Chromium Code Reviews| Index: content/browser/bootstrap_sandbox_mac.cc |
| diff --git a/content/browser/bootstrap_sandbox_mac.cc b/content/browser/bootstrap_sandbox_mac.cc |
| index 347114a4b7d1e32b2a829bdd7354304e673bc1a8..ac8a95761b20d22931e7eb989d4a2541643ca8f2 100644 |
| --- a/content/browser/bootstrap_sandbox_mac.cc |
| +++ b/content/browser/bootstrap_sandbox_mac.cc |
| @@ -8,9 +8,16 @@ |
| #include "base/mac/mac_util.h" |
| #include "base/memory/scoped_ptr.h" |
| #include "base/memory/singleton.h" |
| +#include "content/browser/mach_broker_mac.h" |
| #include "content/common/sandbox_init_mac.h" |
| #include "content/public/browser/browser_child_process_observer.h" |
| #include "content/public/browser/child_process_data.h" |
| +#include "content/public/browser/notification_details.h" |
| +#include "content/public/browser/notification_observer.h" |
| +#include "content/public/browser/notification_registrar.h" |
| +#include "content/public/browser/notification_service.h" |
| +#include "content/public/browser/notification_types.h" |
| +#include "content/public/browser/render_process_host.h" |
| #include "content/public/common/sandbox_type_mac.h" |
| #include "sandbox/mac/bootstrap_sandbox.h" |
| @@ -20,7 +27,8 @@ namespace { |
| // This class is responsible for creating the BootstrapSandbox global |
| // singleton, as well as registering all associated policies with it. |
| -class BootstrapSandboxPolicy : public BrowserChildProcessObserver { |
| +class BootstrapSandboxPolicy : public BrowserChildProcessObserver, |
| + public NotificationObserver { |
| public: |
| static BootstrapSandboxPolicy* GetInstance(); |
| @@ -34,12 +42,22 @@ class BootstrapSandboxPolicy : public BrowserChildProcessObserver { |
| virtual void BrowserChildProcessCrashed( |
| const ChildProcessData& data) OVERRIDE; |
| + // NotificationObserver: |
| + virtual void Observe(int type, |
| + const NotificationSource& source, |
| + const NotificationDetails& details) OVERRIDE; |
| + |
| private: |
| friend struct DefaultSingletonTraits<BootstrapSandboxPolicy>; |
| BootstrapSandboxPolicy(); |
| virtual ~BootstrapSandboxPolicy(); |
| void RegisterSandboxPolicies(); |
| + void RegisterRendererPolicy(); |
| + |
| + void AddBaselinePolicy(sandbox::BootstrapSandboxPolicy* policy); |
| + |
| + NotificationRegistrar notification_registrar_; |
| scoped_ptr<sandbox::BootstrapSandbox> sandbox_; |
| }; |
| @@ -58,10 +76,26 @@ void BootstrapSandboxPolicy::BrowserChildProcessCrashed( |
| sandbox()->ChildDied(data.handle); |
| } |
| +void BootstrapSandboxPolicy::Observe(int type, |
| + const NotificationSource& source, |
| + const NotificationDetails& details) { |
| + switch (type) { |
| + case NOTIFICATION_RENDERER_PROCESS_CLOSED: |
| + sandbox()->ChildDied( |
| + Details<RenderProcessHost::RendererClosedDetails>(details)->handle); |
| + break; |
| + default: |
| + NOTREACHED() << "Unexpected notification " << type; |
| + break; |
| + } |
| +} |
| + |
| BootstrapSandboxPolicy::BootstrapSandboxPolicy() |
| : sandbox_(sandbox::BootstrapSandbox::Create()) { |
| CHECK(sandbox_.get()); |
| BrowserChildProcessObserver::Add(this); |
| + notification_registrar_.Add(this, NOTIFICATION_RENDERER_PROCESS_CLOSED, |
| + NotificationService::AllBrowserContextsAndSources()); |
| RegisterSandboxPolicies(); |
| } |
| @@ -70,6 +104,38 @@ BootstrapSandboxPolicy::~BootstrapSandboxPolicy() { |
| } |
| void BootstrapSandboxPolicy::RegisterSandboxPolicies() { |
| + RegisterRendererPolicy(); |
| +} |
| + |
| +void BootstrapSandboxPolicy::RegisterRendererPolicy() { |
| + sandbox::BootstrapSandboxPolicy policy; |
| + AddBaselinePolicy(&policy); |
| + |
| + // Permit font queries. |
| + policy.rules["com.apple.FontServer"] = sandbox::Rule(sandbox::POLICY_ALLOW); |
| + policy.rules["com.apple.FontObjectsServer"] = |
| + sandbox::Rule(sandbox::POLICY_ALLOW); |
| + |
| + // Return a fake port to the windowserver, otherwise CoreGraphics will log |
| + // an error. On 10.6, returning an error (the default) is required instead |
| + // of a dummy port. |
| + if (!base::mac::IsOSSnowLeopard()) { |
| + policy.rules["com.apple.windowserver.active"] = |
| + sandbox::Rule(sandbox::POLICY_DENY_DUMMY_PORT); |
| + } |
| + |
| + sandbox_->RegisterSandboxPolicy(SANDBOX_TYPE_RENDERER, policy); |
| +} |
| + |
| +void BootstrapSandboxPolicy::AddBaselinePolicy( |
|
Avi (use Gerrit)
2014/06/19 23:59:47
This is eventually going to be called by other pol
Robert Sesek
2014/06/20 14:47:20
Yes. Utility and PPAPI types will both have polici
|
| + sandbox::BootstrapSandboxPolicy* policy) { |
| + auto& rules = policy->rules; |
| + |
| + // Allow connecting to the MachBroker to get the new child's task port. |
| + rules[MachBroker::GetMachPortName()] = sandbox::Rule(sandbox::POLICY_ALLOW); |
| + |
| + // Allow logging to the syslog. |
| + rules["com.apple.system.logger"] = sandbox::Rule(sandbox::POLICY_ALLOW); |
| } |
| } // namespace |
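Review bot: AddBaselinePolicy in the last hunk has no header comment stating its contract, even though the review thread says other policy types will call it; a caller needs to know that it only adds rules, that `policy` must be non-null and is modified in place, and that the two rules it adds (the MachBroker port and `com.apple.system.logger`) are the minimum every sandboxed process type is expected to need. Suggested comment at the declaration in the class body: `// Adds the rules every sandboxed process type needs: the MachBroker port (so the child can hand back its task port) and the syslog service. |policy| must be non-null; rules are added in place.` RegisterRendererPolicy would likewise benefit from one sentence saying that a service not listed in |rules| falls back to the sandbox's default, which the windowserver comment implies is an error reply — worth confirming against sandbox::BootstrapSandboxPolicy rather than leaving it implicit. Keeping the allowed-service set documented at the point where it is built makes later additions easier to review for least privilege.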