1 files changed, 93 insertions, 0 deletions

diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.cc
new file mode 100644
index 0000000000..3baf1f13d9
--- /dev/null
+++ b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.cc
@@ -0,0 +1,93 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/seccomp-bpf/die.h"
+
+#include <errno.h>
+#include <signal.h>
+#include <stdio.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+#include <string>
+
+#include "base/logging.h"
+#include "base/posix/eintr_wrapper.h"
+#include "sandbox/linux/seccomp-bpf/syscall.h"
+#include "sandbox/linux/services/syscall_wrappers.h"
+#include "sandbox/linux/system_headers/linux_signal.h"
+
+namespace sandbox {
+
+void Die::ExitGroup() {
+  // exit_group() should exit our program. After all, it is defined as a
+  // function that doesn't return. But things can theoretically go wrong.
+  // Especially, since we are dealing with system call filters. Continuing
+  // execution would be very bad in most cases where ExitGroup() gets called.
+  // So, we'll try a few other strategies too.
+  Syscall::Call(__NR_exit_group, 1);
+
+  // We have no idea what our run-time environment looks like. So, signal
+  // handlers might or might not do the right thing. Try to reset settings
+  // to a defined state; but we have not way to verify whether we actually
+  // succeeded in doing so. Nonetheless, triggering a fatal signal could help
+  // us terminate.
+  struct sigaction sa = {};
+  sa.sa_handler = LINUX_SIG_DFL;
+  sa.sa_flags = LINUX_SA_RESTART;
+  sys_sigaction(LINUX_SIGSEGV, &sa, nullptr);
+  Syscall::Call(__NR_prctl, PR_SET_DUMPABLE, (void*)0, (void*)0, (void*)0);
+  if (*(volatile char*)0) {
+  }
+
+  // If there is no way for us to ask for the program to exit, the next
+  // best thing we can do is to loop indefinitely. Maybe, somebody will notice
+  // and file a bug...
+  // We in fact retry the system call inside of our loop so that it will
+  // stand out when somebody tries to diagnose the problem by using "strace".
+  for (;;) {
+    Syscall::Call(__NR_exit_group, 1);
+  }
+}
+
+void Die::SandboxDie(const char* msg, const char* file, int line) {
+  if (simple_exit_) {
+    LogToStderr(msg, file, line);
+  } else {
+    logging::LogMessage(file, line, logging::LOG_FATAL).stream() << msg;
+  }
+  ExitGroup();
+}
+
+void Die::RawSandboxDie(const char* msg) {
+  if (!msg)
+    msg = "";
+  RAW_LOG(FATAL, msg);
+  ExitGroup();
+}
+
+void Die::SandboxInfo(const char* msg, const char* file, int line) {
+  if (!suppress_info_) {
+    logging::LogMessage(file, line, logging::LOG_INFO).stream() << msg;
+  }
+}
+
+void Die::LogToStderr(const char* msg, const char* file, int line) {
+  if (msg) {
+    char buf[40];
+    snprintf(buf, sizeof(buf), "%d", line);
+    std::string s = std::string(file) + ":" + buf + ":" + msg + "\n";
+
+    // No need to loop. Short write()s are unlikely and if they happen we
+    // probably prefer them over a loop that blocks.
+    ignore_result(
+        HANDLE_EINTR(Syscall::Call(__NR_write, 2, s.c_str(), s.length())));
+  }
+}
+
+bool Die::simple_exit_ = false;
+bool Die::suppress_info_ = false;
+
+}  // namespace sandbox