Give plug-in processes an executable heap and disable PIE/ASLR for Native

content/common/child_process_host.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_COMMON_CHILD_PROCESS_HOST_H_
 #define CONTENT_COMMON_CHILD_PROCESS_HOST_H_
 #pragma once
 
 #include <string>
 #include <vector>
@@ skipping 15 matching lines @@
 namespace IPC {
 class Message;
 }
 
 // Provides common functionality for hosting a child process and processing IPC
 // messages between the host and the child process. Subclasses are responsible
 // for the actual launching and terminating of the child processes.
 class ChildProcessHost : public IPC::Channel::Listener,
                          public IPC::Message::Sender {
  public:
+
+  // These flags may be passed to GetChildPath in order to alter its behavior,
+  // causing it to return a child path more suited to a specific task.
+  enum {
+    // No special behavior requested.
+    CHILD_NORMAL = 0,
+
+#if defined(OS_LINUX)
+    // Indicates that the child execed after forking may be execced from
+    // /proc/self/exe rather than using the "real" app path. This prevents
+    // autoupdate from confusing us if it changes the file out from under us.
+    // You will generally want to set this to true, except when there is an

[TVL, 2011/08/24 01:21:34]

"to true" here isn't right.  needs a tweak since it's now on a flag.

+    // override to the command line (for example, we're forking a renderer in
+    // gdb). In this case, you'd use GetChildPath to get the real executable
+    // file name, and then prepend the GDB command to the command line.
+    CHILD_ALLOW_SELF = 1 << 0,
+#elif defined(OS_MACOSX)
+
+    // Requests that the child run in a process that does not have the
+    // PIE (position-independent executable) bit set, effectively disabling
+    // ASLR. For process types that need to allocate a large contiguous
+    // region, ASLR may not leave a large enough "hole" for the purpose. This
+    // This option should be used sparingly, and only when absolutely
+    // necessary. This option is currently incompatible with
+    // CHILD_ALLOW_HEAP_EXECUTION.
+    CHILD_NO_PIE = 1 << 1,
+
+    // Requests that the child run in a process that does not protect the
+    // heap against execution. Normally, heap pages may be made executable
+    // with mprotect, so this mode should be used sparingly. It is intended
+    // for processes that may host plug-ins that expect an executable heap
+    // without having to call mprotect. This option is currently incompatible
+    // with CHILD_NO_PIE.
+    CHILD_ALLOW_HEAP_EXECUTION = 1 << 2,
+#endif
+  };
+
   virtual ~ChildProcessHost();
 
   // Returns the pathname to be used for a child process.  If a subprocess
   // pathname was specified on the command line, that will be used.  Otherwise,
   // the default child process pathname will be returned.  On most platforms,
   // this will be the same as the currently-executing process.
   //
-  // The argument allow_self is used on Linux to indicate that we allow us to
-  // fork from /proc/self/exe rather than using the "real" app path. This
-  // prevents autoupdate from confusing us if it changes the file out from
-  // under us. You will generally want to set this to true, except when there
-  // is an override to the command line (for example, we're forking a renderer
-  // in gdb). In this case, you'd use GetChildPath to get the real executable
-  // file name, and then prepend the GDB command to the command line.
+  // The |flags| argument accepts one or more flags such as CHILD_ALLOW_SELF
+  // CHILD_ALLOW_HEAP_EXECUTION as defined above. Pass only CHILD_NORMAL if
+  // none of these special behaviors are required.
   //
   // On failure, returns an empty FilePath.
-  static FilePath GetChildPath(bool allow_self);
+  static FilePath GetChildPath(int flags);
 
 #if defined(OS_WIN)
   // See comments in the cc file. This is a common hack needed for a process
   // hosting a sandboxed child process. Hence it lives in this file.
   static void PreCacheFont(LOGFONT font);
 #endif  // defined(OS_WIN)
 
   // IPC::Message::Sender implementation.
   virtual bool Send(IPC::Message* message);
 
@@ skipping 54 matching lines @@
 
   // Holds all the IPC message filters.  Since this object lives on the IO
   // thread, we don't have a IPC::ChannelProxy and so we manage filters
   // manually.
   std::vector<scoped_refptr<IPC::ChannelProxy::MessageFilter> > filters_;
 
   DISALLOW_COPY_AND_ASSIGN(ChildProcessHost);
 };
 
 #endif  // CONTENT_COMMON_CHILD_PROCESS_HOST_H_