1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
--- content/app/content_main_runner_impl.cc.orig 2022-06-17 14:20:10 UTC
+++ content/app/content_main_runner_impl.cc
@@ -128,13 +128,13 @@
#include "base/posix/global_descriptors.h"
#include "content/public/common/content_descriptors.h"
-#if !BUILDFLAG(IS_MAC)
+#if !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_BSD)
#include "content/public/common/zygote/zygote_fork_delegate_linux.h"
#endif
#endif // BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_BSD)
#include "base/native_library.h"
#include "base/rand_util.h"
#include "content/public/common/zygote/sandbox_support_linux.h"
@@ -173,6 +173,10 @@
#include "media/base/media_switches.h"
#endif
+#if BUILDFLAG(IS_BSD)
+#include "base/system/sys_info.h"
+#endif
+
#if BUILDFLAG(IS_ANDROID)
#include "base/system/sys_info.h"
#include "content/browser/android/battery_metrics.h"
@@ -356,7 +360,7 @@ void InitializeZygoteSandboxForBrowserProcess(
}
#endif // BUILDFLAG(USE_ZYGOTE_HANDLE)
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_BSD)
#if BUILDFLAG(ENABLE_PLUGINS)
// Loads the (native) libraries but does not initialize them (i.e., does not
@@ -392,7 +396,7 @@ void PreloadLibraryCdms() {
}
#endif // BUILDFLAG(ENABLE_LIBRARY_CDMS)
-#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+#if BUILDFLAG(USE_ZYGOTE_HANDLE) || BUILDFLAG(IS_BSD)
void PreSandboxInit() {
// Pre-acquire resources needed by BoringSSL. See
// https://boringssl.googlesource.com/boringssl/+/HEAD/SANDBOXING.md
@@ -408,6 +412,11 @@ void PreSandboxInit() {
#endif
InitializeWebRtcModule();
+#if BUILDFLAG(IS_BSD)
+ // "cache" the amount of physical memory before pledge(2)
+ base::SysInfo::AmountOfPhysicalMemoryMB();
+#endif
+
// Set the android SkFontMgr for blink. We need to ensure this is done
// before the sandbox is initialized to allow the font manager to access
// font configuration files on disk.
@@ -577,7 +586,7 @@ int NO_STACK_PROTECTOR RunZygote(ContentMainDelegate*
delegate->ZygoteStarting(&zygote_fork_delegates);
media::InitializeMediaLibrary();
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_BSD)
PreSandboxInit();
#endif
@@ -763,11 +772,10 @@ int ContentMainRunnerImpl::Initialize(ContentMainParam
kFieldTrialDescriptor + base::GlobalDescriptors::kBaseDescriptor);
#endif // !BUILDFLAG(IS_ANDROID)
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_OPENBSD)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
g_fds->Set(kCrashDumpSignal,
kCrashDumpSignal + base::GlobalDescriptors::kBaseDescriptor);
-#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) ||
- // BUILDFLAG(IS_OPENBSD)
+#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
#endif // !BUILDFLAG(IS_WIN)
@@ -944,6 +952,16 @@ int ContentMainRunnerImpl::Initialize(ContentMainParam
}
#endif
+#if BUILDFLAG(IS_BSD)
+ if (process_type.empty()) {
+ sandbox::policy::SandboxLinux::Options sandbox_options;
+ sandbox::policy::SandboxLinux::GetInstance()->InitializeSandbox(
+ sandbox::policy::SandboxTypeFromCommandLine(
+ *base::CommandLine::ForCurrentProcess()),
+ sandbox::policy::SandboxLinux::PreSandboxHook(), sandbox_options);
+ }
+#endif
+
delegate_->SandboxInitialized(process_type);
#if BUILDFLAG(USE_ZYGOTE_HANDLE)
@@ -999,7 +1017,7 @@ int NO_STACK_PROTECTOR ContentMainRunnerImpl::Run() {
mojo::core::InitFeatures();
}
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_BSD)
// If dynamic Mojo Core is being used, ensure that it's loaded very early in
// the child/zygote process, before any sandbox is initialized. The library
// is not fully initialized with IPC support until a ChildProcess is later
@@ -1032,6 +1050,11 @@ int NO_STACK_PROTECTOR ContentMainRunnerImpl::Run() {
content_main_params_.reset();
RegisterMainThreadFactories();
+
+#if BUILDFLAG(IS_BSD)
+ if (!process_type.empty())
+ PreSandboxInit();
+#endif
if (process_type.empty())
return RunBrowser(std::move(main_params), start_minimal_browser);
|
