Initial implementation of the Mac Bootstrap Sandbox.

sandbox/mac/launchd_interception_server.h

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_MAC_LAUNCHD_INTERCEPTION_SERVER_H_
+#define SANDBOX_MAC_LAUNCHD_INTERCEPTION_SERVER_H_
+
+#include <dispatch/dispatch.h>
+#include <mach/mach.h>
+
+#include "base/mac/scoped_mach_port.h"
+#include "sandbox/mac/os_compatibility.h"
+
+namespace sandbox {
+
+class BootstrapSandbox;
+
+// This class is used to run a Mach IPC message server. This server can
+// hold the receive right for a bootstrap_port of a process, and it filters
+// a subset of the launchd/bootstrap IPC call set for sandboxing. It permits
+// or rejects requests based on the per-process policy specified in the
+// BootstrapSandbox.
+class LaunchdInterceptionServer {
+ public:
+  LaunchdInterceptionServer(const BootstrapSandbox* sandbox);

[Mark Mentovai, 2014/05/06 20:51:50]

explicit

[Robert Sesek, 2014/05/08 20:58:12]

Done.

+  ~LaunchdInterceptionServer();
+
+  // Initializes the class and starts running the message server.
+  bool Initialize();

[Mark Mentovai, 2014/05/06 20:51:50]

Yeah, see, here you used Initialize instead of having a static Create method.

[Robert Sesek, 2014/05/08 20:58:12]

Yes, because this class is only instantiated by the Create method. If I liked
big files, this and bootstrap_sandbox would be one in the same.

+
+  mach_port_t server_port() const { return server_port_.get(); }
+
+ private:
+  // Event handler for the |server_source_| that reads a message from the queue
+  // and processes it.
+  void ReceiveMessage();
+
+  // Decodes a message header and handles it by either servicing the request
+  // itself, forwarding the message on to the real launchd, or rejecting the
+  // message with an error.
+  void DemuxMessage(mach_msg_header_t* request, mach_msg_header_t* reply);
+
+  // Given a look_up2 request message, this looks up the appropriate sandbox
+  // policy for the service name then formulates and sends the reply message.
+  void HandleLookUp(mach_msg_header_t* request_header,
+                    mach_msg_header_t* reply_header,
+                    pid_t sender_pid);
+
+  // Sends a reply message.
+  void SendReply(mach_msg_header_t* reply);
+
+  // Forwards the original |request| on to real bootstrap server for handling.
+  void ForwardMessage(mach_msg_header_t* request, mach_msg_header_t* reply);
+
+  // Replies to the message with the specified |error_code| as a MIG
+  // error_reply RetCode.
+  void RejectMessage(mach_msg_header_t* request,
+                     mach_msg_header_t* reply,
+                     int error_code);
+
+  // The sandbox for which this message server is running.
+  const BootstrapSandbox* sandbox_;
+
+  // The Mach port on which the server is receiving requests.
+  base::mac::ScopedMachPort server_port_;
+
+  // The dispatch queue used to service the server_source_.
+  dispatch_queue_t server_queue_;
+
+  // A MACH_RECV dispatch source for the server_port_.
+  dispatch_source_t server_source_;
+
+  // The Mach port handed out in reply to denied look up requests. All denied
+  // requests share the same port, though nothing reads messages from it.
+  base::mac::ScopedMachPort sandbox_port_;
+
+  // The compatiblity shim that handles differences in message header IDs and
+  // request/reply structures between different OS X versions.
+  const LaunchdCompatibilityShim compat_shim_;
+};
+
+}  // namespace sandbox
+
+#endif  // SANDBOX_MAC_LAUNCHD_INTERCEPTION_SERVER_H_