[Extensions] Check incognito windows for last active in browserAction.openPopup
[chromium-blink-merge.git] / content / zygote / zygote_main_linux.cc
blob8f89580d42f6ed7a97b86e0e8651acf0905675a5
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/zygote/zygote_main.h"
7 #include <dlfcn.h>
8 #include <fcntl.h>
9 #include <pthread.h>
10 #include <signal.h>
11 #include <string.h>
12 #include <sys/socket.h>
13 #include <sys/types.h>
14 #include <unistd.h>
16 #include <vector>
18 #include "base/basictypes.h"
19 #include "base/bind.h"
20 #include "base/command_line.h"
21 #include "base/compiler_specific.h"
22 #include "base/memory/scoped_vector.h"
23 #include "base/native_library.h"
24 #include "base/pickle.h"
25 #include "base/posix/eintr_wrapper.h"
26 #include "base/posix/unix_domain_socket_linux.h"
27 #include "base/rand_util.h"
28 #include "base/strings/safe_sprintf.h"
29 #include "base/strings/string_number_conversions.h"
30 #include "base/sys_info.h"
31 #include "build/build_config.h"
32 #include "content/common/child_process_sandbox_support_impl_linux.h"
33 #include "content/common/font_config_ipc_linux.h"
34 #include "content/common/sandbox_linux/sandbox_linux.h"
35 #include "content/common/zygote_commands_linux.h"
36 #include "content/public/common/content_switches.h"
37 #include "content/public/common/main_function_params.h"
38 #include "content/public/common/sandbox_linux.h"
39 #include "content/public/common/zygote_fork_delegate_linux.h"
40 #include "content/zygote/zygote_linux.h"
41 #include "crypto/nss_util.h"
42 #include "sandbox/linux/services/init_process_reaper.h"
43 #include "sandbox/linux/services/libc_urandom_override.h"
44 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
45 #include "third_party/icu/source/i18n/unicode/timezone.h"
46 #include "third_party/skia/include/ports/SkFontConfigInterface.h"
48 #if defined(OS_LINUX)
49 #include <sys/prctl.h>
50 #endif
52 #if defined(USE_OPENSSL)
53 #include <openssl/rand.h>
54 #endif
56 #if defined(ENABLE_PLUGINS)
57 #include "content/common/pepper_plugin_list.h"
58 #include "content/public/common/pepper_plugin_info.h"
59 #endif
61 #if defined(ENABLE_WEBRTC)
62 #include "third_party/libjingle/overrides/init_webrtc.h"
63 #endif
65 #if defined(ADDRESS_SANITIZER)
66 #include <sanitizer/asan_interface.h>
67 #endif
69 namespace content {
71 namespace {
73 void DoChrootSignalHandler(int) {
74 const int old_errno = errno;
75 const char kFirstMessage[] = "Chroot signal handler called.\n";
76 ignore_result(write(STDERR_FILENO, kFirstMessage, sizeof(kFirstMessage) - 1));
78 const int chroot_ret = chroot("/");
80 char kSecondMessage[100];
81 const ssize_t printed =
82 base::strings::SafeSPrintf(kSecondMessage,
83 "chroot() returned %d. Errno is %d.\n",
84 chroot_ret,
85 errno);
86 if (printed > 0 && printed < static_cast<ssize_t>(sizeof(kSecondMessage))) {
87 ignore_result(write(STDERR_FILENO, kSecondMessage, printed));
89 errno = old_errno;
92 // This is a quick hack to allow testing sandbox crash reports in production
93 // binaries.
94 // This installs a signal handler for SIGUSR2 that performs a chroot().
95 // In most of our BPF policies, it is a "watched" system call which will
96 // trigger a SIGSYS signal whose handler will crash.
97 // This has been added during the investigation of https://crbug.com/415842.
98 void InstallSandboxCrashTestHandler() {
99 struct sigaction act = {};
100 act.sa_handler = DoChrootSignalHandler;
101 CHECK_EQ(0, sigemptyset(&act.sa_mask));
102 act.sa_flags = 0;
104 PCHECK(0 == sigaction(SIGUSR2, &act, NULL));
107 void CloseFds(const std::vector<int>& fds) {
108 for (const auto& it : fds) {
109 PCHECK(0 == IGNORE_EINTR(close(it)));
113 } // namespace
115 // See http://code.google.com/p/chromium/wiki/LinuxZygote
117 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
118 char* timezone_out,
119 size_t timezone_out_len) {
120 Pickle request;
121 request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
122 request.WriteString(
123 std::string(reinterpret_cast<char*>(&input), sizeof(input)));
125 uint8_t reply_buf[512];
126 const ssize_t r = UnixDomainSocket::SendRecvMsg(
127 GetSandboxFD(), reply_buf, sizeof(reply_buf), NULL,
128 request);
129 if (r == -1) {
130 memset(output, 0, sizeof(struct tm));
131 return;
134 Pickle reply(reinterpret_cast<char*>(reply_buf), r);
135 PickleIterator iter(reply);
136 std::string result, timezone;
137 if (!iter.ReadString(&result) ||
138 !iter.ReadString(&timezone) ||
139 result.size() != sizeof(struct tm)) {
140 memset(output, 0, sizeof(struct tm));
141 return;
144 memcpy(output, result.data(), sizeof(struct tm));
145 if (timezone_out_len) {
146 const size_t copy_len = std::min(timezone_out_len - 1, timezone.size());
147 memcpy(timezone_out, timezone.data(), copy_len);
148 timezone_out[copy_len] = 0;
149 output->tm_zone = timezone_out;
150 } else {
151 output->tm_zone = NULL;
155 static bool g_am_zygote_or_renderer = false;
157 // Sandbox interception of libc calls.
159 // Because we are running in a sandbox certain libc calls will fail (localtime
160 // being the motivating example - it needs to read /etc/localtime). We need to
161 // intercept these calls and proxy them to the browser. However, these calls
162 // may come from us or from our libraries. In some cases we can't just change
163 // our code.
165 // It's for these cases that we have the following setup:
167 // We define global functions for those functions which we wish to override.
168 // Since we will be first in the dynamic resolution order, the dynamic linker
169 // will point callers to our versions of these functions. However, we have the
170 // same binary for both the browser and the renderers, which means that our
171 // overrides will apply in the browser too.
173 // The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
174 // renderer process. It's set in ZygoteMain and inherited by the renderers when
175 // they fork. (This means that it'll be incorrect for global constructor
176 // functions and before ZygoteMain is called - beware).
178 // Our replacement functions can check this global and either proxy
179 // the call to the browser over the sandbox IPC
180 // (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
181 // dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
182 // current module.
184 // Other avenues:
186 // Our first attempt involved some assembly to patch the GOT of the current
187 // module. This worked, but was platform specific and doesn't catch the case
188 // where a library makes a call rather than current module.
190 // We also considered patching the function in place, but this would again by
191 // platform specific and the above technique seems to work well enough.
193 typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
194 typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
195 struct tm* result);
197 static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT;
198 static LocaltimeFunction g_libc_localtime;
199 static LocaltimeFunction g_libc_localtime64;
200 static LocaltimeRFunction g_libc_localtime_r;
201 static LocaltimeRFunction g_libc_localtime64_r;
203 static void InitLibcLocaltimeFunctions() {
204 g_libc_localtime = reinterpret_cast<LocaltimeFunction>(
205 dlsym(RTLD_NEXT, "localtime"));
206 g_libc_localtime64 = reinterpret_cast<LocaltimeFunction>(
207 dlsym(RTLD_NEXT, "localtime64"));
208 g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>(
209 dlsym(RTLD_NEXT, "localtime_r"));
210 g_libc_localtime64_r = reinterpret_cast<LocaltimeRFunction>(
211 dlsym(RTLD_NEXT, "localtime64_r"));
213 if (!g_libc_localtime || !g_libc_localtime_r) {
214 // http://code.google.com/p/chromium/issues/detail?id=16800
216 // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces
217 // it with a version which doesn't work. In this case we'll get a NULL
218 // result. There's not a lot we can do at this point, so we just bodge it!
219 LOG(ERROR) << "Your system is broken: dlsym doesn't work! This has been "
220 "reported to be caused by Nvidia's libGL. You should expect"
221 " time related functions to misbehave. "
222 "http://code.google.com/p/chromium/issues/detail?id=16800";
225 if (!g_libc_localtime)
226 g_libc_localtime = gmtime;
227 if (!g_libc_localtime64)
228 g_libc_localtime64 = g_libc_localtime;
229 if (!g_libc_localtime_r)
230 g_libc_localtime_r = gmtime_r;
231 if (!g_libc_localtime64_r)
232 g_libc_localtime64_r = g_libc_localtime_r;
235 // Define localtime_override() function with asm name "localtime", so that all
236 // references to localtime() will resolve to this function. Notice that we need
237 // to set visibility attribute to "default" to export the symbol, as it is set
238 // to "hidden" by default in chrome per build/common.gypi.
239 __attribute__ ((__visibility__("default")))
240 struct tm* localtime_override(const time_t* timep) __asm__ ("localtime");
242 __attribute__ ((__visibility__("default")))
243 struct tm* localtime_override(const time_t* timep) {
244 if (g_am_zygote_or_renderer) {
245 static struct tm time_struct;
246 static char timezone_string[64];
247 ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string,
248 sizeof(timezone_string));
249 return &time_struct;
250 } else {
251 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
252 InitLibcLocaltimeFunctions));
253 struct tm* res = g_libc_localtime(timep);
254 #if defined(MEMORY_SANITIZER)
255 if (res) __msan_unpoison(res, sizeof(*res));
256 if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
257 #endif
258 return res;
262 // Use same trick to override localtime64(), localtime_r() and localtime64_r().
263 __attribute__ ((__visibility__("default")))
264 struct tm* localtime64_override(const time_t* timep) __asm__ ("localtime64");
266 __attribute__ ((__visibility__("default")))
267 struct tm* localtime64_override(const time_t* timep) {
268 if (g_am_zygote_or_renderer) {
269 static struct tm time_struct;
270 static char timezone_string[64];
271 ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string,
272 sizeof(timezone_string));
273 return &time_struct;
274 } else {
275 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
276 InitLibcLocaltimeFunctions));
277 struct tm* res = g_libc_localtime64(timep);
278 #if defined(MEMORY_SANITIZER)
279 if (res) __msan_unpoison(res, sizeof(*res));
280 if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
281 #endif
282 return res;
286 __attribute__ ((__visibility__("default")))
287 struct tm* localtime_r_override(const time_t* timep,
288 struct tm* result) __asm__ ("localtime_r");
290 __attribute__ ((__visibility__("default")))
291 struct tm* localtime_r_override(const time_t* timep, struct tm* result) {
292 if (g_am_zygote_or_renderer) {
293 ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
294 return result;
295 } else {
296 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
297 InitLibcLocaltimeFunctions));
298 struct tm* res = g_libc_localtime_r(timep, result);
299 #if defined(MEMORY_SANITIZER)
300 if (res) __msan_unpoison(res, sizeof(*res));
301 if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
302 #endif
303 return res;
307 __attribute__ ((__visibility__("default")))
308 struct tm* localtime64_r_override(const time_t* timep,
309 struct tm* result) __asm__ ("localtime64_r");
311 __attribute__ ((__visibility__("default")))
312 struct tm* localtime64_r_override(const time_t* timep, struct tm* result) {
313 if (g_am_zygote_or_renderer) {
314 ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
315 return result;
316 } else {
317 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
318 InitLibcLocaltimeFunctions));
319 struct tm* res = g_libc_localtime64_r(timep, result);
320 #if defined(MEMORY_SANITIZER)
321 if (res) __msan_unpoison(res, sizeof(*res));
322 if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
323 #endif
324 return res;
328 #if defined(ENABLE_PLUGINS)
329 // Loads the (native) libraries but does not initialize them (i.e., does not
330 // call PPP_InitializeModule). This is needed by the zygote on Linux to get
331 // access to the plugins before entering the sandbox.
332 void PreloadPepperPlugins() {
333 std::vector<PepperPluginInfo> plugins;
334 ComputePepperPluginList(&plugins);
335 for (size_t i = 0; i < plugins.size(); ++i) {
336 if (!plugins[i].is_internal && plugins[i].is_sandboxed) {
337 base::NativeLibraryLoadError error;
338 base::NativeLibrary library = base::LoadNativeLibrary(plugins[i].path,
339 &error);
340 VLOG_IF(1, !library) << "Unable to load plugin "
341 << plugins[i].path.value() << " "
342 << error.ToString();
344 (void)library; // Prevent release-mode warning.
348 #endif
350 // This function triggers the static and lazy construction of objects that need
351 // to be created before imposing the sandbox.
352 static void ZygotePreSandboxInit() {
353 base::RandUint64();
355 base::SysInfo::AmountOfPhysicalMemory();
356 base::SysInfo::MaxSharedMemorySize();
357 base::SysInfo::NumberOfProcessors();
359 // ICU DateFormat class (used in base/time_format.cc) needs to get the
360 // Olson timezone ID by accessing the zoneinfo files on disk. After
361 // TimeZone::createDefault is called once here, the timezone ID is
362 // cached and there's no more need to access the file system.
363 scoped_ptr<icu::TimeZone> zone(icu::TimeZone::createDefault());
365 #if defined(USE_NSS)
366 // NSS libraries are loaded before sandbox is activated. This is to allow
367 // successful initialization of NSS which tries to load extra library files.
368 crypto::LoadNSSLibraries();
369 #elif defined(USE_OPENSSL)
370 // Read a random byte in order to cause BoringSSL to open a file descriptor
371 // for /dev/urandom.
372 uint8_t scratch;
373 RAND_bytes(&scratch, 1);
374 #else
375 // It's possible that another hypothetical crypto stack would not require
376 // pre-sandbox init, but more likely this is just a build configuration error.
377 #error Which SSL library are you using?
378 #endif
379 #if defined(ENABLE_PLUGINS)
380 // Ensure access to the Pepper plugins before the sandbox is turned on.
381 PreloadPepperPlugins();
382 #endif
383 #if defined(ENABLE_WEBRTC)
384 InitializeWebRtcModule();
385 #endif
386 SkFontConfigInterface::SetGlobal(
387 new FontConfigIPC(GetSandboxFD()))->unref();
390 static bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback) {
391 // The current process becomes init(1), this function returns from a
392 // newly created process.
393 const bool init_created =
394 sandbox::CreateInitProcessReaper(post_fork_parent_callback);
395 if (!init_created) {
396 LOG(ERROR) << "Error creating an init process to reap zombies";
397 return false;
399 return true;
402 // Enter the setuid sandbox. This requires the current process to have been
403 // created through the setuid sandbox.
404 static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox,
405 base::Closure* post_fork_parent_callback) {
406 DCHECK(setuid_sandbox);
407 DCHECK(setuid_sandbox->IsSuidSandboxChild());
409 // Use the SUID sandbox. This still allows the seccomp sandbox to
410 // be enabled by the process later.
412 if (!setuid_sandbox->IsSuidSandboxUpToDate()) {
413 LOG(WARNING) <<
414 "You are using a wrong version of the setuid binary!\n"
415 "Please read "
416 "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment."
417 "\n\n";
420 if (!setuid_sandbox->ChrootMe())
421 return false;
423 if (setuid_sandbox->IsInNewPIDNamespace()) {
424 CHECK_EQ(1, getpid())
425 << "The SUID sandbox created a new PID namespace but Zygote "
426 "is not the init process. Please, make sure the SUID "
427 "binary is up to date.";
430 if (getpid() == 1) {
431 // The setuid sandbox has created a new PID namespace and we need
432 // to assume the role of init.
433 CHECK(CreateInitProcessReaper(post_fork_parent_callback));
436 #if !defined(OS_OPENBSD)
437 // Previously, we required that the binary be non-readable. This causes the
438 // kernel to mark the process as non-dumpable at startup. The thinking was
439 // that, although we were putting the renderers into a PID namespace (with
440 // the SUID sandbox), they would nonetheless be in the /same/ PID
441 // namespace. So they could ptrace each other unless they were non-dumpable.
443 // If the binary was readable, then there would be a window between process
444 // startup and the point where we set the non-dumpable flag in which a
445 // compromised renderer could ptrace attach.
447 // However, now that we have a zygote model, only the (trusted) zygote
448 // exists at this point and we can set the non-dumpable flag which is
449 // inherited by all our renderer children.
451 // Note: a non-dumpable process can't be debugged. To debug sandbox-related
452 // issues, one can specify --allow-sandbox-debugging to let the process be
453 // dumpable.
454 const base::CommandLine& command_line =
455 *base::CommandLine::ForCurrentProcess();
456 if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) {
457 prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
458 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
459 LOG(ERROR) << "Failed to set non-dumpable flag";
460 return false;
462 } else {
463 // If sandbox debugging is allowed, install a handler for sandbox-related
464 // crash testing.
465 InstallSandboxCrashTestHandler();
468 #endif
470 return true;
473 #if defined(ADDRESS_SANITIZER)
474 const size_t kSanitizerMaxMessageLength = 1 * 1024 * 1024;
476 // A helper process which collects code coverage data from the renderers over a
477 // socket and dumps it to a file. See http://crbug.com/336212 for discussion.
478 static void SanitizerCoverageHelper(int socket_fd, int file_fd) {
479 scoped_ptr<char[]> buffer(new char[kSanitizerMaxMessageLength]);
480 while (true) {
481 ssize_t received_size = HANDLE_EINTR(
482 recv(socket_fd, buffer.get(), kSanitizerMaxMessageLength, 0));
483 PCHECK(received_size >= 0);
484 if (received_size == 0)
485 // All clients have closed the socket. We should die.
486 _exit(0);
487 PCHECK(file_fd >= 0);
488 ssize_t written_size = 0;
489 while (written_size < received_size) {
490 ssize_t write_res =
491 HANDLE_EINTR(write(file_fd, buffer.get() + written_size,
492 received_size - written_size));
493 PCHECK(write_res >= 0);
494 written_size += write_res;
496 PCHECK(0 == HANDLE_EINTR(fsync(file_fd)));
500 // fds[0] is the read end, fds[1] is the write end.
501 static void CreateSanitizerCoverageSocketPair(int fds[2]) {
502 PCHECK(0 == socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds));
503 PCHECK(0 == shutdown(fds[0], SHUT_WR));
504 PCHECK(0 == shutdown(fds[1], SHUT_RD));
507 static pid_t ForkSanitizerCoverageHelper(
508 int child_fd,
509 int parent_fd,
510 base::ScopedFD file_fd,
511 const std::vector<int>& extra_fds_to_close) {
512 pid_t pid = fork();
513 PCHECK(pid >= 0);
514 if (pid == 0) {
515 // In the child.
516 PCHECK(0 == IGNORE_EINTR(close(parent_fd)));
517 CloseFds(extra_fds_to_close);
518 SanitizerCoverageHelper(child_fd, file_fd.get());
519 _exit(0);
520 } else {
521 // In the parent.
522 PCHECK(0 == IGNORE_EINTR(close(child_fd)));
523 return pid;
527 #endif // defined(ADDRESS_SANITIZER)
529 // If |is_suid_sandbox_child|, then make sure that the setuid sandbox is
530 // engaged.
531 static void EnterLayerOneSandbox(LinuxSandbox* linux_sandbox,
532 bool is_suid_sandbox_child,
533 base::Closure* post_fork_parent_callback) {
534 DCHECK(linux_sandbox);
536 ZygotePreSandboxInit();
538 // Check that the pre-sandbox initialization didn't spawn threads.
539 #if !defined(THREAD_SANITIZER)
540 DCHECK(linux_sandbox->IsSingleThreaded());
541 #endif
543 sandbox::SetuidSandboxClient* setuid_sandbox =
544 linux_sandbox->setuid_sandbox_client();
546 if (is_suid_sandbox_child) {
547 CHECK(EnterSuidSandbox(setuid_sandbox, post_fork_parent_callback))
548 << "Failed to enter setuid sandbox";
552 bool ZygoteMain(const MainFunctionParams& params,
553 ScopedVector<ZygoteForkDelegate> fork_delegates) {
554 g_am_zygote_or_renderer = true;
555 sandbox::InitLibcUrandomOverrides();
557 std::vector<int> fds_to_close_post_fork;
559 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
561 #if defined(ADDRESS_SANITIZER)
562 const std::string sancov_file_name =
563 "zygote." + base::Uint64ToString(base::RandUint64());
564 base::ScopedFD sancov_file_fd(
565 __sanitizer_maybe_open_cov_file(sancov_file_name.c_str()));
566 int sancov_socket_fds[2] = {-1, -1};
567 CreateSanitizerCoverageSocketPair(sancov_socket_fds);
568 linux_sandbox->sanitizer_args()->coverage_sandboxed = 1;
569 linux_sandbox->sanitizer_args()->coverage_fd = sancov_socket_fds[1];
570 linux_sandbox->sanitizer_args()->coverage_max_block_size =
571 kSanitizerMaxMessageLength;
572 // Zygote termination will block until the helper process exits, which will
573 // not happen until the write end of the socket is closed everywhere. Make
574 // sure the init process does not hold on to it.
575 fds_to_close_post_fork.push_back(sancov_socket_fds[0]);
576 fds_to_close_post_fork.push_back(sancov_socket_fds[1]);
577 #endif
579 // Skip pre-initializing sandbox under --no-sandbox for crbug.com/444900.
580 if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
581 switches::kNoSandbox)) {
582 // This will pre-initialize the various sandboxes that need it.
583 linux_sandbox->PreinitializeSandbox();
586 const bool must_enable_setuid_sandbox =
587 linux_sandbox->setuid_sandbox_client()->IsSuidSandboxChild();
588 if (must_enable_setuid_sandbox) {
589 linux_sandbox->setuid_sandbox_client()->CloseDummyFile();
591 // Let the ZygoteHost know we're booting up.
592 CHECK(UnixDomainSocket::SendMsg(kZygoteSocketPairFd,
593 kZygoteBootMessage,
594 sizeof(kZygoteBootMessage),
595 std::vector<int>()));
598 VLOG(1) << "ZygoteMain: initializing " << fork_delegates.size()
599 << " fork delegates";
600 for (ScopedVector<ZygoteForkDelegate>::iterator i = fork_delegates.begin();
601 i != fork_delegates.end();
602 ++i) {
603 (*i)->Init(GetSandboxFD(), must_enable_setuid_sandbox);
606 const std::vector<int> sandbox_fds_to_close_post_fork =
607 linux_sandbox->GetFileDescriptorsToClose();
609 fds_to_close_post_fork.insert(fds_to_close_post_fork.end(),
610 sandbox_fds_to_close_post_fork.begin(),
611 sandbox_fds_to_close_post_fork.end());
612 base::Closure post_fork_parent_callback =
613 base::Bind(&CloseFds, fds_to_close_post_fork);
615 // Turn on the first layer of the sandbox if the configuration warrants it.
616 EnterLayerOneSandbox(linux_sandbox, must_enable_setuid_sandbox,
617 &post_fork_parent_callback);
619 // Extra children and file descriptors created that the Zygote must have
620 // knowledge of.
621 std::vector<pid_t> extra_children;
622 std::vector<int> extra_fds;
624 #if defined(ADDRESS_SANITIZER)
625 pid_t sancov_helper_pid = ForkSanitizerCoverageHelper(
626 sancov_socket_fds[0], sancov_socket_fds[1], sancov_file_fd.Pass(),
627 sandbox_fds_to_close_post_fork);
628 // It's important that the zygote reaps the helper before dying. Otherwise,
629 // the destruction of the PID namespace could kill the helper before it
630 // completes its I/O tasks. |sancov_helper_pid| will exit once the last
631 // renderer holding the write end of |sancov_socket_fds| closes it.
632 extra_children.push_back(sancov_helper_pid);
633 // Sanitizer code in the renderers will inherit the write end of the socket
634 // from the zygote. We must keep it open until the very end of the zygote's
635 // lifetime, even though we don't explicitly use it.
636 extra_fds.push_back(sancov_socket_fds[1]);
637 #endif
639 int sandbox_flags = linux_sandbox->GetStatus();
640 bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;
641 CHECK_EQ(must_enable_setuid_sandbox, setuid_sandbox_engaged);
643 Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children,
644 extra_fds);
645 // This function call can return multiple times, once per fork().
646 return zygote.ProcessRequests();
649 } // namespace content