Define a bootstrap sandbox policy for renderer processes and enable it.

content/browser/bootstrap_sandbox_mac.cc

Index: content/browser/bootstrap_sandbox_mac.cc
diff --git a/content/browser/bootstrap_sandbox_mac.cc b/content/browser/bootstrap_sandbox_mac.cc
index 347114a4b7d1e32b2a829bdd7354304e673bc1a8..e9c000b55bfe9a761416726985120b82b0e99449 100644
--- a/content/browser/bootstrap_sandbox_mac.cc
+++ b/content/browser/bootstrap_sandbox_mac.cc
@@ -8,9 +8,16 @@
 #include "base/mac/mac_util.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
+#include "content/browser/mach_broker_mac.h"
 #include "content/common/sandbox_init_mac.h"
 #include "content/public/browser/browser_child_process_observer.h"
 #include "content/public/browser/child_process_data.h"
+#include "content/public/browser/notification_details.h"
+#include "content/public/browser/notification_observer.h"
+#include "content/public/browser/notification_registrar.h"
+#include "content/public/browser/notification_service.h"
+#include "content/public/browser/notification_types.h"
+#include "content/public/browser/render_process_host.h"
 #include "content/public/common/sandbox_type_mac.h"
 #include "sandbox/mac/bootstrap_sandbox.h"
 
@@ -20,7 +27,8 @@ namespace {
 
 // This class is responsible for creating the BootstrapSandbox global
 // singleton, as well as registering all associated policies with it.
-class BootstrapSandboxPolicy : public BrowserChildProcessObserver {
+class BootstrapSandboxPolicy : public BrowserChildProcessObserver,
+                               public NotificationObserver {
  public:
   static BootstrapSandboxPolicy* GetInstance();
 
@@ -34,12 +42,22 @@ class BootstrapSandboxPolicy : public BrowserChildProcessObserver {
   virtual void BrowserChildProcessCrashed(
       const ChildProcessData& data) OVERRIDE;
 
+  // NotificationObserver:
+  virtual void Observe(int type,
+                       const NotificationSource& source,
+                       const NotificationDetails& details) OVERRIDE;
+
  private:
   friend struct DefaultSingletonTraits<BootstrapSandboxPolicy>;
   BootstrapSandboxPolicy();
   virtual ~BootstrapSandboxPolicy();
 
   void RegisterSandboxPolicies();
+  void RegisterRendererPolicy();
+
+  void AddBaselinePolicy(sandbox::BootstrapSandboxPolicy* policy);
+
+  NotificationRegistrar notification_registrar_;
 
   scoped_ptr<sandbox::BootstrapSandbox> sandbox_;
 };
@@ -58,10 +76,26 @@ void BootstrapSandboxPolicy::BrowserChildProcessCrashed(
   sandbox()->ChildDied(data.handle);
 }
 
+void BootstrapSandboxPolicy::Observe(int type,
+                                     const NotificationSource& source,
+                                     const NotificationDetails& details) {
+  switch (type) {
+    case NOTIFICATION_RENDERER_PROCESS_CLOSED:
+      sandbox()->ChildDied(
+          Details<RenderProcessHost::RendererClosedDetails>(details)->handle);
+      break;
+    default:
+      NOTREACHED() << "Unexpected notification " << type;
+      break;
+  }
+}
+
 BootstrapSandboxPolicy::BootstrapSandboxPolicy()
     : sandbox_(sandbox::BootstrapSandbox::Create()) {
   CHECK(sandbox_.get());
   BrowserChildProcessObserver::Add(this);
+  notification_registrar_.Add(this, NOTIFICATION_RENDERER_PROCESS_CLOSED,
+      NotificationService::AllBrowserContextsAndSources());
   RegisterSandboxPolicies();
 }
 
@@ -70,13 +104,44 @@ BootstrapSandboxPolicy::~BootstrapSandboxPolicy() {
 }
 
 void BootstrapSandboxPolicy::RegisterSandboxPolicies() {
+  RegisterRendererPolicy();
+}
+
+void BootstrapSandboxPolicy::RegisterRendererPolicy() {
+  sandbox::BootstrapSandboxPolicy policy;
+  AddBaselinePolicy(&policy);
+
+  // Permit font queries.
+  policy.rules["com.apple.FontServer"] = sandbox::Rule(sandbox::POLICY_ALLOW);
+  policy.rules["com.apple.FontObjectsServer"] =
+      sandbox::Rule(sandbox::POLICY_ALLOW);
+
+  // Return a fake port to the windowserver, otherwise CoreGraphics will log
+  // an error. On 10.6, returning an error (the default) is required instead
+  // of a dummy port.
+  if (!base::mac::IsOSSnowLeopard()) {
+    policy.rules["com.apple.windowserver.active"] =
+        sandbox::Rule(sandbox::POLICY_DENY_DUMMY_PORT);
+  }
+
+  sandbox_->RegisterSandboxPolicy(SANDBOX_TYPE_RENDERER, policy);
+}
+
+void BootstrapSandboxPolicy::AddBaselinePolicy(
+    sandbox::BootstrapSandboxPolicy* policy) {
+  auto& rules = policy->rules;
+
+  // Allow connecting to the MachBroker to get the new child's task port.

[Mark Mentovai, 2014/06/20 16:05:57]

Because this function is concerned with setting up the sandbox policy for a
child process, this comment is sort of misleading. It makes it sound like the
child needs to connect to the MachBroker to get its own task port. In reality,
it needs to talk to the MachBroker so that the browser can get the child’s task
port.

[Robert Sesek, 2014/06/20 17:32:19]

Done.

+  rules[MachBroker::GetMachPortName()] = sandbox::Rule(sandbox::POLICY_ALLOW);

[Mark Mentovai, 2014/06/20 16:05:57]

For the future, it might be nice to have something like
sandbox::POLICY_ALLOW_ONCE, which would allow just one lookup, and deny future
ones from the process. This rule would be a good place for that policy.

[Robert Sesek, 2014/06/20 17:32:19]

That's an interesting idea. Would require a separate book keeping table in the
sandbox, though.

+
+  // Allow logging to the syslog.
+  rules["com.apple.system.logger"] = sandbox::Rule(sandbox::POLICY_ALLOW);
 }
 
 }  // namespace
 
 bool ShouldEnableBootstrapSandbox() {
-  return base::mac::IsOSMountainLionOrEarlier() ||
-         base::mac::IsOSMavericks();
+  return base::mac::IsOSMavericksOrEarlier();
 }
 
 sandbox::BootstrapSandbox* GetBootstrapSandbox() {