Give plug-in processes an executable heap and disable PIE/ASLR for Native

content/common/child_process_host.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/child_process_host.h"
 
 #include "base/command_line.h"
 #include "base/file_path.h"
 #include "base/metrics/histogram.h"
 #include "base/path_service.h"
 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
 #include "content/common/child_process_info.h"
 #include "content/common/child_process_messages.h"
 #include "content/common/content_paths.h"
 #include "content/common/content_switches.h"
 #include "ipc/ipc_logging.h"
 
 #if defined(OS_LINUX)
 #include "base/linux_util.h"
 #endif  // OS_LINUX
 
+#if defined(OS_MACOSX)
+namespace {
+
+// Given |path| identifying a Mac-style child process executable path, adjusts
+// it to correspond to |feature|. For a child process path such as
+// ".../Chromium Helper.app/Contents/MacOS/Chromium Helper", the transformed
+// path for feature "NP" would be
+// ".../Chromium Helper NP.app/Contents/MacOS/Chromium Helper NP". The new
+// path is returned.
+FilePath TransformPathForFeature(const FilePath& path,
+                                 const std::string& feature) {
+  std::string basename = path.BaseName().value();
+
+  FilePath macos_path = path.DirName();
+  const char kMacOSName[] = "MacOS";
+  CHECK_EQ(kMacOSName, macos_path.BaseName().value());
+
+  FilePath contents_path = macos_path.DirName();
+  const char kContentsName[] = "Contents";
+  CHECK_EQ(kContentsName, contents_path.BaseName().value());
+
+  FilePath helper_app_path = contents_path.DirName();
+  const char kAppExtension[] = ".app";
+  std::string basename_app = basename;
+  basename_app.append(kAppExtension);
+  CHECK_EQ(basename_app, helper_app_path.BaseName().value());
+
+  FilePath root_path = helper_app_path.DirName();
+
+  std::string new_basename = basename;
+  new_basename.append(1, ' ');
+  new_basename.append(feature);
+  std::string new_basename_app = new_basename;
+  new_basename_app.append(kAppExtension);
+
+  FilePath new_path = root_path.Append(new_basename_app)
+                               .Append(kContentsName)
+                               .Append(kMacOSName)
+                               .Append(new_basename);
+
+  return new_path;
+}
+
+}  // namespace
+#endif  // OS_MACOSX
+
 ChildProcessHost::ChildProcessHost()
     : ALLOW_THIS_IN_INITIALIZER_LIST(listener_(this)),
       opening_channel_(false) {
 }
 
 ChildProcessHost::~ChildProcessHost() {
   for (size_t i = 0; i < filters_.size(); ++i) {
     filters_[i]->OnChannelClosing();
     filters_[i]->OnFilterRemoved();
   }
 }
 
 void ChildProcessHost::AddFilter(IPC::ChannelProxy::MessageFilter* filter) {
   filters_.push_back(filter);
 
   if (channel_.get())
     filter->OnFilterAdded(channel_.get());
 }
 
 // static
-FilePath ChildProcessHost::GetChildPath(bool allow_self) {
+FilePath ChildProcessHost::GetChildPath(int flags) {
   FilePath child_path;
 
   child_path = CommandLine::ForCurrentProcess()->GetSwitchValuePath(
       switches::kBrowserSubprocessPath);
   if (!child_path.empty())
     return child_path;
 
 #if defined(OS_LINUX)
   // Use /proc/self/exe rather than our known binary path so updates
   // can't swap out the binary from underneath us.
   // When running under Valgrind, forking /proc/self/exe ends up forking the
   // Valgrind executable, which then crashes. However, it's almost safe to
   // assume that the updates won't happen while testing with Valgrind tools.
-  if (allow_self && !RunningOnValgrind())
+  if (flags & CHILD_ALLOW_SELF && !RunningOnValgrind())
     return FilePath("/proc/self/exe");
 #endif
 
   // On most platforms, the child executable is the same as the current
   // executable.
   PathService::Get(content::CHILD_PROCESS_EXE, &child_path);
+
+#if defined(OS_MACOSX)
+  DCHECK(!(flags & CHILD_NO_PIE && flags & CHILD_ALLOW_HEAP_EXECUTION));
+
+  // If needed, choose an executable with special flags set that inform the
+  // kernel to enable or disable specific optional process-wide features.
+  if (flags & CHILD_NO_PIE) {
+    // "NP" is "No PIE".
+    child_path = TransformPathForFeature(child_path, "NP");
+  } else if (flags & CHILD_ALLOW_HEAP_EXECUTION) {
+    // "EH" is "Executable Heap". A non-executable heap is only available to
+    // 32-bit processes on Mac OS X 10.7. Most code can and should run with a
+    // non-executable heap, but the "EH" feature is provided to allow code
+    // intolerant of a non-executable heap to work properly on 10.7.
+    child_path = TransformPathForFeature(child_path, "EH");
+  }
+#endif
+
   return child_path;
 }
 
 #if defined(OS_WIN)
 // static
 void ChildProcessHost::PreCacheFont(LOGFONT font) {
   // If a child process is running in a sandbox, GetTextMetrics()
   // can sometimes fail. If a font has not been loaded
   // previously, GetTextMetrics() will try to load the font
   // from the font file. However, the sandboxed process does
@@ skipping 149 matching lines @@
   for (size_t i = 0; i < host_->filters_.size(); ++i)
     host_->filters_[i]->OnChannelError();
 
   // This will delete host_, which will also destroy this!
   host_->OnChildDied();
 }
 
 void ChildProcessHost::ForceShutdown() {
   Send(new ChildProcessMsg_Shutdown());
 }