chromium/src
0
Fork 0
Code Activity

Refactor sandbox_policy.cc so that it doesn't contain the sandbox policies for all processes. Instead have whoever creates a sandboxed process set this data. This allows us to clean a few NaCl related changes in content:

Browse Source 
-remove NaCl sandbox rules from content
-remove the hack for ifdef'ing out the GPU policy since it didn't link for nacl64.exe
-remove the 1GB memory reservation for the NaCl loader process out of content

Other cleanup:
-renamed sandbox_policy.* to sandbox_win.* to match the other platform-specific sandbox files
-moved BrokerGetFileHandleForProcess to internal content files since it's not called from outside
-remove AddGpuDllEvictionPolicy since it was redundant (the one dll it removed was already listed in the generic list)

There's still more cleanup to be done in the sandbox code (i.e. remove chrome frame switch, nacl process type switch etc). I will do that in future changes.

BUG=191682
Review URL: https://codereview.chromium.org/12805004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@189175 0039d316-1c4b-4281-b951-d872f2087c98
This commit is contained in:
jam@chromium.org
2013-03-20 00:30:18 +00:00
parent 13ee68abf3
commit 34f4868ad6
36 changed files with 556 additions and 339 deletions

28
chrome/browser/chrome_content_browser_client.cc

@ -125,6 +125,7 @@
#if defined(OS_WIN)
#include "chrome/browser/chrome_browser_main_win.h"
#include "sandbox/win/src/sandbox_policy.h"
#elif defined(OS_MACOSX)
#include "chrome/browser/chrome_browser_main_mac.h"
#include "chrome/browser/spellchecker/spellcheck_message_filter_mac.h"
@ -2093,6 +2094,33 @@ void ChromeContentBrowserClient::GetAdditionalMappedFilesForChildProcess(
const wchar_t* ChromeContentBrowserClient::GetResourceDllName() {
return chrome::kBrowserResourcesDll;
}
void ChromeContentBrowserClient::PreSpawnRenderer(
sandbox::TargetPolicy* policy,
bool* success) {
// This code is duplicated in nacl_exe_win_64.cc.
// Allow the server side of a pipe restricted to the "chrome.nacl."
// namespace so that it cannot impersonate other system or other chrome
// service pipes.
sandbox::ResultCode result = policy->AddRule(
sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\chrome.nacl.*");
if (result != sandbox::SBOX_ALL_OK) {
*success = false;
return;
}
// Renderers need to send named pipe handles and shared memory
// segment handles to NaCl loader processes.
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_ANY,
L"File");
if (result != sandbox::SBOX_ALL_OK) {
*success = false;
return;
}
}
#endif
#if defined(USE_NSS)

2
chrome/browser/chrome_content_browser_client.h

@ -227,6 +227,8 @@ class ChromeContentBrowserClient : public content::ContentBrowserClient {
#endif
#if defined(OS_WIN)
virtual const wchar_t* GetResourceDllName() OVERRIDE;
virtual void PreSpawnRenderer(sandbox::TargetPolicy* policy,
bool* success) OVERRIDE;
#endif
#if defined(USE_NSS)
virtual

2
chrome/browser/nacl_host/nacl_broker_host_win.cc

@ -47,7 +47,7 @@ bool NaClBrokerHost::Init() {
if (logging::DialogsAreSuppressed())
cmd_line->AppendSwitch(switches::kNoErrorDialogs);
process_->Launch(base::FilePath(), cmd_line);
process_->Launch(NULL, cmd_line);
return true;
}

35
chrome/browser/nacl_host/nacl_process_host.cc

@ -61,6 +61,7 @@
#include "chrome/browser/nacl_host/nacl_broker_service_win.h"
#include "chrome/common/nacl_debug_exception_handler_win.h"
#include "content/public/common/sandbox_init.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#endif
using content::BrowserThread;
@ -75,7 +76,36 @@ bool RunningOnWOW64() {
return (base::win::OSInfo::GetInstance()->wow64_status() ==
base::win::OSInfo::WOW64_ENABLED);
}
#endif
// NOTE: changes to this class need to be reviewed by the security team.
class NaClSandboxedProcessLauncherDelegate
: public content::SandboxedProcessLauncherDelegate {
public:
NaClSandboxedProcessLauncherDelegate() {}
virtual ~NaClSandboxedProcessLauncherDelegate() {}
virtual void PostSpawnTarget(base::ProcessHandle process) {
#if !defined(NACL_WIN64)
// For Native Client sel_ldr processes on 32-bit Windows, reserve 1 GB of
// address space to prevent later failure due to address space fragmentation
// from .dll loading. The NaCl process will attempt to locate this space by
// scanning the address space using VirtualQuery.
// TODO(bbudge) Handle the --no-sandbox case.
// http://code.google.com/p/nativeclient/issues/detail?id=2131
const SIZE_T kOneGigabyte = 1 << 30;
void* nacl_mem = VirtualAllocEx(process,
NULL,
kOneGigabyte,
MEM_RESERVE,
PAGE_NOACCESS);
if (!nacl_mem) {
DLOG(WARNING) << "Failed to reserve address space for Native Client";
}
#endif // !defined(NACL_WIN64)
}
};
#endif // OS_WIN
void SetCloseOnExec(NaClHandle fd) {
#if defined(OS_POSIX)
@ -572,7 +602,8 @@ bool NaClProcessHost::LaunchSelLdr() {
return false;
}
} else {
process_->Launch(base::FilePath(), cmd_line.release());
process_->Launch(new NaClSandboxedProcessLauncherDelegate,
cmd_line.release());
}
#elif defined(OS_POSIX)
process_->Launch(nacl_loader_prefix.empty(), // use_zygote

2
chrome/chrome_exe.gypi

@ -556,7 +556,7 @@
'../content/app/startup_helper_win.cc',
'../content/common/debug_flags.cc', # Needed for sandbox_policy.cc
'../content/common/sandbox_init_win.cc',
'../content/common/sandbox_policy.cc',
'../content/common/sandbox_win.cc',
'../content/public/common/content_switches.cc',
'<(SHARED_INTERMEDIATE_DIR)/chrome_version/nacl64_exe_version.rc',
],

19
chrome/nacl/nacl_broker_listener.cc

@ -18,6 +18,7 @@
#include "content/public/common/sandbox_init.h"
#include "ipc/ipc_channel.h"
#include "ipc/ipc_switches.h"
#include "sandbox/win/src/sandbox_policy.h"
namespace {
@ -45,6 +46,21 @@ void NaClBrokerListener::Listen() {
MessageLoop::current()->Run();
}
// NOTE: changes to this method need to be reviewed by the security team.
void NaClBrokerListener::PreSpawnTarget(sandbox::TargetPolicy* policy,
bool* success) {
// This code is duplicated in chrome_content_browser_client.cc.
// Allow the server side of a pipe restricted to the "chrome.nacl."
// namespace so that it cannot impersonate other system or other chrome
// service pipes.
sandbox::ResultCode result = policy->AddRule(
sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\chrome.nacl.*");
*success = (result == sandbox::SBOX_ALL_OK);
}
void NaClBrokerListener::OnChannelConnected(int32 peer_pid) {
bool res = base::OpenProcessHandle(peer_pid, &browser_handle_);
CHECK(res);
@ -87,8 +103,7 @@ void NaClBrokerListener::OnLaunchLoaderThroughBroker(
cmd_line->AppendSwitchASCII(switches::kProcessChannelID,
loader_channel_id);
loader_process =
content::StartProcessWithAccess(cmd_line, base::FilePath());
loader_process = content::StartSandboxedProcess(this, cmd_line);
if (loader_process) {
DuplicateHandle(::GetCurrentProcess(), loader_process,
browser_handle_, &loader_handle_in_browser,

8
chrome/nacl/nacl_broker_listener.h

@ -8,6 +8,7 @@
#include "base/memory/scoped_ptr.h"
#include "base/process.h"
#include "chrome/common/nacl_types.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#include "ipc/ipc_listener.h"
namespace IPC {
@ -16,13 +17,18 @@ class Channel;
// The BrokerThread class represents the thread that handles the messages from
// the browser process and starts NaCl loader processes.
class NaClBrokerListener : public IPC::Listener {
class NaClBrokerListener : public content::SandboxedProcessLauncherDelegate,
public IPC::Listener {
public:
NaClBrokerListener();
~NaClBrokerListener();
void Listen();
// content::SandboxedProcessLauncherDelegate implementation:
virtual void PreSpawnTarget(sandbox::TargetPolicy* policy,
bool* success) OVERRIDE;
// IPC::Listener implementation.
virtual void OnChannelConnected(int32 peer_pid) OVERRIDE;
virtual bool OnMessageReceived(const IPC::Message& msg) OVERRIDE;

28
chrome/service/service_utility_process_host.cc

@ -27,8 +27,31 @@
#include "base/files/file_path.h"
#include "base/memory/scoped_ptr.h"
#include "base/win/scoped_handle.h"
#include "content/public/common/sandbox_init.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#include "printing/emf_win.h"
#endif
namespace {
// NOTE: changes to this class need to be reviewed by the security team.
class ServiceSandboxedProcessLauncherDelegate
: public content::SandboxedProcessLauncherDelegate {
public:
explicit ServiceSandboxedProcessLauncherDelegate(
const base::FilePath& exposed_dir)
: exposed_dir_(exposed_dir) {
}
virtual void PreSandbox(bool* disable_default_policy,
base::FilePath* exposed_dir) OVERRIDE {
*exposed_dir = exposed_dir_;
}
private:
base::FilePath exposed_dir_;
};
}
#endif // OS_WIN
using content::ChildProcessHost;
@ -138,7 +161,8 @@ bool ServiceUtilityProcessHost::Launch(CommandLine* cmd_line,
cmd_line->AppendSwitch(switches::kNoSandbox);
base::LaunchProcess(*cmd_line, base::LaunchOptions(), &handle_);
} else {
handle_ = content::StartProcessWithAccess(cmd_line, exposed_dir);
ServiceSandboxedProcessLauncherDelegate delegate(exposed_dir);
handle_ = content::StartSandboxedProcess(&delegate, cmd_line);
}
return (handle_ != base::kNullProcessHandle);
#endif // !defined(OS_WIN)

3
chrome_frame/test/net/fake_external_tab.cc

@ -967,8 +967,7 @@ int main(int argc, char** argv) {
watchdog.AddObserver(&credentials, "Windows Security", "");
sandbox::SandboxInterfaceInfo sandbox_info = {0};
// This would normally be done, but is probably not needed for these tests.
// content::InitializeSandboxInfo(&sandbox_info);
content::InitializeSandboxInfo(&sandbox_info);
FakeMainDelegate delegate;
content::ContentMain(
reinterpret_cast<HINSTANCE>(GetModuleHandle(NULL)),

10
content/browser/browser_child_process_host_impl.cc

@ -130,7 +130,7 @@ void BrowserChildProcessHostImpl::TerminateAll() {
void BrowserChildProcessHostImpl::Launch(
#if defined(OS_WIN)
const base::FilePath& exposed_dir,
SandboxedProcessLauncherDelegate* delegate,
#elif defined(OS_POSIX)
bool use_zygote,
const base::EnvironmentVector& environ,
@ -143,22 +143,22 @@ void BrowserChildProcessHostImpl::Launch(
const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess();
static const char* kForwardSwitches[] = {
#if defined(OS_POSIX)
switches::kChildCleanExit,
#endif
switches::kDisableLogging,
switches::kEnableDCHECK,
switches::kEnableLogging,
switches::kLoggingLevel,
switches::kV,
switches::kVModule,
#if defined(OS_POSIX)
switches::kChildCleanExit,
#endif
};
cmd_line->CopySwitchesFrom(browser_command_line, kForwardSwitches,
arraysize(kForwardSwitches));
child_process_.reset(new ChildProcessLauncher(
#if defined(OS_WIN)
exposed_dir,
delegate,
#elif defined(OS_POSIX)
use_zygote,
environ,

2
content/browser/browser_child_process_host_impl.h

@ -42,7 +42,7 @@ class CONTENT_EXPORT BrowserChildProcessHostImpl
virtual bool Send(IPC::Message* message) OVERRIDE;
virtual void Launch(
#if defined(OS_WIN)
const base::FilePath& exposed_dir,
SandboxedProcessLauncherDelegate* delegate,
#elif defined(OS_POSIX)
bool use_zygote,
const base::EnvironmentVector& environ,

2
content/browser/browser_main_loop.cc

@ -68,7 +68,7 @@
#include <shellapi.h>
#include "content/browser/system_message_window_win.h"
#include "content/common/sandbox_policy.h"
#include "content/common/sandbox_win.h"
#include "net/base/winsock_init.h"
#include "ui/base/l10n/l10n_util_win.h"
#endif

16
content/browser/child_process_launcher.cc

@ -23,8 +23,9 @@
#if defined(OS_WIN)
#include "base/files/file_path.h"
#include "content/common/sandbox_policy.h"
#include "content/common/sandbox_win.h"
#include "content/public/common/sandbox_init.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#elif defined(OS_MACOSX)
#include "content/browser/mach_broker_mac.h"
#elif defined(OS_ANDROID)
@ -68,7 +69,7 @@ class ChildProcessLauncher::Context
void Launch(
#if defined(OS_WIN)
const base::FilePath& exposed_dir,
SandboxedProcessLauncherDelegate* delegate,
#elif defined(OS_ANDROID)
int ipcfd,
#elif defined(OS_POSIX)
@ -97,7 +98,7 @@ class ChildProcessLauncher::Context
client_thread_id_,
child_process_id,
#if defined(OS_WIN)
exposed_dir,
delegate,
#elif defined(OS_ANDROID)
ipcfd,
#elif defined(OS_POSIX)
@ -180,7 +181,7 @@ class ChildProcessLauncher::Context
BrowserThread::ID client_thread_id,
int child_process_id,
#if defined(OS_WIN)
const base::FilePath& exposed_dir,
SandboxedProcessLauncherDelegate* delegate,
#elif defined(OS_ANDROID)
int ipcfd,
#elif defined(OS_POSIX)
@ -193,7 +194,8 @@ class ChildProcessLauncher::Context
base::TimeTicks begin_launch_time = base::TimeTicks::Now();
#if defined(OS_WIN)
base::ProcessHandle handle = StartProcessWithAccess(cmd_line, exposed_dir);
scoped_ptr<SandboxedProcessLauncherDelegate> delegate_deleter(delegate);
base::ProcessHandle handle = StartSandboxedProcess(delegate, cmd_line);
#elif defined(OS_ANDROID)
// Android WebView runs in single process, ensure that we never get here
// when running in single process mode.
@ -409,7 +411,7 @@ class ChildProcessLauncher::Context
ChildProcessLauncher::ChildProcessLauncher(
#if defined(OS_WIN)
const base::FilePath& exposed_dir,
SandboxedProcessLauncherDelegate* delegate,
#elif defined(OS_POSIX)
bool use_zygote,
const base::EnvironmentVector& environ,
@ -421,7 +423,7 @@ ChildProcessLauncher::ChildProcessLauncher(
context_ = new Context();
context_->Launch(
#if defined(OS_WIN)
exposed_dir,
delegate,
#elif defined(OS_ANDROID)
ipcfd,
#elif defined(OS_POSIX)

3
content/browser/child_process_launcher.h

@ -13,6 +13,7 @@
class CommandLine;
namespace content {
class SandboxedProcessLauncherDelegate;
// Launches a process asynchronously and notifies the client of the process
// handle when it's available. It's used to avoid blocking the calling thread
@ -36,7 +37,7 @@ class CONTENT_EXPORT ChildProcessLauncher {
// Takes ownership of cmd_line.
ChildProcessLauncher(
#if defined(OS_WIN)
const base::FilePath& exposed_dir,
SandboxedProcessLauncherDelegate* delegate,
#elif defined(OS_POSIX)
bool use_zygote,
const base::EnvironmentVector& environ,

123
content/browser/gpu/gpu_process_host.cc

@ -10,6 +10,7 @@
#include "base/bind_helpers.h"
#include "base/command_line.h"
#include "base/debug/trace_event.h"
#include "base/logging.h"
#include "base/memory/ref_counted.h"
#include "base/metrics/histogram.h"
#include "base/process_util.h"
@ -46,6 +47,10 @@
#endif
#if defined(OS_WIN)
#include "base/win/windows_version.h"
#include "content/common/sandbox_win.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#include "sandbox/win/src/sandbox_policy.h"
#include "ui/surface/accelerated_surface_win.h"
#endif
@ -163,6 +168,114 @@ void AcceleratedSurfaceBuffersSwappedCompleted(int host_id,
AcceleratedSurfaceBuffersSwappedCompletedForRenderer(surface_id, timebase,
interval);
}
// NOTE: changes to this class need to be reviewed by the security team.
class GpuSandboxedProcessLauncherDelegate
: public SandboxedProcessLauncherDelegate {
public:
explicit GpuSandboxedProcessLauncherDelegate(CommandLine* cmd_line)
: cmd_line_(cmd_line) {}
virtual ~GpuSandboxedProcessLauncherDelegate() {}
virtual void PreSandbox(bool* disable_default_policy,
base::FilePath* exposed_dir) OVERRIDE {
*disable_default_policy = true;
}
// For the GPU process we gotten as far as USER_LIMITED. The next level
// which is USER_RESTRICTED breaks both the DirectX backend and the OpenGL
// backend. Note that the GPU process is connected to the interactive
// desktop.
virtual void PreSpawnTarget(sandbox::TargetPolicy* policy,
bool* success) {
if (base::win::GetVersion() > base::win::VERSION_XP) {
if (cmd_line_->GetSwitchValueASCII(switches::kUseGL) ==
gfx::kGLImplementationDesktopName) {
// Open GL path.
policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_LIMITED);
SetJobLevel(*cmd_line_, sandbox::JOB_UNPROTECTED, 0, policy);
policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
} else {
if (cmd_line_->GetSwitchValueASCII(switches::kUseGL) ==
gfx::kGLImplementationSwiftShaderName ||
cmd_line_->HasSwitch(switches::kReduceGpuSandbox) ||
cmd_line_->HasSwitch(switches::kDisableImageTransportSurface)) {
// Swiftshader path.
policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_LIMITED);
} else {
// Angle + DirectX path.
policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_RESTRICTED);
// This is a trick to keep the GPU out of low-integrity processes. It
// starts at low-integrity for UIPI to work, then drops below
// low-integrity after warm-up.
policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
}
// UI restrictions break when we access Windows from outside our job.
// However, we don't want a proxy window in this process because it can
// introduce deadlocks where the renderer blocks on the gpu, which in
// turn blocks on the browser UI thread. So, instead we forgo a window
// message pump entirely and just add job restrictions to prevent child
// processes.
SetJobLevel(*cmd_line_,
sandbox::JOB_LIMITED_USER,
JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS |
JOB_OBJECT_UILIMIT_DESKTOP |
JOB_OBJECT_UILIMIT_EXITWINDOWS |
JOB_OBJECT_UILIMIT_DISPLAYSETTINGS,
policy);
policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
}
} else {
SetJobLevel(*cmd_line_, sandbox::JOB_UNPROTECTED, 0, policy);
policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
sandbox::USER_LIMITED);
}
// Allow the server side of GPU sockets, which are pipes that have
// the "chrome.gpu" namespace and an arbitrary suffix.
sandbox::ResultCode result = policy->AddRule(
sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\chrome.gpu.*");
if (result != sandbox::SBOX_ALL_OK) {
*success = false;
return;
}
#ifdef USE_AURA
// GPU also needs to add sections to the browser for aura
// TODO(jschuh): refactor the GPU channel to remove this. crbug.com/128786
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_BROKER,
L"Section");
if (result != sandbox::SBOX_ALL_OK) {
*success = false;
return;
}
#endif
if (cmd_line_->HasSwitch(switches::kEnableLogging)) {
string16 log_file_path = logging::GetLogFileFullPath();
if (!log_file_path.empty()) {
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
log_file_path.c_str());
if (result != sandbox::SBOX_ALL_OK) {
*success = false;
return;
}
}
}
}
private:
CommandLine* cmd_line_;
};
#endif // defined(OS_WIN)
} // anonymous namespace
@ -1061,6 +1174,7 @@ bool GpuProcessHost::LaunchGpuProcess(const std::string& channel_id) {
switches::kReduceGpuSandbox,
switches::kTestGLLib,
switches::kTraceStartup,
switches::kUseExynosVda,
switches::kV,
switches::kVModule,
#if defined(OS_MACOSX)
@ -1069,7 +1183,6 @@ bool GpuProcessHost::LaunchGpuProcess(const std::string& channel_id) {
#if defined(USE_AURA)
switches::kUIPrioritizeInGpuProcess,
#endif
switches::kUseExynosVda,
};
cmd_line->CopySwitchesFrom(browser_command_line, kSwitchNames,
arraysize(kSwitchNames));
@ -1091,19 +1204,13 @@ bool GpuProcessHost::LaunchGpuProcess(const std::string& channel_id) {
UMA_HISTOGRAM_BOOLEAN("GPU.GPUProcessSoftwareRendering", software_rendering_);
#if defined(OS_WIN)
// Make GoogleDesktopNetwork3.dll think that the GPU process is a renderer
// process so the DLL unloads itself. http://crbug/129884
cmd_line->AppendSwitchASCII("ignored", " --type=renderer ");
#endif
// If specified, prepend a launcher program to the command line.
if (!gpu_launcher.empty())
cmd_line->PrependWrapper(gpu_launcher);
process_->Launch(
#if defined(OS_WIN)
base::FilePath(),
new GpuSandboxedProcessLauncherDelegate(cmd_line),
#elif defined(OS_POSIX)
false,
base::EnvironmentVector(),

2
content/browser/plugin_process_host.cc

@ -237,7 +237,7 @@ bool PluginProcessHost::Init(const webkit::WebPluginInfo& info) {
process_->Launch(
#if defined(OS_WIN)
base::FilePath(),
NULL,
#elif defined(OS_POSIX)
false,
env,

29
content/browser/ppapi_plugin_process_host.cc

@ -26,8 +26,35 @@
#include "ui/base/ui_base_switches.h"
#include "webkit/plugins/plugin_switches.h"
#if defined(OS_WIN)
#include "content/common/sandbox_win.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#include "sandbox/win/src/sandbox_policy.h"
#endif
namespace content {
#if defined(OS_WIN)
// NOTE: changes to this class need to be reviewed by the security team.
class PpapiPluginSandboxedProcessLauncherDelegate
: public content::SandboxedProcessLauncherDelegate {
public:
PpapiPluginSandboxedProcessLauncherDelegate() {}
virtual ~PpapiPluginSandboxedProcessLauncherDelegate() {}
virtual void PreSpawnTarget(sandbox::TargetPolicy* policy,
bool* success) {
// The Pepper process as locked-down as a renderer execpt that it can
// create the server side of chrome pipes.
sandbox::ResultCode result;
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\chrome.*");
*success = (result == sandbox::SBOX_ALL_OK);
}
};
#endif // OS_WIN
class PpapiPluginProcessHost::PluginNetworkObserver
: public net::NetworkChangeNotifier::IPAddressObserver,
public net::NetworkChangeNotifier::ConnectionTypeObserver {
@ -284,7 +311,7 @@ bool PpapiPluginProcessHost::Init(const PepperPluginInfo& info) {
#endif // OS_POSIX
process_->Launch(
#if defined(OS_WIN)
base::FilePath(),
is_broker_ ? NULL : new PpapiPluginSandboxedProcessLauncherDelegate,
#elif defined(OS_POSIX)
use_zygote,
base::EnvironmentVector(),

20
content/browser/renderer_host/render_process_host_impl.cc

@ -129,6 +129,8 @@
#if defined(OS_WIN)
#include "base/win/scoped_com_initializer.h"
#include "content/common/font_cache_dispatcher_win.h"
#include "content/common/sandbox_win.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#endif
#include "third_party/skia/include/core/SkBitmap.h"
@ -284,6 +286,22 @@ SiteProcessMap* GetSiteProcessMapForBrowserContext(BrowserContext* context) {
return map;
}
#if defined(OS_WIN)
// NOTE: changes to this class need to be reviewed by the security team.
class RendererSandboxedProcessLauncherDelegate
: public content::SandboxedProcessLauncherDelegate {
public:
RendererSandboxedProcessLauncherDelegate() {}
virtual ~RendererSandboxedProcessLauncherDelegate() {}
virtual void PreSpawnTarget(sandbox::TargetPolicy* policy,
bool* success) {
AddBaseHandleClosePolicy(policy);
GetContentClient()->browser()->PreSpawnRenderer(policy, success);
}
};
#endif // OS_WIN
} // namespace
// Stores the maximum number of renderer processes the content module can
@ -488,7 +506,7 @@ bool RenderProcessHostImpl::Init() {
// at this stage.
child_process_launcher_.reset(new ChildProcessLauncher(
#if defined(OS_WIN)
base::FilePath(),
new RendererSandboxedProcessLauncherDelegate,
#elif defined(OS_POSIX)
renderer_prefix.empty(),
base::EnvironmentVector(),

25
content/browser/utility_process_host_impl.cc

@ -20,8 +20,31 @@
#include "ui/base/ui_base_switches.h"
#include "webkit/plugins/plugin_switches.h"
#if defined(OS_WIN)
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#endif
namespace content {
#if defined(OS_WIN)
// NOTE: changes to this class need to be reviewed by the security team.
class UtilitySandboxedProcessLauncherDelegate
: public SandboxedProcessLauncherDelegate {
public:
explicit UtilitySandboxedProcessLauncherDelegate(
const base::FilePath& exposed_dir) : exposed_dir_(exposed_dir) {}
virtual ~UtilitySandboxedProcessLauncherDelegate() {}
virtual void PreSandbox(bool* disable_default_policy,
base::FilePath* exposed_dir) OVERRIDE {
*exposed_dir = exposed_dir_;
}
private:
base::FilePath exposed_dir_;
};
#endif
UtilityProcessHost* UtilityProcessHost::Create(
UtilityProcessHostClient* client,
base::SequencedTaskRunner* client_task_runner) {
@ -170,7 +193,7 @@ bool UtilityProcessHostImpl::StartProcess() {
process_->Launch(
#if defined(OS_WIN)
exposed_dir_,
new UtilitySandboxedProcessLauncherDelegate(exposed_dir_),
#elif defined(OS_POSIX)
use_zygote,
env_,

23
content/browser/worker_host/worker_process_host.cc

@ -35,7 +35,6 @@
#include "content/browser/worker_host/worker_message_filter.h"
#include "content/browser/worker_host/worker_service_impl.h"
#include "content/common/child_process_host_impl.h"
#include "content/common/debug_flags.h"
#include "content/common/view_messages.h"
#include "content/common/worker_messages.h"
#include "content/public/browser/browser_thread.h"
@ -52,9 +51,29 @@
#include "webkit/fileapi/sandbox_mount_point_provider.h"
#include "webkit/glue/resource_type.h"
#if defined(OS_WIN)
#include "content/common/sandbox_win.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#endif
namespace content {
namespace {
#if defined(OS_WIN)
// NOTE: changes to this class need to be reviewed by the security team.
class WorkerSandboxedProcessLauncherDelegate
: public content::SandboxedProcessLauncherDelegate {
public:
WorkerSandboxedProcessLauncherDelegate() {}
virtual ~WorkerSandboxedProcessLauncherDelegate() {}
virtual void PreSpawnTarget(sandbox::TargetPolicy* policy,
bool* success) {
AddBaseHandleClosePolicy(policy);
}
};
#endif // OS_WIN
// Helper class that we pass to SocketStreamDispatcherHost so that it can find
// the right net::URLRequestContext for a request.
class URLRequestContextSelector
@ -191,7 +210,7 @@ bool WorkerProcessHost::Init(int render_process_id) {
process_->Launch(
#if defined(OS_WIN)
base::FilePath(),
new WorkerSandboxedProcessLauncherDelegate,
#elif defined(OS_POSIX)
use_zygote,
base::EnvironmentVector(),

40
content/common/sandbox_init_win.cc

@ -6,7 +6,7 @@
#include "base/command_line.h"
#include "base/logging.h"
#include "content/common/sandbox_policy.h"
#include "content/common/sandbox_win.h"
#include "content/public/common/content_switches.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_types.h"
@ -18,24 +18,22 @@ bool InitializeSandbox(sandbox::SandboxInterfaceInfo* sandbox_info) {
std::string process_type =
command_line.GetSwitchValueASCII(switches::kProcessType);
sandbox::BrokerServices* broker_services = sandbox_info->broker_services;
if (broker_services && !InitBrokerServices(broker_services))
return false;
if (broker_services) {
if (!InitBrokerServices(broker_services))
return false;
if (process_type.empty() || process_type == switches::kNaClBrokerProcess) {
// IMPORTANT: This piece of code needs to run as early as possible in the
// process because it will initialize the sandbox broker, which requires the
// process to swap its window station. During this time all the UI will be
// broken. This has to run before threads and windows are created.
if (broker_services) {
if (!command_line.HasSwitch(switches::kNoSandbox)) {
bool use_winsta = !command_line.HasSwitch(
switches::kDisableAltWinstation);
// Precreate the desktop and window station used by the renderers.
sandbox::TargetPolicy* policy = broker_services->CreatePolicy();
sandbox::ResultCode result = policy->CreateAlternateDesktop(use_winsta);
CHECK(sandbox::SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION != result);
policy->Release();
}
if (!command_line.HasSwitch(switches::kNoSandbox)) {
bool use_winsta = !command_line.HasSwitch(
switches::kDisableAltWinstation);
// Precreate the desktop and window station used by the renderers.
sandbox::TargetPolicy* policy = broker_services->CreatePolicy();
sandbox::ResultCode result = policy->CreateAlternateDesktop(use_winsta);
CHECK(sandbox::SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION != result);
policy->Release();
}
return true;
}
@ -44,20 +42,6 @@ bool InitializeSandbox(sandbox::SandboxInterfaceInfo* sandbox_info) {
return true;
sandbox::TargetServices* target_services = sandbox_info->target_services;
if ((process_type == switches::kRendererProcess) ||
(process_type == switches::kWorkerProcess) ||
(process_type == switches::kNaClLoaderProcess) ||
(process_type == switches::kUtilityProcess)) {
// The above five process types must be sandboxed unless --no-sandbox
// is present in the command line.
if (!target_services)
return false;
} else {
// Other process types might or might not be sandboxed.
// TODO(cpu): clean this mess.
if (!target_services)
return true;
}
return InitTargetServices(target_services);
}

21
content/common/sandbox_policy.h

@ -1,21 +0,0 @@
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_COMMON_SANDBOX_POLICY_H_
#define CONTENT_COMMON_SANDBOX_POLICY_H_
namespace sandbox {
class BrokerServices;
class TargetServices;
}
namespace content {
bool InitBrokerServices(sandbox::BrokerServices* broker_services);
bool InitTargetServices(sandbox::TargetServices* target_services);
} // namespace content
#endif // CONTENT_COMMON_SANDBOX_POLICY_H_

4
content/public/common/sandbox_init.cc → content/common/sandbox_util.cc

@ -2,12 +2,14 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/public/common/sandbox_init.h"
#include "content/common/sandbox_util.h"
#if defined(OS_POSIX)
#include <unistd.h>
#endif
#include "content/public/common/sandbox_init.h"
namespace content {
IPC::PlatformFileForTransit BrokerGetFileHandleForProcess(

26
content/common/sandbox_util.h Normal file

@ -0,0 +1,26 @@
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_COMMON_SANDBOX_UTIL_H_
#define CONTENT_COMMON_SANDBOX_UTIL_H_
#include "base/process.h"
#include "ipc/ipc_platform_file.h"
// This file contains cross-platform sandbox code internal to content.
namespace content {
// Platform neutral wrapper for making an exact copy of a handle for use in
// the target process. On Windows this wraps BrokerDuplicateHandle() with the
// DUPLICATE_SAME_ACCESS flag. On posix it behaves essentially the same as
// IPC::GetFileHandleForProcess()
IPC::PlatformFileForTransit BrokerGetFileHandleForProcess(
base::PlatformFile handle,
base::ProcessId target_process_id,
bool should_close_source);
} // namespace content
#endif // CONTENT_COMMON_SANDBOX_UTIL_H_

272
content/common/sandbox_policy.cc → content/common/sandbox_win.cc

@ -2,7 +2,7 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/common/sandbox_policy.h"
#include "content/common/sandbox_win.h"
#include <string>
@ -10,8 +10,6 @@
#include "base/debug/debugger.h"
#include "base/debug/trace_event.h"
#include "base/file_util.h"
#include "base/lazy_instance.h"
#include "base/logging.h"
#include "base/path_service.h"
#include "base/process_util.h"
#include "base/string_util.h"
@ -25,15 +23,16 @@
#include "content/public/common/content_switches.h"
#include "content/public/common/process_type.h"
#include "content/public/common/sandbox_init.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_nt_util.h"
#include "sandbox/win/src/win_utils.h"
#include "ui/gl/gl_switches.h"
static sandbox::BrokerServices* g_broker_services = NULL;
static sandbox::TargetServices* g_target_services = NULL;
namespace content {
namespace {
// The DLLs listed here are known (or under strong suspicion) of causing crashes
@ -111,12 +110,6 @@ const wchar_t* const kTroublesomeDlls[] = {
L"winstylerthemehelper.dll" // Tuneup utilities 2006.
};
// The DLLs listed here are known (or under strong suspicion) of causing crashes
// when they are loaded in the GPU process.
const wchar_t* const kTroublesomeGpuDlls[] = {
L"cmsetac.dll", // Unknown (suspected malware).
};
// Adds the policy rules for the path and path\ with the semantic |access|.
// If |children| is set to true, we need to add the wildcard rules to also
// apply the rule to the subfiles and subfolders.
@ -232,14 +225,6 @@ void AddGenericDllEvictionPolicy(sandbox::TargetPolicy* policy) {
BlacklistAddOneDll(kTroublesomeDlls[ix], true, policy);
}
// Same as AddGenericDllEvictionPolicy but specifically for the GPU process.
// In this we add the blacklisted dlls even if they are not loaded in this
// process.
void AddGpuDllEvictionPolicy(sandbox::TargetPolicy* policy) {
for (int ix = 0; ix != arraysize(kTroublesomeGpuDlls); ++ix)
BlacklistAddOneDll(kTroublesomeGpuDlls[ix], false, policy);
}
// Returns the object path prepended with the current logon session.
string16 PrependWindowsSessionPath(const char16* object) {
// Cache this because it can't change after process creation.
@ -291,30 +276,18 @@ bool ShouldSetJobLevel(const CommandLine& cmd_line) {
return false;
}
void SetJobLevel(const CommandLine& cmd_line,
sandbox::JobLevel job_level,
uint32 ui_exceptions,
sandbox::TargetPolicy* policy) {
if (ShouldSetJobLevel(cmd_line))
policy->SetJobLevel(job_level, ui_exceptions);
else
policy->SetJobLevel(sandbox::JOB_NONE, 0);
}
// Closes handles that are opened at process creation and initialization.
void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
// Being able to manipulate anything BaseNamedObjects is bad.
string16 object_path = PrependWindowsSessionPath(L"\\BaseNamedObjects");
policy->AddKernelObjectToClose(L"Directory", object_path.data());
object_path = PrependWindowsSessionPath(
L"\\BaseNamedObjects\\windows_shell_global_counters");
policy->AddKernelObjectToClose(L"Section", object_path.data());
}
// Adds the generic policy rules to a sandbox TargetPolicy.
bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
sandbox::ResultCode result;
// Renderers need to copy sections for plugin DIBs and GPU.
// GPU needs to copy sections to renderers.
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_ANY,
L"Section");
if (result != sandbox::SBOX_ALL_OK)
return false;
// Add the policy for the client side of a pipe. It is just a file
// in the \pipe\ namespace. We restrict it to pipes that start with
// "chrome." so the sandboxed process cannot connect to system services.
@ -323,14 +296,7 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
L"\\??\\pipe\\chrome.*");
if (result != sandbox::SBOX_ALL_OK)
return false;
// Allow the server side of a pipe restricted to the "chrome.nacl."
// namespace so that it cannot impersonate other system or other chrome
// service pipes.
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\chrome.nacl.*");
if (result != sandbox::SBOX_ALL_OK)
return false;
// Allow the server side of sync sockets, which are pipes that have
// the "chrome.sync" namespace and a randomly generated suffix.
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
@ -360,116 +326,14 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
if (result != sandbox::SBOX_ALL_OK)
return false;
#endif // NDEBUG
return true;
}
// For the GPU process we gotten as far as USER_LIMITED. The next level
// which is USER_RESTRICTED breaks both the DirectX backend and the OpenGL
// backend. Note that the GPU process is connected to the interactive
// desktop.
// TODO(cpu): Lock down the sandbox more if possible.
bool AddPolicyForGPU(CommandLine* cmd_line, sandbox::TargetPolicy* policy) {
#if !defined(NACL_WIN64) // We don't need this code on win nacl64.
if (base::win::GetVersion() > base::win::VERSION_XP) {
if (cmd_line->GetSwitchValueASCII(switches::kUseGL) ==
gfx::kGLImplementationDesktopName) {
// Open GL path.
policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_LIMITED);
SetJobLevel(*cmd_line, sandbox::JOB_UNPROTECTED, 0, policy);
policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
} else {
if (cmd_line->GetSwitchValueASCII(switches::kUseGL) ==
gfx::kGLImplementationSwiftShaderName ||
cmd_line->HasSwitch(switches::kReduceGpuSandbox) ||
cmd_line->HasSwitch(switches::kDisableImageTransportSurface)) {
// Swiftshader path.
policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_LIMITED);
} else {
// Angle + DirectX path.
policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_RESTRICTED);
// This is a trick to keep the GPU out of low-integrity processes. It
// starts at low-integrity for UIPI to work, then drops below
// low-integrity after warm-up.
policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
}
// UI restrictions break when we access Windows from outside our job.
// However, we don't want a proxy window in this process because it can
// introduce deadlocks where the renderer blocks on the gpu, which in
// turn blocks on the browser UI thread. So, instead we forgo a window
// message pump entirely and just add job restrictions to prevent child
// processes.
SetJobLevel(*cmd_line,
sandbox::JOB_LIMITED_USER,
JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS |
JOB_OBJECT_UILIMIT_DESKTOP |
JOB_OBJECT_UILIMIT_EXITWINDOWS |
JOB_OBJECT_UILIMIT_DISPLAYSETTINGS,
policy);
policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
}
} else {
SetJobLevel(*cmd_line, sandbox::JOB_UNPROTECTED, 0, policy);
policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
sandbox::USER_LIMITED);
}
// Allow the server side of GPU sockets, which are pipes that have
// the "chrome.gpu" namespace and an arbitrary suffix.
sandbox::ResultCode result = policy->AddRule(
sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\chrome.gpu.*");
if (result != sandbox::SBOX_ALL_OK)
return false;
// GPU needs to copy sections to renderers.
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_ANY,
L"Section");
if (result != sandbox::SBOX_ALL_OK)
return false;
#ifdef USE_AURA
// GPU also needs to add sections to the browser for aura
// TODO(jschuh): refactor the GPU channel to remove this. crbug.com/128786
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_BROKER,
L"Section");
if (result != sandbox::SBOX_ALL_OK)
return false;
#endif
AddGenericDllEvictionPolicy(policy);
AddGpuDllEvictionPolicy(policy);
if (cmd_line->HasSwitch(switches::kEnableLogging)) {
string16 log_file_path = logging::GetLogFileFullPath();
if (!log_file_path.empty()) {
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
log_file_path.c_str());
if (result != sandbox::SBOX_ALL_OK)
return false;
}
}
#endif
return true;
}
bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
// Renderers need to copy sections for plugin DIBs and GPU.
bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) {
sandbox::ResultCode result;
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_ANY,
L"Section");
if (result != sandbox::SBOX_ALL_OK)
return false;
// Renderers need to share events with plugins.
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_ANY,
@ -477,14 +341,6 @@ bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
if (result != sandbox::SBOX_ALL_OK)
return false;
// Renderers need to send named pipe handles and shared memory
// segment handles to NaCl loader processes.
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_ANY,
L"File");
if (result != sandbox::SBOX_ALL_OK)
return false;
sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
if (base::win::GetVersion() > base::win::VERSION_XP) {
// On 2003/Vista the initial token has to be restricted if the main
@ -503,21 +359,9 @@ bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
DLOG(WARNING) << "Failed to apply desktop security to the renderer";
}
AddGenericDllEvictionPolicy(policy);
return true;
}
// The Pepper process as locked-down as a renderer execpt that it can
// create the server side of chrome pipes.
bool AddPolicyForPepperPlugin(sandbox::TargetPolicy* policy) {
sandbox::ResultCode result;
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\chrome.*");
return result == sandbox::SBOX_ALL_OK;
}
// This code is test only, and attempts to catch unsafe uses of
// DuplicateHandle() that copy privileged handles into sandboxed processes.
#ifndef OFFICIAL_BUILD
@ -618,7 +462,26 @@ BOOL WINAPI DuplicateHandlePatch(HANDLE source_process_handle,
} // namespace
namespace content {
void SetJobLevel(const CommandLine& cmd_line,
sandbox::JobLevel job_level,
uint32 ui_exceptions,
sandbox::TargetPolicy* policy) {
if (ShouldSetJobLevel(cmd_line))
policy->SetJobLevel(job_level, ui_exceptions);
else
policy->SetJobLevel(sandbox::JOB_NONE, 0);
}
// TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
// Just have to figure out what needs to be warmed up first.
void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
// Being able to manipulate anything BaseNamedObjects is bad.
string16 object_path = PrependWindowsSessionPath(L"\\BaseNamedObjects");
policy->AddKernelObjectToClose(L"Directory", object_path.data());
object_path = PrependWindowsSessionPath(
L"\\BaseNamedObjects\\windows_shell_global_counters");
policy->AddKernelObjectToClose(L"Section", object_path.data());
}
bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
// TODO(abarth): DCHECK(CalledOnValidThread());
@ -628,7 +491,7 @@ bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
sandbox::ResultCode result = broker_services->Init();
g_broker_services = broker_services;
// In non-official builds warn about dangerous uses of DuplicateHandle.
// In non-official builds warn about dangerous uses of DuplicateHandle.
BOOL is_in_job = FALSE;
#ifdef NACL_WIN64
CHECK(::IsProcessInJob(::GetCurrentProcess(), NULL, &is_in_job));
@ -662,8 +525,9 @@ bool InitTargetServices(sandbox::TargetServices* target_services) {
return sandbox::SBOX_ALL_OK == result;
}
base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
const base::FilePath& exposed_dir) {
base::ProcessHandle StartSandboxedProcess(
SandboxedProcessLauncherDelegate* delegate,
CommandLine* cmd_line) {
const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess();
ProcessType type;
std::string type_str = cmd_line->GetSwitchValueASCII(switches::kProcessType);
@ -773,30 +637,19 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy);
if (type == PROCESS_TYPE_GPU) {
if (!AddPolicyForGPU(cmd_line, policy))
return 0;
} else {
if (!AddPolicyForRenderer(policy))
return 0;
// TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
// Just have to figure out what needs to be warmed up first.
if (type == PROCESS_TYPE_RENDERER ||
type == PROCESS_TYPE_WORKER) {
AddBaseHandleClosePolicy(policy);
// Pepper uses the renderer's policy, whith some tweaks.
} else if (type == PROCESS_TYPE_PPAPI_PLUGIN) {
if (!AddPolicyForPepperPlugin(policy))
return 0;
}
bool disable_default_policy = false;
base::FilePath exposed_dir;
if (delegate)
delegate->PreSandbox(&disable_default_policy, &exposed_dir);
if (!disable_default_policy && !AddPolicyForSandboxedProcess(policy))
return 0;
if (type_str != switches::kRendererProcess) {
// Hack for Google Desktop crash. Trick GD into not injecting its DLL into
// this subprocess. See
// http://code.google.com/p/chromium/issues/detail?id=25580
cmd_line->AppendSwitchASCII("ignored", " --type=renderer ");
}
if (type_str != switches::kRendererProcess) {
// Hack for Google Desktop crash. Trick GD into not injecting its DLL into
// this subprocess. See
// http://code.google.com/p/chromium/issues/detail?id=25580
cmd_line->AppendSwitchASCII("ignored", " --type=renderer ");
}
sandbox::ResultCode result;
@ -827,6 +680,13 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
policy->SetStderrHandle(GetStdHandle(STD_ERROR_HANDLE));
}
if (delegate) {
bool success = true;
delegate->PreSpawnTarget(policy, &success);
if (!success)
return 0;
}
TRACE_EVENT_BEGIN_ETW("StartProcessWithAccess::LAUNCHPROCESS", 0, 0);
result = g_broker_services->SpawnTarget(
@ -842,25 +702,9 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
return 0;
}
#if !defined(NACL_WIN64)
// For Native Client sel_ldr processes on 32-bit Windows, reserve 1 GB of
// address space to prevent later failure due to address space fragmentation
// from .dll loading. The NaCl process will attempt to locate this space by
// scanning the address space using VirtualQuery.
// TODO(bbudge) Handle the --no-sandbox case.
// http://code.google.com/p/nativeclient/issues/detail?id=2131
if (type == PROCESS_TYPE_NACL_LOADER) {
const SIZE_T kOneGigabyte = 1 << 30;
void* nacl_mem = VirtualAllocEx(target.process_handle(),
NULL,
kOneGigabyte,
MEM_RESERVE,
PAGE_NOACCESS);
if (!nacl_mem) {
DLOG(WARNING) << "Failed to reserve address space for Native Client";
}
}
#endif // !defined(NACL_WIN64)
if (delegate)
delegate->PostSpawnTarget(target.process_handle());
ResumeThread(target.thread_handle());

36
content/common/sandbox_win.h Normal file

@ -0,0 +1,36 @@
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_COMMON_SANDBOX_WIN_H_
#define CONTENT_COMMON_SANDBOX_WIN_H_
#include "sandbox/win/src/security_level.h"
class CommandLine;
namespace sandbox {
class BrokerServices;
class TargetPolicy;
class TargetServices;
}
namespace content {
// Wrapper around sandbox::TargetPolicy::SetJobLevel that checks if the sandbox
// should be let to run without a job object assigned.
void SetJobLevel(const CommandLine& cmd_line,
sandbox::JobLevel job_level,
uint32 ui_exceptions,
sandbox::TargetPolicy* policy);
// Closes handles that are opened at process creation and initialization.
void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy);
bool InitBrokerServices(sandbox::BrokerServices* broker_services);
bool InitTargetServices(sandbox::TargetServices* target_services);
} // namespace content
#endif // CONTENT_COMMON_SANDBOX_WIN_H_

14
content/content_common.gypi

@ -79,10 +79,10 @@
'public/common/resource_response.h',
'public/common/result_codes.h',
'public/common/result_codes_list.h',
'public/common/sandbox_init.cc',
'public/common/sandbox_init.h',
'public/common/sandbox_linux.h',
'public/common/sandbox_type_mac.h',
'public/common/sandboxed_process_launcher_delegate.h',
'public/common/security_style.h',
'public/common/show_desktop_notification_params.cc',
'public/common/show_desktop_notification_params.h',
@ -349,10 +349,12 @@
'common/sandbox_mac.mm',
'common/sandbox_linux.h',
'common/sandbox_linux.cc',
'common/sandbox_policy.cc',
'common/sandbox_policy.h',
'common/sandbox_seccomp_bpf_linux.cc',
'common/sandbox_seccomp_bpf_linux.h',
'common/sandbox_util.cc',
'common/sandbox_util.h',
'common/sandbox_win.cc',
'common/sandbox_win.h',
'common/savable_url_schemes.cc',
'common/savable_url_schemes.h',
'common/set_process_title.cc',
@ -435,12 +437,6 @@
'../webkit/support/webkit_support.gyp:webkit_storage',
],
}],
['OS!="win"', {
'sources!': [
'common/sandbox_policy.cc',
'common/sandbox_policy.h',
],
}],
['OS=="android"',{
'link_settings': {
'libraries': [

1
content/ppapi_plugin/ppapi_thread.cc

@ -17,6 +17,7 @@
#include "base/utf_string_conversions.h"
#include "content/common/child_process.h"
#include "content/common/child_process_messages.h"
#include "content/common/sandbox_util.h"
#include "content/ppapi_plugin/broker_process_dispatcher.h"
#include "content/ppapi_plugin/plugin_process_dispatcher.h"
#include "content/ppapi_plugin/ppapi_webkitplatformsupport_impl.h"

5
content/public/browser/browser_child_process_host.h

@ -22,6 +22,7 @@ namespace content {
class BrowserChildProcessHostDelegate;
class ChildProcessHost;
class SandboxedProcessLauncherDelegate;
struct ChildProcessData;
// This represents child processes of the browser process, i.e. plugins. They
@ -36,10 +37,10 @@ class CONTENT_EXPORT BrowserChildProcessHost : public IPC::Sender {
virtual ~BrowserChildProcessHost() {}
// Derived classes call this to launch the child process asynchronously.
// Takes ownership of |cmd_line|.
// Takes ownership of |cmd_line| and |delegate|.
virtual void Launch(
#if defined(OS_WIN)
const base::FilePath& exposed_dir,
SandboxedProcessLauncherDelegate* delegate,
#elif defined(OS_POSIX)
bool use_zygote,
const base::EnvironmentVector& environ,

19
content/public/browser/content_browser_client.h

@ -33,11 +33,6 @@ class GURL;
namespace base {
class FilePath;
}
namespace webkit_glue {
struct WebPreferences;
}
namespace crypto {
class CryptoModuleBlockingPasswordDelegate;
}
@ -58,10 +53,18 @@ class URLRequestContextGetter;
class X509Certificate;
}
namespace sandbox {
class TargetPolicy;
}
namespace ui {
class SelectFilePolicy;
}
namespace webkit_glue {
struct WebPreferences;
}
namespace content {
class AccessTokenStore;
@ -500,6 +503,12 @@ class CONTENT_EXPORT ContentBrowserClient {
#if defined(OS_WIN)
// Returns the name of the dll that contains cursors and other resources.
virtual const wchar_t* GetResourceDllName();
// This is called on the PROCESS_LAUNCHER thread before the renderer process
// is launched. It gives the embedder a chance to add loosen the sandbox
// policy.
virtual void PreSpawnRenderer(sandbox::TargetPolicy* policy,
bool* success) {}
#endif
#if defined(USE_NSS)

21
content/public/common/sandbox_init.h

@ -8,7 +8,6 @@
#include "base/process.h"
#include "build/build_config.h"
#include "content/common/content_export.h"
#include "ipc/ipc_platform_file.h"
class CommandLine;
@ -21,6 +20,7 @@ struct SandboxInterfaceInfo;
}
namespace content {
class SandboxedProcessLauncherDelegate;
#if defined(OS_WIN)
@ -53,11 +53,11 @@ CONTENT_EXPORT bool BrokerDuplicateHandle(HANDLE source_handle,
// false otherwise.
CONTENT_EXPORT bool BrokerAddTargetPeer(HANDLE peer_process);
// Starts a sandboxed process with the given directory unsandboxed
// and returns a handle to it.
CONTENT_EXPORT base::ProcessHandle StartProcessWithAccess(
CommandLine* cmd_line,
const base::FilePath& exposed_dir);
// Launch a sandboxed process. |delegate| may be NULL. If |delegate| is non-NULL
// then it just has to outlive this method call.
CONTENT_EXPORT base::ProcessHandle StartSandboxedProcess(
SandboxedProcessLauncherDelegate* delegate,
CommandLine* cmd_line);
#elif defined(OS_MACOSX)
@ -93,15 +93,6 @@ CONTENT_EXPORT bool InitializeSandbox();
#endif
// Platform neutral wrapper for making an exact copy of a handle for use in
// the target process. On Windows this wraps BrokerDuplicateHandle() with the
// DUPLICATE_SAME_ACCESS flag. On posix it behaves essentially the same as
// IPC::GetFileHandleForProcess()
CONTENT_EXPORT IPC::PlatformFileForTransit BrokerGetFileHandleForProcess(
base::PlatformFile handle,
base::ProcessId target_process_id,
bool should_close_source);
} // namespace content
#endif // CONTENT_PUBLIC_COMMON_SANDBOX_INIT_H_

44
content/public/common/sandboxed_process_launcher_delegate.h Normal file

@ -0,0 +1,44 @@
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_PUBLIC_COMMON_SANDBOXED_PROCESS_LAUNCHER_DELEGATE_H_
#define CONTENT_PUBLIC_COMMON_SANDBOXED_PROCESS_LAUNCHER_DELEGATE_H_
#include "base/process.h"
namespace base {
class FilePath;
}
namespace sandbox {
class TargetPolicy;
}
namespace content {
// Allows a caller of StartSandboxedProcess to control the sandbox policy, i.e.
// to loosen it if needed.
// The methods below will be called on the PROCESS_LAUNCHER thread.
class SandboxedProcessLauncherDelegate {
public:
virtual ~SandboxedProcessLauncherDelegate() {}
// Called before the default sandbox is applied. If the default policy is too
// restrictive, the caller should set |disable_default_policy| to true and
// apply their policy in PreSpawnTarget. |exposed_dir| is used to allow a
//directory through the sandbox.
virtual void PreSandbox(bool* disable_default_policy,
base::FilePath* exposed_dir) {}
// Called right before spawning the process.
virtual void PreSpawnTarget(sandbox::TargetPolicy* policy,
bool* success) {}
// Called right after the process is launched, but before its thread is run.
virtual void PostSpawnTarget(base::ProcessHandle process) {}
};
} // namespace content
#endif // CONTENT_PUBLIC_COMMON_SANDBOXED_PROCESS_LAUNCHER_DELEGATE_H_

2
content/public/test/test_launcher.cc

@ -33,7 +33,7 @@
#if defined(OS_WIN)
#include "base/base_switches.h"
#include "content/common/sandbox_policy.h"
#include "content/common/sandbox_win.h"
#include "sandbox/win/src/sandbox_factory.h"
#include "sandbox/win/src/sandbox_types.h"
#elif defined(OS_MACOSX)

4
content/renderer/pepper/pepper_plugin_delegate_impl.cc

@ -28,12 +28,12 @@
#include "content/common/pepper_messages.h"
#include "content/common/pepper_plugin_registry.h"
#include "content/common/quota_dispatcher.h"
#include "content/common/sandbox_util.h"
#include "content/common/view_messages.h"
#include "content/public/common/content_switches.h"
#include "content/public/common/context_menu_params.h"
#include "content/public/common/media_stream_request.h"
#include "content/public/common/referrer.h"
#include "content/public/common/sandbox_init.h"
#include "content/public/renderer/content_renderer_client.h"
#include "content/public/renderer/renderer_restrict_dispatch_group.h"
#include "content/renderer/gamepad_shared_memory_reader.h"
@ -1613,7 +1613,7 @@ IPC::PlatformFileForTransit PepperPluginDelegateImpl::ShareHandleWithRemote(
base::PlatformFile handle,
base::ProcessId target_process_id,
bool should_close_source) const {
return content::BrokerGetFileHandleForProcess(
return BrokerGetFileHandleForProcess(
handle,
target_process_id,
should_close_source);

2
content/renderer/pepper/pepper_proxy_channel_delegate_impl.cc

@ -5,7 +5,7 @@
#include "content/renderer/pepper/pepper_proxy_channel_delegate_impl.h"
#include "content/common/child_process.h"
#include "content/public/common/sandbox_init.h"
#include "content/common/sandbox_util.h"
namespace content {

2
sandbox/win/src/security_level.h

@ -5,6 +5,8 @@
#ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
#define SANDBOX_SRC_SECURITY_LEVEL_H_
#include "base/basictypes.h"
namespace sandbox {
// List of all the integrity levels supported in the sandbox. This is used