Only spawn init processes when using PID NS

PiperOrigin-RevId: 239169620
Change-Id: I9f26cfab90189a1baa5b87a700ce892cf0c95a89
This commit is contained in:
Kevin Hamacher 2019-03-19 05:14:08 -07:00 committed by Copybara-Service
parent 7ecdd2f8fc
commit 5d216fb191
2 changed files with 10 additions and 11 deletions


@ -153,13 +153,12 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
pid_t sandboxee_pid = fork_client_->SendRequest(
request, exec_fd_, client_comms_fd_, ns_fd, &init_pid);
// init_pid = 0 means that we're executing the libunwind sandbox and don't
// need an init process.
// TODO(hamacher): This is also the case for spawning the custom forksever
// (not spawning children from the custom forkserver), so
// we should clean it up.
if (init_pid == -1) {
LOG(ERROR) << "Could not obtain init PID";
} else if (init_pid == 0 && request.clone_flags() & CLONE_NEWPID) {
LOG(FATAL)
<< "No init process was spawned even though a PID NS was created, "
<< "potential logic bug";
} else if (init_pid > 0) {
if (init_pid_out) {
*init_pid_out = init_pid;
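Review bot: The new condition `init_pid == 0 && request.clone_flags() & CLONE_NEWPID` parses as intended (`&` binds tighter than `&&`), but mixing the two operators without parentheses is a known review trap and most compilers warn on it; `} else if (init_pid == 0 && (request.clone_flags() & CLONE_NEWPID)) {` makes the precedence explicit. If the comment block above the `if` survives on the new side, it is now stale: with this change `init_pid == 0` no longer means "libunwind sandbox" but "no new PID namespace was requested, so no init process is expected", and the TODO about the custom forkserver describes the situation this commit resolves, so the comment should be rewritten to say that, e.g. `// init_pid == 0 is expected whenever no PID namespace was requested; with CLONE_NEWPID it indicates a logic bug in the forkserver.` The `init_pid == -1` branch only logs at ERROR and falls through while the `== 0` case with CLONE_NEWPID is FATAL; it may be worth confirming that continuing without a known init PID is intended when a PID namespace was requested. StartSubProcess continues outside the hunk.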


@ -255,9 +255,8 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
SAPI_RAW_CHECK(cap_set_proc(caps) == 0, "while dropping capabilities");
cap_free(caps);
// The unwind sandbox is not running in a PID namespace and doesn't require
// an init process, everything else does.
if (request.mode() != FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
// A custom init process is only needed if a new PID NS is created.
if (request.clone_flags() & CLONE_NEWPID) {
RunInitProcess(signaling_fd, open_fds);
}
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX ||
@ -392,7 +391,7 @@ pid_t ForkServer::ServeRequest() const {
fd_closer1.Close();
if (fork_request.mode() != FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
if (fork_request.clone_flags() & CLONE_NEWPID) {
union {
struct cmsghdr cmh;
char ctrl[CMSG_SPACE(sizeof(struct ucred))];
@ -414,8 +413,8 @@ pid_t ForkServer::ServeRequest() const {
// previously forked.
init_pid = sandboxee_pid;
// And the actual sandboxee will be forked from the init process, so we need
// to receive the actual PID.
// And the actual sandboxee will be forked from the init process, so we
// need to receive the actual PID.
struct cmsghdr* cmsgp = nullptr;
if (TEMP_FAILURE_RETRY(recvmsg(fd_closer0.get(), &msgh, MSG_WAITALL)) <=
0 ||
@ -431,6 +430,7 @@ pid_t ForkServer::ServeRequest() const {
sandboxee_pid = ucredp->pid;
}
}
// Parent.
close(comms_fd);
if (exec_fd >= 0) {