Chromium Code Reviews Chromium Code Reviews
Issue 8589001:
Load mac sandbox definitions from resources instead of the bundle. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
|
jeremy
2011/11/25 19:53:16
Did you remove these lines on purpose?
jochen (gone - plz use gerrit)
2011/11/25 20:30:16
Oops, good catch!
| |
| 3 // found in the LICENSE file. | 1 // found in the LICENSE file. |
| 4 | 2 |
| 5 #include "content/public/common/sandbox_init.h" | 3 #include "content/public/common/sandbox_init.h" |
| 6 | 4 |
| 7 #include "base/command_line.h" | 5 #include "base/command_line.h" |
| 8 #include "base/file_path.h" | 6 #include "base/file_path.h" |
| 9 #include "base/logging.h" | 7 #include "base/logging.h" |
| 10 #include "content/common/sandbox_mac.h" | 8 #include "content/common/sandbox_mac.h" |
| 11 #include "content/public/common/content_switches.h" | 9 #include "content/public/common/content_switches.h" |
| 12 | 10 |
| 13 namespace content { | 11 namespace content { |
| 14 | 12 |
| 15 bool InitializeSandbox() { | 13 bool InitializeSandbox(int sandbox_type, const FilePath& allowed_dir) { |
| 16 using sandbox::Sandbox; | 14 // Warm up APIs before turning on the sandbox. |
| 15 sandbox::Sandbox::SandboxWarmup(sandbox_type); | |
| 16 | |
| 17 // Actually sandbox the process. | |
| 18 return sandbox::Sandbox::EnableSandbox(sandbox_type, allowed_dir); | |
| 19 } | |
| 20 | |
| 21 // Fill in |sandbox_type| and |allowed_dir| based on the command line, returns | |
| 22 // false if the current process type doesn't need to be sandboxed or if the | |
| 23 // sandbox was disabled from the command line. | |
| 24 bool GetSandboxTypeFromCommandLine(int* sandbox_type, | |
| 25 FilePath* allowed_dir) { | |
| 26 DCHECK(sandbox_type); | |
| 27 DCHECK(allowed_dir); | |
| 28 | |
| 29 *sandbox_type = -1; | |
| 30 *allowed_dir = FilePath(); // Empty by default. | |
| 17 | 31 |
| 18 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 32 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
| 19 if (command_line.HasSwitch(switches::kNoSandbox)) | 33 if (command_line.HasSwitch(switches::kNoSandbox)) |
| 20 return true; | 34 return false; |
| 21 | |
| 22 Sandbox::SandboxProcessType sandbox_process_type; | |
| 23 FilePath allowed_dir; // Empty by default. | |
| 24 | 35 |
| 25 std::string process_type = | 36 std::string process_type = |
| 26 command_line.GetSwitchValueASCII(switches::kProcessType); | 37 command_line.GetSwitchValueASCII(switches::kProcessType); |
| 27 if (process_type.empty()) { | 38 if (process_type.empty()) { |
| 28 // Browser process isn't sandboxed. | 39 // Browser process isn't sandboxed. |
| 29 return true; | 40 return false; |
| 30 } else if (process_type == switches::kRendererProcess) { | 41 } else if (process_type == switches::kRendererProcess) { |
| 31 if (!command_line.HasSwitch(switches::kDisable3DAPIs) && | 42 if (!command_line.HasSwitch(switches::kDisable3DAPIs) && |
| 32 !command_line.HasSwitch(switches::kDisableExperimentalWebGL) && | 43 !command_line.HasSwitch(switches::kDisableExperimentalWebGL) && |
| 33 command_line.HasSwitch(switches::kInProcessWebGL)) { | 44 command_line.HasSwitch(switches::kInProcessWebGL)) { |
| 34 // TODO(kbr): this check seems to be necessary only on this | 45 // TODO(kbr): this check seems to be necessary only on this |
| 35 // platform because the sandbox is initialized later. Remove | 46 // platform because the sandbox is initialized later. Remove |
| 36 // this once this flag is removed. | 47 // this once this flag is removed. |
| 37 return true; | 48 return false; |
| 38 } else { | 49 } else { |
| 39 sandbox_process_type = Sandbox::SANDBOX_TYPE_RENDERER; | 50 *sandbox_type = SANDBOX_TYPE_RENDERER; |
| 40 } | 51 } |
| 41 } else if (process_type == switches::kUtilityProcess) { | 52 } else if (process_type == switches::kUtilityProcess) { |
| 42 // Utility process sandbox. | 53 // Utility process sandbox. |
| 43 sandbox_process_type = Sandbox::SANDBOX_TYPE_UTILITY; | 54 *sandbox_type = SANDBOX_TYPE_UTILITY; |
| 44 allowed_dir = | 55 *allowed_dir = |
| 45 command_line.GetSwitchValuePath(switches::kUtilityProcessAllowedDir); | 56 command_line.GetSwitchValuePath(switches::kUtilityProcessAllowedDir); |
| 46 } else if (process_type == switches::kWorkerProcess) { | 57 } else if (process_type == switches::kWorkerProcess) { |
| 47 // Worker process sandbox. | 58 // Worker process sandbox. |
| 48 sandbox_process_type = Sandbox::SANDBOX_TYPE_WORKER; | 59 *sandbox_type = SANDBOX_TYPE_WORKER; |
| 49 } else if (process_type == switches::kNaClLoaderProcess) { | |
| 50 // Native Client sel_ldr (user untrusted code) sandbox. | |
| 51 sandbox_process_type = Sandbox::SANDBOX_TYPE_NACL_LOADER; | |
| 52 } else if (process_type == switches::kGpuProcess) { | 60 } else if (process_type == switches::kGpuProcess) { |
| 53 sandbox_process_type = Sandbox::SANDBOX_TYPE_GPU; | 61 *sandbox_type = SANDBOX_TYPE_GPU; |
| 54 } else if ((process_type == switches::kPluginProcess) || | 62 } else if ((process_type == switches::kPluginProcess) || |
| 55 (process_type == switches::kServiceProcess) || | 63 (process_type == switches::kServiceProcess) || |
| 56 (process_type == switches::kPpapiBrokerProcess)) { | 64 (process_type == switches::kPpapiBrokerProcess)) { |
| 57 return true; | 65 return false; |
| 58 } else if (process_type == switches::kPpapiPluginProcess) { | 66 } else if (process_type == switches::kPpapiPluginProcess) { |
| 59 sandbox_process_type = Sandbox::SANDBOX_TYPE_PPAPI; | 67 *sandbox_type = SANDBOX_TYPE_PPAPI; |
| 60 } else { | 68 } else { |
| 61 // Failsafe: If you hit an unreached here, is your new process type in need | 69 // Failsafe: If you hit an unreached here, is your new process type in need |
| 62 // of sandboxing? | 70 // of sandboxing? |
| 63 NOTREACHED() << "Unknown process type " << process_type; | 71 NOTREACHED() << "Unknown process type " << process_type; |
| 72 return false; | |
| 73 } | |
| 74 return true; | |
| 75 } | |
| 76 | |
| 77 bool InitializeSandbox() { | |
| 78 int sandbox_type = 0; | |
| 79 FilePath allowed_dir; | |
| 80 if (!GetSandboxTypeFromCommandLine(&sandbox_type, &allowed_dir)) | |
| 64 return true; | 81 return true; |
| 65 } | 82 return InitializeSandbox(sandbox_type, allowed_dir); |
| 66 | |
| 67 // Warm up APIs before turning on the sandbox. | |
| 68 Sandbox::SandboxWarmup(sandbox_process_type); | |
| 69 | |
| 70 // Actually sandbox the process. | |
| 71 return Sandbox::EnableSandbox(sandbox_process_type, allowed_dir); | |
| 72 } | 83 } |
| 73 | 84 |
| 74 } // namespace content | 85 } // namespace content |
| OLD | NEW |
