1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_ | |
6 #define SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_ | |
7 | |
8 #include <mach/mach.h> | |
9 | |
10 #include <map> | |
11 #include <string> | |
12 | |
13 #include "base/mac/scoped_mach_port.h" | |
14 #include "base/memory/scoped_ptr.h" | |
15 #include "base/process/process_handle.h" | |
16 #include "base/synchronization/lock.h" | |
17 #include "sandbox/mac/policy.h" | |
18 | |
19 namespace sandbox { | |
20 | |
21 class LaunchdInterceptionServer; | |
22 | |
23 // The BootstrapSandbox is a second-layer sandbox for Mac. It is used to limit | |
24 // the bootstrap namespace attack surface of child processes. The parent | |
25 // process creates an instance of this class and registers policies that it | |
26 // can enforce on its children. | |
27 // | |
28 // With this sandbox, the bootstrap port of the parent process is replaced, so | |
29 // that child processes is taken over by the sandbox. Bootstrap messages from | |
30 // the parent are forwarded to launchd. Requests from the child that would | |
31 // normally go to launchd are filtered based on the specified per-process | |
32 // policies. If a request is permitted by the policy, it is forwarded on to | |
33 // launchd for servicing. If it is not, then the sandbox will reply with a | |
34 // primitive that does not grant additional capabilities to the receiver. | |
35 // | |
36 // Clients that which to use the sandbox must inform it of the creation and | |
37 // death of child processes for which the sandbox should be enforced. The | |
38 // client of the sandbox is intended to be an unsandboxed parent process that | |
39 // fork()s sandboxed (and other unsandboxed) child processes. | |
40 // | |
41 // When the parent is ready to fork a new child process with this sandbox | |
42 // being enforced, it should use the pair of methods PrepareToForkWithPolicy() | |
43 // and FinishedFork(), and call fork() between them. The first method will | |
44 // set the policy for the new process, and the second will finialize the | |
45 // association between the process ID and sandbox policy ID. | |
46 // | |
47 // All methods of this class may be called from any thread, but | |
48 // PrepareToForkWithPolicy() and FinishedFork() must be non-nested and balanced. | |
49 class BootstrapSandbox { | |
50 public: | |
51 // Creates a new sandbox manager. Returns NULL on failure. | |
52 static scoped_ptr<BootstrapSandbox> Create(); | |
53 | |
54 ~BootstrapSandbox(); | |
55 | |
56 // Registers a bootstrap policy associated it with an identifier. The | |
57 // |sandbox_policy_id| must be greater than 0. | |
58 void RegisterSandboxPolicy(int sandbox_policy_id, | |
59 const BootstrapSandboxPolicy& policy); | |
60 | |
61 // Called in the parent prior to fork()ing a child. The policy registered | |
62 // to |sandbox_policy_id| will be enforced on the new child. Returns true | |
63 // on success and false if the policy does not exist. | |
64 void PrepareToForkWithPolicy(int sandbox_policy_id); | |
Avi (use Gerrit)
2014/05/09 21:02:06
The comment talks about returning a bool, but this
Robert Sesek
2014/05/09 22:04:03
Done.
65 | |
66 // Called in the parent after fork()ing a child. It records the |handle| | |
67 // and associates it with the specified-above |sandbox_policy_id|. | |
68 // If fork() failed and a new child was not created, pass kNullProcessHandle. | |
Mark Mentovai
2014/05/09 20:11:19
Do you want to leave a TODO somewhere (.cc file?)
Robert Sesek
2014/05/09 22:04:03
Sure, but I feel like it'll be a long-time coming.
69 void FinishedFork(base::ProcessHandle handle); | |
70 | |
71 // Called in the parent when a process has died. It cleans up the references | |
72 // to the process. | |
73 void ChildDied(base::ProcessHandle handle); | |
74 | |
75 // Looks up the policy for a given process ID. If no policy is associated | |
76 // with the |pid|, this returns NULL. | |
77 const BootstrapSandboxPolicy* PolicyForProcess(pid_t pid) const; | |
78 | |
79 mach_port_t real_bootstrap_port() const { return real_bootstrap_port_; } | |
80 | |
81 private: | |
82 BootstrapSandbox(); | |
83 | |
84 // A Mach IPC message server that is used to intercept and filter bootstrap | |
85 // requests. | |
86 scoped_ptr<LaunchdInterceptionServer> server_; | |
87 | |
88 // The original bootstrap port of the process, which is connected to the | |
89 // real launchd server. | |
90 base::mac::ScopedMachPort real_bootstrap_port_; | |
91 | |
92 // The |lock_| protects all the following variables. | |
93 mutable base::Lock lock_; | |
94 | |
95 // The sandbox_policy_id that will be enforced for the new child. | |
96 int effective_policy_id_; | |
97 | |
98 // All the policies that have been registered with this sandbox manager. | |
99 std::map<int, const BootstrapSandboxPolicy> policies_; | |
100 | |
101 // The association between process ID and sandbox policy ID. | |
102 std::map<base::ProcessHandle, int> sandboxed_processes_; | |
103 }; | |
104 | |
105 } // namespace sandbox | |
106 | |
107 #endif // SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_ | |
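Review bot: The ChildDied() comment (line 71) should state that the call has to happen before the child's pid can be recycled, because sandboxed_processes_ is keyed by base::ProcessHandle and PolicyForProcess(pid_t) would otherwise hand an unrelated new process the dead child's policy; suggested wording: `// Must be called before the pid can be reused, otherwise PolicyForProcess() may attribute the old policy to a new process.` PolicyForProcess() also returns a raw pointer into policies_; since no method in this header removes entries, a sentence that the pointer presumably stays valid for the lifetime of the BootstrapSandbox (confirm against the .cc) would help callers. Two typos in the class comment: `Clients that which to use` → `Clients that wish to use` and `finialize` → `finalize`.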