Define a bootstrap sandbox policy for renderer processes and enable it.

content/browser/bootstrap_sandbox_mac.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/bootstrap_sandbox_mac.h"
 
 #include "base/logging.h"
 #include "base/mac/mac_util.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
+#include "content/browser/mach_broker_mac.h"
 #include "content/common/sandbox_init_mac.h"
 #include "content/public/browser/browser_child_process_observer.h"
 #include "content/public/browser/child_process_data.h"
+#include "content/public/browser/notification_details.h"
+#include "content/public/browser/notification_observer.h"
+#include "content/public/browser/notification_registrar.h"
+#include "content/public/browser/notification_service.h"
+#include "content/public/browser/notification_types.h"
+#include "content/public/browser/render_process_host.h"
 #include "content/public/common/sandbox_type_mac.h"
 #include "sandbox/mac/bootstrap_sandbox.h"
 
 namespace content {
 
 namespace {
 
 // This class is responsible for creating the BootstrapSandbox global
 // singleton, as well as registering all associated policies with it.
-class BootstrapSandboxPolicy : public BrowserChildProcessObserver {
+class BootstrapSandboxPolicy : public BrowserChildProcessObserver,
+                               public NotificationObserver {
  public:
   static BootstrapSandboxPolicy* GetInstance();
 
   sandbox::BootstrapSandbox* sandbox() const {
     return sandbox_.get();
   }
 
   // BrowserChildProcessObserver:
   virtual void BrowserChildProcessHostDisconnected(
       const ChildProcessData& data) OVERRIDE;
   virtual void BrowserChildProcessCrashed(
       const ChildProcessData& data) OVERRIDE;
 
+  // NotificationObserver:
+  virtual void Observe(int type,
+                       const NotificationSource& source,
+                       const NotificationDetails& details) OVERRIDE;
+
  private:
   friend struct DefaultSingletonTraits<BootstrapSandboxPolicy>;
   BootstrapSandboxPolicy();
   virtual ~BootstrapSandboxPolicy();
 
   void RegisterSandboxPolicies();
+  void RegisterRendererPolicy();
+
+  void AddBaselinePolicy(sandbox::BootstrapSandboxPolicy* policy);
+
+  NotificationRegistrar notification_registrar_;
 
   scoped_ptr<sandbox::BootstrapSandbox> sandbox_;
 };
 
 BootstrapSandboxPolicy* BootstrapSandboxPolicy::GetInstance() {
   return Singleton<BootstrapSandboxPolicy>::get();
 }
 
 void BootstrapSandboxPolicy::BrowserChildProcessHostDisconnected(
       const ChildProcessData& data) {
   sandbox()->ChildDied(data.handle);
 }
 
 void BootstrapSandboxPolicy::BrowserChildProcessCrashed(
       const ChildProcessData& data) {
   sandbox()->ChildDied(data.handle);
 }
 
+void BootstrapSandboxPolicy::Observe(int type,
+                                     const NotificationSource& source,
+                                     const NotificationDetails& details) {
+  switch (type) {
+    case NOTIFICATION_RENDERER_PROCESS_CLOSED:
+      sandbox()->ChildDied(
+          Details<RenderProcessHost::RendererClosedDetails>(details)->handle);
+      break;
+    default:
+      NOTREACHED() << "Unexpected notification " << type;
+      break;
+  }
+}
+
 BootstrapSandboxPolicy::BootstrapSandboxPolicy()
     : sandbox_(sandbox::BootstrapSandbox::Create()) {
   CHECK(sandbox_.get());
   BrowserChildProcessObserver::Add(this);
+  notification_registrar_.Add(this, NOTIFICATION_RENDERER_PROCESS_CLOSED,
+      NotificationService::AllBrowserContextsAndSources());
   RegisterSandboxPolicies();
 }
 
 BootstrapSandboxPolicy::~BootstrapSandboxPolicy() {
   BrowserChildProcessObserver::Remove(this);
 }
 
 void BootstrapSandboxPolicy::RegisterSandboxPolicies() {
+  RegisterRendererPolicy();
+}
+
+void BootstrapSandboxPolicy::RegisterRendererPolicy() {
+  sandbox::BootstrapSandboxPolicy policy;
+  AddBaselinePolicy(&policy);
+
+  // Permit font queries.
+  policy.rules["com.apple.FontServer"] = sandbox::Rule(sandbox::POLICY_ALLOW);
+  policy.rules["com.apple.FontObjectsServer"] =
+      sandbox::Rule(sandbox::POLICY_ALLOW);
+
+  // Return a fake port to the windowserver, otherwise CoreGraphics will log
+  // an error. On 10.6, returning an error (the default) is required instead
+  // of a dummy port.
+  if (!base::mac::IsOSSnowLeopard()) {
+    policy.rules["com.apple.windowserver.active"] =
+        sandbox::Rule(sandbox::POLICY_DENY_DUMMY_PORT);
+  }
+
+  sandbox_->RegisterSandboxPolicy(SANDBOX_TYPE_RENDERER, policy);
+}
+
+void BootstrapSandboxPolicy::AddBaselinePolicy(
+    sandbox::BootstrapSandboxPolicy* policy) {
+  auto& rules = policy->rules;
+
+  // Allow connecting to the MachBroker to get the new child's task port.

[Mark Mentovai, 2014/06/20 16:05:57]

Because this function is concerned with setting up the sandbox policy for a
child process, this comment is sort of misleading. It makes it sound like the
child needs to connect to the MachBroker to get its own task port. In reality,
it needs to talk to the MachBroker so that the browser can get the child’s task
port.

[Robert Sesek, 2014/06/20 17:32:19]

Done.

+  rules[MachBroker::GetMachPortName()] = sandbox::Rule(sandbox::POLICY_ALLOW);

[Mark Mentovai, 2014/06/20 16:05:57]

For the future, it might be nice to have something like
sandbox::POLICY_ALLOW_ONCE, which would allow just one lookup, and deny future
ones from the process. This rule would be a good place for that policy.

[Robert Sesek, 2014/06/20 17:32:19]

That's an interesting idea. Would require a separate book keeping table in the
sandbox, though.

+
+  // Allow logging to the syslog.
+  rules["com.apple.system.logger"] = sandbox::Rule(sandbox::POLICY_ALLOW);
 }
 
 }  // namespace
 
 bool ShouldEnableBootstrapSandbox() {
-  return base::mac::IsOSMountainLionOrEarlier() ||
-         base::mac::IsOSMavericks();
+  return base::mac::IsOSMavericksOrEarlier();
 }
 
 sandbox::BootstrapSandbox* GetBootstrapSandbox() {
   return BootstrapSandboxPolicy::GetInstance()->sandbox();
 }
 
 }  // namespace content