Only spawn init processes when using PID NS
PiperOrigin-RevId: 239169620 Change-Id: I9f26cfab90189a1baa5b87a700ce892cf0c95a89
This commit is contained in:
parent
7ecdd2f8fc
commit
5d216fb191
@ -153,13 +153,12 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
|||
pid_t sandboxee_pid = fork_client_->SendRequest(
|
||||
request, exec_fd_, client_comms_fd_, ns_fd, &init_pid);
|
||||
|
||||
// init_pid = 0 means that we're executing the libunwind sandbox and don't
|
||||
// need an init process.
|
||||
// TODO(hamacher): This is also the case for spawning the custom forksever
|
||||
// (not spawning children from the custom forkserver), so
|
||||
// we should clean it up.
|
||||
if (init_pid == -1) {
|
||||
LOG(ERROR) << "Could not obtain init PID";
|
||||
} else if (init_pid == 0 && request.clone_flags() & CLONE_NEWPID) {
|
||||
LOG(FATAL)
|
||||
<< "No init process was spawned even though a PID NS was created, "
|
||||
<< "potential logic bug";
|
||||
} else if (init_pid > 0) {
|
||||
if (init_pid_out) {
|
||||
*init_pid_out = init_pid;
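Review bot: The `init_pid == 0` case without CLONE_NEWPID — after this change the normal outcome for every request that does not ask for a PID namespace — now falls silently through all three branches, and the comment that explained what a zero init PID means was removed rather than replaced. A one-line comment ahead of `if (init_pid == -1) {`, on the order of `// init_pid == 0: no PID namespace was requested, so there is no init process to track.`, keeps the next reader from taking the fall-through for a missing branch. The mixed `&&`/`&` in the new condition is correct by precedence but the bit test reads better made explicit: `} else if (init_pid == 0 && (request.clone_flags() & CLONE_NEWPID)) {`. Whether aborting the executor with LOG(FATAL), rather than failing this one request, is the intended response to the forkserver not reporting an init PID is not stated by the commit; if the abort is deliberate, a short comment saying why would help. StartSubProcess continues outside the hunk.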
|
||||
|
|
|
@ -255,9 +255,8 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
|
|||
SAPI_RAW_CHECK(cap_set_proc(caps) == 0, "while dropping capabilities");
|
||||
cap_free(caps);
|
||||
|
||||
// The unwind sandbox is not running in a PID namespace and doesn't require
|
||||
// an init process, everything else does.
|
||||
if (request.mode() != FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
|
||||
// A custom init process is only needed if a new PID NS is created.
|
||||
if (request.clone_flags() & CLONE_NEWPID) {
|
||||
RunInitProcess(signaling_fd, open_fds);
|
||||
}
|
||||
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX ||
|
||||
|
@ -392,7 +391,7 @@ pid_t ForkServer::ServeRequest() const {
|
|||
|
||||
fd_closer1.Close();
|
||||
|
||||
if (fork_request.mode() != FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
|
||||
if (fork_request.clone_flags() & CLONE_NEWPID) {
|
||||
union {
|
||||
struct cmsghdr cmh;
|
||||
char ctrl[CMSG_SPACE(sizeof(struct ucred))];
|
||||
|
@ -414,8 +413,8 @@ pid_t ForkServer::ServeRequest() const {
|
|||
// previously forked.
|
||||
init_pid = sandboxee_pid;
|
||||
|
||||
// And the actual sandboxee will be forked from the init process, so we need
|
||||
// to receive the actual PID.
|
||||
// And the actual sandboxee will be forked from the init process, so we
|
||||
// need to receive the actual PID.
|
||||
struct cmsghdr* cmsgp = nullptr;
|
||||
if (TEMP_FAILURE_RETRY(recvmsg(fd_closer0.get(), &msgh, MSG_WAITALL)) <=
|
||||
0 ||
|
||||
|
@ -431,6 +430,7 @@ pid_t ForkServer::ServeRequest() const {
|
|||
sandboxee_pid = ucredp->pid;
|
||||
}
|
||||
}
|
||||
|
||||
// Parent.
|
||||
close(comms_fd);
|
||||
if (exec_fd >= 0) {
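Review bot: The `clone_flags() & CLONE_NEWPID` test that decides whether an init process exists is now written out independently on the child side in LaunchChild (where RunInitProcess is called) and on the parent side in ServeRequest (where the ucred carrying the real sandboxee PID is awaited with MSG_WAITALL), and the Executor hunk repeats it a third time. Both sides read the same request so they agree today, but a parent waiting for a credential message the child was never going to send is the failure mode if the two tests ever drift, so one helper such as `static bool NeedsInitProcess(const ForkRequest& r) { return (r.clone_flags() & CLONE_NEWPID) != 0; }` used as `if (NeedsInitProcess(request)) {` in LaunchChild and `if (NeedsInitProcess(fork_request)) {` in ServeRequest would pin the decision to one place. On the non-PID-namespace path `init_pid = sandboxee_pid;` is now skipped, so `init_pid` reaches the executor with whatever value its declaration gives it; that declaration is outside these hunks, and the executor's new `init_pid == 0` / `init_pid > 0` branching only stays consistent if it is zero-initialised, which is worth a comment at the declaration. ServeRequest begins before the first of its hunks and ends after the last.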
|
||||
|
|