Alter the design of the bootstrap sandbox to only take over the bootstrap port of children when nec…

sandbox/mac/launchd_interception_server.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/mac/launchd_interception_server.h"
 
 #include <servers/bootstrap.h>
 
 #include "base/logging.h"
 #include "base/mac/mach_logging.h"
 #include "sandbox/mac/bootstrap_sandbox.h"
 
 namespace sandbox {
 
 // The buffer size for all launchd messages. This comes from
 // sizeof(union __RequestUnion__vproc_mig_job_subsystem) in launchd, and it
 // is larger than the __ReplyUnion.
 const mach_msg_size_t kBufferSize = 2096;
 
 LaunchdInterceptionServer::LaunchdInterceptionServer(
     const BootstrapSandbox* sandbox)
     : sandbox_(sandbox),
       sandbox_port_(MACH_PORT_NULL),
       compat_shim_(GetLaunchdCompatibilityShim()) {
 }
 
 LaunchdInterceptionServer::~LaunchdInterceptionServer() {
 }
 
-bool LaunchdInterceptionServer::Initialize() {
+bool LaunchdInterceptionServer::Initialize(mach_port_t server_receive_right) {
   mach_port_t task = mach_task_self();
   kern_return_t kr;
 
   // Allocate the dummy sandbox port.
   mach_port_t port;
   if ((kr = mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE, &port)) !=
           KERN_SUCCESS) {
     MACH_LOG(ERROR, kr) << "Failed to allocate dummy sandbox port.";
     return false;
   }
   sandbox_port_.reset(port);
   if ((kr = mach_port_insert_right(task, sandbox_port_, sandbox_port_,
           MACH_MSG_TYPE_MAKE_SEND) != KERN_SUCCESS)) {
     MACH_LOG(ERROR, kr) << "Failed to allocate dummy sandbox port send right.";
     return false;
   }
   sandbox_send_port_.reset(sandbox_port_);
 
-  message_server_.reset(new MachMessageServer(this, kBufferSize));
+  message_server_.reset(
+      new MachMessageServer(this, server_receive_right, kBufferSize));
   return message_server_->Initialize();
 }
 
 void LaunchdInterceptionServer::DemuxMessage(mach_msg_header_t* request,
                                              mach_msg_header_t* reply) {
   VLOG(3) << "Incoming message #" << request->msgh_id;
 
   pid_t sender_pid = message_server_->GetMessageSenderPID(request);
   const BootstrapSandboxPolicy* policy =
       sandbox_->PolicyForProcess(sender_pid);
   if (policy == NULL) {
     // No sandbox policy is in place for the sender of this message, which
     // means it is from the sandbox host process or an unsandboxed child.

[Mark Mentovai, 2014/06/19 18:40:12]

Revise.

Will we have unsandboxed children coming through our bootstrap server now? If
not, we can tighten things up by making the default policy be deny or something
else.

[Robert Sesek, 2014/06/19 18:50:16]

Done.
I think so. There shouldn't be any unsandboxed senders anymore.

     VLOG(3) << "Message from pid " << sender_pid << " forwarded to launchd";
     ForwardMessage(request);
     return;
   }
 
   if (request->msgh_id == compat_shim_.msg_id_look_up2) {
     // Filter messages sent via bootstrap_look_up to enforce the sandbox policy
     // over the bootstrap namespace.
     HandleLookUp(request, reply, policy);
   } else if (request->msgh_id == compat_shim_.msg_id_swap_integer) {
@@ skipping 70 matching lines @@
   } else {
     VLOG(2) << "Rejecting non-read-only swap_integer message.";
     message_server_->RejectMessage(reply, BOOTSTRAP_NOT_PRIVILEGED);
   }
 }
 void LaunchdInterceptionServer::ForwardMessage(mach_msg_header_t* request) {
   message_server_->ForwardMessage(request, sandbox_->real_bootstrap_port());
 }
 
 }  // namespace sandbox