process: zygote_main_linux.cc
  44   // http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox
  45   //
  46   // Anything else is started in InitializeSandbox().
  47   LinuxSandbox::InitializeSandbox();
  48   // about:sandbox uses a value returned from LinuxSandbox::GetStatus() before
  49   // any renderer has been started.
  50   // Here, we test that the status of SeccompBpf in the renderer is consistent
  51   // with what LinuxSandbox::GetStatus() said we would do.
  52   class LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
  53   if (linux_sandbox->GetStatus() & kSandboxLinuxSeccompBPF) {
  54     CHECK(linux_sandbox->seccomp_bpf_started());
  55   }
  56
  57   // Under the setuid sandbox, we should not be able to open any file via the
  58   // filesystem.
  59   if (linux_sandbox->GetStatus() & kSandboxLinuxSUID) {
  60     CHECK(!base::PathExists(base::FilePath("/proc/cpuinfo")));
  61   }
  62
  63 #if defined(__x86_64__)
  64   // Limit this test to architectures where seccomp BPF is active in renderers.
  65   if (linux_sandbox->seccomp_bpf_started()) {
  66     errno = 0;
  67     // This should normally return EBADF since the first argument is bogus,
  68     // but we know that under the seccomp-bpf sandbox, this should return EPERM.
  69     CHECK_EQ(fchmod(-1, 07777), -1);
  70     CHECK_EQ(errno, EPERM);
  71   }
  72 #endif  // __x86_64__
  73
  74   return true;
  75 }
  76
  77 }  // namespace content