1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/zygote/zygote_main.h"
12 #include <sys/socket.h>
13 #include <sys/types.h>
18 #include "base/basictypes.h"
19 #include "base/bind.h"
20 #include "base/command_line.h"
21 #include "base/compiler_specific.h"
22 #include "base/memory/scoped_vector.h"
23 #include "base/native_library.h"
24 #include "base/pickle.h"
25 #include "base/posix/eintr_wrapper.h"
26 #include "base/posix/unix_domain_socket_linux.h"
27 #include "base/rand_util.h"
28 #include "base/strings/safe_sprintf.h"
29 #include "base/strings/string_number_conversions.h"
30 #include "base/sys_info.h"
31 #include "build/build_config.h"
32 #include "content/common/child_process_sandbox_support_impl_linux.h"
33 #include "content/common/font_config_ipc_linux.h"
34 #include "content/common/sandbox_linux/sandbox_debug_handling_linux.h"
35 #include "content/common/sandbox_linux/sandbox_linux.h"
36 #include "content/common/zygote_commands_linux.h"
37 #include "content/public/common/content_switches.h"
38 #include "content/public/common/main_function_params.h"
39 #include "content/public/common/sandbox_linux.h"
40 #include "content/public/common/zygote_fork_delegate_linux.h"
41 #include "content/zygote/zygote_linux.h"
42 #include "crypto/nss_util.h"
43 #include "sandbox/linux/services/credentials.h"
44 #include "sandbox/linux/services/init_process_reaper.h"
45 #include "sandbox/linux/services/namespace_sandbox.h"
46 #include "sandbox/linux/services/thread_helpers.h"
47 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
48 #include "third_party/icu/source/i18n/unicode/timezone.h"
49 #include "third_party/skia/include/ports/SkFontConfigInterface.h"
52 #include <sys/prctl.h>
55 #if defined(USE_OPENSSL)
56 #include <openssl/rand.h>
58 #include "sandbox/linux/services/libc_urandom_override.h"
61 #if defined(ENABLE_PLUGINS)
62 #include "content/common/pepper_plugin_list.h"
63 #include "content/public/common/pepper_plugin_info.h"
66 #if defined(ENABLE_WEBRTC)
67 #include "third_party/libjingle/overrides/init_webrtc.h"
70 #if defined(SANITIZER_COVERAGE)
71 #include <sanitizer/common_interface_defs.h>
72 #include <sanitizer/coverage_interface.h>
79 void CloseFds(const std::vector
<int>& fds
) {
80 for (const auto& it
: fds
) {
81 PCHECK(0 == IGNORE_EINTR(close(it
)));
85 void RunTwoClosures(const base::Closure
* first
, const base::Closure
* second
) {
92 // See http://code.google.com/p/chromium/wiki/LinuxZygote
94 static void ProxyLocaltimeCallToBrowser(time_t input
, struct tm
* output
,
96 size_t timezone_out_len
) {
98 request
.WriteInt(LinuxSandbox::METHOD_LOCALTIME
);
100 std::string(reinterpret_cast<char*>(&input
), sizeof(input
)));
102 uint8_t reply_buf
[512];
103 const ssize_t r
= base::UnixDomainSocket::SendRecvMsg(
104 GetSandboxFD(), reply_buf
, sizeof(reply_buf
), NULL
, request
);
106 memset(output
, 0, sizeof(struct tm
));
110 base::Pickle
reply(reinterpret_cast<char*>(reply_buf
), r
);
111 base::PickleIterator
iter(reply
);
112 std::string result
, timezone
;
113 if (!iter
.ReadString(&result
) ||
114 !iter
.ReadString(&timezone
) ||
115 result
.size() != sizeof(struct tm
)) {
116 memset(output
, 0, sizeof(struct tm
));
120 memcpy(output
, result
.data(), sizeof(struct tm
));
121 if (timezone_out_len
) {
122 const size_t copy_len
= std::min(timezone_out_len
- 1, timezone
.size());
123 memcpy(timezone_out
, timezone
.data(), copy_len
);
124 timezone_out
[copy_len
] = 0;
125 output
->tm_zone
= timezone_out
;
127 output
->tm_zone
= NULL
;
131 static bool g_am_zygote_or_renderer
= false;
133 // Sandbox interception of libc calls.
135 // Because we are running in a sandbox certain libc calls will fail (localtime
136 // being the motivating example - it needs to read /etc/localtime). We need to
137 // intercept these calls and proxy them to the browser. However, these calls
138 // may come from us or from our libraries. In some cases we can't just change
141 // It's for these cases that we have the following setup:
143 // We define global functions for those functions which we wish to override.
144 // Since we will be first in the dynamic resolution order, the dynamic linker
145 // will point callers to our versions of these functions. However, we have the
146 // same binary for both the browser and the renderers, which means that our
147 // overrides will apply in the browser too.
149 // The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
150 // renderer process. It's set in ZygoteMain and inherited by the renderers when
151 // they fork. (This means that it'll be incorrect for global constructor
152 // functions and before ZygoteMain is called - beware).
154 // Our replacement functions can check this global and either proxy
155 // the call to the browser over the sandbox IPC
156 // (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
157 // dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
162 // Our first attempt involved some assembly to patch the GOT of the current
163 // module. This worked, but was platform specific and doesn't catch the case
164 // where a library makes a call rather than current module.
166 // We also considered patching the function in place, but this would again by
167 // platform specific and the above technique seems to work well enough.
169 typedef struct tm
* (*LocaltimeFunction
)(const time_t* timep
);
170 typedef struct tm
* (*LocaltimeRFunction
)(const time_t* timep
,
173 static pthread_once_t g_libc_localtime_funcs_guard
= PTHREAD_ONCE_INIT
;
174 static LocaltimeFunction g_libc_localtime
;
175 static LocaltimeFunction g_libc_localtime64
;
176 static LocaltimeRFunction g_libc_localtime_r
;
177 static LocaltimeRFunction g_libc_localtime64_r
;
179 static void InitLibcLocaltimeFunctions() {
180 g_libc_localtime
= reinterpret_cast<LocaltimeFunction
>(
181 dlsym(RTLD_NEXT
, "localtime"));
182 g_libc_localtime64
= reinterpret_cast<LocaltimeFunction
>(
183 dlsym(RTLD_NEXT
, "localtime64"));
184 g_libc_localtime_r
= reinterpret_cast<LocaltimeRFunction
>(
185 dlsym(RTLD_NEXT
, "localtime_r"));
186 g_libc_localtime64_r
= reinterpret_cast<LocaltimeRFunction
>(
187 dlsym(RTLD_NEXT
, "localtime64_r"));
189 if (!g_libc_localtime
|| !g_libc_localtime_r
) {
190 // http://code.google.com/p/chromium/issues/detail?id=16800
192 // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces
193 // it with a version which doesn't work. In this case we'll get a NULL
194 // result. There's not a lot we can do at this point, so we just bodge it!
195 LOG(ERROR
) << "Your system is broken: dlsym doesn't work! This has been "
196 "reported to be caused by Nvidia's libGL. You should expect"
197 " time related functions to misbehave. "
198 "http://code.google.com/p/chromium/issues/detail?id=16800";
201 if (!g_libc_localtime
)
202 g_libc_localtime
= gmtime
;
203 if (!g_libc_localtime64
)
204 g_libc_localtime64
= g_libc_localtime
;
205 if (!g_libc_localtime_r
)
206 g_libc_localtime_r
= gmtime_r
;
207 if (!g_libc_localtime64_r
)
208 g_libc_localtime64_r
= g_libc_localtime_r
;
211 // Define localtime_override() function with asm name "localtime", so that all
212 // references to localtime() will resolve to this function. Notice that we need
213 // to set visibility attribute to "default" to export the symbol, as it is set
214 // to "hidden" by default in chrome per build/common.gypi.
215 __attribute__ ((__visibility__("default")))
216 struct tm
* localtime_override(const time_t* timep
) __asm__ ("localtime");
218 __attribute__ ((__visibility__("default")))
219 struct tm
* localtime_override(const time_t* timep
) {
220 if (g_am_zygote_or_renderer
) {
221 static struct tm time_struct
;
222 static char timezone_string
[64];
223 ProxyLocaltimeCallToBrowser(*timep
, &time_struct
, timezone_string
,
224 sizeof(timezone_string
));
227 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard
,
228 InitLibcLocaltimeFunctions
));
229 struct tm
* res
= g_libc_localtime(timep
);
230 #if defined(MEMORY_SANITIZER)
231 if (res
) __msan_unpoison(res
, sizeof(*res
));
232 if (res
->tm_zone
) __msan_unpoison_string(res
->tm_zone
);
238 // Use same trick to override localtime64(), localtime_r() and localtime64_r().
239 __attribute__ ((__visibility__("default")))
240 struct tm
* localtime64_override(const time_t* timep
) __asm__ ("localtime64");
242 __attribute__ ((__visibility__("default")))
243 struct tm
* localtime64_override(const time_t* timep
) {
244 if (g_am_zygote_or_renderer
) {
245 static struct tm time_struct
;
246 static char timezone_string
[64];
247 ProxyLocaltimeCallToBrowser(*timep
, &time_struct
, timezone_string
,
248 sizeof(timezone_string
));
251 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard
,
252 InitLibcLocaltimeFunctions
));
253 struct tm
* res
= g_libc_localtime64(timep
);
254 #if defined(MEMORY_SANITIZER)
255 if (res
) __msan_unpoison(res
, sizeof(*res
));
256 if (res
->tm_zone
) __msan_unpoison_string(res
->tm_zone
);
262 __attribute__ ((__visibility__("default")))
263 struct tm
* localtime_r_override(const time_t* timep
,
264 struct tm
* result
) __asm__ ("localtime_r");
266 __attribute__ ((__visibility__("default")))
267 struct tm
* localtime_r_override(const time_t* timep
, struct tm
* result
) {
268 if (g_am_zygote_or_renderer
) {
269 ProxyLocaltimeCallToBrowser(*timep
, result
, NULL
, 0);
272 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard
,
273 InitLibcLocaltimeFunctions
));
274 struct tm
* res
= g_libc_localtime_r(timep
, result
);
275 #if defined(MEMORY_SANITIZER)
276 if (res
) __msan_unpoison(res
, sizeof(*res
));
277 if (res
->tm_zone
) __msan_unpoison_string(res
->tm_zone
);
283 __attribute__ ((__visibility__("default")))
284 struct tm
* localtime64_r_override(const time_t* timep
,
285 struct tm
* result
) __asm__ ("localtime64_r");
287 __attribute__ ((__visibility__("default")))
288 struct tm
* localtime64_r_override(const time_t* timep
, struct tm
* result
) {
289 if (g_am_zygote_or_renderer
) {
290 ProxyLocaltimeCallToBrowser(*timep
, result
, NULL
, 0);
293 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard
,
294 InitLibcLocaltimeFunctions
));
295 struct tm
* res
= g_libc_localtime64_r(timep
, result
);
296 #if defined(MEMORY_SANITIZER)
297 if (res
) __msan_unpoison(res
, sizeof(*res
));
298 if (res
->tm_zone
) __msan_unpoison_string(res
->tm_zone
);
304 #if defined(ENABLE_PLUGINS)
305 // Loads the (native) libraries but does not initialize them (i.e., does not
306 // call PPP_InitializeModule). This is needed by the zygote on Linux to get
307 // access to the plugins before entering the sandbox.
308 void PreloadPepperPlugins() {
309 std::vector
<PepperPluginInfo
> plugins
;
310 ComputePepperPluginList(&plugins
);
311 for (size_t i
= 0; i
< plugins
.size(); ++i
) {
312 if (!plugins
[i
].is_internal
) {
313 base::NativeLibraryLoadError error
;
314 base::NativeLibrary library
= base::LoadNativeLibrary(plugins
[i
].path
,
316 VLOG_IF(1, !library
) << "Unable to load plugin "
317 << plugins
[i
].path
.value() << " "
320 (void)library
; // Prevent release-mode warning.
326 // This function triggers the static and lazy construction of objects that need
327 // to be created before imposing the sandbox.
328 static void ZygotePreSandboxInit() {
331 base::SysInfo::AmountOfPhysicalMemory();
332 base::SysInfo::MaxSharedMemorySize();
333 base::SysInfo::NumberOfProcessors();
335 // ICU DateFormat class (used in base/time_format.cc) needs to get the
336 // Olson timezone ID by accessing the zoneinfo files on disk. After
337 // TimeZone::createDefault is called once here, the timezone ID is
338 // cached and there's no more need to access the file system.
339 scoped_ptr
<icu::TimeZone
> zone(icu::TimeZone::createDefault());
341 #if defined(USE_OPENSSL)
342 // Pass BoringSSL a copy of the /dev/urandom file descriptor so RAND_bytes
343 // will work inside the sandbox.
344 RAND_set_urandom_fd(base::GetUrandomFD());
346 // NSS libraries are loaded before sandbox is activated. This is to allow
347 // successful initialization of NSS which tries to load extra library files.
348 crypto::LoadNSSLibraries();
350 #if defined(ENABLE_PLUGINS)
351 // Ensure access to the Pepper plugins before the sandbox is turned on.
352 PreloadPepperPlugins();
354 #if defined(ENABLE_WEBRTC)
355 InitializeWebRtcModule();
357 SkFontConfigInterface::SetGlobal(
358 new FontConfigIPC(GetSandboxFD()))->unref();
361 static bool CreateInitProcessReaper(base::Closure
* post_fork_parent_callback
) {
362 // The current process becomes init(1), this function returns from a
363 // newly created process.
364 const bool init_created
=
365 sandbox::CreateInitProcessReaper(post_fork_parent_callback
);
367 LOG(ERROR
) << "Error creating an init process to reap zombies";
373 // Enter the setuid sandbox. This requires the current process to have been
374 // created through the setuid sandbox.
375 static bool EnterSuidSandbox(sandbox::SetuidSandboxClient
* setuid_sandbox
,
376 base::Closure
* post_fork_parent_callback
) {
377 DCHECK(setuid_sandbox
);
378 DCHECK(setuid_sandbox
->IsSuidSandboxChild());
380 // Use the SUID sandbox. This still allows the seccomp sandbox to
381 // be enabled by the process later.
383 if (!setuid_sandbox
->IsSuidSandboxUpToDate()) {
385 "You are using a wrong version of the setuid binary!\n"
387 "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment."
391 if (!setuid_sandbox
->ChrootMe())
394 if (setuid_sandbox
->IsInNewPIDNamespace()) {
395 CHECK_EQ(1, getpid())
396 << "The SUID sandbox created a new PID namespace but Zygote "
397 "is not the init process. Please, make sure the SUID "
398 "binary is up to date.";
402 // The setuid sandbox has created a new PID namespace and we need
403 // to assume the role of init.
404 CHECK(CreateInitProcessReaper(post_fork_parent_callback
));
407 CHECK(SandboxDebugHandling::SetDumpableStatusAndHandlers());
411 static void DropAllCapabilities(int proc_fd
) {
412 CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd
));
415 static void EnterNamespaceSandbox(LinuxSandbox
* linux_sandbox
,
416 base::Closure
* post_fork_parent_callback
) {
417 linux_sandbox
->EngageNamespaceSandbox();
420 base::Closure drop_all_caps_callback
=
421 base::Bind(&DropAllCapabilities
, linux_sandbox
->proc_fd());
422 base::Closure callback
= base::Bind(
423 &RunTwoClosures
, &drop_all_caps_callback
, post_fork_parent_callback
);
424 CHECK(CreateInitProcessReaper(&callback
));
428 #if defined(SANITIZER_COVERAGE)
429 static int g_sanitizer_message_length
= 1 * 1024 * 1024;
431 // A helper process which collects code coverage data from the renderers over a
432 // socket and dumps it to a file. See http://crbug.com/336212 for discussion.
433 static void SanitizerCoverageHelper(int socket_fd
, int file_fd
) {
434 scoped_ptr
<char[]> buffer(new char[g_sanitizer_message_length
]);
436 ssize_t received_size
= HANDLE_EINTR(
437 recv(socket_fd
, buffer
.get(), g_sanitizer_message_length
, 0));
438 PCHECK(received_size
>= 0);
439 if (received_size
== 0)
440 // All clients have closed the socket. We should die.
442 PCHECK(file_fd
>= 0);
443 ssize_t written_size
= 0;
444 while (written_size
< received_size
) {
446 HANDLE_EINTR(write(file_fd
, buffer
.get() + written_size
,
447 received_size
- written_size
));
448 PCHECK(write_res
>= 0);
449 written_size
+= write_res
;
451 PCHECK(0 == HANDLE_EINTR(fsync(file_fd
)));
455 // fds[0] is the read end, fds[1] is the write end.
456 static void CreateSanitizerCoverageSocketPair(int fds
[2]) {
457 PCHECK(0 == socketpair(AF_UNIX
, SOCK_SEQPACKET
, 0, fds
));
458 PCHECK(0 == shutdown(fds
[0], SHUT_WR
));
459 PCHECK(0 == shutdown(fds
[1], SHUT_RD
));
461 // Find the right buffer size for sending coverage data.
462 // The kernel will silently set the buffer size to the allowed maximum when
463 // the specified size is too large, so we set our desired size and read it
465 int* buf_size
= &g_sanitizer_message_length
;
466 socklen_t option_length
= sizeof(*buf_size
);
467 PCHECK(0 == setsockopt(fds
[1], SOL_SOCKET
, SO_SNDBUF
,
468 buf_size
, option_length
));
469 PCHECK(0 == getsockopt(fds
[1], SOL_SOCKET
, SO_SNDBUF
,
470 buf_size
, &option_length
));
471 DCHECK_EQ(sizeof(*buf_size
), option_length
);
472 // The kernel returns the doubled buffer size.
474 PCHECK(*buf_size
> 0);
477 static pid_t
ForkSanitizerCoverageHelper(
480 base::ScopedFD file_fd
,
481 const std::vector
<int>& extra_fds_to_close
) {
486 PCHECK(0 == IGNORE_EINTR(close(parent_fd
)));
487 CloseFds(extra_fds_to_close
);
488 SanitizerCoverageHelper(child_fd
, file_fd
.get());
492 PCHECK(0 == IGNORE_EINTR(close(child_fd
)));
497 #endif // defined(SANITIZER_COVERAGE)
499 static void EnterLayerOneSandbox(LinuxSandbox
* linux_sandbox
,
500 const bool using_layer1_sandbox
,
501 base::Closure
* post_fork_parent_callback
) {
502 DCHECK(linux_sandbox
);
504 ZygotePreSandboxInit();
506 // Check that the pre-sandbox initialization didn't spawn threads.
507 #if !defined(THREAD_SANITIZER)
508 DCHECK(sandbox::ThreadHelpers::IsSingleThreaded());
511 sandbox::SetuidSandboxClient
* setuid_sandbox
=
512 linux_sandbox
->setuid_sandbox_client();
513 if (setuid_sandbox
->IsSuidSandboxChild()) {
514 CHECK(EnterSuidSandbox(setuid_sandbox
, post_fork_parent_callback
))
515 << "Failed to enter setuid sandbox";
516 } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
517 EnterNamespaceSandbox(linux_sandbox
, post_fork_parent_callback
);
519 CHECK(!using_layer1_sandbox
);
523 bool ZygoteMain(const MainFunctionParams
& params
,
524 ScopedVector
<ZygoteForkDelegate
> fork_delegates
) {
525 g_am_zygote_or_renderer
= true;
526 #if !defined(USE_OPENSSL)
527 sandbox::InitLibcUrandomOverrides();
530 std::vector
<int> fds_to_close_post_fork
;
532 LinuxSandbox
* linux_sandbox
= LinuxSandbox::GetInstance();
534 #if defined(SANITIZER_COVERAGE)
535 const std::string sancov_file_name
=
536 "zygote." + base::Uint64ToString(base::RandUint64());
537 base::ScopedFD
sancov_file_fd(
538 __sanitizer_maybe_open_cov_file(sancov_file_name
.c_str()));
539 int sancov_socket_fds
[2] = {-1, -1};
540 CreateSanitizerCoverageSocketPair(sancov_socket_fds
);
541 linux_sandbox
->sanitizer_args()->coverage_sandboxed
= 1;
542 linux_sandbox
->sanitizer_args()->coverage_fd
= sancov_socket_fds
[1];
543 linux_sandbox
->sanitizer_args()->coverage_max_block_size
=
544 g_sanitizer_message_length
;
545 // Zygote termination will block until the helper process exits, which will
546 // not happen until the write end of the socket is closed everywhere. Make
547 // sure the init process does not hold on to it.
548 fds_to_close_post_fork
.push_back(sancov_socket_fds
[0]);
549 fds_to_close_post_fork
.push_back(sancov_socket_fds
[1]);
550 #endif // SANITIZER_COVERAGE
552 // Skip pre-initializing sandbox under --no-sandbox for crbug.com/444900.
553 if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
554 switches::kNoSandbox
)) {
555 // This will pre-initialize the various sandboxes that need it.
556 linux_sandbox
->PreinitializeSandbox();
559 const bool using_setuid_sandbox
=
560 linux_sandbox
->setuid_sandbox_client()->IsSuidSandboxChild();
561 const bool using_namespace_sandbox
=
562 sandbox::NamespaceSandbox::InNewUserNamespace();
563 const bool using_layer1_sandbox
=
564 using_setuid_sandbox
|| using_namespace_sandbox
;
566 if (using_setuid_sandbox
) {
567 linux_sandbox
->setuid_sandbox_client()->CloseDummyFile();
570 if (using_layer1_sandbox
) {
571 // Let the ZygoteHost know we're booting up.
572 CHECK(base::UnixDomainSocket::SendMsg(kZygoteSocketPairFd
,
574 sizeof(kZygoteBootMessage
),
575 std::vector
<int>()));
578 VLOG(1) << "ZygoteMain: initializing " << fork_delegates
.size()
579 << " fork delegates";
580 for (ZygoteForkDelegate
* fork_delegate
: fork_delegates
) {
581 fork_delegate
->Init(GetSandboxFD(), using_layer1_sandbox
);
584 const std::vector
<int> sandbox_fds_to_close_post_fork
=
585 linux_sandbox
->GetFileDescriptorsToClose();
587 fds_to_close_post_fork
.insert(fds_to_close_post_fork
.end(),
588 sandbox_fds_to_close_post_fork
.begin(),
589 sandbox_fds_to_close_post_fork
.end());
590 base::Closure post_fork_parent_callback
=
591 base::Bind(&CloseFds
, fds_to_close_post_fork
);
593 // Turn on the first layer of the sandbox if the configuration warrants it.
594 EnterLayerOneSandbox(linux_sandbox
, using_layer1_sandbox
,
595 &post_fork_parent_callback
);
597 // Extra children and file descriptors created that the Zygote must have
599 std::vector
<pid_t
> extra_children
;
600 std::vector
<int> extra_fds
;
602 #if defined(SANITIZER_COVERAGE)
603 pid_t sancov_helper_pid
= ForkSanitizerCoverageHelper(
604 sancov_socket_fds
[0], sancov_socket_fds
[1], sancov_file_fd
.Pass(),
605 sandbox_fds_to_close_post_fork
);
606 // It's important that the zygote reaps the helper before dying. Otherwise,
607 // the destruction of the PID namespace could kill the helper before it
608 // completes its I/O tasks. |sancov_helper_pid| will exit once the last
609 // renderer holding the write end of |sancov_socket_fds| closes it.
610 extra_children
.push_back(sancov_helper_pid
);
611 // Sanitizer code in the renderers will inherit the write end of the socket
612 // from the zygote. We must keep it open until the very end of the zygote's
613 // lifetime, even though we don't explicitly use it.
614 extra_fds
.push_back(sancov_socket_fds
[1]);
615 #endif // SANITIZER_COVERAGE
617 const int sandbox_flags
= linux_sandbox
->GetStatus();
619 const bool setuid_sandbox_engaged
= sandbox_flags
& kSandboxLinuxSUID
;
620 CHECK_EQ(using_setuid_sandbox
, setuid_sandbox_engaged
);
622 const bool namespace_sandbox_engaged
= sandbox_flags
& kSandboxLinuxUserNS
;
623 CHECK_EQ(using_namespace_sandbox
, namespace_sandbox_engaged
);
625 Zygote
zygote(sandbox_flags
, fork_delegates
.Pass(), extra_children
,
627 // This function call can return multiple times, once per fork().
628 return zygote
.ProcessRequests();
631 } // namespace content