Refactor OS X sandbox processing and audit sandbox files

content/common/sandbox_mac.mm

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_mac.h"
 
 #import <Cocoa/Cocoa.h>
 
 #include <CoreFoundation/CFTimeZone.h>
 extern "C" {
@@ skipping 26 matching lines @@
 #include "content/grit/content_resources.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "third_party/icu/source/common/unicode/uchar.h"
 #include "ui/base/layout.h"
 #include "ui/gl/gl_surface.h"
 
 extern "C" {
 void CGSSetDenyWindowServerConnections(bool);
 void CGSShutdownServerConnections();
+
+void* sandbox_create_params();
+int sandbox_set_param(void* params, const char* key, const char* value);
+void* sandbox_compile_string(const char* profile_str,
+                             void* params,
+                             char** error);
+int sandbox_apply(void* profile);
+void sandbox_free_params(void* params);
+void sandbox_free_profile(void* profile);
 };
 
 namespace content {
 namespace {
 
 // Is the sandbox currently active.
 bool gSandboxIsActive = false;
 
 struct SandboxTypeToResourceIDMapping {
   SandboxType sandbox_type;
   int sandbox_profile_resource_id;
 };
 
+// This is the internal definition of the structure used by sandbox parameters
+// on OS X 10.6.
+struct SandboxParams {
+  void* buf;
+  size_t count;
+  size_t size;
+};
+
 // Mapping from sandbox process types to resource IDs containing the sandbox
 // profile for all process types known to content.
 SandboxTypeToResourceIDMapping kDefaultSandboxTypeToResourceIDMapping[] = {
   { SANDBOX_TYPE_RENDERER, IDR_RENDERER_SANDBOX_PROFILE },
   { SANDBOX_TYPE_UTILITY,  IDR_UTILITY_SANDBOX_PROFILE },
   { SANDBOX_TYPE_GPU,      IDR_GPU_SANDBOX_PROFILE },
   { SANDBOX_TYPE_PPAPI,    IDR_PPAPI_SANDBOX_PROFILE },
 };
 
 static_assert(arraysize(kDefaultSandboxTypeToResourceIDMapping) == \
@@ skipping 40 matching lines @@
 // in a central place.
 NOINLINE void FatalStringQuoteException(const std::string& str) {
   // Copy bad string to the stack so it's recorded in the crash dump.
   char bad_string[256] = {0};
   base::strlcpy(bad_string, str.c_str(), arraysize(bad_string));
   DLOG(FATAL) << "String quoting failed " << bad_string;
 }
 
 }  // namespace
 
-// static
-NSString* Sandbox::AllowMetadataForPath(const base::FilePath& allowed_path) {
-  // Collect a list of all parent directories.
-  base::FilePath last_path = allowed_path;
-  std::vector<base::FilePath> subpaths;
-  for (base::FilePath path = allowed_path;
-       path.value() != last_path.value();
-       path = path.DirName()) {
-    subpaths.push_back(path);
-    last_path = path;
+SandboxCompiler::SandboxCompiler(const std::string& profile_str)
+    : params_map_(), profile_str_(profile_str) {
+}
+
+SandboxCompiler::~SandboxCompiler() {
+}
+
+bool SandboxCompiler::InsertBooleanParam(const std::string& key, bool value) {
+  return params_map_.insert(std::make_pair(key, value ? "TRUE" : "FALSE"))
+      .second;
+}
+
+bool SandboxCompiler::InsertStringParam(const std::string& key,
+                                        const std::string& value) {
+  return params_map_.insert(std::make_pair(key, value)).second;
+}
+
+void SandboxCompiler::FreeSandboxResources(void* profile,
+                                           void* params,
+                                           char* error) {
+  if (error)
+    sandbox_free_error(error);
+  if (params)
+    sandbox_free_params(params);
+  if (profile)
+    sandbox_free_profile(profile);
+}
+
+bool SandboxCompiler::CompileAndApplyProfile(std::string* error) {
+  char* error_internal = nullptr;
+  void* profile = nullptr;
+  void* params = nullptr;
+
+  if (!params_map_.empty()) {
+    if (base::mac::IsOSSnowLeopard()) {
+      // This is a workaround for 10.6, see crbug.com/509114.
+      // Check that there is no integer overflow.
+      base::CheckedNumeric<size_t> checked_size = params_map_.size();
+      checked_size *= 2;
+      if (!checked_size.IsValid())
+        return false;
+
+      SandboxParams* internal_params =
+          static_cast<SandboxParams*>(malloc(sizeof(SandboxParams)));
+      internal_params->buf = calloc(checked_size.ValueOrDie(), sizeof(void*));
+      internal_params->count = 0;
+      internal_params->size = checked_size.ValueOrDie();
+      params = internal_params;
+    } else {
+      params = sandbox_create_params();
+      if (!params)
+        return false;
+    }
+
+    for (const auto& kv : params_map_)
+      sandbox_set_param(params, kv.first.c_str(), kv.second.c_str());
   }
 
-  // Iterate through all parents and allow stat() on them explicitly.
-  NSString* sandbox_command = @"(allow file-read-metadata ";
-  for (std::vector<base::FilePath>::reverse_iterator i = subpaths.rbegin();
-       i != subpaths.rend();
-       ++i) {
-    std::string subdir_escaped;
-    if (!QuotePlainString(i->value(), &subdir_escaped)) {
-      FatalStringQuoteException(i->value());
-      return nil;
-    }
-
-    NSString* subdir_escaped_ns =
-        base::SysUTF8ToNSString(subdir_escaped.c_str());
-    sandbox_command =
-        [sandbox_command stringByAppendingFormat:@"(literal \"%@\")",
-            subdir_escaped_ns];
+  profile =
+      sandbox_compile_string(profile_str_.c_str(), params, &error_internal);
+  if (!profile) {
+    error->assign(error_internal);
+    FreeSandboxResources(profile, params, error_internal);
+    return false;
   }
 
-  return [sandbox_command stringByAppendingString:@")"];
+  int result = sandbox_apply(profile);
+  FreeSandboxResources(profile, params, error_internal);
+  return result == 0;
 }
 
 // static
 bool Sandbox::QuotePlainString(const std::string& src_utf8, std::string* dst) {
   dst->clear();
 
   const char* src = src_utf8.c_str();
   int32_t length = src_utf8.length();
   int32_t position = 0;
   while (position < length) {
@@ skipping 182 matching lines @@
     // Shutting down the connection requires connecting to WindowServer,
     // so do this before actually engaging the sandbox. This is only done on
     // 10.8 and higher because doing it on earlier OSes causes layout tests to
     // fail <http://crbug.com/397642#c48>. This may cause two log messages to
     // be printed to the system logger on certain OS versions.
     CGSSetDenyWindowServerConnections(true);
     CGSShutdownServerConnections();
   }
 }
 
-// static
-NSString* Sandbox::BuildAllowDirectoryAccessSandboxString(
-    const base::FilePath& allowed_dir,
-    SandboxVariableSubstitions* substitutions) {
-  // A whitelist is used to determine which directories can be statted
-  // This means that in the case of an /a/b/c/d/ directory, we may be able to
-  // stat the leaf directory, but not its parent.
-  // The extension code in Chrome calls realpath() which fails if it can't call
-  // stat() on one of the parent directories in the path.
-  // The solution to this is to allow statting the parent directories themselves
-  // but not their contents.  We need to add a separate rule for each parent
-  // directory.
-
-  // The sandbox only understands "real" paths.  This resolving step is
-  // needed so the caller doesn't need to worry about things like /var
-  // being a link to /private/var (like in the paths CreateNewTempDirectory()
-  // returns).
-  base::FilePath allowed_dir_canonical = GetCanonicalSandboxPath(allowed_dir);
-
-  NSString* sandbox_command = AllowMetadataForPath(allowed_dir_canonical);
-  sandbox_command = [sandbox_command
-      substringToIndex:[sandbox_command length] - 1];  // strip trailing ')'
-
-  // Finally append the leaf directory.  Unlike its parents (for which only
-  // stat() should be allowed), the leaf directory needs full access.
-  (*substitutions)["ALLOWED_DIR"] =
-      SandboxSubstring(allowed_dir_canonical.value(),
-                       SandboxSubstring::REGEX);
-  sandbox_command =
-      [sandbox_command
-          stringByAppendingString:@") (allow file-read* file-write*"
-                                   " (regex #\"@ALLOWED_DIR@\") )"];
-  return sandbox_command;
-}
-
 // Load the appropriate template for the given sandbox type.
 // Returns the template as an NSString or nil on error.
 NSString* LoadSandboxTemplate(int sandbox_type) {
   // We use a custom sandbox definition to lock things down as tightly as
   // possible.
   int sandbox_profile_resource_id = -1;
 
   // Find resource id for sandbox profile to use for the specific sandbox type.
   for (size_t i = 0;
        i < arraysize(kDefaultSandboxTypeToResourceIDMapping);
@@ skipping 37 matching lines @@
 
   base::scoped_nsobject<NSString> sandbox_data(
       [[NSString alloc] initWithBytes:sandbox_definition.data()
                                length:sandbox_definition.length()
                              encoding:NSUTF8StringEncoding]);
 
   // Prefix sandbox_data with common_sandbox_prefix_data.
   return [common_sandbox_prefix_data stringByAppendingString:sandbox_data];
 }
 
-// static
-bool Sandbox::PostProcessSandboxProfile(
-        NSString* sandbox_template,
-        NSArray* comments_to_remove,
-        SandboxVariableSubstitions& substitutions,
-        std::string *final_sandbox_profile_str) {
-  NSString* sandbox_data = [[sandbox_template copy] autorelease];
-
-  // Remove comments, e.g. ;10.7_OR_ABOVE .
-  for (NSString* to_remove in comments_to_remove) {
-    sandbox_data = [sandbox_data stringByReplacingOccurrencesOfString:to_remove
-                                                           withString:@""];
-  }
-
-  // Split string on "@" characters.
-  std::vector<std::string> raw_sandbox_pieces = base::SplitString(
-      [sandbox_data UTF8String], "@", base::KEEP_WHITESPACE,
-      base::SPLIT_WANT_NONEMPTY);
-  if (raw_sandbox_pieces.empty()) {
-    DLOG(FATAL) << "Bad Sandbox profile, should contain at least one token ("
-                << [sandbox_data UTF8String]
-                << ")";
-    return false;
-  }
-
-  // Iterate over string pieces and substitute variables, escaping as necessary.
-  size_t output_string_length = 0;
-  std::vector<std::string> processed_sandbox_pieces(raw_sandbox_pieces.size());
-  for (std::vector<std::string>::iterator it = raw_sandbox_pieces.begin();
-       it != raw_sandbox_pieces.end();
-       ++it) {
-    std::string new_piece;
-    SandboxVariableSubstitions::iterator replacement_it =
-        substitutions.find(*it);
-    if (replacement_it == substitutions.end()) {
-      new_piece = *it;
-    } else {
-      // Found something to substitute.
-      SandboxSubstring& replacement = replacement_it->second;
-      switch (replacement.type()) {
-        case SandboxSubstring::PLAIN:
-          new_piece = replacement.value();
-          break;
-
-        case SandboxSubstring::LITERAL:
-          if (!QuotePlainString(replacement.value(), &new_piece))
-            FatalStringQuoteException(replacement.value());
-          break;
-
-        case SandboxSubstring::REGEX:
-          if (!QuoteStringForRegex(replacement.value(), &new_piece))
-            FatalStringQuoteException(replacement.value());
-          break;
-      }
-    }
-    output_string_length += new_piece.size();
-    processed_sandbox_pieces.push_back(new_piece);
-  }
-
-  // Build final output string.
-  final_sandbox_profile_str->reserve(output_string_length);
-
-  for (std::vector<std::string>::iterator it = processed_sandbox_pieces.begin();
-       it != processed_sandbox_pieces.end();
-       ++it) {
-    final_sandbox_profile_str->append(*it);
-  }
-  return true;
-}
-
-
 // Turns on the OS X sandbox for this process.
 
 // static
 bool Sandbox::EnableSandbox(int sandbox_type,
                             const base::FilePath& allowed_dir) {
   // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being
   // passed in.
   if (sandbox_type < SANDBOX_TYPE_AFTER_LAST_TYPE &&
       sandbox_type != SANDBOX_TYPE_UTILITY) {
     DCHECK(allowed_dir.empty())
         << "Only SANDBOX_TYPE_UTILITY allows a custom directory parameter.";
   }
 
   NSString* sandbox_data = LoadSandboxTemplate(sandbox_type);
   if (!sandbox_data) {
     return false;
   }
 
-  SandboxVariableSubstitions substitutions;
+  SandboxCompiler compiler([sandbox_data UTF8String]);
+
   if (!allowed_dir.empty()) {
-    // Add the sandbox commands necessary to access the given directory.
-    // Note: this function must be called before PostProcessSandboxProfile()
-    // since the string it inserts contains variables that need substitution.
-    NSString* allowed_dir_sandbox_command =
-        BuildAllowDirectoryAccessSandboxString(allowed_dir, &substitutions);
-
-    if (allowed_dir_sandbox_command) {  // May be nil if function fails.
-      sandbox_data = [sandbox_data
-          stringByReplacingOccurrencesOfString:@";ENABLE_DIRECTORY_ACCESS"
-                                    withString:allowed_dir_sandbox_command];
+    // Add the sandbox parameters necessary to access the given directory.
+    base::FilePath allowed_dir_canonical = GetCanonicalSandboxPath(allowed_dir);
+    std::string regex;
+    if (!QuoteStringForRegex(allowed_dir_canonical.value(), &regex)) {
+      FatalStringQuoteException(allowed_dir_canonical.value());
+      return false;
     }
+    if (!compiler.InsertStringParam("PERMITTED_DIR", regex))
+      return false;
   }
 
-  NSMutableArray* tokens_to_remove = [NSMutableArray array];
-
   // Enable verbose logging if enabled on the command line. (See common.sb
   // for details).
   const base::CommandLine* command_line =
       base::CommandLine::ForCurrentProcess();
   bool enable_logging =
       command_line->HasSwitch(switches::kEnableSandboxLogging);;
-  if (enable_logging) {
-    [tokens_to_remove addObject:@";ENABLE_LOGGING"];
-  }
-
-  bool lion_or_later = base::mac::IsOSLionOrLater();
+  if (!compiler.InsertBooleanParam("ENABLE_LOGGING", enable_logging))
+    return false;
 
   // Without this, the sandbox will print a message to the system log every
   // time it denies a request.  This floods the console with useless spew.
-  if (!enable_logging) {
-    substitutions["DISABLE_SANDBOX_DENIAL_LOGGING"] =
-        SandboxSubstring("(with no-log)");
-  } else {
-    substitutions["DISABLE_SANDBOX_DENIAL_LOGGING"] = SandboxSubstring("");
-  }
+  if (!compiler.InsertBooleanParam("DISABLE_SANDBOX_DENIAL_LOGGING",
+                                   !enable_logging))
+    return false;
 
   // Splice the path of the user's home directory into the sandbox profile
   // (see renderer.sb for details).
   std::string home_dir = [NSHomeDirectory() fileSystemRepresentation];
 
   base::FilePath home_dir_canonical =
       GetCanonicalSandboxPath(base::FilePath(home_dir));
 
-  substitutions["USER_HOMEDIR_AS_LITERAL"] =
-      SandboxSubstring(home_dir_canonical.value(),
-          SandboxSubstring::LITERAL);
-
-  if (lion_or_later) {
-    // >=10.7 Sandbox rules.
-    [tokens_to_remove addObject:@";10.7_OR_ABOVE"];
+  std::string quoted_home_dir;
+  if (!QuotePlainString(home_dir_canonical.value(), &quoted_home_dir)) {
+    FatalStringQuoteException(home_dir_canonical.value());
+    return false;
   }
 
-  substitutions["COMPONENT_BUILD_WORKAROUND"] = SandboxSubstring("");
+  if (!compiler.InsertStringParam("USER_HOMEDIR_AS_LITERAL", quoted_home_dir))
+    return false;
+
+  bool lion_or_later = base::mac::IsOSLionOrLater();
+  if (!compiler.InsertBooleanParam("LION_OR_LATER", lion_or_later))
+    return false;
+
 #if defined(COMPONENT_BUILD)
   // dlopen() fails without file-read-metadata access if the executable image
   // contains LC_RPATH load commands. The components build uses those.
   // See http://crbug.com/127465
   if (base::mac::IsOSSnowLeopard()) {
-    base::FilePath bundle_executable = base::mac::NSStringToFilePath(
-        [base::mac::MainBundle() executablePath]);
-    NSString* sandbox_command = AllowMetadataForPath(
-        GetCanonicalSandboxPath(bundle_executable));
-    substitutions["COMPONENT_BUILD_WORKAROUND"] =
-        SandboxSubstring(base::SysNSStringToUTF8(sandbox_command));
+    if (!compiler.InsertBooleanParam("COMPONENT_BUILD_WORKAROUND", true))
+      return false;
   }
 #endif
 
-  // All information needed to assemble the final profile has been collected.
-  // Merge it all together.
-  std::string final_sandbox_profile_str;
-  if (!PostProcessSandboxProfile(sandbox_data, tokens_to_remove, substitutions,
-                                 &final_sandbox_profile_str)) {
-    return false;
-  }
-
   // Initialize sandbox.
-  char* error_buff = NULL;
-  int error = sandbox_init(final_sandbox_profile_str.c_str(), 0, &error_buff);
-  bool success = (error == 0 && error_buff == NULL);
-  DLOG_IF(FATAL, !success) << "Failed to initialize sandbox: "
-                           << error
-                           << " "
-                           << error_buff;
-  sandbox_free_error(error_buff);
+  std::string error_str;
+  bool success = compiler.CompileAndApplyProfile(&error_str);
+  DLOG_IF(FATAL, !success) << "Failed to initialize sandbox: " << error_str;
   gSandboxIsActive = success;
   return success;
 }
 
 // static
 bool Sandbox::SandboxIsCurrentlyActive() {
   return gSandboxIsActive;
 }
 
 // static
 base::FilePath Sandbox::GetCanonicalSandboxPath(const base::FilePath& path) {
   base::ScopedFD fd(HANDLE_EINTR(open(path.value().c_str(), O_RDONLY)));
   if (!fd.is_valid()) {
     DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "
                  << path.value();
     return path;
   }
 
   base::FilePath::CharType canonical_path[MAXPATHLEN];
   if (HANDLE_EINTR(fcntl(fd.get(), F_GETPATH, canonical_path)) != 0) {
     DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "
                  << path.value();
     return path;
   }
 
   return base::FilePath(canonical_path);
 }
 
 }  // namespace content