Chromium Code Reviews| Index: content/common/child_process_host.h |
| =================================================================== |
| --- content/common/child_process_host.h (revision 97870) |
| +++ content/common/child_process_host.h (working copy) |
| @@ -33,6 +33,43 @@ |
| class ChildProcessHost : public IPC::Channel::Listener, |
| public IPC::Message::Sender { |
| public: |
| + |
| + // These flags may be passed to GetChildPath in order to alter its behavior, |
| + // causing it to return a child path more suited to a specific task. |
| + enum { |
| + // No special behavior requested. |
| + CHILD_NORMAL = 0, |
| + |
| +#if defined(OS_LINUX) |
| + // Indicates that the child execed after forking may be execced from |
| + // /proc/self/exe rather than using the "real" app path. This prevents |
| + // autoupdate from confusing us if it changes the file out from under us. |
| + // You will generally want to set this to true, except when there is an |
|
TVL
2011/08/24 01:21:34
"to true" here isn't right. needs a tweak since i
|
| + // override to the command line (for example, we're forking a renderer in |
| + // gdb). In this case, you'd use GetChildPath to get the real executable |
| + // file name, and then prepend the GDB command to the command line. |
| + CHILD_ALLOW_SELF = 1 << 0, |
| +#elif defined(OS_MACOSX) |
| + |
| + // Requests that the child run in a process that does not have the |
| + // PIE (position-independent executable) bit set, effectively disabling |
| + // ASLR. For process types that need to allocate a large contiguous |
| + // region, ASLR may not leave a large enough "hole" for the purpose. This |
| + // This option should be used sparingly, and only when absolutely |
| + // necessary. This option is currently incompatible with |
| + // CHILD_ALLOW_HEAP_EXECUTION. |
| + CHILD_NO_PIE = 1 << 1, |
| + |
| + // Requests that the child run in a process that does not protect the |
| + // heap against execution. Normally, heap pages may be made executable |
| + // with mprotect, so this mode should be used sparingly. It is intended |
| + // for processes that may host plug-ins that expect an executable heap |
| + // without having to call mprotect. This option is currently incompatible |
| + // with CHILD_NO_PIE. |
| + CHILD_ALLOW_HEAP_EXECUTION = 1 << 2, |
| +#endif |
| + }; |
| + |
| virtual ~ChildProcessHost(); |
| // Returns the pathname to be used for a child process. If a subprocess |
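Review bot: In the OS_MACOSX branch, CHILD_NO_PIE and CHILD_ALLOW_HEAP_EXECUTION are each documented as incompatible with the other, but they are independent bits of an anonymous enum passed as `int`, so `CHILD_NO_PIE | CHILD_ALLOW_HEAP_EXECUTION` compiles and the header does not say what GetChildPath does with it. Both flags switch off an exploit mitigation (ASLR, non-executable heap), so the combination should fail visibly rather than silently resolve to one of them; I would state the outcome in both comments and, if the .cc (not visible here) does not already do so, add a check along the lines of `DCHECK(!((flags & CHILD_NO_PIE) && (flags & CHILD_ALLOW_HEAP_EXECUTION)));`. Two wording fixes in the same comments: the CHILD_NO_PIE text has a doubled "This" across the line break, and the sentence "Normally, heap pages may be made executable with mprotect, so this mode should be used sparingly" would read better as `// Normally the heap is non-executable unless a page is explicitly made executable with mprotect; this mode drops that protection, so use it sparingly.`. The class body continues outside this hunk.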
| @@ -40,16 +77,12 @@ |
| // the default child process pathname will be returned. On most platforms, |
| // this will be the same as the currently-executing process. |
| // |
| - // The argument allow_self is used on Linux to indicate that we allow us to |
| - // fork from /proc/self/exe rather than using the "real" app path. This |
| - // prevents autoupdate from confusing us if it changes the file out from |
| - // under us. You will generally want to set this to true, except when there |
| - // is an override to the command line (for example, we're forking a renderer |
| - // in gdb). In this case, you'd use GetChildPath to get the real executable |
| - // file name, and then prepend the GDB command to the command line. |
| + // The |flags| argument accepts one or more flags such as CHILD_ALLOW_SELF |
| + // CHILD_ALLOW_HEAP_EXECUTION as defined above. Pass only CHILD_NORMAL if |
| + // none of these special behaviors are required. |
| // |
| // On failure, returns an empty FilePath. |
| - static FilePath GetChildPath(bool allow_self); |
| + static FilePath GetChildPath(int flags); |
| #if defined(OS_WIN) |
| // See comments in the cc file. This is a common hack needed for a process |