chrome/app/chrome_exe_main_mac.cc - Issue 2921733002: Add flags for v2 sandbox to Chrome and Helper executable.

Side by Side Diff: chrome/app/chrome_exe_main_mac.cc

Issue 2921733002: Add flags for v2 sandbox to Chrome and Helper executable. (Closed)

Patch Set: Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // The entry point for all Mac Chromium processes, including the outer app	5 // The entry point for all Mac Chromium processes, including the outer app

6 // bundle (browser) and helper app (renderer, plugin, and friends).	6 // bundle (browser) and helper app (renderer, plugin, and friends).

7	7

8 #include <dlfcn.h>	8 #include <dlfcn.h>

9 #include <errno.h>	9 #include <errno.h>

10 #include <libgen.h>	10 #include <libgen.h>

(...skipping 14 matching lines...) Expand all Loading...
25 #include "sandbox/mac/seatbelt_exec.h"	25 #include "sandbox/mac/seatbelt_exec.h"

26 #endif // defined(HELPER_EXECUTABLE)	26 #endif // defined(HELPER_EXECUTABLE)

27	27

28 namespace {	28 namespace {

29	29

30 typedef int (ChromeMainPtr)(int, char*);	30 typedef int (ChromeMainPtr)(int, char*);

31	31

32 #if defined(HELPER_EXECUTABLE)	32 #if defined(HELPER_EXECUTABLE)

33 // The command line parameter to engage the v2 sandbox.	33 // The command line parameter to engage the v2 sandbox.

34 constexpr char v2_sandbox_arg[] = "--v2-sandbox";	34 constexpr char v2_sandbox_arg[] = "--v2-sandbox";

	35 // The command line paramter indicating that the v2 sandbox is enabled. This

	36 // must be different than the "v2-sandbox" flag to avoid endless re-executing.

	37 // The flag tells the sandbox initialization code inside Chrome that the sandbox

	38 // should already be enabled.

	39 char v2_sandbox_enabled_arg[] = "--v2-sandbox-enabled";
	Robert Sesek 2017/06/01 22:07:49 constexpr? constexpr? Robert Sesek 2017/06/01 22:07:49 Since "enabled" is so overloaded for features, I t Since "enabled" is so overloaded for features, I think maybe "--v2-sandbox-did-exec" or something more explicit? Also, I wonder if it'd be better to negate this? I.e., the browser launches with --v2-sandbox-exec and then the flag is removed from the argv before execv. Not sure it makes a difference, other than all running child processes then won't have the --v2-sandbox-exec flag in the args. Greg K 2017/06/01 22:10:40 The reason I make it a positive for now is because Show quoted text On 2017/06/01 22:07:49, Robert Sesek wrote: > Since "enabled" is so overloaded for features, I think maybe > "--v2-sandbox-did-exec" or something more explicit? > > Also, I wonder if it'd be better to negate this? I.e., the browser launches with > --v2-sandbox-exec and then the flag is removed from the argv before execv. Not > sure it makes a difference, other than all running child processes then won't > have the --v2-sandbox-exec flag in the args. The reason I make it a positive for now is because we're transitioning one process type at a time, so this means all processes will have some --not-v2-sandbox flag. I think we should use a positive flag and then flip that around once the migration is complete? Robert Sesek 2017/06/01 22:12:28 That's true, unless you propagated the --v2-sandbo Show quoted text On 2017/06/01 22:10:40, Greg K wrote: > On 2017/06/01 22:07:49, Robert Sesek wrote: > > Since "enabled" is so overloaded for features, I think maybe > > "--v2-sandbox-did-exec" or something more explicit? > > > > Also, I wonder if it'd be better to negate this? I.e., the browser launches > with > > --v2-sandbox-exec and then the flag is removed from the argv before execv. Not > > sure it makes a difference, other than all running child processes then won't > > have the --v2-sandbox-exec flag in the args. > > The reason I make it a positive for now is because we're transitioning one > process type at a time, so this means all processes will have some > --not-v2-sandbox flag. I think we should use a positive flag and then flip that > around once the migration is complete? That's true, unless you propagated the --v2-sandbox flag rather than dropping it in the new process. It's fine to keep it positive until the transition is complete. Maybe leave a TODO for this? Greg K 2017/06/01 22:13:22 Yes. I don't want to re-add the new flag because i Show quoted text On 2017/06/01 22:12:28, Robert Sesek wrote: > On 2017/06/01 22:10:40, Greg K wrote: > > On 2017/06/01 22:07:49, Robert Sesek wrote: > > > Since "enabled" is so overloaded for features, I think maybe > > > "--v2-sandbox-did-exec" or something more explicit? > > > > > > Also, I wonder if it'd be better to negate this? I.e., the browser launches > > with > > > --v2-sandbox-exec and then the flag is removed from the argv before execv. > Not > > > sure it makes a difference, other than all running child processes then > won't > > > have the --v2-sandbox-exec flag in the args. > > > > The reason I make it a positive for now is because we're transitioning one > > process type at a time, so this means all processes will have some > > --not-v2-sandbox flag. I think we should use a positive flag and then flip > that > > around once the migration is complete? > > That's true, unless you propagated the --v2-sandbox flag rather than dropping it > in the new process. It's fine to keep it positive until the transition is > complete. Maybe leave a TODO for this? Yes. I don't want to re-add the new flag because it gets confusing as it can cause an endless re-exec cycle, unless it's add just before entering ChromeMain. I'll add a TODO, thanks. Greg K 2017/06/01 22:23:56 I don't actually know a better way to do this. The Show quoted text On 2017/06/01 22:07:49, Robert Sesek wrote: > constexpr? I don't actually know a better way to do this. The execv() API takes a "char* const" of all things, not even a const char, so if this is constexpr, the only way to pass it along is to throw away the const qualifier. Do you know a better way? Greg K* 2017/06/01 22:26:11 For what it's worth, these are document as constan Show quoted text On 2017/06/01 22:23:56, Greg K wrote: > On 2017/06/01 22:07:49, Robert Sesek wrote: > > constexpr? > > I don't actually know a better way to do this. The execv() API takes a "char* > const" of all things, not even a const char*, so if this is constexpr, the only > way to pass it along is to throw away the const qualifier. > > Do you know a better way? For what it's worth, these are document as constants but kept non-const in declaration to avoid breaking old code. I am fine using a const_cast<> in this case: http://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
35 // The command line parameter for the file descriptor used to receive the	40 // The command line parameter for the file descriptor used to receive the

36 // sandbox policy.	41 // sandbox policy.

37 constexpr char fd_mapping_arg[] = "--fd_mapping=";	42 constexpr char fd_mapping_arg[] = "--fd_mapping=";

38	43

39 __attribute__((noreturn)) void SandboxExec(const char* exec_path,	44 __attribute__((noreturn)) void SandboxExec(const char* exec_path,

40 int argc,	45 int argc,

41 char* argv[],	46 char* argv[],

42 int fd_mapping) {	47 int fd_mapping) {

43 char rp[MAXPATHLEN];	48 char rp[MAXPATHLEN];

44 if (realpath(exec_path, rp) == NULL) {	49 if (realpath(exec_path, rp) == NULL) {

(...skipping 19 matching lines...) Expand all Loading...
64 abort();	69 abort();

65 }	70 }

66	71

67 std::vector<char*> new_argv;	72 std::vector<char*> new_argv;

68 for (int i = 1; i < argc; ++i) {	73 for (int i = 1; i < argc; ++i) {

69 if (strcmp(argv[i], v2_sandbox_arg) != 0 &&	74 if (strcmp(argv[i], v2_sandbox_arg) != 0 &&

70 strncmp(argv[i], fd_mapping_arg, strlen(fd_mapping_arg)) != 0) {	75 strncmp(argv[i], fd_mapping_arg, strlen(fd_mapping_arg)) != 0) {

71 new_argv.push_back(argv[i]);	76 new_argv.push_back(argv[i]);

72 }	77 }

73 }	78 }

	79 // Tell Chrome that the sandbox should already be enabled.

	80 new_argv.push_back(v2_sandbox_enabled_arg);

74 new_argv.push_back(nullptr);	81 new_argv.push_back(nullptr);

75	82

76 // The helper executable re-executes itself under the sandbox.	83 // The helper executable re-executes itself under the sandbox.

77 execv(exec_path, new_argv.data());	84 execv(exec_path, new_argv.data());

78 perror("execve");	85 perror("execve");

79 abort();	86 abort();

80 }	87 }

81 #endif // defined(HELPER_EXECUTABLE)	88 #endif // defined(HELPER_EXECUTABLE)

82	89

83 } // namespace	90 } // namespace

(...skipping 72 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
156 if (!chrome_main) {	163 if (!chrome_main) {

157 fprintf(stderr, "dlsym ChromeMain: %s\n", dlerror());	164 fprintf(stderr, "dlsym ChromeMain: %s\n", dlerror());

158 abort();	165 abort();

159 }	166 }

160 rv = chrome_main(argc, argv);	167 rv = chrome_main(argc, argv);

161	168

162 // exit, don't return from main, to avoid the apparent removal of main from	169 // exit, don't return from main, to avoid the apparent removal of main from

163 // stack backtraces under tail call optimization.	170 // stack backtraces under tail call optimization.

164 exit(rv);	171 exit(rv);

165 }	172 }

OLD	NEW

« no previous file with comments | « no previous file | content/common/sandbox_init_mac.cc » ('j') | no next file with comments »