1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_ | 5 #ifndef SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_ |
6 #define SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_ | 6 #define SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_ |
7 | 7 |
8 #include <mach/mach.h> | 8 #include <mach/mach.h> |
9 | 9 |
10 #include <map> | 10 #include <map> |
11 #include <string> | 11 #include <string> |
12 | 12 |
13 #include "base/mac/scoped_mach_port.h" | 13 #include "base/mac/scoped_mach_port.h" |
14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
15 #include "base/process/process_handle.h" | 15 #include "base/process/process_handle.h" |
16 #include "base/synchronization/lock.h" | 16 #include "base/synchronization/lock.h" |
17 #include "sandbox/mac/policy.h" | 17 #include "sandbox/mac/policy.h" |
18 #include "sandbox/sandbox_export.h" | 18 #include "sandbox/sandbox_export.h" |
19 | 19 |
20 namespace sandbox { | 20 namespace sandbox { |
21 | 21 |
22 class LaunchdInterceptionServer; | 22 class LaunchdInterceptionServer; |
23 | 23 |
24 // The BootstrapSandbox is a second-layer sandbox for Mac. It is used to limit | 24 // The BootstrapSandbox is a second-layer sandbox for Mac. It is used to limit |
25 // the bootstrap namespace attack surface of child processes. The parent | 25 // the bootstrap namespace attack surface of child processes. The parent |
26 // process creates an instance of this class and registers policies that it | 26 // process creates an instance of this class and registers policies that it |
27 // can enforce on its children. | 27 // can enforce on its children. |
28 // | 28 // |
29 // With this sandbox, the bootstrap port of the parent process is replaced, so | 29 // With this sandbox, the bootstrap port of the parent process is replaced, so |
Mark Mentovai
2014/06/19 18:40:12
Revise.
Robert Sesek
2014/06/19 18:50:16
Done.
30 // that child processes is taken over by the sandbox. Bootstrap messages from | 30 // that child processes is taken over by the sandbox. Bootstrap messages from |
31 // the parent are forwarded to launchd. Requests from the child that would | 31 // the parent are forwarded to launchd. Requests from the child that would |
32 // normally go to launchd are filtered based on the specified per-process | 32 // normally go to launchd are filtered based on the specified per-process |
33 // policies. If a request is permitted by the policy, it is forwarded on to | 33 // policies. If a request is permitted by the policy, it is forwarded on to |
34 // launchd for servicing. If it is not, then the sandbox will reply with a | 34 // launchd for servicing. If it is not, then the sandbox will reply with a |
35 // primitive that does not grant additional capabilities to the receiver. | 35 // primitive that does not grant additional capabilities to the receiver. |
36 // | 36 // |
37 // Clients that which to use the sandbox must inform it of the creation and | 37 // Clients that which to use the sandbox must inform it of the creation and |
38 // death of child processes for which the sandbox should be enforced. The | 38 // death of child processes for which the sandbox should be enforced. The |
39 // client of the sandbox is intended to be an unsandboxed parent process that | 39 // client of the sandbox is intended to be an unsandboxed parent process that |
70 void FinishedFork(base::ProcessHandle handle); | 70 void FinishedFork(base::ProcessHandle handle); |
71 | 71 |
72 // Called in the parent when a process has died. It cleans up the references | 72 // Called in the parent when a process has died. It cleans up the references |
73 // to the process. | 73 // to the process. |
74 void ChildDied(base::ProcessHandle handle); | 74 void ChildDied(base::ProcessHandle handle); |
75 | 75 |
76 // Looks up the policy for a given process ID. If no policy is associated | 76 // Looks up the policy for a given process ID. If no policy is associated |
77 // with the |pid|, this returns NULL. | 77 // with the |pid|, this returns NULL. |
78 const BootstrapSandboxPolicy* PolicyForProcess(pid_t pid) const; | 78 const BootstrapSandboxPolicy* PolicyForProcess(pid_t pid) const; |
79 | 79 |
80 std::string server_bootstrap_name() const { return server_bootstrap_name_; } | |
80 mach_port_t real_bootstrap_port() const { return real_bootstrap_port_; } | 81 mach_port_t real_bootstrap_port() const { return real_bootstrap_port_; } |
81 | 82 |
82 private: | 83 private: |
83 BootstrapSandbox(); | 84 BootstrapSandbox(); |
84 | 85 |
85 // A Mach IPC message server that is used to intercept and filter bootstrap | 86 // A Mach IPC message server that is used to intercept and filter bootstrap |
86 // requests. | 87 // requests. |
87 scoped_ptr<LaunchdInterceptionServer> server_; | 88 scoped_ptr<LaunchdInterceptionServer> server_; |
88 | 89 |
90 // The name in the system bootstrap server by which the |server_|'s port | |
91 // is known. | |
92 const std::string server_bootstrap_name_; | |
93 | |
89 // The original bootstrap port of the process, which is connected to the | 94 // The original bootstrap port of the process, which is connected to the |
90 // real launchd server. | 95 // real launchd server. |
91 base::mac::ScopedMachSendRight real_bootstrap_port_; | 96 base::mac::ScopedMachSendRight real_bootstrap_port_; |
92 | 97 |
93 // The |lock_| protects all the following variables. | 98 // The |lock_| protects all the following variables. |
94 mutable base::Lock lock_; | 99 mutable base::Lock lock_; |
95 | 100 |
96 // The sandbox_policy_id that will be enforced for the new child. | 101 // The sandbox_policy_id that will be enforced for the new child. |
97 int effective_policy_id_; | 102 int effective_policy_id_; |
98 | 103 |
99 // All the policies that have been registered with this sandbox manager. | 104 // All the policies that have been registered with this sandbox manager. |
100 std::map<int, const BootstrapSandboxPolicy> policies_; | 105 std::map<int, const BootstrapSandboxPolicy> policies_; |
101 | 106 |
102 // The association between process ID and sandbox policy ID. | 107 // The association between process ID and sandbox policy ID. |
103 std::map<base::ProcessHandle, int> sandboxed_processes_; | 108 std::map<base::ProcessHandle, int> sandboxed_processes_; |
104 }; | 109 }; |
105 | 110 |
106 } // namespace sandbox | 111 } // namespace sandbox |
107 | 112 |
108 #endif // SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_ | 113 #endif // SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_ |
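Review bot: The new `server_bootstrap_name_` / `server_bootstrap_name()` pair (new lines 80 and 90-92) documents that the interception server's receive port is published under a name in the system bootstrap server, but not that this makes the port reachable by any process able to look that name up, not only the sandboxed children this class tracks. Since policy is keyed by pid via `PolicyForProcess(pid_t)`, the header should state what the server does with a sender that has no registered policy and that sender identity must come from the Mach audit trailer rather than from anything in the request; whether the name is unique per instance (e.g. derived from the parent's pid or a random component) is not visible here and should be spelled out too. I would extend the member comment to something like `// The name in the system bootstrap server by which the |server_|'s port is known. Any process that can look up this name can send to |server_|, so the server must authenticate senders from the audit trailer and must not grant anything to a pid with no policy.` The 30 lines elided in the middle of this section are not visible, so the constructor or accessor that sets the name may already cover part of this.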