Fix forwarding of XPC messages to launchd on 10.10 and higher.

sandbox/mac/launchd_interception_server.cc

Index: sandbox/mac/launchd_interception_server.cc
diff --git a/sandbox/mac/launchd_interception_server.cc b/sandbox/mac/launchd_interception_server.cc
index 3b6dcb9daf60295334cccb2ffebfa6580d6cb800..7558933efaaf57208e923e7067b3835df85f4f08 100644
--- a/sandbox/mac/launchd_interception_server.cc
+++ b/sandbox/mac/launchd_interception_server.cc
@@ -24,6 +24,7 @@ const mach_msg_size_t kBufferSize = 2096;
 LaunchdInterceptionServer::LaunchdInterceptionServer(
     const BootstrapSandbox* sandbox)
     : sandbox_(sandbox),
+      xpc_launchd_(false),
       sandbox_port_(MACH_PORT_NULL),
       compat_shim_(OSCompatibility::CreateForPlatform()) {
 }
@@ -52,6 +53,7 @@ bool LaunchdInterceptionServer::Initialize(mach_port_t server_receive_right) {
 
   if (base::mac::IsOSYosemiteOrLater()) {
     message_server_.reset(new XPCMessageServer(this, server_receive_right));
+    xpc_launchd_ = true;
   } else {
     message_server_.reset(
         new MachMessageServer(this, server_receive_right, kBufferSize));
@@ -159,6 +161,22 @@ void LaunchdInterceptionServer::HandleSwapInteger(IPCMessage request) {
   }
 }
 void LaunchdInterceptionServer::ForwardMessage(IPCMessage request) {
+  // If launchd is using XPC, then when the request is forwarded, it must
+  // contain a valid domain port. Because the client processes are sandboxed,
+  // they have not had their launchd domains uncorked (and launchd will
+  // reject the message as being from an invalid client). Instead, provide the
+  // original bootstrap as the domain port, so launchd services the request
+  // as if it were coming from the sandbox host process (this).
+  if (xpc_launchd_) {
+    mach_port_t domain_port = sandbox_->real_bootstrap_port();
+    kern_return_t kr = mach_port_mod_refs(mach_task_self(), domain_port,

[Mark Mentovai, 2015/08/27 03:27:00]

I assume you’re doing this because xpc consumes a send right.

Is there anything set for domain-port to begin with? If so, do you need to
release it?

[Robert Sesek, 2015/08/27 14:59:52]

I thought so and several examples (in old WebKit…) I found did so. But after
checking the disassembly and it actually does the mod_refs for you. And then I
checked WebKit ToT and found this:
https://github.com/WebKit/webkit/commit/d710fe9a03d386b0abba4b8558d68644cf19701e.
Removed the mod_refs.
There shouldn't be a domain-port set to begin with. If it is, it'll be from a
sandboxed client so we shouldn't trust it. But if one were present, XPC will
release it when replacing the value (so much nicer than raw Mach).

+                                          MACH_PORT_RIGHT_SEND, 1);
+    if (kr == KERN_SUCCESS)
+      xpc_dictionary_set_mach_send(request.xpc, "domain-port", domain_port);
+    else
+      MACH_LOG(ERROR, kr) << "mach_port_mod_refs real_bootstrap_port";
+  }
+
   message_server_->ForwardMessage(request, sandbox_->real_bootstrap_port());
 }