chrome/browser/gpu.sb - Issue 5580002: Mac: Tell the GPU sandbox to deny a few things.

Side by Side Diff: chrome/browser/gpu.sb

Issue 5580002: Mac: Tell the GPU sandbox to deny a few things. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: works in release Created 10 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 ;;	1 ;;

2 ;; Copyright (c) 2010 The Chromium Authors. All rights reserved.	2 ;; Copyright (c) 2010 The Chromium Authors. All rights reserved.

3 ;; Use of this source code is governed by a BSD-style license that can be	3 ;; Use of this source code is governed by a BSD-style license that can be

4 ;; found in the LICENSE file.	4 ;; found in the LICENSE file.

5 ;;	5 ;;

6	6

7 ; * The contents of chrome/common/common.sb are implicitly included here. *	7 ; * The contents of chrome/common/common.sb are implicitly included here. *

8	8

9 ; TODO(thakis): Deny most things by default.	9 ; The GPU process opens a shared memory file to communicate with the renderer.

10 (allow default)	10 ; This is backed by a file in /var/folders.

	11 (allow file-read* file-write* (regex "^/(private/)?(tmp\|var)(/\|$)"))
	jeremy 2010/12/03 14:22:09 I'm a bit apprehensive about opening this since th I'm a bit apprehensive about opening this since this will allow access to any file in /tmp or /var. Would it be possible to have the browser be the one to allocate the shared memory file and send the handle back to the GPU process? The OS is smart enough to allow file access in the Sandbox to FDs sent over IPC. (sidenote, you should only need /private/tmp here and not /tmp since the sandbox operates on normalized paths and /tmp is just a symlink). Nico 2010/12/04 00:26:10 Worth thinking about…I've filed a bug and put in a Show quoted text On 2010/12/03 14:22:09, jeremy wrote: > I'm a bit apprehensive about opening this since this will allow access to any > file in /tmp or /var. > > Would it be possible to have the browser be the one to allocate the shared > memory file and send the handle back to the GPU process? The OS is smart enough > to allow file access in the Sandbox to FDs sent over IPC. Worth thinking about…I've filed a bug and put in a TODO. Show quoted text > (sidenote, you should only need /private/tmp here and not /tmp since the sandbox > operates on normalized paths and /tmp is just a symlink). Done. Nico 2010/12/04 01:58:36 Turns out that the ringbuffer creation fails if I Show quoted text On 2010/12/04 00:26:10, Nico wrote: > On 2010/12/03 14:22:09, jeremy wrote: > > I'm a bit apprehensive about opening this since this will allow access to any > > file in /tmp or /var. > > > > Would it be possible to have the browser be the one to allocate the shared > > memory file and send the handle back to the GPU process? The OS is smart > enough > > to allow file access in the Sandbox to FDs sent over IPC. > > Worth thinking about…I've filed a bug and put in a TODO. > > > (sidenote, you should only need /private/tmp here and not /tmp since the > sandbox > > operates on normalized paths and /tmp is just a symlink). > > Done. Turns out that the ringbuffer creation fails if I replace (private/)? with private/, so I undid this change.
	12

	13 ; Without this, the GPU process prints

	14 ; *** CFMessagePort: bootstrap_register(): failed 268435459 (0x10000003) '(ipc/s end) invalid destination port', port = 0x5907, name = 'com.apple.tsm.portname'

	15 ; That's probably harmless, but allowing the look-up is also probably harmless.
	jeremy 2010/12/03 14:22:09 I don't think you need this comment. Perhaps some I don't think you need this comment. Perhaps something like: Allow communication between the GPU process and UI server. Another piece of useful information would be the system call that needs this. Nico 2010/12/04 00:26:10 Done. Show quoted text On 2010/12/03 14:22:09, jeremy wrote: > I don't think you need this comment. Perhaps something like: > Allow communication between the GPU process and UI server. Done. Show quoted text > Another piece of useful information would be the system call that needs this. It's this stack: *** Sandbox Exception: pid: 17186 0 Chromium Framework 0x00d20d10 base::debug::StackTrace::StackTrace() + 32 1 Chromium Framework 0x001a8cc4 (anonymous namespace)::SandboxBlockedExceptionHandler(int) + 69 2 libSystem.B.dylib 0x93ac01fb _sigtramp + 43 3 ??? 0xffffffff 0x0 + 4294967295 4 libSystem.B.dylib 0x93a719f1 vproc_mig_look_up2 + 229 5 libSystem.B.dylib 0x93a717cc bootstrap_look_up2 + 294 6 libSystem.B.dylib 0x93a716a4 bootstrap_look_up + 55 7 libSystem.B.dylib 0x93b699b2 _asl_get_global_server_port + 88 8 libSystem.B.dylib 0x93ab6bfd asl_open + 73 9 CoreFoundation 0x99753074 __CFLogCString + 116 10 CoreFoundation 0x99752fee _CFLogvEx + 334 11 CoreFoundation 0x9975ea6a CFLog + 58 12 CoreFoundation 0x996e67c5 __CFMessagePortCreateLocal + 1765 13 HIToolbox 0x977f2015 InitializeTSMMessageReceiving + 137 14 HIToolbox 0x977f1e49 InitTSMFirstEventTime + 180 15 HIToolbox 0x977f1461 _FirstEventTime + 1204 16 HIToolbox 0x977f0e44 RunCurrentEventLoopInMode + 48 17 HIToolbox 0x977f0c8d ReceiveNextEventCommon + 158 18 HIToolbox 0x977f0bd6 BlockUntilNextEventMatchingListInMode + 81 19 AppKit 0x98bdda89 _DPSNextEvent + 847 20 AppKit 0x98bdd2ca -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 156 21 AppKit 0x98b9f55b -[NSApplication run] + 821 22 Chromium Framework 0x00d08004 base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate) + 130 23 Chromium Framework 0x00d085f3 base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate) + 175 24 Chromium Framework 0x00d3fa79 MessageLoop::RunInternal() + 209 25 Chromium Framework 0x00d3fa93 MessageLoop::RunHandler() + 17 26 Chromium Framework 0x00d3faf7 MessageLoop::Run() + 35 27 Chromium Framework 0x00b88984 GpuMain(MainFunctionParams const&) + 1556 28 Chromium Framework 0x00008c36 (anonymous namespace)::RunNamedProcessTypeMain(std::string const&, MainFunctionParams const&) + 78 29 Chromium Framework 0x000088d6 ChromeMain + 3496 30 Chromium Helper 0x00001f52 main + 24 31 Chromium Helper 0x00001f0e start + 54 2010-12-03 21:14:16.383 Chromium Helper[17186:107] * CFMessagePort: bootstrap_register(): failed 268435459 (0x10000003) '(ipc/send) invalid destination port', port = 0x5907, name = 'com.apple.tsm.portname' See /usr/include/servers/bootstrap_defs.h for the error codes. (happens only in Debug) I don't think including any one of the function names in this stack really helps. jeremy** 2010/12/05 08:04:50 Are you sure you need this? Does this cause thing Are you sure you need this? Does this cause things to not work, or just print a warning? Apologies for pressing the point, just wanted to make sure this is as minimal as possible.
	16 (allow mach-lookup (global-name "com.apple.tsm.uiserver"))

	17

	18 ; From renderer.sb
	jeremy 2010/12/03 14:22:09 Could you change this comment to the system call t Could you change this comment to the system call that needs this. I'm also fine with removing the comment since this is pretty harmless. Nico 2010/12/04 00:26:10 Done, removed the comment. Show quoted text On 2010/12/03 14:22:09, jeremy wrote: > Could you change this comment to the system call that needs this. I'm also fine > with removing the comment since this is pretty harmless. Done, removed the comment.
	19 (allow file-read-metadata (literal "/"))

OLD	NEW

« no previous file with comments | « no previous file | chrome/common/chrome_switches.cc » ('j') | chrome/common/sandbox_mac.h » ('J')