
Side by Side Diff: content/common/sandbox_init_mac.cc

Issue 8589001: Load mac sandbox definitions from resources instead of the bundle. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: updates Created 9 years ago
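--- a/content/common/sandbox_init_mac.cc
+++ b/content/common/sandbox_init_mac.cc
@@ -1,74 +1,87 @@
 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/public/common/sandbox_init.h"
 
 #include "base/command_line.h"
 #include "base/file_path.h"
 #include "base/logging.h"
 #include "content/common/sandbox_mac.h"
 #include "content/public/common/content_switches.h"
 
 namespace content {
 
-bool InitializeSandbox() {
-using sandbox::Sandbox;
+bool InitializeSandbox(int sandbox_type, const FilePath& allowed_dir) {
+// Warm up APIs before turning on the sandbox.
+sandbox::Sandbox::SandboxWarmup(sandbox_type);
+
+// Actually sandbox the process.
+return sandbox::Sandbox::EnableSandbox(sandbox_type, allowed_dir);
+}
+
+// Fill in |sandbox_type| and |allowed_dir| based on the command line, returns
+// false if the current process type doesn't need to be sandboxed or if the
+// sandbox was disabled from the command line.
+bool GetSandboxTypeFromCommandLine(int* sandbox_type,
+FilePath* allowed_dir) {
+DCHECK(sandbox_type);
+DCHECK(allowed_dir);
+
+*sandbox_type = -1;
+*allowed_dir = FilePath(); // Empty by default.
 
 const CommandLine& command_line = *CommandLine::ForCurrentProcess();
 if (command_line.HasSwitch(switches::kNoSandbox))
-return true;
-
-Sandbox::SandboxProcessType sandbox_process_type;
-FilePath allowed_dir; // Empty by default.
+return false;
 
 std::string process_type =
 command_line.GetSwitchValueASCII(switches::kProcessType);
 if (process_type.empty()) {
 // Browser process isn't sandboxed.
-return true;
+return false;
 } else if (process_type == switches::kRendererProcess) {
 if (!command_line.HasSwitch(switches::kDisable3DAPIs) &&
 !command_line.HasSwitch(switches::kDisableExperimentalWebGL) &&
 command_line.HasSwitch(switches::kInProcessWebGL)) {
 // TODO(kbr): this check seems to be necessary only on this
 // platform because the sandbox is initialized later. Remove
 // this once this flag is removed.
-return true;
+return false;
 } else {
-sandbox_process_type = Sandbox::SANDBOX_TYPE_RENDERER;
+*sandbox_type = SANDBOX_TYPE_RENDERER;
 }
 } else if (process_type == switches::kUtilityProcess) {
 // Utility process sandbox.
-sandbox_process_type = Sandbox::SANDBOX_TYPE_UTILITY;
-allowed_dir =
+*sandbox_type = SANDBOX_TYPE_UTILITY;
+*allowed_dir =
 command_line.GetSwitchValuePath(switches::kUtilityProcessAllowedDir);
 } else if (process_type == switches::kWorkerProcess) {
 // Worker process sandbox.
-sandbox_process_type = Sandbox::SANDBOX_TYPE_WORKER;
-} else if (process_type == switches::kNaClLoaderProcess) {
-// Native Client sel_ldr (user untrusted code) sandbox.
-sandbox_process_type = Sandbox::SANDBOX_TYPE_NACL_LOADER;
+*sandbox_type = SANDBOX_TYPE_WORKER;
 } else if (process_type == switches::kGpuProcess) {
-sandbox_process_type = Sandbox::SANDBOX_TYPE_GPU;
+*sandbox_type = SANDBOX_TYPE_GPU;
 } else if ((process_type == switches::kPluginProcess) ||
 (process_type == switches::kServiceProcess) ||
 (process_type == switches::kPpapiBrokerProcess)) {
-return true;
+return false;
 } else if (process_type == switches::kPpapiPluginProcess) {
-sandbox_process_type = Sandbox::SANDBOX_TYPE_PPAPI;
+*sandbox_type = SANDBOX_TYPE_PPAPI;
 } else {
 // Failsafe: If you hit an unreached here, is your new process type in need
 // of sandboxing?
 NOTREACHED() << "Unknown process type " << process_type;
+return false;
+}
+return true;
+}
+
+bool InitializeSandbox() {
+int sandbox_type = 0;
+FilePath allowed_dir;
+if (!GetSandboxTypeFromCommandLine(&sandbox_type, &allowed_dir))
 return true;
-}
-
-// Warm up APIs before turning on the sandbox.
-Sandbox::SandboxWarmup(sandbox_process_type);
-
-// Actually sandbox the process.
-return Sandbox::EnableSandbox(sandbox_process_type, allowed_dir);
+return InitializeSandbox(sandbox_type, allowed_dir);
 }
 
 } // namespace content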
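Review bot: The failsafe `else` branch at the end of `GetSandboxTypeFromCommandLine` returns false, and the zero-argument `InitializeSandbox()` maps every false to `return true`, so an unrecognised `--type` value is reported as a successful initialization with no sandbox applied. If `NOTREACHED()` is compiled out of release builds, nothing stops or records this; consider making the branch fatal, e.g. `LOG(FATAL) << "Unknown process type " << process_type;`, or giving the helper a way to tell "deliberately unsandboxed" apart from "unknown type". The `kNaClLoaderProcess` case is no longer handled here, so presumably the NaCl loader now calls the two-argument `InitializeSandbox` directly; any path that still reaches the zero-argument overload with that type would land in this same fail-open branch. The two-argument overload also accepts any `int`, including the `-1` sentinel, with no range check before `EnableSandbox`, so a short comment naming the valid `SANDBOX_TYPE_*` range (or a `DCHECK` on it) would help callers.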