| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_mac.h" | 5 #include "content/common/sandbox_mac.h" |
| 6 | 6 |
| 7 #import <Cocoa/Cocoa.h> | 7 #import <Cocoa/Cocoa.h> |
| 8 #include <stddef.h> | 8 #include <stddef.h> |
| 9 #include <stdint.h> | 9 #include <stdint.h> |
| 10 | 10 |
| 352 | 352 |
| 353 // Allow the process to continue without a LaunchServices ASN. The | 353 // Allow the process to continue without a LaunchServices ASN. The |
| 354 // INIT_Process function in HIServices will abort if it cannot connect to | 354 // INIT_Process function in HIServices will abort if it cannot connect to |
| 355 // launchservicesd to get an ASN. By setting this flag, HIServices skips | 355 // launchservicesd to get an ASN. By setting this flag, HIServices skips |
| 356 // that. | 356 // that. |
| 357 SetApplicationIsDaemon(true); | 357 SetApplicationIsDaemon(true); |
| 358 } | 358 } |
| 359 } | 359 } |
| 360 | 360 |
| 361 // Load the appropriate template for the given sandbox type. | 361 // Load the appropriate template for the given sandbox type. |
| 362 // Returns the template as an NSString or nil on error. | 362 // Returns the template as a string or an empty string on error. |
| 363 NSString* LoadSandboxTemplate(int sandbox_type) { | 363 std::string LoadSandboxTemplate(int sandbox_type) { |
| 364 // We use a custom sandbox definition to lock things down as tightly as | 364 // We use a custom sandbox definition to lock things down as tightly as |
| 365 // possible. | 365 // possible. |
| 366 int sandbox_profile_resource_id = -1; | 366 int sandbox_profile_resource_id = -1; |
| 367 | 367 |
| 368 // Find resource id for sandbox profile to use for the specific sandbox type. | 368 // Find resource id for sandbox profile to use for the specific sandbox type. |
| 369 for (size_t i = 0; | 369 for (size_t i = 0; |
| 370 i < arraysize(kDefaultSandboxTypeToResourceIDMapping); | 370 i < arraysize(kDefaultSandboxTypeToResourceIDMapping); |
| 371 ++i) { | 371 ++i) { |
| 372 if (kDefaultSandboxTypeToResourceIDMapping[i].sandbox_type == | 372 if (kDefaultSandboxTypeToResourceIDMapping[i].sandbox_type == |
| 373 sandbox_type) { | 373 sandbox_type) { |
| 374 sandbox_profile_resource_id = | 374 sandbox_profile_resource_id = |
| 375 kDefaultSandboxTypeToResourceIDMapping[i].sandbox_profile_resource_id; | 375 kDefaultSandboxTypeToResourceIDMapping[i].sandbox_profile_resource_id; |
| 376 break; | 376 break; |
| 377 } | 377 } |
| 378 } | 378 } |
| 379 if (sandbox_profile_resource_id == -1) { | 379 if (sandbox_profile_resource_id == -1) { |
| 380 // Check if the embedder knows about this sandbox process type. | 380 // Check if the embedder knows about this sandbox process type. |
| 381 bool sandbox_type_found = | 381 bool sandbox_type_found = |
| 382 GetContentClient()->GetSandboxProfileForSandboxType( | 382 GetContentClient()->GetSandboxProfileForSandboxType( |
| 383 sandbox_type, &sandbox_profile_resource_id); | 383 sandbox_type, &sandbox_profile_resource_id); |
| 384 CHECK(sandbox_type_found) << "Unknown sandbox type " << sandbox_type; | 384 CHECK(sandbox_type_found) << "Unknown sandbox type " << sandbox_type; |
| 385 } | 385 } |
| 386 | 386 |
| 387 base::StringPiece sandbox_definition = | 387 base::StringPiece sandbox_definition = |
| 388 GetContentClient()->GetDataResource( | 388 GetContentClient()->GetDataResource( |
| 389 sandbox_profile_resource_id, ui::SCALE_FACTOR_NONE); | 389 sandbox_profile_resource_id, ui::SCALE_FACTOR_NONE); |
| 390 if (sandbox_definition.empty()) { | 390 if (sandbox_definition.empty()) { |
| 391 LOG(FATAL) << "Failed to load the sandbox profile (resource id " | 391 LOG(FATAL) << "Failed to load the sandbox profile (resource id " |
| 392 << sandbox_profile_resource_id << ")"; | 392 << sandbox_profile_resource_id << ")"; |
| 393 return nil; | 393 return std::string(); |
| 394 } | 394 } |
| 395 | 395 |
| 396 base::StringPiece common_sandbox_definition = | 396 base::StringPiece common_sandbox_definition = |
| 397 GetContentClient()->GetDataResource( | 397 GetContentClient()->GetDataResource( |
| 398 IDR_COMMON_SANDBOX_PROFILE, ui::SCALE_FACTOR_NONE); | 398 IDR_COMMON_SANDBOX_PROFILE, ui::SCALE_FACTOR_NONE); |
| 399 if (common_sandbox_definition.empty()) { | 399 if (common_sandbox_definition.empty()) { |
| 400 LOG(FATAL) << "Failed to load the common sandbox profile"; | 400 LOG(FATAL) << "Failed to load the common sandbox profile"; |
| 401 return nil; | 401 return std::string(); |
| 402 } | 402 } |
| 403 | 403 |
| 404 base::scoped_nsobject<NSString> common_sandbox_prefix_data( | |
| 405 [[NSString alloc] initWithBytes:common_sandbox_definition.data() | |
| 406 length:common_sandbox_definition.length() | |
| 407 encoding:NSUTF8StringEncoding]); | |
| 408 | |
| 409 base::scoped_nsobject<NSString> sandbox_data( | |
| 410 [[NSString alloc] initWithBytes:sandbox_definition.data() | |
| 411 length:sandbox_definition.length() | |
| 412 encoding:NSUTF8StringEncoding]); | |
| 413 | |
| 414 // Prefix sandbox_data with common_sandbox_prefix_data. | 404 // Prefix sandbox_data with common_sandbox_prefix_data. |
| 415 return [common_sandbox_prefix_data stringByAppendingString:sandbox_data]; | 405 std::string sandbox_profile = common_sandbox_definition.as_string(); |
| 406 sandbox_definition.AppendToString(&sandbox_profile); |
| 407 return sandbox_profile; |
| 416 } | 408 } |
| 417 | 409 |
| 418 // Turns on the OS X sandbox for this process. | 410 // Turns on the OS X sandbox for this process. |
| 419 | 411 |
| 420 // static | 412 // static |
| 421 bool Sandbox::EnableSandbox(int sandbox_type, | 413 bool Sandbox::EnableSandbox(int sandbox_type, |
| 422 const base::FilePath& allowed_dir) { | 414 const base::FilePath& allowed_dir) { |
| 423 // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being | 415 // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being |
| 424 // passed in. | 416 // passed in. |
| 425 if (sandbox_type < SANDBOX_TYPE_AFTER_LAST_TYPE && | 417 if (sandbox_type < SANDBOX_TYPE_AFTER_LAST_TYPE && |
| 426 sandbox_type != SANDBOX_TYPE_UTILITY) { | 418 sandbox_type != SANDBOX_TYPE_UTILITY) { |
| 427 DCHECK(allowed_dir.empty()) | 419 DCHECK(allowed_dir.empty()) |
| 428 << "Only SANDBOX_TYPE_UTILITY allows a custom directory parameter."; | 420 << "Only SANDBOX_TYPE_UTILITY allows a custom directory parameter."; |
| 429 } | 421 } |
| 430 | 422 |
| 431 NSString* sandbox_data = LoadSandboxTemplate(sandbox_type); | 423 std::string sandbox_data = LoadSandboxTemplate(sandbox_type); |
| 432 if (!sandbox_data) { | 424 if (sandbox_data.empty()) { |
| 433 return false; | 425 return false; |
| 434 } | 426 } |
| 435 | 427 |
| 436 SandboxCompiler compiler([sandbox_data UTF8String]); | 428 SandboxCompiler compiler(sandbox_data); |
| 437 | 429 |
| 438 if (!allowed_dir.empty()) { | 430 if (!allowed_dir.empty()) { |
| 439 // Add the sandbox parameters necessary to access the given directory. | 431 // Add the sandbox parameters necessary to access the given directory. |
| 440 base::FilePath allowed_dir_canonical = GetCanonicalSandboxPath(allowed_dir); | 432 base::FilePath allowed_dir_canonical = GetCanonicalSandboxPath(allowed_dir); |
| 441 std::string regex; | 433 std::string regex; |
| 442 if (!QuoteStringForRegex(allowed_dir_canonical.value(), ®ex)) { | 434 if (!QuoteStringForRegex(allowed_dir_canonical.value(), ®ex)) { |
| 443 FatalStringQuoteException(allowed_dir_canonical.value()); | 435 FatalStringQuoteException(allowed_dir_canonical.value()); |
| 444 return false; | 436 return false; |
| 445 } | 437 } |
| 446 if (!compiler.InsertStringParam("PERMITTED_DIR", regex)) | 438 if (!compiler.InsertStringParam("PERMITTED_DIR", regex)) |
| 508 if (HANDLE_EINTR(fcntl(fd.get(), F_GETPATH, canonical_path)) != 0) { | 500 if (HANDLE_EINTR(fcntl(fd.get(), F_GETPATH, canonical_path)) != 0) { |
| 509 DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: " | 501 DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: " |
| 510 << path.value(); | 502 << path.value(); |
| 511 return path; | 503 return path; |
| 512 } | 504 } |
| 513 | 505 |
| 514 return base::FilePath(canonical_path); | 506 return base::FilePath(canonical_path); |
| 515 } | 507 } |
| 516 | 508 |
| 517 } // namespace content | 509 } // namespace content |
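Review bot: The comment kept on new line 404, `// Prefix sandbox_data with common_sandbox_prefix_data.`, names the two NSString temporaries that this change deletes, so it no longer matches the std::string code beneath it; replace it with `// Prepend the common sandbox definition to the type-specific profile.`. The updated doc comment on new line 362 promises an empty string on error, but both failure paths call LOG(FATAL) before their `return std::string();`, so those returns are only reached if LOG(FATAL) does not terminate the process; saying so in the comment would make the `sandbox_data.empty()` check in EnableSandbox (new line 424) read as a defensive guard rather than the primary failure path. Dropping the NSString round-trip also drops the implicit UTF-8 validation the old `initWithBytes:length:encoding:` calls performed on the two resource blobs; that looks acceptable since both come from packaged data resources, but the profile now reaches SandboxCompiler as raw bytes, so any encoding check would have to live there.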