1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "content/renderer/renderer_main_platform_delegate.h" 6 7 #include <errno.h> 8 #include <sys/stat.h> 9 10 #include "base/command_line.h" 11 #include "base/files/file_util.h" 12 #include "base/logging.h" 13 #include "content/common/sandbox_linux/sandbox_linux.h" 14 #include "content/public/common/content_switches.h" 15 #include "content/public/common/sandbox_init.h" 16 17 #ifdef ENABLE_VTUNE_JIT_INTERFACE 18 #include "v8/src/third_party/vtune/v8-vtune.h" 19 #endif 20 21 namespace content { 22 23 RendererMainPlatformDelegate::RendererMainPlatformDelegate( 24 const MainFunctionParams& parameters) 25 : parameters_(parameters) { 26 } 27 28 RendererMainPlatformDelegate::~RendererMainPlatformDelegate() { 29 } 30 31 void RendererMainPlatformDelegate::PlatformInitialize() { 32 #ifdef ENABLE_VTUNE_JIT_INTERFACE 33 const CommandLine& command_line = parameters_.command_line; 34 if (command_line.HasSwitch(switches::kEnableVtune)) 35 vTune::InitializeVtuneForV8(); 36 #endif 37 } 38 39 void RendererMainPlatformDelegate::PlatformUninitialize() { 40 } 41 42 bool RendererMainPlatformDelegate::EnableSandbox() { 43 // The setuid sandbox is started in the zygote process: zygote_main_linux.cc 44 // http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox 45 // 46 // Anything else is started in InitializeSandbox(). 47 LinuxSandbox::InitializeSandbox(); 48 // about:sandbox uses a value returned from LinuxSandbox::GetStatus() before 49 // any renderer has been started. 50 // Here, we test that the status of SeccompBpf in the renderer is consistent 51 // with what LinuxSandbox::GetStatus() said we would do. 52 class LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); 53 if (linux_sandbox->GetStatus() & kSandboxLinuxSeccompBPF) { 54 CHECK(linux_sandbox->seccomp_bpf_started()); 55 } 56 57 // Under the setuid sandbox, we should not be able to open any file via the 58 // filesystem. 59 if (linux_sandbox->GetStatus() & kSandboxLinuxSUID) { 60 CHECK(!base::PathExists(base::FilePath("/proc/cpuinfo"))); 61 } 62 63 #if defined(__x86_64__) 64 // Limit this test to architectures where seccomp BPF is active in renderers. 65 if (linux_sandbox->seccomp_bpf_started()) { 66 errno = 0; 67 // This should normally return EBADF since the first argument is bogus, 68 // but we know that under the seccomp-bpf sandbox, this should return EPERM. 69 CHECK_EQ(fchmod(-1, 07777), -1); 70 CHECK_EQ(errno, EPERM); 71 } 72 #endif // __x86_64__ 73 74 return true; 75 } 76 77 } // namespace content 78