Home | History | Annotate | Download | only in zygote
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "content/zygote/zygote_main.h"
      6 
      7 #include <dlfcn.h>
      8 #include <fcntl.h>
      9 #include <pthread.h>
     10 #include <signal.h>
     11 #include <string.h>
     12 #include <sys/socket.h>
     13 #include <sys/types.h>
     14 #include <unistd.h>
     15 
     16 #include "base/basictypes.h"
     17 #include "base/bind.h"
     18 #include "base/command_line.h"
     19 #include "base/compiler_specific.h"
     20 #include "base/memory/scoped_vector.h"
     21 #include "base/native_library.h"
     22 #include "base/pickle.h"
     23 #include "base/posix/eintr_wrapper.h"
     24 #include "base/posix/unix_domain_socket_linux.h"
     25 #include "base/rand_util.h"
     26 #include "base/strings/safe_sprintf.h"
     27 #include "base/strings/string_number_conversions.h"
     28 #include "base/sys_info.h"
     29 #include "build/build_config.h"
     30 #include "content/common/child_process_sandbox_support_impl_linux.h"
     31 #include "content/common/font_config_ipc_linux.h"
     32 #include "content/common/sandbox_linux/sandbox_linux.h"
     33 #include "content/common/zygote_commands_linux.h"
     34 #include "content/public/common/content_switches.h"
     35 #include "content/public/common/main_function_params.h"
     36 #include "content/public/common/sandbox_linux.h"
     37 #include "content/public/common/zygote_fork_delegate_linux.h"
     38 #include "content/zygote/zygote_linux.h"
     39 #include "crypto/nss_util.h"
     40 #include "sandbox/linux/services/init_process_reaper.h"
     41 #include "sandbox/linux/services/libc_urandom_override.h"
     42 #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
     43 #include "third_party/icu/source/i18n/unicode/timezone.h"
     44 #include "third_party/skia/include/ports/SkFontConfigInterface.h"
     45 
     46 #if defined(OS_LINUX)
     47 #include <sys/prctl.h>
     48 #endif
     49 
     50 #if defined(USE_OPENSSL)
     51 #include <openssl/rand.h>
     52 #endif
     53 
     54 #if defined(ENABLE_PLUGINS)
     55 #include "content/common/pepper_plugin_list.h"
     56 #include "content/public/common/pepper_plugin_info.h"
     57 #endif
     58 
     59 #if defined(ENABLE_WEBRTC)
     60 #include "third_party/libjingle/overrides/init_webrtc.h"
     61 #endif
     62 
     63 #if defined(ADDRESS_SANITIZER)
     64 #include <sanitizer/asan_interface.h>
     65 #endif
     66 
     67 namespace content {
     68 
     69 namespace {
     70 
     71 void DoChrootSignalHandler(int) {
     72   const int old_errno = errno;
     73   const char kFirstMessage[] = "Chroot signal handler called.\n";
     74   ignore_result(write(STDERR_FILENO, kFirstMessage, sizeof(kFirstMessage) - 1));
     75 
     76   const int chroot_ret = chroot("/");
     77 
     78   char kSecondMessage[100];
     79   const ssize_t printed =
     80       base::strings::SafeSPrintf(kSecondMessage,
     81                                  "chroot() returned %d. Errno is %d.\n",
     82                                  chroot_ret,
     83                                  errno);
     84   if (printed > 0 && printed < static_cast<ssize_t>(sizeof(kSecondMessage))) {
     85     ignore_result(write(STDERR_FILENO, kSecondMessage, printed));
     86   }
     87   errno = old_errno;
     88 }
     89 
     90 // This is a quick hack to allow testing sandbox crash reports in production
     91 // binaries.
     92 // This installs a signal handler for SIGUSR2 that performs a chroot().
     93 // In most of our BPF policies, it is a "watched" system call which will
     94 // trigger a SIGSYS signal whose handler will crash.
     95 // This has been added during the investigation of https://crbug.com/415842.
     96 void InstallSandboxCrashTestHandler() {
     97   struct sigaction act = {};
     98   act.sa_handler = DoChrootSignalHandler;
     99   CHECK_EQ(0, sigemptyset(&act.sa_mask));
    100   act.sa_flags = 0;
    101 
    102   PCHECK(0 == sigaction(SIGUSR2, &act, NULL));
    103 }
    104 }  // namespace
    105 
    106 // See http://code.google.com/p/chromium/wiki/LinuxZygote
    107 
    108 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
    109                                         char* timezone_out,
    110                                         size_t timezone_out_len) {
    111   Pickle request;
    112   request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
    113   request.WriteString(
    114       std::string(reinterpret_cast<char*>(&input), sizeof(input)));
    115 
    116   uint8_t reply_buf[512];
    117   const ssize_t r = UnixDomainSocket::SendRecvMsg(
    118       GetSandboxFD(), reply_buf, sizeof(reply_buf), NULL,
    119       request);
    120   if (r == -1) {
    121     memset(output, 0, sizeof(struct tm));
    122     return;
    123   }
    124 
    125   Pickle reply(reinterpret_cast<char*>(reply_buf), r);
    126   PickleIterator iter(reply);
    127   std::string result, timezone;
    128   if (!reply.ReadString(&iter, &result) ||
    129       !reply.ReadString(&iter, &timezone) ||
    130       result.size() != sizeof(struct tm)) {
    131     memset(output, 0, sizeof(struct tm));
    132     return;
    133   }
    134 
    135   memcpy(output, result.data(), sizeof(struct tm));
    136   if (timezone_out_len) {
    137     const size_t copy_len = std::min(timezone_out_len - 1, timezone.size());
    138     memcpy(timezone_out, timezone.data(), copy_len);
    139     timezone_out[copy_len] = 0;
    140     output->tm_zone = timezone_out;
    141   } else {
    142     output->tm_zone = NULL;
    143   }
    144 }
    145 
    146 static bool g_am_zygote_or_renderer = false;
    147 
    148 // Sandbox interception of libc calls.
    149 //
    150 // Because we are running in a sandbox certain libc calls will fail (localtime
    151 // being the motivating example - it needs to read /etc/localtime). We need to
    152 // intercept these calls and proxy them to the browser. However, these calls
    153 // may come from us or from our libraries. In some cases we can't just change
    154 // our code.
    155 //
    156 // It's for these cases that we have the following setup:
    157 //
    158 // We define global functions for those functions which we wish to override.
    159 // Since we will be first in the dynamic resolution order, the dynamic linker
    160 // will point callers to our versions of these functions. However, we have the
    161 // same binary for both the browser and the renderers, which means that our
    162 // overrides will apply in the browser too.
    163 //
    164 // The global |g_am_zygote_or_renderer| is true iff we are in a zygote or
    165 // renderer process. It's set in ZygoteMain and inherited by the renderers when
    166 // they fork. (This means that it'll be incorrect for global constructor
    167 // functions and before ZygoteMain is called - beware).
    168 //
    169 // Our replacement functions can check this global and either proxy
    170 // the call to the browser over the sandbox IPC
    171 // (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use
    172 // dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the
    173 // current module.
    174 //
    175 // Other avenues:
    176 //
    177 // Our first attempt involved some assembly to patch the GOT of the current
    178 // module. This worked, but was platform specific and doesn't catch the case
    179 // where a library makes a call rather than current module.
    180 //
    181 // We also considered patching the function in place, but this would again by
    182 // platform specific and the above technique seems to work well enough.
    183 
    184 typedef struct tm* (*LocaltimeFunction)(const time_t* timep);
    185 typedef struct tm* (*LocaltimeRFunction)(const time_t* timep,
    186                                          struct tm* result);
    187 
    188 static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT;
    189 static LocaltimeFunction g_libc_localtime;
    190 static LocaltimeFunction g_libc_localtime64;
    191 static LocaltimeRFunction g_libc_localtime_r;
    192 static LocaltimeRFunction g_libc_localtime64_r;
    193 
    194 static void InitLibcLocaltimeFunctions() {
    195   g_libc_localtime = reinterpret_cast<LocaltimeFunction>(
    196       dlsym(RTLD_NEXT, "localtime"));
    197   g_libc_localtime64 = reinterpret_cast<LocaltimeFunction>(
    198       dlsym(RTLD_NEXT, "localtime64"));
    199   g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>(
    200       dlsym(RTLD_NEXT, "localtime_r"));
    201   g_libc_localtime64_r = reinterpret_cast<LocaltimeRFunction>(
    202       dlsym(RTLD_NEXT, "localtime64_r"));
    203 
    204   if (!g_libc_localtime || !g_libc_localtime_r) {
    205     // http://code.google.com/p/chromium/issues/detail?id=16800
    206     //
    207     // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces
    208     // it with a version which doesn't work. In this case we'll get a NULL
    209     // result. There's not a lot we can do at this point, so we just bodge it!
    210     LOG(ERROR) << "Your system is broken: dlsym doesn't work! This has been "
    211                   "reported to be caused by Nvidia's libGL. You should expect"
    212                   " time related functions to misbehave. "
    213                   "http://code.google.com/p/chromium/issues/detail?id=16800";
    214   }
    215 
    216   if (!g_libc_localtime)
    217     g_libc_localtime = gmtime;
    218   if (!g_libc_localtime64)
    219     g_libc_localtime64 = g_libc_localtime;
    220   if (!g_libc_localtime_r)
    221     g_libc_localtime_r = gmtime_r;
    222   if (!g_libc_localtime64_r)
    223     g_libc_localtime64_r = g_libc_localtime_r;
    224 }
    225 
    226 // Define localtime_override() function with asm name "localtime", so that all
    227 // references to localtime() will resolve to this function. Notice that we need
    228 // to set visibility attribute to "default" to export the symbol, as it is set
    229 // to "hidden" by default in chrome per build/common.gypi.
    230 __attribute__ ((__visibility__("default")))
    231 struct tm* localtime_override(const time_t* timep) __asm__ ("localtime");
    232 
    233 __attribute__ ((__visibility__("default")))
    234 struct tm* localtime_override(const time_t* timep) {
    235   if (g_am_zygote_or_renderer) {
    236     static struct tm time_struct;
    237     static char timezone_string[64];
    238     ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string,
    239                                 sizeof(timezone_string));
    240     return &time_struct;
    241   } else {
    242     CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
    243                              InitLibcLocaltimeFunctions));
    244     struct tm* res = g_libc_localtime(timep);
    245 #if defined(MEMORY_SANITIZER)
    246     if (res) __msan_unpoison(res, sizeof(*res));
    247     if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
    248 #endif
    249     return res;
    250   }
    251 }
    252 
    253 // Use same trick to override localtime64(), localtime_r() and localtime64_r().
    254 __attribute__ ((__visibility__("default")))
    255 struct tm* localtime64_override(const time_t* timep) __asm__ ("localtime64");
    256 
    257 __attribute__ ((__visibility__("default")))
    258 struct tm* localtime64_override(const time_t* timep) {
    259   if (g_am_zygote_or_renderer) {
    260     static struct tm time_struct;
    261     static char timezone_string[64];
    262     ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string,
    263                                 sizeof(timezone_string));
    264     return &time_struct;
    265   } else {
    266     CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
    267                              InitLibcLocaltimeFunctions));
    268     struct tm* res = g_libc_localtime64(timep);
    269 #if defined(MEMORY_SANITIZER)
    270     if (res) __msan_unpoison(res, sizeof(*res));
    271     if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
    272 #endif
    273     return res;
    274   }
    275 }
    276 
    277 __attribute__ ((__visibility__("default")))
    278 struct tm* localtime_r_override(const time_t* timep,
    279                                 struct tm* result) __asm__ ("localtime_r");
    280 
    281 __attribute__ ((__visibility__("default")))
    282 struct tm* localtime_r_override(const time_t* timep, struct tm* result) {
    283   if (g_am_zygote_or_renderer) {
    284     ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
    285     return result;
    286   } else {
    287     CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
    288                              InitLibcLocaltimeFunctions));
    289     struct tm* res = g_libc_localtime_r(timep, result);
    290 #if defined(MEMORY_SANITIZER)
    291     if (res) __msan_unpoison(res, sizeof(*res));
    292     if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
    293 #endif
    294     return res;
    295   }
    296 }
    297 
    298 __attribute__ ((__visibility__("default")))
    299 struct tm* localtime64_r_override(const time_t* timep,
    300                                   struct tm* result) __asm__ ("localtime64_r");
    301 
    302 __attribute__ ((__visibility__("default")))
    303 struct tm* localtime64_r_override(const time_t* timep, struct tm* result) {
    304   if (g_am_zygote_or_renderer) {
    305     ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0);
    306     return result;
    307   } else {
    308     CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard,
    309                              InitLibcLocaltimeFunctions));
    310     struct tm* res = g_libc_localtime64_r(timep, result);
    311 #if defined(MEMORY_SANITIZER)
    312     if (res) __msan_unpoison(res, sizeof(*res));
    313     if (res->tm_zone) __msan_unpoison_string(res->tm_zone);
    314 #endif
    315     return res;
    316   }
    317 }
    318 
    319 #if defined(ENABLE_PLUGINS)
    320 // Loads the (native) libraries but does not initialize them (i.e., does not
    321 // call PPP_InitializeModule). This is needed by the zygote on Linux to get
    322 // access to the plugins before entering the sandbox.
    323 void PreloadPepperPlugins() {
    324   std::vector<PepperPluginInfo> plugins;
    325   ComputePepperPluginList(&plugins);
    326   for (size_t i = 0; i < plugins.size(); ++i) {
    327     if (!plugins[i].is_internal && plugins[i].is_sandboxed) {
    328       base::NativeLibraryLoadError error;
    329       base::NativeLibrary library = base::LoadNativeLibrary(plugins[i].path,
    330                                                             &error);
    331       VLOG_IF(1, !library) << "Unable to load plugin "
    332                            << plugins[i].path.value() << " "
    333                            << error.ToString();
    334 
    335       (void)library;  // Prevent release-mode warning.
    336     }
    337   }
    338 }
    339 #endif
    340 
    341 // This function triggers the static and lazy construction of objects that need
    342 // to be created before imposing the sandbox.
    343 static void ZygotePreSandboxInit() {
    344   base::RandUint64();
    345 
    346   base::SysInfo::AmountOfPhysicalMemory();
    347   base::SysInfo::MaxSharedMemorySize();
    348   base::SysInfo::NumberOfProcessors();
    349 
    350   // ICU DateFormat class (used in base/time_format.cc) needs to get the
    351   // Olson timezone ID by accessing the zoneinfo files on disk. After
    352   // TimeZone::createDefault is called once here, the timezone ID is
    353   // cached and there's no more need to access the file system.
    354   scoped_ptr<icu::TimeZone> zone(icu::TimeZone::createDefault());
    355 
    356 #if defined(USE_NSS)
    357   // NSS libraries are loaded before sandbox is activated. This is to allow
    358   // successful initialization of NSS which tries to load extra library files.
    359   crypto::LoadNSSLibraries();
    360 #elif defined(USE_OPENSSL)
    361   // Read a random byte in order to cause BoringSSL to open a file descriptor
    362   // for /dev/urandom.
    363   uint8_t scratch;
    364   RAND_bytes(&scratch, 1);
    365 #else
    366   // It's possible that another hypothetical crypto stack would not require
    367   // pre-sandbox init, but more likely this is just a build configuration error.
    368   #error Which SSL library are you using?
    369 #endif
    370 #if defined(ENABLE_PLUGINS)
    371   // Ensure access to the Pepper plugins before the sandbox is turned on.
    372   PreloadPepperPlugins();
    373 #endif
    374 #if defined(ENABLE_WEBRTC)
    375   InitializeWebRtcModule();
    376 #endif
    377   SkFontConfigInterface::SetGlobal(
    378       new FontConfigIPC(GetSandboxFD()))->unref();
    379 }
    380 
    381 static bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback) {
    382   // The current process becomes init(1), this function returns from a
    383   // newly created process.
    384   const bool init_created =
    385       sandbox::CreateInitProcessReaper(post_fork_parent_callback);
    386   if (!init_created) {
    387     LOG(ERROR) << "Error creating an init process to reap zombies";
    388     return false;
    389   }
    390   return true;
    391 }
    392 
    393 // Enter the setuid sandbox. This requires the current process to have been
    394 // created through the setuid sandbox.
    395 static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox,
    396                              base::Closure* post_fork_parent_callback) {
    397   DCHECK(setuid_sandbox);
    398   DCHECK(setuid_sandbox->IsSuidSandboxChild());
    399 
    400   // Use the SUID sandbox.  This still allows the seccomp sandbox to
    401   // be enabled by the process later.
    402 
    403   if (!setuid_sandbox->IsSuidSandboxUpToDate()) {
    404     LOG(WARNING) <<
    405         "You are using a wrong version of the setuid binary!\n"
    406         "Please read "
    407         "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment."
    408         "\n\n";
    409   }
    410 
    411   if (!setuid_sandbox->ChrootMe())
    412     return false;
    413 
    414   if (setuid_sandbox->IsInNewPIDNamespace()) {
    415     CHECK_EQ(1, getpid())
    416         << "The SUID sandbox created a new PID namespace but Zygote "
    417            "is not the init process. Please, make sure the SUID "
    418            "binary is up to date.";
    419   }
    420 
    421   if (getpid() == 1) {
    422     // The setuid sandbox has created a new PID namespace and we need
    423     // to assume the role of init.
    424     CHECK(CreateInitProcessReaper(post_fork_parent_callback));
    425   }
    426 
    427 #if !defined(OS_OPENBSD)
    428   // Previously, we required that the binary be non-readable. This causes the
    429   // kernel to mark the process as non-dumpable at startup. The thinking was
    430   // that, although we were putting the renderers into a PID namespace (with
    431   // the SUID sandbox), they would nonetheless be in the /same/ PID
    432   // namespace. So they could ptrace each other unless they were non-dumpable.
    433   //
    434   // If the binary was readable, then there would be a window between process
    435   // startup and the point where we set the non-dumpable flag in which a
    436   // compromised renderer could ptrace attach.
    437   //
    438   // However, now that we have a zygote model, only the (trusted) zygote
    439   // exists at this point and we can set the non-dumpable flag which is
    440   // inherited by all our renderer children.
    441   //
    442   // Note: a non-dumpable process can't be debugged. To debug sandbox-related
    443   // issues, one can specify --allow-sandbox-debugging to let the process be
    444   // dumpable.
    445   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
    446   if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) {
    447     prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
    448     if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
    449       LOG(ERROR) << "Failed to set non-dumpable flag";
    450       return false;
    451     }
    452   } else {
    453     // If sandbox debugging is allowed, install a handler for sandbox-related
    454     // crash testing.
    455     InstallSandboxCrashTestHandler();
    456   }
    457 
    458 #endif
    459 
    460   return true;
    461 }
    462 
    463 #if defined(ADDRESS_SANITIZER)
    464 const size_t kSanitizerMaxMessageLength = 1 * 1024 * 1024;
    465 
    466 // A helper process which collects code coverage data from the renderers over a
    467 // socket and dumps it to a file. See http://crbug.com/336212 for discussion.
    468 static void SanitizerCoverageHelper(int socket_fd, int file_fd) {
    469   scoped_ptr<char[]> buffer(new char[kSanitizerMaxMessageLength]);
    470   while (true) {
    471     ssize_t received_size = HANDLE_EINTR(
    472         recv(socket_fd, buffer.get(), kSanitizerMaxMessageLength, 0));
    473     PCHECK(received_size >= 0);
    474     if (received_size == 0)
    475       // All clients have closed the socket. We should die.
    476       _exit(0);
    477     PCHECK(file_fd >= 0);
    478     ssize_t written_size = 0;
    479     while (written_size < received_size) {
    480       ssize_t write_res =
    481           HANDLE_EINTR(write(file_fd, buffer.get() + written_size,
    482                              received_size - written_size));
    483       PCHECK(write_res >= 0);
    484       written_size += write_res;
    485     }
    486     PCHECK(0 == HANDLE_EINTR(fsync(file_fd)));
    487   }
    488 }
    489 
    490 // fds[0] is the read end, fds[1] is the write end.
    491 static void CreateSanitizerCoverageSocketPair(int fds[2]) {
    492   PCHECK(0 == socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds));
    493   PCHECK(0 == shutdown(fds[0], SHUT_WR));
    494   PCHECK(0 == shutdown(fds[1], SHUT_RD));
    495 }
    496 
    497 static pid_t ForkSanitizerCoverageHelper(int child_fd, int parent_fd,
    498                                         base::ScopedFD file_fd) {
    499   pid_t pid = fork();
    500   PCHECK(pid >= 0);
    501   if (pid == 0) {
    502     // In the child.
    503     PCHECK(0 == IGNORE_EINTR(close(parent_fd)));
    504     SanitizerCoverageHelper(child_fd, file_fd.get());
    505     _exit(0);
    506   } else {
    507     // In the parent.
    508     PCHECK(0 == IGNORE_EINTR(close(child_fd)));
    509     return pid;
    510   }
    511 }
    512 
    513 void CloseFdPair(const int fds[2]) {
    514   PCHECK(0 == IGNORE_EINTR(close(fds[0])));
    515   PCHECK(0 == IGNORE_EINTR(close(fds[1])));
    516 }
    517 #endif  // defined(ADDRESS_SANITIZER)
    518 
    519 // If |is_suid_sandbox_child|, then make sure that the setuid sandbox is
    520 // engaged.
    521 static void EnterLayerOneSandbox(LinuxSandbox* linux_sandbox,
    522                                  bool is_suid_sandbox_child,
    523                                  base::Closure* post_fork_parent_callback) {
    524   DCHECK(linux_sandbox);
    525 
    526   ZygotePreSandboxInit();
    527 
    528   // Check that the pre-sandbox initialization didn't spawn threads.
    529 #if !defined(THREAD_SANITIZER)
    530   DCHECK(linux_sandbox->IsSingleThreaded());
    531 #endif
    532 
    533   sandbox::SetuidSandboxClient* setuid_sandbox =
    534       linux_sandbox->setuid_sandbox_client();
    535 
    536   if (is_suid_sandbox_child) {
    537     CHECK(EnterSuidSandbox(setuid_sandbox, post_fork_parent_callback))
    538         << "Failed to enter setuid sandbox";
    539   }
    540 }
    541 
    542 bool ZygoteMain(const MainFunctionParams& params,
    543                 ScopedVector<ZygoteForkDelegate> fork_delegates) {
    544   g_am_zygote_or_renderer = true;
    545   sandbox::InitLibcUrandomOverrides();
    546 
    547   base::Closure *post_fork_parent_callback = NULL;
    548 
    549   LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
    550 
    551 #if defined(ADDRESS_SANITIZER)
    552   const std::string sancov_file_name =
    553       "zygote." + base::Uint64ToString(base::RandUint64());
    554   base::ScopedFD sancov_file_fd(
    555       __sanitizer_maybe_open_cov_file(sancov_file_name.c_str()));
    556   int sancov_socket_fds[2] = {-1, -1};
    557   CreateSanitizerCoverageSocketPair(sancov_socket_fds);
    558   linux_sandbox->sanitizer_args()->coverage_sandboxed = 1;
    559   linux_sandbox->sanitizer_args()->coverage_fd = sancov_socket_fds[1];
    560   linux_sandbox->sanitizer_args()->coverage_max_block_size =
    561       kSanitizerMaxMessageLength;
    562   // Zygote termination will block until the helper process exits, which will
    563   // not happen until the write end of the socket is closed everywhere. Make
    564   // sure the init process does not hold on to it.
    565   base::Closure close_sancov_socket_fds =
    566       base::Bind(&CloseFdPair, sancov_socket_fds);
    567   post_fork_parent_callback = &close_sancov_socket_fds;
    568 #endif
    569 
    570   // This will pre-initialize the various sandboxes that need it.
    571   linux_sandbox->PreinitializeSandbox();
    572 
    573   const bool must_enable_setuid_sandbox =
    574       linux_sandbox->setuid_sandbox_client()->IsSuidSandboxChild();
    575   if (must_enable_setuid_sandbox) {
    576     linux_sandbox->setuid_sandbox_client()->CloseDummyFile();
    577 
    578     // Let the ZygoteHost know we're booting up.
    579     CHECK(UnixDomainSocket::SendMsg(kZygoteSocketPairFd,
    580                                     kZygoteBootMessage,
    581                                     sizeof(kZygoteBootMessage),
    582                                     std::vector<int>()));
    583   }
    584 
    585   VLOG(1) << "ZygoteMain: initializing " << fork_delegates.size()
    586           << " fork delegates";
    587   for (ScopedVector<ZygoteForkDelegate>::iterator i = fork_delegates.begin();
    588        i != fork_delegates.end();
    589        ++i) {
    590     (*i)->Init(GetSandboxFD(), must_enable_setuid_sandbox);
    591   }
    592 
    593   // Turn on the first layer of the sandbox if the configuration warrants it.
    594   EnterLayerOneSandbox(linux_sandbox, must_enable_setuid_sandbox,
    595                        post_fork_parent_callback);
    596 
    597   std::vector<pid_t> extra_children;
    598   std::vector<int> extra_fds;
    599 
    600 #if defined(ADDRESS_SANITIZER)
    601   pid_t sancov_helper_pid = ForkSanitizerCoverageHelper(
    602       sancov_socket_fds[0], sancov_socket_fds[1], sancov_file_fd.Pass());
    603   // It's important that the zygote reaps the helper before dying. Otherwise,
    604   // the destruction of the PID namespace could kill the helper before it
    605   // completes its I/O tasks. |sancov_helper_pid| will exit once the last
    606   // renderer holding the write end of |sancov_socket_fds| closes it.
    607   extra_children.push_back(sancov_helper_pid);
    608   // Sanitizer code in the renderers will inherit the write end of the socket
    609   // from the zygote. We must keep it open until the very end of the zygote's
    610   // lifetime, even though we don't explicitly use it.
    611   extra_fds.push_back(sancov_socket_fds[1]);
    612 #endif
    613 
    614   int sandbox_flags = linux_sandbox->GetStatus();
    615   bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;
    616   CHECK_EQ(must_enable_setuid_sandbox, setuid_sandbox_engaged);
    617 
    618   Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children,
    619                 extra_fds);
    620   // This function call can return multiple times, once per fork().
    621   return zygote.ProcessRequests();
    622 }
    623 
    624 }  // namespace content
    625