1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/zygote/zygote_main.h"
6
7 #include <dlfcn.h>
8 #include <fcntl.h>
9 #include <pthread.h>
10 #include <signal.h>
11 #include <string.h>
12 #include <sys/socket.h>
13 #include <sys/types.h>
14 #include <unistd.h>
15
16 #include "base/basictypes.h"
17 #include "base/bind.h"
18 #include "base/command_line.h"
19 #include "base/compiler_specific.h"
20 #include "base/memory/scoped_vector.h"
21 #include "base/native_library.h"
22 #include "base/pickle.h"
23 #include "base/posix/eintr_wrapper.h"
24 #include "base/posix/unix_domain_socket_linux.h"
25 #include "base/rand_util.h"
26 #include "base/strings/safe_sprintf.h"
27 #include "base/strings/string_number_conversions.h"
28 #include "base/sys_info.h"
29 #include "build/build_config.h"
30 #include "content/common/child_process_sandbox_support_impl_linux.h"
31 #include "content/common/font_config_ipc_linux.h"
32 #include "content/common/sandbox_linux/sandbox_linux.h"
33 #include "content/common/zygote_commands_linux.h"
34 #include "content/public/common/content_switches.h"
35 #include "content/public/common/main_function_params.h"
36 #include "content/public/common/sandbox_linux.h"
37 #include "content/public/common/zygote_fork_delegate_linux.h"
38 #include "content/zygote/zygote_linux.h"
39 #include "crypto/nss_util.h"
40 #include "sandbox/linux/services/init_process_reaper.h"
41 #include "sandbox/linux/services/libc_urandom_override.h"
42 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
43 #include "third_party/icu/source/i18n/unicode/timezone.h"
44 #include "third_party/skia/include/ports/SkFontConfigInterface.h"
45
46 #if defined(OS_LINUX)
47 #include <sys/prctl.h>
48 #endif
49
50 #if defined(USE_OPENSSL)
51 #include <openssl/rand.h>
52 #endif
53
54 #if defined(ENABLE_PLUGINS)
55 #include "content/common/pepper_plugin_list.h"
56 #include "content/public/common/pepper_plugin_info.h"
57 #endif
58
59 #if defined(ENABLE_WEBRTC)
60 #include "third_party/libjingle/overrides/init_webrtc.h"
61 #endif
62
63 #if defined(ADDRESS_SANITIZER)
64 #include <sanitizer/asan_interface.h>
65 #endif
66
67 namespace content {
68
69 namespace {
70
DoChrootSignalHandler(int)71 void DoChrootSignalHandler(int) {
72 const int old_errno = errno;
73 const char kFirstMessage[] = "Chroot signal handler called.\n";
74 ignore_result(write(STDERR_FILENO, kFirstMessage, sizeof(kFirstMessage) - 1));
75
76 const int chroot_ret = chroot("/");
77
78 char kSecondMessage[100];
79 const ssize_t printed =
80 base::strings::SafeSPrintf(kSecondMessage,
81 "chroot() returned %d. Errno is %d.\n",
82 chroot_ret,
83 errno);
84 if (printed > 0 && printed < static_cast<ssize_t>(sizeof(kSecondMessage))) {
85 ignore_result(write(STDERR_FILENO, kSecondMessage, printed));
86 }
87 errno = old_errno;
88 }
89
90 // This is a quick hack to allow testing sandbox crash reports in production
91 // binaries.
92 // This installs a signal handler for SIGUSR2 that performs a chroot().
93 // In most of our BPF policies, it is a "watched" system call which will
94 // trigger a SIGSYS signal whose handler will crash.
95 // This has been added during the investigation of https://crbug.com/415842.
InstallSandboxCrashTestHandler()96 void InstallSandboxCrashTestHandler() {
97 struct sigaction act = {};
98 act.sa_handler = DoChrootSignalHandler;
99 CHECK_EQ(0, sigemptyset(&act.sa_mask));
100 act.sa_flags = 0;
101
102 PCHECK(0 == sigaction(SIGUSR2, &act, NULL));
103 }
104 } // namespace
105
106 // See http://code.google.com/p/chromium/wiki/LinuxZygote
107
ProxyLocaltimeCallToBrowser(time_t input,struct tm * output,char * timezone_out,size_t timezone_out_len)108 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
109 char* timezone_out,
110 size_t timezone_out_len) {
111 Pickle request;
112 request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
113 request.WriteString(
114 std::string(reinterpret_cast<char*>(&input), sizeof(input)));
115
116 uint8_t reply_buf[512];
117 const ssize_t r = UnixDomainSocket::SendRecvMsg(
118 GetSandboxFD(), reply_buf, sizeof(reply_buf), NULL,
119 request);
120 if (r == -1) {
121 memset(output, 0, sizeof(struct tm));
122 return;
123 }
124
125 Pickle reply(reinterpret_cast<char*>(reply_buf), r);
126 PickleIterator iter(reply);
127 std::string result, timezone;
128 if (!reply.ReadString(&iter, &result) ||
129 !reply.ReadString(&iter, &timezone) ||
130 result.size() != sizeof(struct tm)) {
131 memset(output, 0, sizeof(struct tm));
132 return;
133 }
134
135 memcpy(output, result.data(), sizeof(struct tm));
136 if (timezone_out_len) {
137 const size_t copy_len = std::min(timezone_out_len - 1, timezone.size());
138 memcpy(timezone_out, timezone.data(), copy_len);
139 timezone_out[copy_len] = 0;
140 output->tm_zone = timezone_out;
141 } else {
142 output->tm_zone = NULL;
143 }
144 }
145
146 static bool g_am_zygote_or_renderer = false;
147
148 // Sandbox interception of libc calls.
149 //
150 // Because we are running in a sandbox certain libc calls will fail (localtime
151 // being the motivating example - it needs to read /etc/localtime). We need to
152 // intercept these calls and proxy them to the browser. However, these calls
153 // may come from us or from our libraries. In some cases we can't just change
154 // our code.
155 //
156 // It's for these cases that we have the following setup:
157 //
158 // We define global functions for those functions which we wish to override.
159 // Since we will be first in the dynamic resolution order, the dynamic linker
160 // will point callers to our versions of these functions. However, we have the
161 // same binary for both the browser and the renderers, which means that our
162 // overrides will apply in the browser too.
163 //
164 // The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
165 // renderer process. It's set in ZygoteMain and inherited by the renderers when
166 // they fork. (This means that it'll be incorrect for global constructor
167 // functions and before ZygoteMain is called - beware).
168 //
169 // Our replacement functions can check this global and either proxy
170 // the call to the browser over the sandbox IPC
171 // (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
172 // dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
173 // current module.
174 //
175 // Other avenues:
176 //
177 // Our first attempt involved some assembly to patch the GOT of the current
178 // module. This worked, but was platform specific and doesn't catch the case
179 // where a library makes a call rather than current module.
180 //
181 // We also considered patching the function in place, but this would again by
182 // platform specific and the above technique seems to work well enough.
183
184 typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
185 typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
186 struct tm* result);
187
188 static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT;
189 static LocaltimeFunction g_libc_localtime;
190 static LocaltimeFunction g_libc_localtime64;
191 static LocaltimeRFunction g_libc_localtime_r;
192 static LocaltimeRFunction g_libc_localtime64_r;
193
InitLibcLocaltimeFunctions()194 static void InitLibcLocaltimeFunctions() {
195 g_libc_localtime = reinterpret_cast<LocaltimeFunction>(
196 dlsym(RTLD_NEXT, "localtime"));
197 g_libc_localtime64 = reinterpret_cast<LocaltimeFunction>(
198 dlsym(RTLD_NEXT, "localtime64"));
199 g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>(
200 dlsym(RTLD_NEXT, "localtime_r"));
201 g_libc_localtime64_r = reinterpret_cast<LocaltimeRFunction>(
202 dlsym(RTLD_NEXT, "localtime64_r"));
203
204 if (!g_libc_localtime || !g_libc_localtime_r) {
205 // http://code.google.com/p/chromium/issues/detail?id=16800
206 //
207 // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces
208 // it with a version which doesn't work. In this case we'll get a NULL
209 // result. There's not a lot we can do at this point, so we just bodge it!
210 LOG(ERROR) << "Your system is broken: dlsym doesn't work! This has been "
211 "reported to be caused by Nvidia's libGL. You should expect"
212 " time related functions to misbehave. "
213 "http://code.google.com/p/chromium/issues/detail?id=16800";
214 }
215
216 if (!g_libc_localtime)
217 g_libc_localtime = gmtime;
218 if (!g_libc_localtime64)
219 g_libc_localtime64 = g_libc_localtime;
220 if (!g_libc_localtime_r)
221 g_libc_localtime_r = gmtime_r;
222 if (!g_libc_localtime64_r)
223 g_libc_localtime64_r = g_libc_localtime_r;
224 }
225
226 // Define localtime_override() function with asm name "localtime", so that all
227 // references to localtime() will resolve to this function. Notice that we need
228 // to set visibility attribute to "default" to export the symbol, as it is set
229 // to "hidden" by default in chrome per build/common.gypi.
230 __attribute__ ((__visibility__("default")))
231 struct tm* localtime_override(const time_t* timep) __asm__ ("localtime");
232
233 __attribute__ ((__visibility__("default")))
localtime_override(const time_t * timep)234 struct tm* localtime_override(const time_t* timep) {
235 if (g_am_zygote_or_renderer) {
236 static struct tm time_struct;
237 static char timezone_string[64];
238 ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string,
239 sizeof(timezone_string));
240 return &time_struct;
241 } else {
242 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
243 InitLibcLocaltimeFunctions));
244 struct tm* res = g_libc_localtime(timep);
245 #if defined(MEMORY_SANITIZER)
246 if (res) __msan_unpoison(res, sizeof(*res));
247 if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
248 #endif
249 return res;
250 }
251 }
252
253 // Use same trick to override localtime64(), localtime_r() and localtime64_r().
254 __attribute__ ((__visibility__("default")))
255 struct tm* localtime64_override(const time_t* timep) __asm__ ("localtime64");
256
257 __attribute__ ((__visibility__("default")))
localtime64_override(const time_t * timep)258 struct tm* localtime64_override(const time_t* timep) {
259 if (g_am_zygote_or_renderer) {
260 static struct tm time_struct;
261 static char timezone_string[64];
262 ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string,
263 sizeof(timezone_string));
264 return &time_struct;
265 } else {
266 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
267 InitLibcLocaltimeFunctions));
268 struct tm* res = g_libc_localtime64(timep);
269 #if defined(MEMORY_SANITIZER)
270 if (res) __msan_unpoison(res, sizeof(*res));
271 if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
272 #endif
273 return res;
274 }
275 }
276
277 __attribute__ ((__visibility__("default")))
278 struct tm* localtime_r_override(const time_t* timep,
279 struct tm* result) __asm__ ("localtime_r");
280
281 __attribute__ ((__visibility__("default")))
localtime_r_override(const time_t * timep,struct tm * result)282 struct tm* localtime_r_override(const time_t* timep, struct tm* result) {
283 if (g_am_zygote_or_renderer) {
284 ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
285 return result;
286 } else {
287 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
288 InitLibcLocaltimeFunctions));
289 struct tm* res = g_libc_localtime_r(timep, result);
290 #if defined(MEMORY_SANITIZER)
291 if (res) __msan_unpoison(res, sizeof(*res));
292 if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
293 #endif
294 return res;
295 }
296 }
297
298 __attribute__ ((__visibility__("default")))
299 struct tm* localtime64_r_override(const time_t* timep,
300 struct tm* result) __asm__ ("localtime64_r");
301
302 __attribute__ ((__visibility__("default")))
localtime64_r_override(const time_t * timep,struct tm * result)303 struct tm* localtime64_r_override(const time_t* timep, struct tm* result) {
304 if (g_am_zygote_or_renderer) {
305 ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
306 return result;
307 } else {
308 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
309 InitLibcLocaltimeFunctions));
310 struct tm* res = g_libc_localtime64_r(timep, result);
311 #if defined(MEMORY_SANITIZER)
312 if (res) __msan_unpoison(res, sizeof(*res));
313 if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
314 #endif
315 return res;
316 }
317 }
318
319 #if defined(ENABLE_PLUGINS)
320 // Loads the (native) libraries but does not initialize them (i.e., does not
321 // call PPP_InitializeModule). This is needed by the zygote on Linux to get
322 // access to the plugins before entering the sandbox.
PreloadPepperPlugins()323 void PreloadPepperPlugins() {
324 std::vector<PepperPluginInfo> plugins;
325 ComputePepperPluginList(&plugins);
326 for (size_t i = 0; i < plugins.size(); ++i) {
327 if (!plugins[i].is_internal && plugins[i].is_sandboxed) {
328 base::NativeLibraryLoadError error;
329 base::NativeLibrary library = base::LoadNativeLibrary(plugins[i].path,
330 &error);
331 VLOG_IF(1, !library) << "Unable to load plugin "
332 << plugins[i].path.value() << " "
333 << error.ToString();
334
335 (void)library; // Prevent release-mode warning.
336 }
337 }
338 }
339 #endif
340
341 // This function triggers the static and lazy construction of objects that need
342 // to be created before imposing the sandbox.
ZygotePreSandboxInit()343 static void ZygotePreSandboxInit() {
344 base::RandUint64();
345
346 base::SysInfo::AmountOfPhysicalMemory();
347 base::SysInfo::MaxSharedMemorySize();
348 base::SysInfo::NumberOfProcessors();
349
350 // ICU DateFormat class (used in base/time_format.cc) needs to get the
351 // Olson timezone ID by accessing the zoneinfo files on disk. After
352 // TimeZone::createDefault is called once here, the timezone ID is
353 // cached and there's no more need to access the file system.
354 scoped_ptr<icu::TimeZone> zone(icu::TimeZone::createDefault());
355
356 #if defined(USE_NSS)
357 // NSS libraries are loaded before sandbox is activated. This is to allow
358 // successful initialization of NSS which tries to load extra library files.
359 crypto::LoadNSSLibraries();
360 #elif defined(USE_OPENSSL)
361 // Read a random byte in order to cause BoringSSL to open a file descriptor
362 // for /dev/urandom.
363 uint8_t scratch;
364 RAND_bytes(&scratch, 1);
365 #else
366 // It's possible that another hypothetical crypto stack would not require
367 // pre-sandbox init, but more likely this is just a build configuration error.
368 #error Which SSL library are you using?
369 #endif
370 #if defined(ENABLE_PLUGINS)
371 // Ensure access to the Pepper plugins before the sandbox is turned on.
372 PreloadPepperPlugins();
373 #endif
374 #if defined(ENABLE_WEBRTC)
375 InitializeWebRtcModule();
376 #endif
377 SkFontConfigInterface::SetGlobal(
378 new FontConfigIPC(GetSandboxFD()))->unref();
379 }
380
CreateInitProcessReaper(base::Closure * post_fork_parent_callback)381 static bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback) {
382 // The current process becomes init(1), this function returns from a
383 // newly created process.
384 const bool init_created =
385 sandbox::CreateInitProcessReaper(post_fork_parent_callback);
386 if (!init_created) {
387 LOG(ERROR) << "Error creating an init process to reap zombies";
388 return false;
389 }
390 return true;
391 }
392
393 // Enter the setuid sandbox. This requires the current process to have been
394 // created through the setuid sandbox.
EnterSuidSandbox(sandbox::SetuidSandboxClient * setuid_sandbox,base::Closure * post_fork_parent_callback)395 static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox,
396 base::Closure* post_fork_parent_callback) {
397 DCHECK(setuid_sandbox);
398 DCHECK(setuid_sandbox->IsSuidSandboxChild());
399
400 // Use the SUID sandbox. This still allows the seccomp sandbox to
401 // be enabled by the process later.
402
403 if (!setuid_sandbox->IsSuidSandboxUpToDate()) {
404 LOG(WARNING) <<
405 "You are using a wrong version of the setuid binary!\n"
406 "Please read "
407 "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment."
408 "\n\n";
409 }
410
411 if (!setuid_sandbox->ChrootMe())
412 return false;
413
414 if (setuid_sandbox->IsInNewPIDNamespace()) {
415 CHECK_EQ(1, getpid())
416 << "The SUID sandbox created a new PID namespace but Zygote "
417 "is not the init process. Please, make sure the SUID "
418 "binary is up to date.";
419 }
420
421 if (getpid() == 1) {
422 // The setuid sandbox has created a new PID namespace and we need
423 // to assume the role of init.
424 CHECK(CreateInitProcessReaper(post_fork_parent_callback));
425 }
426
427 #if !defined(OS_OPENBSD)
428 // Previously, we required that the binary be non-readable. This causes the
429 // kernel to mark the process as non-dumpable at startup. The thinking was
430 // that, although we were putting the renderers into a PID namespace (with
431 // the SUID sandbox), they would nonetheless be in the /same/ PID
432 // namespace. So they could ptrace each other unless they were non-dumpable.
433 //
434 // If the binary was readable, then there would be a window between process
435 // startup and the point where we set the non-dumpable flag in which a
436 // compromised renderer could ptrace attach.
437 //
438 // However, now that we have a zygote model, only the (trusted) zygote
439 // exists at this point and we can set the non-dumpable flag which is
440 // inherited by all our renderer children.
441 //
442 // Note: a non-dumpable process can't be debugged. To debug sandbox-related
443 // issues, one can specify --allow-sandbox-debugging to let the process be
444 // dumpable.
445 const CommandLine& command_line = *CommandLine::ForCurrentProcess();
446 if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) {
447 prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
448 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
449 LOG(ERROR) << "Failed to set non-dumpable flag";
450 return false;
451 }
452 } else {
453 // If sandbox debugging is allowed, install a handler for sandbox-related
454 // crash testing.
455 InstallSandboxCrashTestHandler();
456 }
457
458 #endif
459
460 return true;
461 }
462
463 #if defined(ADDRESS_SANITIZER)
464 const size_t kSanitizerMaxMessageLength = 1 * 1024 * 1024;
465
466 // A helper process which collects code coverage data from the renderers over a
467 // socket and dumps it to a file. See http://crbug.com/336212 for discussion.
SanitizerCoverageHelper(int socket_fd,int file_fd)468 static void SanitizerCoverageHelper(int socket_fd, int file_fd) {
469 scoped_ptr<char[]> buffer(new char[kSanitizerMaxMessageLength]);
470 while (true) {
471 ssize_t received_size = HANDLE_EINTR(
472 recv(socket_fd, buffer.get(), kSanitizerMaxMessageLength, 0));
473 PCHECK(received_size >= 0);
474 if (received_size == 0)
475 // All clients have closed the socket. We should die.
476 _exit(0);
477 PCHECK(file_fd >= 0);
478 ssize_t written_size = 0;
479 while (written_size < received_size) {
480 ssize_t write_res =
481 HANDLE_EINTR(write(file_fd, buffer.get() + written_size,
482 received_size - written_size));
483 PCHECK(write_res >= 0);
484 written_size += write_res;
485 }
486 PCHECK(0 == HANDLE_EINTR(fsync(file_fd)));
487 }
488 }
489
490 // fds[0] is the read end, fds[1] is the write end.
CreateSanitizerCoverageSocketPair(int fds[2])491 static void CreateSanitizerCoverageSocketPair(int fds[2]) {
492 PCHECK(0 == socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds));
493 PCHECK(0 == shutdown(fds[0], SHUT_WR));
494 PCHECK(0 == shutdown(fds[1], SHUT_RD));
495 }
496
ForkSanitizerCoverageHelper(int child_fd,int parent_fd,base::ScopedFD file_fd)497 static pid_t ForkSanitizerCoverageHelper(int child_fd, int parent_fd,
498 base::ScopedFD file_fd) {
499 pid_t pid = fork();
500 PCHECK(pid >= 0);
501 if (pid == 0) {
502 // In the child.
503 PCHECK(0 == IGNORE_EINTR(close(parent_fd)));
504 SanitizerCoverageHelper(child_fd, file_fd.get());
505 _exit(0);
506 } else {
507 // In the parent.
508 PCHECK(0 == IGNORE_EINTR(close(child_fd)));
509 return pid;
510 }
511 }
512
CloseFdPair(const int fds[2])513 void CloseFdPair(const int fds[2]) {
514 PCHECK(0 == IGNORE_EINTR(close(fds[0])));
515 PCHECK(0 == IGNORE_EINTR(close(fds[1])));
516 }
517 #endif // defined(ADDRESS_SANITIZER)
518
519 // If |is_suid_sandbox_child|, then make sure that the setuid sandbox is
520 // engaged.
EnterLayerOneSandbox(LinuxSandbox * linux_sandbox,bool is_suid_sandbox_child,base::Closure * post_fork_parent_callback)521 static void EnterLayerOneSandbox(LinuxSandbox* linux_sandbox,
522 bool is_suid_sandbox_child,
523 base::Closure* post_fork_parent_callback) {
524 DCHECK(linux_sandbox);
525
526 ZygotePreSandboxInit();
527
528 // Check that the pre-sandbox initialization didn't spawn threads.
529 #if !defined(THREAD_SANITIZER)
530 DCHECK(linux_sandbox->IsSingleThreaded());
531 #endif
532
533 sandbox::SetuidSandboxClient* setuid_sandbox =
534 linux_sandbox->setuid_sandbox_client();
535
536 if (is_suid_sandbox_child) {
537 CHECK(EnterSuidSandbox(setuid_sandbox, post_fork_parent_callback))
538 << "Failed to enter setuid sandbox";
539 }
540 }
541
ZygoteMain(const MainFunctionParams & params,ScopedVector<ZygoteForkDelegate> fork_delegates)542 bool ZygoteMain(const MainFunctionParams& params,
543 ScopedVector<ZygoteForkDelegate> fork_delegates) {
544 g_am_zygote_or_renderer = true;
545 sandbox::InitLibcUrandomOverrides();
546
547 base::Closure *post_fork_parent_callback = NULL;
548
549 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
550
551 #if defined(ADDRESS_SANITIZER)
552 const std::string sancov_file_name =
553 "zygote." + base::Uint64ToString(base::RandUint64());
554 base::ScopedFD sancov_file_fd(
555 __sanitizer_maybe_open_cov_file(sancov_file_name.c_str()));
556 int sancov_socket_fds[2] = {-1, -1};
557 CreateSanitizerCoverageSocketPair(sancov_socket_fds);
558 linux_sandbox->sanitizer_args()->coverage_sandboxed = 1;
559 linux_sandbox->sanitizer_args()->coverage_fd = sancov_socket_fds[1];
560 linux_sandbox->sanitizer_args()->coverage_max_block_size =
561 kSanitizerMaxMessageLength;
562 // Zygote termination will block until the helper process exits, which will
563 // not happen until the write end of the socket is closed everywhere. Make
564 // sure the init process does not hold on to it.
565 base::Closure close_sancov_socket_fds =
566 base::Bind(&CloseFdPair, sancov_socket_fds);
567 post_fork_parent_callback = &close_sancov_socket_fds;
568 #endif
569
570 // This will pre-initialize the various sandboxes that need it.
571 linux_sandbox->PreinitializeSandbox();
572
573 const bool must_enable_setuid_sandbox =
574 linux_sandbox->setuid_sandbox_client()->IsSuidSandboxChild();
575 if (must_enable_setuid_sandbox) {
576 linux_sandbox->setuid_sandbox_client()->CloseDummyFile();
577
578 // Let the ZygoteHost know we're booting up.
579 CHECK(UnixDomainSocket::SendMsg(kZygoteSocketPairFd,
580 kZygoteBootMessage,
581 sizeof(kZygoteBootMessage),
582 std::vector<int>()));
583 }
584
585 VLOG(1) << "ZygoteMain: initializing " << fork_delegates.size()
586 << " fork delegates";
587 for (ScopedVector<ZygoteForkDelegate>::iterator i = fork_delegates.begin();
588 i != fork_delegates.end();
589 ++i) {
590 (*i)->Init(GetSandboxFD(), must_enable_setuid_sandbox);
591 }
592
593 // Turn on the first layer of the sandbox if the configuration warrants it.
594 EnterLayerOneSandbox(linux_sandbox, must_enable_setuid_sandbox,
595 post_fork_parent_callback);
596
597 std::vector<pid_t> extra_children;
598 std::vector<int> extra_fds;
599
600 #if defined(ADDRESS_SANITIZER)
601 pid_t sancov_helper_pid = ForkSanitizerCoverageHelper(
602 sancov_socket_fds[0], sancov_socket_fds[1], sancov_file_fd.Pass());
603 // It's important that the zygote reaps the helper before dying. Otherwise,
604 // the destruction of the PID namespace could kill the helper before it
605 // completes its I/O tasks. |sancov_helper_pid| will exit once the last
606 // renderer holding the write end of |sancov_socket_fds| closes it.
607 extra_children.push_back(sancov_helper_pid);
608 // Sanitizer code in the renderers will inherit the write end of the socket
609 // from the zygote. We must keep it open until the very end of the zygote's
610 // lifetime, even though we don't explicitly use it.
611 extra_fds.push_back(sancov_socket_fds[1]);
612 #endif
613
614 int sandbox_flags = linux_sandbox->GetStatus();
615 bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;
616 CHECK_EQ(must_enable_setuid_sandbox, setuid_sandbox_engaged);
617
618 Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children,
619 extra_fds);
620 // This function call can return multiple times, once per fork().
621 return zygote.ProcessRequests();
622 }
623
624 } // namespace content
625