OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/public/common/sandbox_init.h" | 5 #include "content/public/common/sandbox_init.h" |
6 | 6 |
7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
8 #include "base/file_path.h" | 8 #include "base/file_path.h" |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "content/common/sandbox_mac.h" | 10 #include "content/common/sandbox_mac.h" |
11 #include "content/public/common/content_switches.h" | 11 #include "content/public/common/content_switches.h" |
12 #include "grit/content_resources.h" | |
12 | 13 |
13 namespace content { | 14 namespace content { |
14 | 15 |
15 bool InitializeSandbox() { | 16 bool InitializeSandbox(int sandbox_definition_resource_id) { |
jeremy
2011/11/17 13:36:11
I would refactor this into 3 functions:
Initialize
| |
17 using sandbox::Sandbox; | |
18 | |
19 // Warm up APIs before turning on the sandbox. | |
20 Sandbox::SandboxWarmup(sandbox_definition_resource_id); | |
21 | |
22 // Actually sandbox the process. | |
23 return Sandbox::EnableSandbox(sandbox_definition_resource_id, FilePath()); | |
24 } | |
25 | |
26 bool InitializeSandboxFromProcessType() { | |
16 using sandbox::Sandbox; | 27 using sandbox::Sandbox; |
17 | 28 |
18 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); | 29 const CommandLine& command_line = *CommandLine::ForCurrentProcess(); |
19 if (command_line.HasSwitch(switches::kNoSandbox)) | 30 if (command_line.HasSwitch(switches::kNoSandbox)) |
20 return true; | 31 return true; |
21 | 32 |
22 Sandbox::SandboxProcessType sandbox_process_type; | 33 int sandbox_definition_resource_id; |
23 FilePath allowed_dir; // Empty by default. | 34 FilePath allowed_dir; // Empty by default. |
24 | 35 |
25 std::string process_type = | 36 std::string process_type = |
26 command_line.GetSwitchValueASCII(switches::kProcessType); | 37 command_line.GetSwitchValueASCII(switches::kProcessType); |
27 if (process_type.empty()) { | 38 if (process_type.empty()) { |
28 // Browser process isn't sandboxed. | 39 // Browser process isn't sandboxed. |
29 return true; | 40 return true; |
30 } else if (process_type == switches::kRendererProcess) { | 41 } else if (process_type == switches::kRendererProcess) { |
31 if (!command_line.HasSwitch(switches::kDisable3DAPIs) && | 42 if (!command_line.HasSwitch(switches::kDisable3DAPIs) && |
32 !command_line.HasSwitch(switches::kDisableExperimentalWebGL) && | 43 !command_line.HasSwitch(switches::kDisableExperimentalWebGL) && |
33 command_line.HasSwitch(switches::kInProcessWebGL)) { | 44 command_line.HasSwitch(switches::kInProcessWebGL)) { |
34 // TODO(kbr): this check seems to be necessary only on this | 45 // TODO(kbr): this check seems to be necessary only on this |
35 // platform because the sandbox is initialized later. Remove | 46 // platform because the sandbox is initialized later. Remove |
36 // this once this flag is removed. | 47 // this once this flag is removed. |
37 return true; | 48 return true; |
38 } else { | 49 } else { |
39 sandbox_process_type = Sandbox::SANDBOX_TYPE_RENDERER; | 50 sandbox_definition_resource_id = IDR_RENDERER_SANDBOX_DEFINITION; |
40 } | 51 } |
41 } else if (process_type == switches::kUtilityProcess) { | 52 } else if (process_type == switches::kUtilityProcess) { |
42 // Utility process sandbox. | 53 // Utility process sandbox. |
43 sandbox_process_type = Sandbox::SANDBOX_TYPE_UTILITY; | 54 sandbox_definition_resource_id = IDR_UTILITY_SANDBOX_DEFINITION; |
44 allowed_dir = | 55 allowed_dir = |
45 command_line.GetSwitchValuePath(switches::kUtilityProcessAllowedDir); | 56 command_line.GetSwitchValuePath(switches::kUtilityProcessAllowedDir); |
46 } else if (process_type == switches::kWorkerProcess) { | 57 } else if (process_type == switches::kWorkerProcess) { |
47 // Worker process sandbox. | 58 // Worker process sandbox. |
48 sandbox_process_type = Sandbox::SANDBOX_TYPE_WORKER; | 59 sandbox_definition_resource_id = IDR_WORKER_SANDBOX_DEFINITION; |
49 } else if (process_type == switches::kNaClLoaderProcess) { | |
50 // Native Client sel_ldr (user untrusted code) sandbox. | |
51 sandbox_process_type = Sandbox::SANDBOX_TYPE_NACL_LOADER; | |
52 } else if (process_type == switches::kGpuProcess) { | 60 } else if (process_type == switches::kGpuProcess) { |
53 sandbox_process_type = Sandbox::SANDBOX_TYPE_GPU; | 61 sandbox_definition_resource_id = IDR_GPU_SANDBOX_DEFINITION; |
54 } else if ((process_type == switches::kPluginProcess) || | 62 } else if ((process_type == switches::kPluginProcess) || |
55 (process_type == switches::kServiceProcess) || | 63 (process_type == switches::kServiceProcess) || |
56 (process_type == switches::kPpapiBrokerProcess)) { | 64 (process_type == switches::kPpapiBrokerProcess)) { |
57 return true; | 65 return true; |
58 } else if (process_type == switches::kPpapiPluginProcess) { | 66 } else if (process_type == switches::kPpapiPluginProcess) { |
59 sandbox_process_type = Sandbox::SANDBOX_TYPE_PPAPI; | 67 sandbox_definition_resource_id = IDR_PPAPI_SANDBOX_DEFINITION; |
60 } else { | 68 } else { |
61 // Failsafe: If you hit an unreached here, is your new process type in need | 69 // Failsafe: If you hit an unreached here, is your new process type in need |
62 // of sandboxing? | 70 // of sandboxing? |
63 NOTREACHED() << "Unknown process type " << process_type; | 71 NOTREACHED() << "Unknown process type " << process_type; |
64 return true; | 72 return true; |
65 } | 73 } |
66 | 74 |
67 // Warm up APIs before turning on the sandbox. | 75 // Warm up APIs before turning on the sandbox. |
68 Sandbox::SandboxWarmup(sandbox_process_type); | 76 Sandbox::SandboxWarmup(sandbox_definition_resource_id); |
69 | 77 |
70 // Actually sandbox the process. | 78 // Actually sandbox the process. |
71 return Sandbox::EnableSandbox(sandbox_process_type, allowed_dir); | 79 return Sandbox::EnableSandbox(sandbox_definition_resource_id, allowed_dir); |
72 } | 80 } |
73 | 81 |
74 } // namespace content | 82 } // namespace content |
OLD | NEW |