mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Fail in monitor if init process pid not received
PiperOrigin-RevId: 266886637 Change-Id: I4e896ebda8d9e15d0aefcb4139c8dc07ab938502
parent
84702e6c97
commit
da3c6c138e
|
@ -153,17 +153,17 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
|||
pid_t sandboxee_pid = fork_client_->SendRequest(
|
||||
request, exec_fd_, client_comms_fd_, ns_fd, &init_pid);
|
||||
|
||||
if (init_pid == -1) {
|
||||
if (init_pid < 0) {
|
||||
LOG(ERROR) << "Could not obtain init PID";
|
||||
} else if (init_pid == 0 && request.clone_flags() & CLONE_NEWPID) {
|
||||
LOG(FATAL)
|
||||
<< "No init process was spawned even though a PID NS was created, "
|
||||
<< "potential logic bug";
|
||||
} else if (init_pid > 0) {
|
||||
}
|
||||
|
||||
if (init_pid_out) {
|
||||
*init_pid_out = init_pid;
|
||||
}
|
||||
}
|
||||
|
||||
started_ = true;
|
||||
|
||||
|
|
|
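Review bot: The three-way meaning that `init_pid_out` now carries is not documented where it is set. Judging by the hunk's line counts, the store `*init_pid_out = init_pid;` appears to have moved out of the `init_pid > 0` branch (the page has lost its +/- markers, so this is inferred), which means callers now also receive 0 and negative values. A comment above the store would make the contract explicit: `// <0: init PID could not be obtained; 0: no init process was spawned; >0: PID of the init process`. The condition `init_pid == 0 && request.clone_flags() & CLONE_NEWPID` parses as intended, but writing the mask test as `(request.clone_flags() & CLONE_NEWPID)` would spare the next reader a precedence check. StartSubProcess begins and ends outside this hunk.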
@ -199,17 +199,16 @@ void Monitor::Run() {
|
|||
|
||||
// Get PID of the sandboxee.
|
||||
pid_t init_pid = 0;
|
||||
pid_ = executor_->StartSubProcess(clone_flags, policy_->GetNamespace(),
|
||||
policy_->GetCapabilities(), &init_pid);
|
||||
Namespace* ns = policy_->GetNamespace();
|
||||
bool should_have_init = ns && (ns->GetCloneFlags() & CLONE_NEWPID);
|
||||
pid_ = executor_->StartSubProcess(clone_flags, ns, policy_->GetCapabilities(),
|
||||
&init_pid);
|
||||
|
||||
if (init_pid < 0) {
|
||||
// TODO(hamacher): does this require additional handling here?
|
||||
LOG(ERROR) << "Spawning init process failed";
|
||||
} else if (init_pid > 0) {
|
||||
if (init_pid > 0) {
|
||||
PCHECK(ptrace(PTRACE_SEIZE, init_pid, 0, PTRACE_O_EXITKILL) == 0);
|
||||
}
|
||||
|
||||
if (pid_ < 0) {
|
||||
if (pid_ <= 0 || (should_have_init && init_pid <= 0)) {
|
||||
SetExitStatusCode(Result::SETUP_ERROR, Result::FAILED_SUBPROCESS);
|
||||
return;
|
||||
}
|
||||
|
|
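Review bot: The new early return at `if (pid_ <= 0 || (should_have_init && init_pid <= 0))` reports SETUP_ERROR but, within the lines shown, does nothing about a child that did start. If `pid_ > 0` and only the init PID is missing, the sandboxee exists without the monitor ever having seized an init process with PTRACE_O_EXITKILL, so nothing visible here ties its lifetime to the monitor. Unless cleanup happens elsewhere in Run() or in the executor (both continue outside this hunk), consider terminating it before returning, e.g. `if (pid_ > 0) kill(pid_, SIGKILL);`. The `LOG(ERROR) << "Spawning init process failed"` line also appears to have been dropped, which leaves this path silent in the monitor; a log line saying which of the two PIDs was missing would help triage.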