Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(87)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/mac/bootstrap_sandbox.h

Issue 264923003: Initial implementation of the Mac Bootstrap Sandbox. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Address comments Created 6 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | sandbox/mac/bootstrap_sandbox.cc » ('j') | sandbox/mac/launchd_interception_server.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_
6 #define SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_
7
8 #include <mach/mach.h>
9
10 #include <map>
11 #include <string>
12
13 #include "base/mac/scoped_mach_port.h"
14 #include "base/memory/scoped_ptr.h"
15 #include "base/process/process_handle.h"
16 #include "base/synchronization/lock.h"
17 #include "sandbox/mac/policy.h"
18
19 namespace sandbox {
20
21 class LaunchdInterceptionServer;
22
23 // The BootstrapSandbox is a second-layer sandbox for Mac. It is used to limit
24 // the bootstrap namespace attack surface of child processes. The parent
25 // process creates an instance of this class and registers policies that it
26 // can enforce on its children.
27 //
28 // With this sandbox, the bootstrap port of the parent process is replaced, so
29 // that child processes is taken over by the sandbox. Bootstrap messages from
30 // the parent are forwarded to launchd. Requests from the child that would
31 // normally go to launchd are filtered based on the specified per-process
32 // policies. If a request is permitted by the policy, it is forwarded on to
33 // launchd for servicing. If it is not, then the sandbox will reply with a
34 // primitive that does not grant additional capabilities to the receiver.
35 //
36 // Clients that which to use the sandbox must inform it of the creation and
37 // death of child processes for which the sandbox should be enforced. The
38 // client of the sandbox is intended to be an unsandboxed parent process that
39 // fork()s sandboxed (and other unsandboxed) child processes.
40 //
41 // When the parent is ready to fork a new child process with this sandbox
42 // being enforced, it should use the pair of methods PrepareToForkWithPolicy()
43 // and FinishedFork(), and call fork() between them. The first method will
44 // set the policy for the new process, and the second will finialize the
45 // association between the process ID and sandbox policy ID.
46 //
47 // All methods of this class may be called from any thread, but
48 // PrepareToForkWithPolicy() and FinishedFork() must be non-nested and balanced.
49 class BootstrapSandbox {
50 public:
51 // Creates a new sandbox manager. Returns NULL on failure.
52 static scoped_ptr<BootstrapSandbox> Create();
53
54 ~BootstrapSandbox();
55
56 // Registers a bootstrap policy associated it with an identifier. The
57 // |sandbox_policy_id| must be greater than 0.
58 void RegisterSandboxPolicy(int sandbox_policy_id,
59 const BootstrapSandboxPolicy& policy);
60
61 // Called in the parent prior to fork()ing a child. The policy registered
62 // to |sandbox_policy_id| will be enforced on the new child. This must be
63 // followed by a call to FinishedFork().
64 void PrepareToForkWithPolicy(int sandbox_policy_id);
65
66 // Called in the parent after fork()ing a child. It records the |handle|
67 // and associates it with the specified-above |sandbox_policy_id|.
68 // If fork() failed and a new child was not created, pass kNullProcessHandle.
69 void FinishedFork(base::ProcessHandle handle);
70
71 // Called in the parent when a process has died. It cleans up the references
72 // to the process.
73 void ChildDied(base::ProcessHandle handle);
74
75 // Looks up the policy for a given process ID. If no policy is associated
76 // with the |pid|, this returns NULL.
77 const BootstrapSandboxPolicy* PolicyForProcess(pid_t pid) const;
78
79 mach_port_t real_bootstrap_port() const { return real_bootstrap_port_; }
80
81 private:
82 BootstrapSandbox();
83
84 // A Mach IPC message server that is used to intercept and filter bootstrap
85 // requests.
86 scoped_ptr<LaunchdInterceptionServer> server_;
87
88 // The original bootstrap port of the process, which is connected to the
89 // real launchd server.
90 base::mac::ScopedMachPort real_bootstrap_port_;
91
92 // The |lock_| protects all the following variables.
93 mutable base::Lock lock_;
94
95 // The sandbox_policy_id that will be enforced for the new child.
96 int effective_policy_id_;
97
98 // All the policies that have been registered with this sandbox manager.
99 std::map<int, const BootstrapSandboxPolicy> policies_;
100
101 // The association between process ID and sandbox policy ID.
102 std::map<base::ProcessHandle, int> sandboxed_processes_;
103 };
104
105 } // namespace sandbox
106
107 #endif // SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_
OLDNEW
« no previous file with comments | « no previous file | sandbox/mac/bootstrap_sandbox.cc » ('j') | sandbox/mac/launchd_interception_server.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698