sandbox/mac/bootstrap_sandbox.h - Issue 264923003: Initial implementation of the Mac Bootstrap Sandbox.

Side by Side Diff: sandbox/mac/bootstrap_sandbox.h

Issue 264923003: Initial implementation of the Mac Bootstrap Sandbox. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright 2014 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #ifndef SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_

	6 #define SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_

	7

	8 #include <mach/mach.h>

	9

	10 #include <map>

	11 #include <string>

	12

	13 #include "base/memory/scoped_ptr.h"

	14 #include "base/process/process_handle.h"

	15 #include "base/synchronization/lock.h"

	16 #include "sandbox/mac/policy.h"

	17

	18 namespace sandbox {

	19

	20 class LaunchdInterceptionServer;

	21

	22 // The BootstrapSandbox is a second-layer sandbox for Mac. It is used to limit

	23 // the bootstrap namespace attack surface of child processes. The parent

	24 // process creates an instance of this class and registers policies that it

	25 // can enforce on its children.

	26 //

	27 // With this sandbox, the bootstrap port of the parent process is replaced, so

	28 // that child processes is taken over by the sandbox. Bootstrap messages from

	29 // the parent are forwarded to launchd. Requests from the child that would

	30 // normally go to launchd are filtered based on the specified per-process

	31 // policies. If a request is permitted by the policy, it is forwarded on to

	32 // launchd for servicing. If it is not, then the sandbox will reply with a

	33 // primitive that does not grant additional capabilities to the receiver.

	34 //

	35 // When the parent is ready to fork a new child process with this sandbox

	36 // being enforced, it should use the pair of methods PrepareToForkWithPolicy()

	37 // and FinishedFork(), and call fork() between them. The first method will

	38 // set the policy for the new process, and the second will finialize the

	39 // association between the process ID and sandbox policy ID.

	40 //

	41 // All methods of this class may be called from any thread, but

	42 // PrepareToForkWithPolicy() and FinishedFork() must be non-nested and balanced.
	Mark Mentovai 2014/05/06 20:51:50 An alternative would be to make PrepareToForkWithP An alternative would be to make PrepareToForkWithPolicy return some handle that the caller would need to supply to FinishedFork, to not limit the nestiness and balanciness of things. Robert Sesek 2014/05/08 20:58:12 I need to limit the nestiness and balanciness of t Show quoted text On 2014/05/06 20:51:50, Mark Mentovai wrote: > An alternative would be to make PrepareToForkWithPolicy return some handle that > the caller would need to supply to FinishedFork, to not limit the nestiness and > balanciness of things. I need to limit the nestiness and balanciness of things because you don't know what policy to apply if there are multiple simultaneous sandbox fork()s, until the PID is associated with a policy. And the child can and does start executing sometime in that window (base::LaunchProcess handles both the fork and the exec), making bootstrap requests.
	43 class BootstrapSandbox {

	44 public:

	45 // Creates a new sandbox manager. Returns NULL on failure.
	Mark Mentovai 2014/05/06 20:51:50 Isn’t it more normal to have a constructor and, fo Isn’t it more normal to have a constructor and, for initialization work that can fail, an Initialize method? Robert Sesek 2014/05/08 20:58:12 They're both acceptable in Chromium. I generally p Show quoted text On 2014/05/06 20:51:50, Mark Mentovai wrote: > Isn’t it more normal to have a constructor and, for initialization work that can > fail, an Initialize method? They're both acceptable in Chromium. I generally prefer this for public interfaces because it doesn't mean you can have an object in an inconsistent state.
	46 static scoped_ptr<BootstrapSandbox> Create();

	47

	48 ~BootstrapSandbox();

	49

	50 // Registers a bootstrap policy associated it with an identifier. The

	51 // \|sandbox_policy_id\| must be greater than 0.

	52 void RegisterSandboxPolicy(int sandbox_policy_id,
	Mark Mentovai 2014/05/06 20:51:50 This requires callers to come up with fixed and un This requires callers to come up with fixed and unique IDs, in addition to supplying the policy object? That seems a unnecessary. Why not have this function return the policy ID to the caller as an opaque handle kind of type? Robert Sesek 2014/05/08 20:58:12 Yes, I chose this because we already have sandbox- Show quoted text On 2014/05/06 20:51:50, Mark Mentovai wrote: > This requires callers to come up with fixed and unique IDs, in addition to > supplying the policy object? That seems a unnecessary. Why not have this > function return the policy ID to the caller as an opaque handle kind of type? Yes, I chose this because we already have sandbox-type enums that we will likely want to re-use.
	53 const BootstrapSandboxPolicy& policy);

	54

	55 // Called in the parent prior to fork()ing a child. The policy registered
	Mark Mentovai 2014/05/06 20:51:50 The comments on this function and the two that fol The comments on this function and the two that follow say “called in the parent” which doesn’t make it clear that the client code is supposed to call this. It could also mean that your sandbox calls these functions. Robert Sesek 2014/05/08 20:58:12 Clarified this in the class-level comment. Show quoted text On 2014/05/06 20:51:50, Mark Mentovai wrote: > The comments on this function and the two that follow say “called in the > parent” which doesn’t make it clear that the client code is supposed to call > this. It could also mean that your sandbox calls these functions. Clarified this in the class-level comment.
	56 // to \|sandbox_policy_id\| will be enforced on the new child. Returns true

	57 // on success and false if the policy does not exist.

	58 bool PrepareToForkWithPolicy(int sandbox_policy_id);

	59 // Called in the parent after fork()ing a child. It records the \|handle\|
	Mark Mentovai 2014/05/06 20:51:50 Blank line before, otherwise PrepareToForkWithPoli Blank line before, otherwise PrepareToForkWithPolicy gets lost. Robert Sesek 2014/05/08 20:58:12 Done. Show quoted text On 2014/05/06 20:51:50, Mark Mentovai wrote: > Blank line before, otherwise PrepareToForkWithPolicy gets lost. Done.
	60 // and associates it with the specified-above \|sandbox_policy_id\|.
	Mark Mentovai 2014/05/06 20:51:50 What’s the caller supposed to do if they call Prep What’s the caller supposed to do if they call PrepareToForkWithPolicy and then fork, but the fork fails? Robert Sesek 2014/05/08 20:58:12 Done. Show quoted text On 2014/05/06 20:51:50, Mark Mentovai wrote: > What’s the caller supposed to do if they call PrepareToForkWithPolicy and then > fork, but the fork fails? Done.
	61 void FinishedFork(base::ProcessHandle handle);

	62

	63 // Called in the parent when a process has died. It cleans up the references

	64 // to the process.

	65 void ChildDied(base::ProcessHandle handle);

	66

	67 // Looks up the policy for a given process ID. If no policy is associated

	68 // with the \|pid\|, this returns NULL.

	69 const BootstrapSandboxPolicy* PolicyForProcess(pid_t pid) const;

	70

	71 mach_port_t real_bootstrap_port() const { return real_bootstrap_port_; }

	72

	73 private:

	74 BootstrapSandbox();

	75

	76 // A Mach IPC message server that is used to intercept and filter bootstrap

	77 // requests.

	78 scoped_ptr<LaunchdInterceptionServer> server_;

	79

	80 // The original bootstrap port of the process, which is connected to the

	81 // real launchd server.

	82 mach_port_t real_bootstrap_port_;

	83

	84 // The \|lock_\| protects all proceeding variables.
	Mark Mentovai 2014/05/06 20:51:50 It’s spelled preceding, but the comment is wrong, It’s spelled preceding, but the comment is wrong, because the lock is protecting all following variables. Robert Sesek 2014/05/08 20:58:12 Done. Show quoted text On 2014/05/06 20:51:50, Mark Mentovai wrote: > It’s spelled preceding, but the comment is wrong, because the lock is protecting > all following variables. Done.
	85 mutable base::Lock lock_;

	86

	87 // Used to track if multiple threads are trying to fork() with the sandbox

	88 // simultaneously.

	89 bool is_across_fork_;
	Mark Mentovai 2014/05/06 20:51:50 Blank line after this. Blank line after this. Mark Mentovai 2014/05/06 20:51:50 A better name would be prepared_to_fork_—something A better name would be prepared_to_fork_—something that makes clearer that PrepareToForkWithPolicy was called but FinishedFork wasn’t. Robert Sesek 2014/05/08 20:58:12 Done. Show quoted text On 2014/05/06 20:51:50, Mark Mentovai wrote: > Blank line after this. Done. Robert Sesek 2014/05/08 20:58:12 Removed, see other comment. Show quoted text On 2014/05/06 20:51:50, Mark Mentovai wrote: > A better name would be prepared_to_fork_—something that makes clearer that > PrepareToForkWithPolicy was called but FinishedFork wasn’t. Removed, see other comment.
	90 // The sandbox_policy_id that will be enforced for the new child.

	91 int effective_policy_id_;

	92

	93 // All the policies that have been registered with this sandbox manager.

	94 std::map<int, const BootstrapSandboxPolicy> policies_;

	95

	96 // The association between process ID and sandbox policy ID.

	97 std::map<base::ProcessHandle, int> sandboxed_processes_;

	98 };

	99

	100 } // namespace content

	101

	102 #endif // SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_

OLD	NEW

« no previous file with comments | « no previous file | sandbox/mac/bootstrap_sandbox.cc » ('j') | sandbox/mac/bootstrap_sandbox.cc » ('J')