
Side by Side Diff: content/common/sandbox_mac.mm

Issue 2931173003: Implement the V2 sandbox in the process launcher. (Closed)
Patch Set: Created 3 years, 6 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/common/sandbox_mac.h" 5 #include "content/common/sandbox_mac.h"
6 6
7 #import <Cocoa/Cocoa.h> 7 #import <Cocoa/Cocoa.h>
8 #include <stddef.h> 8 #include <stddef.h>
9 #include <stdint.h> 9 #include <stdint.h>
10 10
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after
66 { SANDBOX_TYPE_GPU, IDR_GPU_SANDBOX_PROFILE }, 66 { SANDBOX_TYPE_GPU, IDR_GPU_SANDBOX_PROFILE },
67 { SANDBOX_TYPE_PPAPI, IDR_PPAPI_SANDBOX_PROFILE }, 67 { SANDBOX_TYPE_PPAPI, IDR_PPAPI_SANDBOX_PROFILE },
68 }; 68 };
69 69
70 static_assert(arraysize(kDefaultSandboxTypeToResourceIDMapping) == \ 70 static_assert(arraysize(kDefaultSandboxTypeToResourceIDMapping) == \
71 size_t(SANDBOX_TYPE_AFTER_LAST_TYPE), \ 71 size_t(SANDBOX_TYPE_AFTER_LAST_TYPE), \
72 "sandbox type to resource id mapping incorrect"); 72 "sandbox type to resource id mapping incorrect");
73 73
74 } // namespace 74 } // namespace
75 75
76 // Static variable declarations.
77 const char* Sandbox::kSandboxEnableLogging = "ENABLE_LOGGING";
78 const char* Sandbox::kSandboxDisableDenialLogging =
79 "DISABLE_SANDBOX_DENIAL_LOGGING";
80 const char* Sandbox::kSandboxHomedirAsLiteral = "USER_HOMEDIR_AS_LITERAL";
81 const char* Sandbox::kSandboxElCapOrLater = "ELCAP_OR_LATER";
82 const char* Sandbox::kSandboxPermittedDir = "PERMITTED_DIR";
83 const char* Sandbox::kSandboxBundlePath = "BUNDLE_PATH";
84 const char* Sandbox::kSandboxLoggingPathAsLiteral = "LOG_FILE_PATH";
85 const char* Sandbox::kSandboxChromeBundleId = "BUNDLE_ID";
86 const char* Sandbox::kSandboxComponentPath = "COMPONENT_PATH";
87 const char* Sandbox::kSandboxChromePID = "CHROMIUM_PID";
88
76 // Warm up System APIs that empirically need to be accessed before the Sandbox 89 // Warm up System APIs that empirically need to be accessed before the Sandbox
77 // is turned on. 90 // is turned on.
78 // This method is layed out in blocks, each one containing a separate function 91 // This method is layed out in blocks, each one containing a separate function
79 // that needs to be warmed up. The OS version on which we found the need to 92 // that needs to be warmed up. The OS version on which we found the need to
80 // enable the function is also noted. 93 // enable the function is also noted.
81 // This function is tested on the following OS versions: 94 // This function is tested on the following OS versions:
82 // 10.5.6, 10.6.0 95 // 10.5.6, 10.6.0
83 96
84 // static 97 // static
85 void Sandbox::SandboxWarmup(int sandbox_type) { 98 void Sandbox::SandboxWarmup(int sandbox_type) {
(...skipping 157 matching lines...) Expand 10 before | Expand all | Expand 10 after
243 std::string sandbox_data = LoadSandboxTemplate(sandbox_type); 256 std::string sandbox_data = LoadSandboxTemplate(sandbox_type);
244 if (sandbox_data.empty()) { 257 if (sandbox_data.empty()) {
245 return false; 258 return false;
246 } 259 }
247 260
248 sandbox::SandboxCompiler compiler(sandbox_data); 261 sandbox::SandboxCompiler compiler(sandbox_data);
249 262
250 if (!allowed_dir.empty()) { 263 if (!allowed_dir.empty()) {
251 // Add the sandbox parameters necessary to access the given directory. 264 // Add the sandbox parameters necessary to access the given directory.
252 base::FilePath allowed_dir_canonical = GetCanonicalSandboxPath(allowed_dir); 265 base::FilePath allowed_dir_canonical = GetCanonicalSandboxPath(allowed_dir);
253 if (!compiler.InsertStringParam("PERMITTED_DIR", 266 if (!compiler.InsertStringParam(kSandboxPermittedDir,
254 allowed_dir_canonical.value())) 267 allowed_dir_canonical.value()))
255 return false; 268 return false;
256 } 269 }
257 270
258 // Enable verbose logging if enabled on the command line. (See common.sb 271 // Enable verbose logging if enabled on the command line. (See common.sb
259 // for details). 272 // for details).
260 const base::CommandLine* command_line = 273 const base::CommandLine* command_line =
261 base::CommandLine::ForCurrentProcess(); 274 base::CommandLine::ForCurrentProcess();
262 bool enable_logging = 275 bool enable_logging =
263 command_line->HasSwitch(switches::kEnableSandboxLogging);; 276 command_line->HasSwitch(switches::kEnableSandboxLogging);;
264 if (!compiler.InsertBooleanParam("ENABLE_LOGGING", enable_logging)) 277 if (!compiler.InsertBooleanParam(kSandboxEnableLogging, enable_logging))
265 return false; 278 return false;
266 279
267 // Without this, the sandbox will print a message to the system log every 280 // Without this, the sandbox will print a message to the system log every
268 // time it denies a request. This floods the console with useless spew. 281 // time it denies a request. This floods the console with useless spew.
269 if (!compiler.InsertBooleanParam("DISABLE_SANDBOX_DENIAL_LOGGING", 282 if (!compiler.InsertBooleanParam(kSandboxDisableDenialLogging,
270 !enable_logging)) 283 !enable_logging))
271 return false; 284 return false;
272 285
273 // Splice the path of the user's home directory into the sandbox profile 286 // Splice the path of the user's home directory into the sandbox profile
274 // (see renderer.sb for details). 287 // (see renderer.sb for details).
275 std::string home_dir = [NSHomeDirectory() fileSystemRepresentation]; 288 std::string home_dir = [NSHomeDirectory() fileSystemRepresentation];
276 289
277 base::FilePath home_dir_canonical = 290 base::FilePath home_dir_canonical =
278 GetCanonicalSandboxPath(base::FilePath(home_dir)); 291 GetCanonicalSandboxPath(base::FilePath(home_dir));
279 292
280 if (!compiler.InsertStringParam("USER_HOMEDIR_AS_LITERAL", 293 if (!compiler.InsertStringParam(kSandboxHomedirAsLiteral,
281 home_dir_canonical.value())) 294 home_dir_canonical.value()))
282 return false; 295 return false;
283 296
284 bool elcap_or_later = base::mac::IsAtLeastOS10_11(); 297 bool elcap_or_later = base::mac::IsAtLeastOS10_11();
285 if (!compiler.InsertBooleanParam("ELCAP_OR_LATER", elcap_or_later)) 298 if (!compiler.InsertBooleanParam(kSandboxElCapOrLater, elcap_or_later))
286 return false; 299 return false;
287 300
288 // Initialize sandbox. 301 // Initialize sandbox.
289 std::string error_str; 302 std::string error_str;
290 bool success = compiler.CompileAndApplyProfile(&error_str); 303 bool success = compiler.CompileAndApplyProfile(&error_str);
291 DLOG_IF(FATAL, !success) << "Failed to initialize sandbox: " << error_str; 304 DLOG_IF(FATAL, !success) << "Failed to initialize sandbox: " << error_str;
292 gSandboxIsActive = success; 305 gSandboxIsActive = success;
293 return success; 306 return success;
294 } 307 }
295 308
(...skipping 15 matching lines...) Expand all
311 if (HANDLE_EINTR(fcntl(fd.get(), F_GETPATH, canonical_path)) != 0) { 324 if (HANDLE_EINTR(fcntl(fd.get(), F_GETPATH, canonical_path)) != 0) {
312 DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: " 325 DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "
313 << path.value(); 326 << path.value();
314 return path; 327 return path;
315 } 328 }
316 329
317 return base::FilePath(canonical_path); 330 return base::FilePath(canonical_path);
318 } 331 }
319 332
320 } // namespace content 333 } // namespace content
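Review bot: The parameter-name definitions added at new lines 77–87 are `const char*`, which makes only the pointee immutable — the pointer is a writable global, so any translation unit could reassign `Sandbox::kSandboxPermittedDir` and silently change which profile variable the `InsertStringParam`/`InsertBooleanParam` calls in `InitializeSandbox` bind to. Because these keys decide what the compiled sandbox profile permits, they should be constant pointers too, e.g. `const char* const Sandbox::kSandboxPermittedDir = "PERMITTED_DIR";`, with the matching `static const char* const` declaration in sandbox_mac.h (that header is not in this view, so its current declaration form is inferred from the definitions here). A one-line comment above the block such as `// Parameter names spliced into the .sb profiles; each must match the variable name the profile references.` would record why the literals were hoisted. The function containing new lines 256–307 begins in the collapsed region, so its signature and any earlier parameter insertions were not reviewed.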
