1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "content/zygote/zygote_main.h" 6 7 #include <dlfcn.h> 8 #include <fcntl.h> 9 #include <pthread.h> 10 #include <signal.h> 11 #include <string.h> 12 #include <sys/socket.h> 13 #include <sys/types.h> 14 #include <unistd.h> 15 16 #include "base/basictypes.h" 17 #include "base/bind.h" 18 #include "base/command_line.h" 19 #include "base/compiler_specific.h" 20 #include "base/memory/scoped_vector.h" 21 #include "base/native_library.h" 22 #include "base/pickle.h" 23 #include "base/posix/eintr_wrapper.h" 24 #include "base/posix/unix_domain_socket_linux.h" 25 #include "base/rand_util.h" 26 #include "base/strings/safe_sprintf.h" 27 #include "base/strings/string_number_conversions.h" 28 #include "base/sys_info.h" 29 #include "build/build_config.h" 30 #include "content/common/child_process_sandbox_support_impl_linux.h" 31 #include "content/common/font_config_ipc_linux.h" 32 #include "content/common/sandbox_linux/sandbox_linux.h" 33 #include "content/common/zygote_commands_linux.h" 34 #include "content/public/common/content_switches.h" 35 #include "content/public/common/main_function_params.h" 36 #include "content/public/common/sandbox_linux.h" 37 #include "content/public/common/zygote_fork_delegate_linux.h" 38 #include "content/zygote/zygote_linux.h" 39 #include "crypto/nss_util.h" 40 #include "sandbox/linux/services/init_process_reaper.h" 41 #include "sandbox/linux/services/libc_urandom_override.h" 42 #include "sandbox/linux/suid/client/setuid_sandbox_client.h" 43 #include "third_party/icu/source/i18n/unicode/timezone.h" 44 #include "third_party/skia/include/ports/SkFontConfigInterface.h" 45 46 #if defined(OS_LINUX) 47 #include <sys/prctl.h> 48 #endif 49 50 #if defined(USE_OPENSSL) 51 #include <openssl/rand.h> 52 #endif 53 54 #if defined(ENABLE_PLUGINS) 55 #include "content/common/pepper_plugin_list.h" 56 #include "content/public/common/pepper_plugin_info.h" 57 #endif 58 59 #if defined(ENABLE_WEBRTC) 60 #include "third_party/libjingle/overrides/init_webrtc.h" 61 #endif 62 63 #if defined(ADDRESS_SANITIZER) 64 #include <sanitizer/asan_interface.h> 65 #endif 66 67 namespace content { 68 69 namespace { 70 71 void DoChrootSignalHandler(int) { 72 const int old_errno = errno; 73 const char kFirstMessage[] = "Chroot signal handler called.\n"; 74 ignore_result(write(STDERR_FILENO, kFirstMessage, sizeof(kFirstMessage) - 1)); 75 76 const int chroot_ret = chroot("/"); 77 78 char kSecondMessage[100]; 79 const ssize_t printed = 80 base::strings::SafeSPrintf(kSecondMessage, 81 "chroot() returned %d. Errno is %d.\n", 82 chroot_ret, 83 errno); 84 if (printed > 0 && printed < static_cast<ssize_t>(sizeof(kSecondMessage))) { 85 ignore_result(write(STDERR_FILENO, kSecondMessage, printed)); 86 } 87 errno = old_errno; 88 } 89 90 // This is a quick hack to allow testing sandbox crash reports in production 91 // binaries. 92 // This installs a signal handler for SIGUSR2 that performs a chroot(). 93 // In most of our BPF policies, it is a "watched" system call which will 94 // trigger a SIGSYS signal whose handler will crash. 95 // This has been added during the investigation of https://crbug.com/415842. 96 void InstallSandboxCrashTestHandler() { 97 struct sigaction act = {}; 98 act.sa_handler = DoChrootSignalHandler; 99 CHECK_EQ(0, sigemptyset(&act.sa_mask)); 100 act.sa_flags = 0; 101 102 PCHECK(0 == sigaction(SIGUSR2, &act, NULL)); 103 } 104 } // namespace 105 106 // See http://code.google.com/p/chromium/wiki/LinuxZygote 107 108 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output, 109 char* timezone_out, 110 size_t timezone_out_len) { 111 Pickle request; 112 request.WriteInt(LinuxSandbox::METHOD_LOCALTIME); 113 request.WriteString( 114 std::string(reinterpret_cast<char*>(&input), sizeof(input))); 115 116 uint8_t reply_buf[512]; 117 const ssize_t r = UnixDomainSocket::SendRecvMsg( 118 GetSandboxFD(), reply_buf, sizeof(reply_buf), NULL, 119 request); 120 if (r == -1) { 121 memset(output, 0, sizeof(struct tm)); 122 return; 123 } 124 125 Pickle reply(reinterpret_cast<char*>(reply_buf), r); 126 PickleIterator iter(reply); 127 std::string result, timezone; 128 if (!reply.ReadString(&iter, &result) || 129 !reply.ReadString(&iter, &timezone) || 130 result.size() != sizeof(struct tm)) { 131 memset(output, 0, sizeof(struct tm)); 132 return; 133 } 134 135 memcpy(output, result.data(), sizeof(struct tm)); 136 if (timezone_out_len) { 137 const size_t copy_len = std::min(timezone_out_len - 1, timezone.size()); 138 memcpy(timezone_out, timezone.data(), copy_len); 139 timezone_out[copy_len] = 0; 140 output->tm_zone = timezone_out; 141 } else { 142 output->tm_zone = NULL; 143 } 144 } 145 146 static bool g_am_zygote_or_renderer = false; 147 148 // Sandbox interception of libc calls. 149 // 150 // Because we are running in a sandbox certain libc calls will fail (localtime 151 // being the motivating example - it needs to read /etc/localtime). We need to 152 // intercept these calls and proxy them to the browser. However, these calls 153 // may come from us or from our libraries. In some cases we can't just change 154 // our code. 155 // 156 // It's for these cases that we have the following setup: 157 // 158 // We define global functions for those functions which we wish to override. 159 // Since we will be first in the dynamic resolution order, the dynamic linker 160 // will point callers to our versions of these functions. However, we have the 161 // same binary for both the browser and the renderers, which means that our 162 // overrides will apply in the browser too. 163 // 164 // The global |g_am_zygote_or_renderer| is true iff we are in a zygote or 165 // renderer process. It's set in ZygoteMain and inherited by the renderers when 166 // they fork. (This means that it'll be incorrect for global constructor 167 // functions and before ZygoteMain is called - beware). 168 // 169 // Our replacement functions can check this global and either proxy 170 // the call to the browser over the sandbox IPC 171 // (http://code.google.com/p/chromium/wiki/LinuxSandboxIPC) or they can use 172 // dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in the 173 // current module. 174 // 175 // Other avenues: 176 // 177 // Our first attempt involved some assembly to patch the GOT of the current 178 // module. This worked, but was platform specific and doesn't catch the case 179 // where a library makes a call rather than current module. 180 // 181 // We also considered patching the function in place, but this would again by 182 // platform specific and the above technique seems to work well enough. 183 184 typedef struct tm* (*LocaltimeFunction)(const time_t* timep); 185 typedef struct tm* (*LocaltimeRFunction)(const time_t* timep, 186 struct tm* result); 187 188 static pthread_once_t g_libc_localtime_funcs_guard = PTHREAD_ONCE_INIT; 189 static LocaltimeFunction g_libc_localtime; 190 static LocaltimeFunction g_libc_localtime64; 191 static LocaltimeRFunction g_libc_localtime_r; 192 static LocaltimeRFunction g_libc_localtime64_r; 193 194 static void InitLibcLocaltimeFunctions() { 195 g_libc_localtime = reinterpret_cast<LocaltimeFunction>( 196 dlsym(RTLD_NEXT, "localtime")); 197 g_libc_localtime64 = reinterpret_cast<LocaltimeFunction>( 198 dlsym(RTLD_NEXT, "localtime64")); 199 g_libc_localtime_r = reinterpret_cast<LocaltimeRFunction>( 200 dlsym(RTLD_NEXT, "localtime_r")); 201 g_libc_localtime64_r = reinterpret_cast<LocaltimeRFunction>( 202 dlsym(RTLD_NEXT, "localtime64_r")); 203 204 if (!g_libc_localtime || !g_libc_localtime_r) { 205 // http://code.google.com/p/chromium/issues/detail?id=16800 206 // 207 // Nvidia's libGL.so overrides dlsym for an unknown reason and replaces 208 // it with a version which doesn't work. In this case we'll get a NULL 209 // result. There's not a lot we can do at this point, so we just bodge it! 210 LOG(ERROR) << "Your system is broken: dlsym doesn't work! This has been " 211 "reported to be caused by Nvidia's libGL. You should expect" 212 " time related functions to misbehave. " 213 "http://code.google.com/p/chromium/issues/detail?id=16800"; 214 } 215 216 if (!g_libc_localtime) 217 g_libc_localtime = gmtime; 218 if (!g_libc_localtime64) 219 g_libc_localtime64 = g_libc_localtime; 220 if (!g_libc_localtime_r) 221 g_libc_localtime_r = gmtime_r; 222 if (!g_libc_localtime64_r) 223 g_libc_localtime64_r = g_libc_localtime_r; 224 } 225 226 // Define localtime_override() function with asm name "localtime", so that all 227 // references to localtime() will resolve to this function. Notice that we need 228 // to set visibility attribute to "default" to export the symbol, as it is set 229 // to "hidden" by default in chrome per build/common.gypi. 230 __attribute__ ((__visibility__("default"))) 231 struct tm* localtime_override(const time_t* timep) __asm__ ("localtime"); 232 233 __attribute__ ((__visibility__("default"))) 234 struct tm* localtime_override(const time_t* timep) { 235 if (g_am_zygote_or_renderer) { 236 static struct tm time_struct; 237 static char timezone_string[64]; 238 ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string, 239 sizeof(timezone_string)); 240 return &time_struct; 241 } else { 242 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, 243 InitLibcLocaltimeFunctions)); 244 struct tm* res = g_libc_localtime(timep); 245 #if defined(MEMORY_SANITIZER) 246 if (res) __msan_unpoison(res, sizeof(*res)); 247 if (res->tm_zone) __msan_unpoison_string(res->tm_zone); 248 #endif 249 return res; 250 } 251 } 252 253 // Use same trick to override localtime64(), localtime_r() and localtime64_r(). 254 __attribute__ ((__visibility__("default"))) 255 struct tm* localtime64_override(const time_t* timep) __asm__ ("localtime64"); 256 257 __attribute__ ((__visibility__("default"))) 258 struct tm* localtime64_override(const time_t* timep) { 259 if (g_am_zygote_or_renderer) { 260 static struct tm time_struct; 261 static char timezone_string[64]; 262 ProxyLocaltimeCallToBrowser(*timep, &time_struct, timezone_string, 263 sizeof(timezone_string)); 264 return &time_struct; 265 } else { 266 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, 267 InitLibcLocaltimeFunctions)); 268 struct tm* res = g_libc_localtime64(timep); 269 #if defined(MEMORY_SANITIZER) 270 if (res) __msan_unpoison(res, sizeof(*res)); 271 if (res->tm_zone) __msan_unpoison_string(res->tm_zone); 272 #endif 273 return res; 274 } 275 } 276 277 __attribute__ ((__visibility__("default"))) 278 struct tm* localtime_r_override(const time_t* timep, 279 struct tm* result) __asm__ ("localtime_r"); 280 281 __attribute__ ((__visibility__("default"))) 282 struct tm* localtime_r_override(const time_t* timep, struct tm* result) { 283 if (g_am_zygote_or_renderer) { 284 ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0); 285 return result; 286 } else { 287 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, 288 InitLibcLocaltimeFunctions)); 289 struct tm* res = g_libc_localtime_r(timep, result); 290 #if defined(MEMORY_SANITIZER) 291 if (res) __msan_unpoison(res, sizeof(*res)); 292 if (res->tm_zone) __msan_unpoison_string(res->tm_zone); 293 #endif 294 return res; 295 } 296 } 297 298 __attribute__ ((__visibility__("default"))) 299 struct tm* localtime64_r_override(const time_t* timep, 300 struct tm* result) __asm__ ("localtime64_r"); 301 302 __attribute__ ((__visibility__("default"))) 303 struct tm* localtime64_r_override(const time_t* timep, struct tm* result) { 304 if (g_am_zygote_or_renderer) { 305 ProxyLocaltimeCallToBrowser(*timep, result, NULL, 0); 306 return result; 307 } else { 308 CHECK_EQ(0, pthread_once(&g_libc_localtime_funcs_guard, 309 InitLibcLocaltimeFunctions)); 310 struct tm* res = g_libc_localtime64_r(timep, result); 311 #if defined(MEMORY_SANITIZER) 312 if (res) __msan_unpoison(res, sizeof(*res)); 313 if (res->tm_zone) __msan_unpoison_string(res->tm_zone); 314 #endif 315 return res; 316 } 317 } 318 319 #if defined(ENABLE_PLUGINS) 320 // Loads the (native) libraries but does not initialize them (i.e., does not 321 // call PPP_InitializeModule). This is needed by the zygote on Linux to get 322 // access to the plugins before entering the sandbox. 323 void PreloadPepperPlugins() { 324 std::vector<PepperPluginInfo> plugins; 325 ComputePepperPluginList(&plugins); 326 for (size_t i = 0; i < plugins.size(); ++i) { 327 if (!plugins[i].is_internal && plugins[i].is_sandboxed) { 328 base::NativeLibraryLoadError error; 329 base::NativeLibrary library = base::LoadNativeLibrary(plugins[i].path, 330 &error); 331 VLOG_IF(1, !library) << "Unable to load plugin " 332 << plugins[i].path.value() << " " 333 << error.ToString(); 334 335 (void)library; // Prevent release-mode warning. 336 } 337 } 338 } 339 #endif 340 341 // This function triggers the static and lazy construction of objects that need 342 // to be created before imposing the sandbox. 343 static void ZygotePreSandboxInit() { 344 base::RandUint64(); 345 346 base::SysInfo::AmountOfPhysicalMemory(); 347 base::SysInfo::MaxSharedMemorySize(); 348 base::SysInfo::NumberOfProcessors(); 349 350 // ICU DateFormat class (used in base/time_format.cc) needs to get the 351 // Olson timezone ID by accessing the zoneinfo files on disk. After 352 // TimeZone::createDefault is called once here, the timezone ID is 353 // cached and there's no more need to access the file system. 354 scoped_ptr<icu::TimeZone> zone(icu::TimeZone::createDefault()); 355 356 #if defined(USE_NSS) 357 // NSS libraries are loaded before sandbox is activated. This is to allow 358 // successful initialization of NSS which tries to load extra library files. 359 crypto::LoadNSSLibraries(); 360 #elif defined(USE_OPENSSL) 361 // Read a random byte in order to cause BoringSSL to open a file descriptor 362 // for /dev/urandom. 363 uint8_t scratch; 364 RAND_bytes(&scratch, 1); 365 #else 366 // It's possible that another hypothetical crypto stack would not require 367 // pre-sandbox init, but more likely this is just a build configuration error. 368 #error Which SSL library are you using? 369 #endif 370 #if defined(ENABLE_PLUGINS) 371 // Ensure access to the Pepper plugins before the sandbox is turned on. 372 PreloadPepperPlugins(); 373 #endif 374 #if defined(ENABLE_WEBRTC) 375 InitializeWebRtcModule(); 376 #endif 377 SkFontConfigInterface::SetGlobal( 378 new FontConfigIPC(GetSandboxFD()))->unref(); 379 } 380 381 static bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback) { 382 // The current process becomes init(1), this function returns from a 383 // newly created process. 384 const bool init_created = 385 sandbox::CreateInitProcessReaper(post_fork_parent_callback); 386 if (!init_created) { 387 LOG(ERROR) << "Error creating an init process to reap zombies"; 388 return false; 389 } 390 return true; 391 } 392 393 // Enter the setuid sandbox. This requires the current process to have been 394 // created through the setuid sandbox. 395 static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox, 396 base::Closure* post_fork_parent_callback) { 397 DCHECK(setuid_sandbox); 398 DCHECK(setuid_sandbox->IsSuidSandboxChild()); 399 400 // Use the SUID sandbox. This still allows the seccomp sandbox to 401 // be enabled by the process later. 402 403 if (!setuid_sandbox->IsSuidSandboxUpToDate()) { 404 LOG(WARNING) << 405 "You are using a wrong version of the setuid binary!\n" 406 "Please read " 407 "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment." 408 "\n\n"; 409 } 410 411 if (!setuid_sandbox->ChrootMe()) 412 return false; 413 414 if (setuid_sandbox->IsInNewPIDNamespace()) { 415 CHECK_EQ(1, getpid()) 416 << "The SUID sandbox created a new PID namespace but Zygote " 417 "is not the init process. Please, make sure the SUID " 418 "binary is up to date."; 419 } 420 421 if (getpid() == 1) { 422 // The setuid sandbox has created a new PID namespace and we need 423 // to assume the role of init. 424 CHECK(CreateInitProcessReaper(post_fork_parent_callback)); 425 } 426 427 #if !defined(OS_OPENBSD) 428 // Previously, we required that the binary be non-readable. This causes the 429 // kernel to mark the process as non-dumpable at startup. The thinking was 430 // that, although we were putting the renderers into a PID namespace (with 431 // the SUID sandbox), they would nonetheless be in the /same/ PID 432 // namespace. So they could ptrace each other unless they were non-dumpable. 433 // 434 // If the binary was readable, then there would be a window between process 435 // startup and the point where we set the non-dumpable flag in which a 436 // compromised renderer could ptrace attach. 437 // 438 // However, now that we have a zygote model, only the (trusted) zygote 439 // exists at this point and we can set the non-dumpable flag which is 440 // inherited by all our renderer children. 441 // 442 // Note: a non-dumpable process can't be debugged. To debug sandbox-related 443 // issues, one can specify --allow-sandbox-debugging to let the process be 444 // dumpable. 445 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); 446 if (!command_line.HasSwitch(switches::kAllowSandboxDebugging)) { 447 prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); 448 if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) { 449 LOG(ERROR) << "Failed to set non-dumpable flag"; 450 return false; 451 } 452 } else { 453 // If sandbox debugging is allowed, install a handler for sandbox-related 454 // crash testing. 455 InstallSandboxCrashTestHandler(); 456 } 457 458 #endif 459 460 return true; 461 } 462 463 #if defined(ADDRESS_SANITIZER) 464 const size_t kSanitizerMaxMessageLength = 1 * 1024 * 1024; 465 466 // A helper process which collects code coverage data from the renderers over a 467 // socket and dumps it to a file. See http://crbug.com/336212 for discussion. 468 static void SanitizerCoverageHelper(int socket_fd, int file_fd) { 469 scoped_ptr<char[]> buffer(new char[kSanitizerMaxMessageLength]); 470 while (true) { 471 ssize_t received_size = HANDLE_EINTR( 472 recv(socket_fd, buffer.get(), kSanitizerMaxMessageLength, 0)); 473 PCHECK(received_size >= 0); 474 if (received_size == 0) 475 // All clients have closed the socket. We should die. 476 _exit(0); 477 PCHECK(file_fd >= 0); 478 ssize_t written_size = 0; 479 while (written_size < received_size) { 480 ssize_t write_res = 481 HANDLE_EINTR(write(file_fd, buffer.get() + written_size, 482 received_size - written_size)); 483 PCHECK(write_res >= 0); 484 written_size += write_res; 485 } 486 PCHECK(0 == HANDLE_EINTR(fsync(file_fd))); 487 } 488 } 489 490 // fds[0] is the read end, fds[1] is the write end. 491 static void CreateSanitizerCoverageSocketPair(int fds[2]) { 492 PCHECK(0 == socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds)); 493 PCHECK(0 == shutdown(fds[0], SHUT_WR)); 494 PCHECK(0 == shutdown(fds[1], SHUT_RD)); 495 } 496 497 static pid_t ForkSanitizerCoverageHelper(int child_fd, int parent_fd, 498 base::ScopedFD file_fd) { 499 pid_t pid = fork(); 500 PCHECK(pid >= 0); 501 if (pid == 0) { 502 // In the child. 503 PCHECK(0 == IGNORE_EINTR(close(parent_fd))); 504 SanitizerCoverageHelper(child_fd, file_fd.get()); 505 _exit(0); 506 } else { 507 // In the parent. 508 PCHECK(0 == IGNORE_EINTR(close(child_fd))); 509 return pid; 510 } 511 } 512 513 void CloseFdPair(const int fds[2]) { 514 PCHECK(0 == IGNORE_EINTR(close(fds[0]))); 515 PCHECK(0 == IGNORE_EINTR(close(fds[1]))); 516 } 517 #endif // defined(ADDRESS_SANITIZER) 518 519 // If |is_suid_sandbox_child|, then make sure that the setuid sandbox is 520 // engaged. 521 static void EnterLayerOneSandbox(LinuxSandbox* linux_sandbox, 522 bool is_suid_sandbox_child, 523 base::Closure* post_fork_parent_callback) { 524 DCHECK(linux_sandbox); 525 526 ZygotePreSandboxInit(); 527 528 // Check that the pre-sandbox initialization didn't spawn threads. 529 #if !defined(THREAD_SANITIZER) 530 DCHECK(linux_sandbox->IsSingleThreaded()); 531 #endif 532 533 sandbox::SetuidSandboxClient* setuid_sandbox = 534 linux_sandbox->setuid_sandbox_client(); 535 536 if (is_suid_sandbox_child) { 537 CHECK(EnterSuidSandbox(setuid_sandbox, post_fork_parent_callback)) 538 << "Failed to enter setuid sandbox"; 539 } 540 } 541 542 bool ZygoteMain(const MainFunctionParams& params, 543 ScopedVector<ZygoteForkDelegate> fork_delegates) { 544 g_am_zygote_or_renderer = true; 545 sandbox::InitLibcUrandomOverrides(); 546 547 base::Closure *post_fork_parent_callback = NULL; 548 549 LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); 550 551 #if defined(ADDRESS_SANITIZER) 552 const std::string sancov_file_name = 553 "zygote." + base::Uint64ToString(base::RandUint64()); 554 base::ScopedFD sancov_file_fd( 555 __sanitizer_maybe_open_cov_file(sancov_file_name.c_str())); 556 int sancov_socket_fds[2] = {-1, -1}; 557 CreateSanitizerCoverageSocketPair(sancov_socket_fds); 558 linux_sandbox->sanitizer_args()->coverage_sandboxed = 1; 559 linux_sandbox->sanitizer_args()->coverage_fd = sancov_socket_fds[1]; 560 linux_sandbox->sanitizer_args()->coverage_max_block_size = 561 kSanitizerMaxMessageLength; 562 // Zygote termination will block until the helper process exits, which will 563 // not happen until the write end of the socket is closed everywhere. Make 564 // sure the init process does not hold on to it. 565 base::Closure close_sancov_socket_fds = 566 base::Bind(&CloseFdPair, sancov_socket_fds); 567 post_fork_parent_callback = &close_sancov_socket_fds; 568 #endif 569 570 // This will pre-initialize the various sandboxes that need it. 571 linux_sandbox->PreinitializeSandbox(); 572 573 const bool must_enable_setuid_sandbox = 574 linux_sandbox->setuid_sandbox_client()->IsSuidSandboxChild(); 575 if (must_enable_setuid_sandbox) { 576 linux_sandbox->setuid_sandbox_client()->CloseDummyFile(); 577 578 // Let the ZygoteHost know we're booting up. 579 CHECK(UnixDomainSocket::SendMsg(kZygoteSocketPairFd, 580 kZygoteBootMessage, 581 sizeof(kZygoteBootMessage), 582 std::vector<int>())); 583 } 584 585 VLOG(1) << "ZygoteMain: initializing " << fork_delegates.size() 586 << " fork delegates"; 587 for (ScopedVector<ZygoteForkDelegate>::iterator i = fork_delegates.begin(); 588 i != fork_delegates.end(); 589 ++i) { 590 (*i)->Init(GetSandboxFD(), must_enable_setuid_sandbox); 591 } 592 593 // Turn on the first layer of the sandbox if the configuration warrants it. 594 EnterLayerOneSandbox(linux_sandbox, must_enable_setuid_sandbox, 595 post_fork_parent_callback); 596 597 std::vector<pid_t> extra_children; 598 std::vector<int> extra_fds; 599 600 #if defined(ADDRESS_SANITIZER) 601 pid_t sancov_helper_pid = ForkSanitizerCoverageHelper( 602 sancov_socket_fds[0], sancov_socket_fds[1], sancov_file_fd.Pass()); 603 // It's important that the zygote reaps the helper before dying. Otherwise, 604 // the destruction of the PID namespace could kill the helper before it 605 // completes its I/O tasks. |sancov_helper_pid| will exit once the last 606 // renderer holding the write end of |sancov_socket_fds| closes it. 607 extra_children.push_back(sancov_helper_pid); 608 // Sanitizer code in the renderers will inherit the write end of the socket 609 // from the zygote. We must keep it open until the very end of the zygote's 610 // lifetime, even though we don't explicitly use it. 611 extra_fds.push_back(sancov_socket_fds[1]); 612 #endif 613 614 int sandbox_flags = linux_sandbox->GetStatus(); 615 bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID; 616 CHECK_EQ(must_enable_setuid_sandbox, setuid_sandbox_engaged); 617 618 Zygote zygote(sandbox_flags, fork_delegates.Pass(), extra_children, 619 extra_fds); 620 // This function call can return multiple times, once per fork(). 621 return zygote.ProcessRequests(); 622 } 623 624 } // namespace content 625