Fix forwarding of XPC messages to launchd on 10.10 and higher.

sandbox/mac/launchd_interception_server.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/mac/launchd_interception_server.h"
 
 #include <servers/bootstrap.h>
 
 #include "base/logging.h"
 #include "base/mac/mac_util.h"
 #include "base/mac/mach_logging.h"
 #include "sandbox/mac/bootstrap_sandbox.h"
 #include "sandbox/mac/mach_message_server.h"
 #include "sandbox/mac/os_compatibility.h"
 #include "sandbox/mac/xpc_message_server.h"
 
 namespace sandbox {
 
 // The buffer size for all launchd messages. This comes from
 // sizeof(union __RequestUnion__vproc_mig_job_subsystem) in launchd, and it
 // is larger than the __ReplyUnion.
 const mach_msg_size_t kBufferSize = 2096;
 
 LaunchdInterceptionServer::LaunchdInterceptionServer(
     const BootstrapSandbox* sandbox)
     : sandbox_(sandbox),
+      xpc_launchd_(false),
       sandbox_port_(MACH_PORT_NULL),
       compat_shim_(OSCompatibility::CreateForPlatform()) {
 }
 
 LaunchdInterceptionServer::~LaunchdInterceptionServer() {
 }
 
 bool LaunchdInterceptionServer::Initialize(mach_port_t server_receive_right) {
   mach_port_t task = mach_task_self();
   kern_return_t kr;
 
   // Allocate the dummy sandbox port.
   mach_port_t port;
   if ((kr = mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE, &port)) !=
           KERN_SUCCESS) {
     MACH_LOG(ERROR, kr) << "Failed to allocate dummy sandbox port.";
     return false;
   }
   sandbox_port_.reset(port);
   if ((kr = mach_port_insert_right(task, sandbox_port_, sandbox_port_,
           MACH_MSG_TYPE_MAKE_SEND) != KERN_SUCCESS)) {
     MACH_LOG(ERROR, kr) << "Failed to allocate dummy sandbox port send right.";
     return false;
   }
   sandbox_send_port_.reset(sandbox_port_);
 
   if (base::mac::IsOSYosemiteOrLater()) {
     message_server_.reset(new XPCMessageServer(this, server_receive_right));
+    xpc_launchd_ = true;
   } else {
     message_server_.reset(
         new MachMessageServer(this, server_receive_right, kBufferSize));
   }
   return message_server_->Initialize();
 }
 
 void LaunchdInterceptionServer::DemuxMessage(IPCMessage request) {
   const uint64_t message_subsystem =
       compat_shim_->GetMessageSubsystem(request);
@@ skipping 87 matching lines @@
   // VPROC_GSK_MGR_PID and VPROC_GSK_TRANSACTIONS_ENABLED.
   if (compat_shim_->IsSwapIntegerReadOnly(request)) {
     VLOG(2) << "Forwarding vproc swap_integer message.";
     ForwardMessage(request);
   } else {
     VLOG(2) << "Rejecting non-read-only swap_integer message.";
     message_server_->RejectMessage(request, BOOTSTRAP_NOT_PRIVILEGED);
   }
 }
 void LaunchdInterceptionServer::ForwardMessage(IPCMessage request) {
+  // If launchd is using XPC, then when the request is forwarded, it must
+  // contain a valid domain port. Because the client processes are sandboxed,
+  // they have not had their launchd domains uncorked (and launchd will
+  // reject the message as being from an invalid client). Instead, provide the
+  // original bootstrap as the domain port, so launchd services the request
+  // as if it were coming from the sandbox host process (this).
+  if (xpc_launchd_) {
+    mach_port_t domain_port = sandbox_->real_bootstrap_port();
+    kern_return_t kr = mach_port_mod_refs(mach_task_self(), domain_port,

[Mark Mentovai, 2015/08/27 03:27:00]

I assume you’re doing this because xpc consumes a send right.

Is there anything set for domain-port to begin with? If so, do you need to
release it?

[Robert Sesek, 2015/08/27 14:59:52]

I thought so and several examples (in old WebKit…) I found did so. But after
checking the disassembly and it actually does the mod_refs for you. And then I
checked WebKit ToT and found this:
https://github.com/WebKit/webkit/commit/d710fe9a03d386b0abba4b8558d68644cf19701e.
Removed the mod_refs.
There shouldn't be a domain-port set to begin with. If it is, it'll be from a
sandboxed client so we shouldn't trust it. But if one were present, XPC will
release it when replacing the value (so much nicer than raw Mach).

+                                          MACH_PORT_RIGHT_SEND, 1);
+    if (kr == KERN_SUCCESS)
+      xpc_dictionary_set_mach_send(request.xpc, "domain-port", domain_port);
+    else
+      MACH_LOG(ERROR, kr) << "mach_port_mod_refs real_bootstrap_port";
+  }
+
   message_server_->ForwardMessage(request, sandbox_->real_bootstrap_port());
 }
 
 }  // namespace sandbox