
macOS V2 Sandbox: Sandbox PPAPI Processes.

This launches PPAPI processes under the new macOS V2 sandbox.

Bug: 689306
Change-Id: I56877dd163d5120f251ad6a791c83383814c641e
Reviewed-on: https://chromium-review.googlesource.com/830976
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Mike Pinkerton <pinkerton@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#525475}
Greg Kerr
2017-12-20 21:49:57 +00:00
committed by Commit Bot
parent df0fefb2ed
commit 159fc4ac77
8 changed files with 73 additions and 38 deletions

@ -22,9 +22,11 @@
#include "mojo/edk/embedder/scoped_platform_handle.h"
#include "sandbox/mac/seatbelt_exec.h"
#include "services/service_manager/sandbox/mac/common_v2.sb.h"
#include "services/service_manager/sandbox/mac/ppapi_v2.sb.h"
#include "services/service_manager/sandbox/mac/renderer_v2.sb.h"
#include "services/service_manager/sandbox/mac/utility.sb.h"
#include "services/service_manager/sandbox/sandbox.h"
#include "services/service_manager/sandbox/sandbox_type.h"
namespace content {
namespace internal {
@ -63,8 +65,9 @@ void ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
bool no_sandbox = command_line_->HasSwitch(switches::kNoSandbox) ||
service_manager::IsUnsandboxedSandboxType(sandbox_type);
bool v2_process = GetProcessType() == switches::kRendererProcess ||
GetProcessType() == switches::kUtilityProcess;
bool v2_process = sandbox_type == service_manager::SANDBOX_TYPE_PPAPI ||
sandbox_type == service_manager::SANDBOX_TYPE_RENDERER ||
sandbox_type == service_manager::SANDBOX_TYPE_UTILITY;
bool use_v2 =
v2_process && base::FeatureList::IsEnabled(features::kMacV2Sandbox);
@ -74,9 +77,11 @@ void ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
std::string profile =
std::string(service_manager::kSeatbeltPolicyString_common_v2);
if (GetProcessType() == switches::kRendererProcess) {
if (sandbox_type == service_manager::SANDBOX_TYPE_PPAPI) {
profile += service_manager::kSeatbeltPolicyString_ppapi_v2;
} else if (sandbox_type == service_manager::SANDBOX_TYPE_RENDERER) {
profile += service_manager::kSeatbeltPolicyString_renderer_v2;
} else if (GetProcessType() == switches::kUtilityProcess) {
} else if (sandbox_type == service_manager::SANDBOX_TYPE_UTILITY) {
profile += service_manager::kSeatbeltPolicyString_utility;
}
@ -87,9 +92,10 @@ void ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
seatbelt_exec_client_ = std::make_unique<sandbox::SeatbeltExecClient>();
seatbelt_exec_client_->SetProfile(profile);
if (GetProcessType() == switches::kRendererProcess) {
SetupRendererSandboxParameters(seatbelt_exec_client_.get());
} else {
if (sandbox_type == service_manager::SANDBOX_TYPE_RENDERER ||
sandbox_type == service_manager::SANDBOX_TYPE_PPAPI) {
SetupCommonSandboxParameters(seatbelt_exec_client_.get());
} else if (sandbox_type == service_manager::SANDBOX_TYPE_UTILITY) {
SetupUtilitySandboxParameters(seatbelt_exec_client_.get(),
*command_line_.get());
}
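Review bot: The new sandbox_type dispatch in the third hunk (the chain after `seatbelt_exec_client_->SetProfile(profile);`) has no terminal `else`, so a sandbox type added to the `v2_process` list in the first hunk but forgotten here would be launched with a profile whose parameters were never set, and the two per-type lists would drift apart silently; the profile-selection chain in the second hunk has the same gap. Closing both chains with `} else { NOTREACHED(); }` keeps the three per-type lists in this function in lock-step, and a short comment above `v2_process` — `// Keep in sync with the profile and parameter dispatch below.` — makes the coupling explicit for the next person adding a type. BeforeLaunchOnLauncherThread continues outside these hunks on both sides.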

@ -18,7 +18,7 @@ namespace content {
// All of the below functions populate the |client| with the parameters that the
// sandbox needs to resolve information that cannot be known at build time, such
// as the user's home directory.
void SetupRendererSandboxParameters(sandbox::SeatbeltExecClient* client);
void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client);
void SetupUtilitySandboxParameters(sandbox::SeatbeltExecClient* client,
const base::CommandLine& command_line);
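Review bot: `SetupCommonSandboxParameters` becomes part of the public header here, but the shared comment above the three declarations does not say how they relate: the .mm hunk in this commit shows `SetupUtilitySandboxParameters` calling the common function first, and the launcher hunk calls the common function directly for renderer and PPAPI. A one-line comment on the new declaration, `// Parameters shared by every V2 profile; used directly for renderer and PPAPI, and called first by SetupUtilitySandboxParameters.`, would save readers from chasing the call sites.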

@ -39,6 +39,8 @@ std::string GetOSVersion() {
return std::to_string(final_os_version);
}
} // namespace
void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client) {
const base::CommandLine* command_line =
base::CommandLine::ForCurrentProcess();
@ -89,12 +91,6 @@ void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client) {
service_manager::SandboxMac::kSandboxHomedirAsLiteral, homedir));
}
} // namespace
void SetupRendererSandboxParameters(sandbox::SeatbeltExecClient* client) {
SetupCommonSandboxParameters(client);
}
void SetupUtilitySandboxParameters(sandbox::SeatbeltExecClient* client,
const base::CommandLine& command_line) {
SetupCommonSandboxParameters(client);
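Review bot: The now-exported `SetupCommonSandboxParameters` reads `base::CommandLine::ForCurrentProcess()` — the browser's own command line, since the launcher is the caller — while its sibling `SetupUtilitySandboxParameters` receives the child's `command_line` as a parameter, so two different conventions now sit side by side in one public API. The body of the common function is cut off below the hunk, so I cannot tell which switches it consults; if any of the common parameters are meant to reflect the child's switches, they are read from the wrong command line. Either thread `command_line` through (`void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client, const base::CommandLine& command_line);`) to match the utility signature, or add a comment on the definition stating that it deliberately reads the browser's command line. Both functions continue outside the hunk.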

@ -456,10 +456,14 @@ void PpapiThread::OnLoadPlugin(const base::FilePath& path,
}
} else {
#if defined(OS_MACOSX)
// We need to do this after getting |PPP_GetInterface()| (or presumably
// doing something nontrivial with the library), else the sandbox
// intercedes.
CHECK(InitializeSandbox());
// TODO(kerrnel): Delete this once the V2 sandbox is default.
const base::CommandLine* cmdline = base::CommandLine::ForCurrentProcess();
if (!cmdline->HasSwitch(switches::kEnableV2Sandbox)) {
// We need to do this after getting |PPP_GetInterface()| (or presumably
// doing something nontrivial with the library), else the sandbox
// intercedes.
CHECK(InitializeSandbox());
}
#endif
#if BUILDFLAG(ENABLE_CDM_HOST_VERIFICATION)
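Review bot: When `switches::kEnableV2Sandbox` is present the `CHECK(InitializeSandbox())` is skipped and nothing in this process verifies that the launch-time seatbelt profile was actually applied, so a mismatch between the switch and the launcher's `use_v2` decision would leave the plugin process running unsandboxed without failing loudly. Consider an `else` branch that asserts the process is already sandboxed (using whatever is-sandboxed query the seatbelt wrapper offers), and extend the TODO to say that the V2 path relies on the browser having applied the profile before exec. The comment about ordering relative to `PPP_GetInterface()` now describes only the V1 branch; a line such as `// Under the V2 sandbox the profile is presumably already in force at exec time, so the ordering concern below does not apply.` would make that explicit. OnLoadPlugin continues outside the hunk on both sides.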

@ -11,6 +11,7 @@ action_foreach("package_sb_files") {
"gpu.sb",
"nacl_loader.sb",
"ppapi.sb",
"ppapi_v2.sb",
"renderer.sb",
"renderer_v2.sb",
"utility.sb",

@ -43,6 +43,25 @@
(define (user-homedir-path subpath)
(string-append (param homedir-as-literal) subpath))
; A function that specific profiles (i.e. renderer) can call to allow
; font rendering.
(define (allow-font-access)
(begin
(allow file-read-data
(subpath "/Library/Fonts")
(subpath "/System/Library/Fonts")
(subpath (user-homedir-path "/Library/Fonts")))
(allow mach-lookup
(global-name "com.apple.fonts")
; crbug.com/756145, crbug.com/786615
(global-name "com.apple.FontObjectsServer"))
(if (< os-version 1012)
(allow mach-lookup (global-name "com.apple.FontServer")))
; To allow accessing downloaded and other hidden fonts in
; /System/Library/Asssets/com_apple_MobileAsset_Font*.
; (https://crbug.com/662686)
(allow file-read* (extension "com.apple.app-sandbox.read"))))
; Allow logging for all processes.
(allow file-write*
(require-all
@ -99,7 +118,11 @@
; Reads from /Library.
(allow file-read-data
(path "/Library/Preferences/.GlobalPreferences.plist")
(path "/Library/Preferences/.GlobalPreferences.plist"))
; Reads from /System.
(allow file-read-data
(path "/System/Library/CoreServices/checkfixlist")
(path "/System/Library/CoreServices/SystemVersion.plist"))
; Reads from /usr.
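Review bot: The rationale for the `(< os-version 1012)` FontServer fallback was lost when the rule moved here from renderer_v2.sb — the removed comment explaining that 10.9 through 10.11 still use `com.apple.FontServer` while later releases use `com.apple.fonts` no longer appears anywhere; re-add it above the `if` in `allow-font-access`: `; macOS dropped FontServer in favor of the XPC-based com.apple.fonts, but 10.9 through 10.11 still use FontServer.`. The function's header comment says `(i.e. renderer)` although ppapi_v2.sb in this commit also calls it, so `(e.g. renderer, ppapi)` is the accurate wording, and that comment should also say the function grants the two font mach services and the extension-based `file-read*`, which reaches beyond the font directories. The `Asssets` typo in the copied comment could be fixed in passing.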

@ -0,0 +1,21 @@
; Copyright 2017 The Chromium Authors. All rights reserved.
; Use of this source code is governed by a BSD-style license that can be
; found in the LICENSE file.
; --- The contents of common.sb implicitly included here. ---
; Needed for Fonts.
(allow-font-access)
; IOKit
(allow iokit-open
(iokit-registry-entry-class "IOSurfaceRootUserClient"))
; Reads from home dir.
(allow file-read-data
(path (user-homedir-path "/Library/Preferences/com.apple.universalaccess.plist")))
; Reads from /System.
(allow file-read-data
(subpath "/System/Library/CoreServices/SystemAppearance.bundle")
(path "/System/Library/Colors/System.clr/System.clr"))
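Review bot: The new profile has no comment saying which process it covers or how it is assembled, even though the launcher hunk in this commit appends it to the common_v2 policy; a header line such as `; Sandbox profile for PPAPI processes. Appended to common_v2.sb by the browser before exec.` would document that. Each `allow` here should also carry a one-line reason or bug reference, as the renderer profile does for its mach-lookup entries, so a later audit can tell whether the IOSurface client, the universalaccess plist and the SystemAppearance/System.clr reads are still required by plugins; without that, grants tend to accumulate unreviewed.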

@ -11,8 +11,7 @@
; Reads from the home directory.
(allow file-read-data
(path (user-homedir-path "/.CFUserTextEncoding"))
(path (user-homedir-path "/Library/Preferences/com.apple.universalaccess.plist"))
(subpath (user-homedir-path "/Library/Fonts")))
(path (user-homedir-path "/Library/Preferences/com.apple.universalaccess.plist")))
; Reads of /dev devices.
(allow file-read-data
@ -24,19 +23,17 @@
(path "/dev/null")
(vnode-type CHARACTER-DEVICE)))
; Reads from /Library.
(allow file-read-data (subpath "/Library/Fonts"))
; Needed for Fonts.
(allow-font-access)
; Reads from /System.
(allow file-read-data
(path "/System/Library/CoreServices/checkfixlist")
(path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist")
(path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist")
(path "/System/Library/Preferences/Logging/Subsystems/com.apple.SkyLight.plist")
(subpath "/System/Library/ColorSync/Profiles")
(subpath "/System/Library/CoreServices/SystemAppearance.bundle")
(subpath "/System/Library/CoreServices/SystemVersion.bundle")
(subpath "/System/Library/Fonts")
(subpath "/System/Library/LinguisticData"))
; IOKit
@ -55,20 +52,7 @@
(allow mach-lookup
; crbug.com/792257
(global-name "com.apple.distributed_notifications@Uv3")
(global-name "com.apple.fonts")
; crbug.com/756145, crbug.com/786615
(global-name "com.apple.FontObjectsServer")
(global-name "com.apple.lsd.mapdb")
; crbug.com/792217
(global-name "com.apple.system.notification_center")
(global-name "com.apple.windowserver.active"))
; MacOS dropped FontServer to replace it with the (XPC based) com.apple.fonts,
; but 10.9 through 10.11 use FontServer.
(if (< os-version 1012)
(allow mach-lookup (global-name "com.apple.FontServer")))
; To allow accessing downloaded and other hidden fonts in
; /System/Library/Asssets/com_apple_MobileAsset_Font*.
; (https://crbug.com/662686)
(allow file-read* (extension "com.apple.app-sandbox.read"))