Dedupe the sandbox related switches
Makes services/service_manager/sandbox/switches.h the only place for sandbox related switches, removing the duplicated ones in content and changing all call sites. Tbr: bradnelson@chromium.org Bug: 831846 Change-Id: I08928c664e0e2340ac5168d6fd94a07bbeb81266 Reviewed-on: https://chromium-review.googlesource.com/1012986 Commit-Queue: Jay Civelli <jcivelli@chromium.org> Reviewed-by: Alexander Timin <altimin@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#551448}
apps
chrome
components/nacl
browser
common
loader
zygote
content
DEPS
app
browser
child_process_launcher_helper_android.ccchild_process_launcher_helper_mac.cc
gpu
linux_ipc_browsertest.ccppapi_plugin_process_host.ccrenderer_host
sandbox_parameters_mac.mmutility_process_host.cczygote_host
common
public
renderer
test
zygote
headless
services/service_manager/sandbox
@ -26,5 +26,7 @@ specific_include_rules = {
|
||||
# Pieces of the extensions system that need to move to src/extensions.
|
||||
# See http://crbug.com/162530 for details.
|
||||
"+chrome/browser/extensions/api/file_system/file_system_api.h",
|
||||
# To access sandbox includes.
|
||||
"+services/service_manager/sandbox",
|
||||
]
|
||||
}
|
||||
|
@ -20,6 +20,7 @@
|
||||
#include "content/public/test/test_launcher.h"
|
||||
#include "extensions/browser/extension_registry.h"
|
||||
#include "extensions/test/extension_test_message_listener.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
using extensions::PlatformAppBrowserTest;
|
||||
|
||||
@ -28,8 +29,7 @@ namespace apps {
|
||||
namespace {
|
||||
|
||||
const char* kSwitchesToCopy[] = {
|
||||
switches::kUserDataDir,
|
||||
switches::kNoSandbox,
|
||||
service_manager::switches::kNoSandbox, switches::kUserDataDir,
|
||||
};
|
||||
|
||||
constexpr char kTestExtensionId[] = "behllobkkfkfnphdnhnkndlbkcpglgmj";
|
||||
|
@ -209,6 +209,7 @@ if (!is_android && !is_mac) {
|
||||
"//content/public/common:static_switches",
|
||||
"//crypto",
|
||||
"//sandbox",
|
||||
"//services/service_manager/sandbox",
|
||||
"//third_party/breakpad:breakpad_handler",
|
||||
"//third_party/breakpad:breakpad_sender",
|
||||
]
|
||||
|
@ -44,6 +44,7 @@
|
||||
#include "content/public/app/sandbox_helper_win.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "sandbox/win/src/sandbox.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
namespace {
|
||||
// The entry point signature of chrome.dll.
|
||||
@ -180,7 +181,8 @@ int MainDllLoader::Launch(HINSTANCE instance,
|
||||
// Initialize the sandbox services.
|
||||
sandbox::SandboxInterfaceInfo sandbox_info = {0};
|
||||
const bool is_browser = process_type_.empty();
|
||||
const bool is_sandboxed = !cmd_line.HasSwitch(switches::kNoSandbox);
|
||||
const bool is_sandboxed =
|
||||
!cmd_line.HasSwitch(service_manager::switches::kNoSandbox);
|
||||
if (is_browser || is_sandboxed) {
|
||||
// For child processes that are running as --no-sandbox, don't initialize
|
||||
// the sandbox info, otherwise they'll be treated as brokers (as if they
|
||||
|
@ -76,10 +76,12 @@ void DeriveCommandLine(const GURL& start_url,
|
||||
DCHECK_NE(&base_command_line, command_line);
|
||||
|
||||
static const char* const kForwardSwitches[] = {
|
||||
service_manager::switches::kDisableGpuSandbox,
|
||||
service_manager::switches::kDisableSeccompFilterSandbox,
|
||||
service_manager::switches::kDisableSetuidSandbox,
|
||||
service_manager::switches::kGpuSandboxAllowSysVShm,
|
||||
service_manager::switches::kGpuSandboxFailuresFatal,
|
||||
service_manager::switches::kNoSandbox,
|
||||
::switches::kBlinkSettings,
|
||||
::switches::kDisable2dCanvasImageChromium,
|
||||
::switches::kDisableAccelerated2dCanvas,
|
||||
@ -105,7 +107,6 @@ void DeriveCommandLine(const GURL& start_url,
|
||||
::switches::kDisableTouchDragDrop,
|
||||
::switches::kDisableZeroCopy,
|
||||
::switches::kEnableBlinkFeatures,
|
||||
::switches::kDisableGpuSandbox,
|
||||
::switches::kEnableGpuMemoryBufferVideoFrames,
|
||||
::switches::kEnableGpuRasterization,
|
||||
::switches::kEnableLogging,
|
||||
@ -137,7 +138,6 @@ void DeriveCommandLine(const GURL& start_url,
|
||||
::switches::kGpuRasterizationMSAASampleCount,
|
||||
::switches::kGpuStartupDialog,
|
||||
::switches::kGpuSandboxStartEarly,
|
||||
::switches::kNoSandbox,
|
||||
::switches::kNumRasterThreads,
|
||||
::switches::kPpapiFlashArgs,
|
||||
::switches::kPpapiFlashPath,
|
||||
|
@ -44,18 +44,17 @@
|
||||
#include "chrome/browser/ui/startup/obsolete_system_infobar_delegate.h"
|
||||
#include "chrome/browser/ui/tabs/tab_strip_model.h"
|
||||
#include "chrome/browser/ui/test/test_browser_ui.h"
|
||||
#include "chrome/common/chrome_switches.h"
|
||||
#include "chrome/grit/generated_resources.h"
|
||||
#include "chrome/test/base/in_process_browser_test.h"
|
||||
#include "chrome/test/base/ui_test_utils.h"
|
||||
#include "components/infobars/core/infobar.h"
|
||||
#include "components/nacl/common/buildflags.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "extensions/browser/extension_dialog_auto_confirm.h"
|
||||
#include "extensions/browser/extension_registry.h"
|
||||
#include "extensions/browser/extension_system.h"
|
||||
#include "extensions/browser/test_extension_registry_observer.h"
|
||||
#include "net/test/embedded_test_server/embedded_test_server.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "ui/base/l10n/l10n_util.h"
|
||||
#include "ui/base/ui_features.h"
|
||||
|
||||
@ -352,7 +351,7 @@ void InfoBarUiTest::ShowUi(const std::string& name) {
|
||||
case IBD::BAD_FLAGS_INFOBAR_DELEGATE:
|
||||
chrome::ShowBadFlagsInfoBar(GetWebContents(),
|
||||
IDS_BAD_FLAGS_WARNING_MESSAGE,
|
||||
switches::kNoSandbox);
|
||||
service_manager::switches::kNoSandbox);
|
||||
break;
|
||||
|
||||
case IBD::DEFAULT_BROWSER_INFOBAR_DELEGATE:
|
||||
|
@ -56,6 +56,7 @@ static const char* kBadFlags[] = {
|
||||
service_manager::switches::kDisableGpuSandbox,
|
||||
service_manager::switches::kDisableSeccompFilterSandbox,
|
||||
service_manager::switches::kDisableSetuidSandbox,
|
||||
service_manager::switches::kNoSandbox,
|
||||
#if defined(OS_WIN)
|
||||
service_manager::switches::kAllowThirdPartyModules,
|
||||
#endif
|
||||
@ -63,7 +64,7 @@ static const char* kBadFlags[] = {
|
||||
#if BUILDFLAG(ENABLE_NACL)
|
||||
switches::kNaClDangerousNoSandboxNonSfi,
|
||||
#endif
|
||||
switches::kNoSandbox, switches::kSingleProcess,
|
||||
switches::kSingleProcess,
|
||||
|
||||
// These flags disable or undermine the Same Origin Policy.
|
||||
translate::switches::kTranslateSecurityOrigin,
|
||||
|
@ -13,6 +13,7 @@
|
||||
#include "chrome/browser/ui/views/harmony/chrome_layout_provider.h"
|
||||
#include "chrome/browser/ui/views/ime_driver/ime_driver_mus.h"
|
||||
#include "components/constrained_window/constrained_window_views.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
#if defined(USE_AURA)
|
||||
#include "base/run_loop.h"
|
||||
@ -147,7 +148,7 @@ void ChromeBrowserMainExtraPartsViews::PreProfileInit() {
|
||||
|
||||
const base::CommandLine& command_line =
|
||||
*base::CommandLine::ForCurrentProcess();
|
||||
if (command_line.HasSwitch(switches::kNoSandbox))
|
||||
if (command_line.HasSwitch(service_manager::switches::kNoSandbox))
|
||||
return;
|
||||
|
||||
base::string16 title = l10n_util::GetStringFUTF16(
|
||||
|
@ -57,6 +57,7 @@
|
||||
#include "services/service_manager/runner/host/service_process_launcher.h"
|
||||
#include "services/service_manager/runner/host/service_process_launcher_factory.h"
|
||||
#include "services/service_manager/sandbox/sandbox_type.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "services/service_manager/service_manager.h"
|
||||
#include "ui/base/ui_base_switches.h"
|
||||
|
||||
@ -464,7 +465,7 @@ bool ServiceUtilityProcessHost::Launch(base::CommandLine* cmd_line,
|
||||
parent_handle = named_pair.PassServerHandle();
|
||||
named_pair.PrepareToPassClientHandleToChildProcess(cmd_line);
|
||||
|
||||
cmd_line->AppendSwitch(switches::kNoSandbox);
|
||||
cmd_line->AppendSwitch(service_manager::switches::kNoSandbox);
|
||||
process_ = base::LaunchProcess(*cmd_line, base::LaunchOptions());
|
||||
success = process_.IsValid();
|
||||
}
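Review bot: `cmd_line->AppendSwitch(service_manager::switches::kNoSandbox)` in ServiceUtilityProcessHost::Launch is followed directly by `base::LaunchProcess(*cmd_line, base::LaunchOptions())`, and nothing visible explains why this child runs without a sandbox. A comment above the append would record the intent, for example `// Launched without a sandbox on this path because <reason>.` The branch condition that selects this path is outside the hunk, so the wording should be confirmed against it.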
|
||||
|
@ -25,6 +25,7 @@
|
||||
#include "components/nacl/browser/nacl_browser.h"
|
||||
#include "components/nacl/common/nacl_switches.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
#if defined(OS_WIN)
|
||||
#include "base/win/windows_version.h"
|
||||
@ -272,7 +273,7 @@ class NaClBrowserTestPnaclDebug : public NaClBrowserTestPnacl {
|
||||
// On windows, the debug stub requires --no-sandbox:
|
||||
// crbug.com/265624
|
||||
#if defined(OS_WIN)
|
||||
command_line->AppendSwitch(switches::kNoSandbox);
|
||||
command_line->AppendSwitch(service_manager::switches::kNoSandbox);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -8,4 +8,5 @@ include_rules = [
|
||||
"+ppapi/host",
|
||||
"+ppapi/proxy",
|
||||
"+ppapi/shared_impl",
|
||||
"+services/service_manager/sandbox",
|
||||
]
|
||||
|
@ -63,6 +63,7 @@
|
||||
#include "ppapi/proxy/ppapi_messages.h"
|
||||
#include "ppapi/shared_impl/ppapi_constants.h"
|
||||
#include "ppapi/shared_impl/ppapi_nacl_plugin_args.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
#if BUILDFLAG(USE_ZYGOTE_HANDLE)
|
||||
#include "content/public/common/zygote_handle.h"
|
||||
@ -361,7 +362,7 @@ void NaClProcessHost::Launch(
|
||||
const base::CommandLine* cmd = base::CommandLine::ForCurrentProcess();
|
||||
#if defined(OS_WIN)
|
||||
if (cmd->HasSwitch(switches::kEnableNaClDebug) &&
|
||||
!cmd->HasSwitch(switches::kNoSandbox)) {
|
||||
!cmd->HasSwitch(service_manager::switches::kNoSandbox)) {
|
||||
// We don't switch off sandbox automatically for security reasons.
|
||||
SendErrorToRenderer("NaCl's GDB debug stub requires --no-sandbox flag"
|
||||
" on Windows. See crbug.com/265624.");
|
||||
|
@ -8,6 +8,7 @@
|
||||
#include "build/build_config.h"
|
||||
#include "components/nacl/common/nacl_switches.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
namespace nacl {
|
||||
|
||||
@ -19,7 +20,7 @@ void CopyNaClCommandLineArguments(base::CommandLine* cmd_line) {
|
||||
// with any associated values) if present in the browser command line.
|
||||
// TODO(gregoryd): check which flags of those below can be supported.
|
||||
static const char* const kSwitchNames[] = {
|
||||
switches::kNoSandbox,
|
||||
service_manager::switches::kNoSandbox,
|
||||
switches::kDisableBreakpad,
|
||||
switches::kFullMemoryCrashReport,
|
||||
switches::kEnableLogging,
|
||||
@ -27,7 +28,7 @@ void CopyNaClCommandLineArguments(base::CommandLine* cmd_line) {
|
||||
switches::kLoggingLevel,
|
||||
switches::kNoErrorDialogs,
|
||||
#if defined(OS_MACOSX)
|
||||
switches::kEnableSandboxLogging,
|
||||
service_manager::switches::kEnableSandboxLogging,
|
||||
#endif
|
||||
};
|
||||
cmd_line->CopySwitchesFrom(browser_command_line, kSwitchNames,
|
||||
|
@ -12,9 +12,9 @@
|
||||
#include "build/build_config.h"
|
||||
#include "components/nacl/loader/nacl_listener.h"
|
||||
#include "components/nacl/loader/nacl_main_platform_delegate.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "content/public/common/main_function_params.h"
|
||||
#include "mojo/edk/embedder/embedder.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
// main() routine for the NaCl loader process.
|
||||
int NaClMain(const content::MainFunctionParams& parameters) {
|
||||
@ -35,7 +35,8 @@ int NaClMain(const content::MainFunctionParams& parameters) {
|
||||
#if defined(OS_WIN) || defined(OS_MACOSX) || defined(OS_LINUX) || \
|
||||
defined(OS_ANDROID)
|
||||
NaClMainPlatformDelegate platform;
|
||||
bool no_sandbox = parsed_command_line.HasSwitch(switches::kNoSandbox);
|
||||
bool no_sandbox =
|
||||
parsed_command_line.HasSwitch(service_manager::switches::kNoSandbox);
|
||||
|
||||
#if defined(OS_POSIX)
|
||||
// The number of cores must be obtained before the invocation of
|
||||
|
@ -222,9 +222,9 @@ void NaClForkDelegate::Init(const int sandboxdesc,
|
||||
static constexpr const char* kForwardSwitches[] = {
|
||||
service_manager::switches::kAllowSandboxDebugging,
|
||||
service_manager::switches::kDisableSeccompFilterSandbox,
|
||||
service_manager::switches::kNoSandbox,
|
||||
switches::kEnableNaClDebug,
|
||||
switches::kNaClDangerousNoSandboxNonSfi,
|
||||
switches::kNoSandbox,
|
||||
};
|
||||
const base::CommandLine& current_cmd_line =
|
||||
*base::CommandLine::ForCurrentProcess();
|
||||
|
@ -46,6 +46,7 @@ include_rules = [
|
||||
"+sandbox",
|
||||
"+services/proxy_resolver/public/mojom",
|
||||
"+services/service_manager/embedder",
|
||||
"+services/service_manager/sandbox",
|
||||
"+skia",
|
||||
|
||||
# In general, content/ should not rely on google_apis, since URLs
|
||||
|
@ -59,6 +59,7 @@
|
||||
#include "ppapi/buildflags/buildflags.h"
|
||||
#include "services/service_manager/embedder/switches.h"
|
||||
#include "services/service_manager/sandbox/sandbox_type.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "ui/base/ui_base_paths.h"
|
||||
#include "ui/base/ui_base_switches.h"
|
||||
#include "ui/display/display_switches.h"
|
||||
@ -314,7 +315,7 @@ void InitializeZygoteSandboxForBrowserProcess(
|
||||
SandboxHostLinux::GetInstance()->Init();
|
||||
|
||||
if (parsed_command_line.HasSwitch(switches::kNoZygote) &&
|
||||
!parsed_command_line.HasSwitch(switches::kNoSandbox)) {
|
||||
!parsed_command_line.HasSwitch(service_manager::switches::kNoSandbox)) {
|
||||
LOG(ERROR) << "--no-sandbox should be used together with --no--zygote";
|
||||
exit(EXIT_FAILURE);
|
||||
}
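Review bot: The error message in the `kNoZygote` check of InitializeZygoteSandboxForBrowserProcess spells the second flag `--no--zygote` and hard-codes both switch names, so it can drift from the constants this commit consolidates. Building the text from the constants keeps it correct: `LOG(ERROR) << "--" << service_manager::switches::kNoSandbox << " should be used together with --" << switches::kNoZygote;`. The function continues outside the hunk.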
|
||||
|
@ -20,6 +20,7 @@
|
||||
#include "content/public/common/content_descriptors.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "jni/ChildProcessLauncherHelper_jni.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
using base::android::AttachCurrentThread;
|
||||
using base::android::JavaParamRef;
|
||||
@ -55,7 +56,7 @@ void ChildProcessLauncherHelper::BeforeLaunchOnClientThread() {
|
||||
|
||||
// Non-sandboxed utility or renderer process are currently not supported.
|
||||
DCHECK(process_type == switches::kGpuProcess ||
|
||||
!command_line()->HasSwitch(switches::kNoSandbox));
|
||||
!command_line()->HasSwitch(service_manager::switches::kNoSandbox));
|
||||
}
|
||||
|
||||
mojo::edk::ScopedPlatformHandle
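Review bot: The guard in BeforeLaunchOnClientThread that rejects `--no-sandbox` for non-GPU processes is a `DCHECK`, so it is compiled out of builds where DCHECKs are off and the switch is not rejected at this point there. If unsandboxed renderer or utility processes really are unsupported on Android, the condition deserves enforcement that survives release builds, e.g. `CHECK(process_type == switches::kGpuProcess || !command_line()->HasSwitch(service_manager::switches::kNoSandbox));`, or a comment naming where release builds ignore the switch. The function body starts outside the hunk, so an earlier check may already cover this.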
|
||||
|
@ -31,6 +31,7 @@
|
||||
#include "services/service_manager/sandbox/mac/utility.sb.h"
|
||||
#include "services/service_manager/sandbox/sandbox.h"
|
||||
#include "services/service_manager/sandbox/sandbox_type.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
namespace content {
|
||||
namespace internal {
|
||||
@ -66,8 +67,9 @@ bool ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
|
||||
auto sandbox_type =
|
||||
service_manager::SandboxTypeFromCommandLine(*command_line_);
|
||||
|
||||
bool no_sandbox = command_line_->HasSwitch(switches::kNoSandbox) ||
|
||||
service_manager::IsUnsandboxedSandboxType(sandbox_type);
|
||||
bool no_sandbox =
|
||||
command_line_->HasSwitch(service_manager::switches::kNoSandbox) ||
|
||||
service_manager::IsUnsandboxedSandboxType(sandbox_type);
|
||||
|
||||
// TODO(kerrnel): Delete this switch once the V2 sandbox is always enabled.
|
||||
bool v2_process = false;
|
||||
|
@ -122,6 +122,8 @@ static const char* const kSwitchNames[] = {
|
||||
service_manager::switches::kDisableSeccompFilterSandbox,
|
||||
service_manager::switches::kGpuSandboxAllowSysVShm,
|
||||
service_manager::switches::kGpuSandboxFailuresFatal,
|
||||
service_manager::switches::kDisableGpuSandbox,
|
||||
service_manager::switches::kNoSandbox,
|
||||
#if defined(OS_WIN)
|
||||
service_manager::switches::kAddGpuAppContainerCaps,
|
||||
service_manager::switches::kDisableGpuAppContainer,
|
||||
@ -130,7 +132,6 @@ static const char* const kSwitchNames[] = {
|
||||
#endif // defined(OS_WIN)
|
||||
switches::kDisableBreakpad,
|
||||
switches::kDisableGpuRasterization,
|
||||
switches::kDisableGpuSandbox,
|
||||
switches::kDisableGLExtensions,
|
||||
switches::kDisableLogging,
|
||||
switches::kDisableShaderNameHashing,
|
||||
@ -149,7 +150,6 @@ static const char* const kSwitchNames[] = {
|
||||
switches::kLoggingLevel,
|
||||
switches::kEnableLowEndDeviceMode,
|
||||
switches::kDisableLowEndDeviceMode,
|
||||
switches::kNoSandbox,
|
||||
switches::kRunAllCompositorStagesBeforeDraw,
|
||||
switches::kTestGLLib,
|
||||
switches::kTraceToConsole,
|
||||
@ -158,10 +158,10 @@ static const char* const kSwitchNames[] = {
|
||||
switches::kV,
|
||||
switches::kVModule,
|
||||
#if defined(OS_MACOSX)
|
||||
service_manager::switches::kEnableSandboxLogging,
|
||||
switches::kDisableAVFoundationOverlays,
|
||||
switches::kDisableMacOverlays,
|
||||
switches::kDisableRemoteCoreAnimation,
|
||||
switches::kEnableSandboxLogging,
|
||||
switches::kShowMacOverlayBorders,
|
||||
#endif
|
||||
#if defined(USE_OZONE)
|
||||
@ -343,7 +343,7 @@ class GpuSandboxedProcessLauncherDelegate
|
||||
|
||||
service_manager::SandboxType GetSandboxType() override {
|
||||
#if defined(OS_WIN)
|
||||
if (cmd_line_.HasSwitch(switches::kDisableGpuSandbox)) {
|
||||
if (cmd_line_.HasSwitch(service_manager::switches::kDisableGpuSandbox)) {
|
||||
DVLOG(1) << "GPU sandbox is disabled";
|
||||
return service_manager::SANDBOX_TYPE_NO_SANDBOX;
|
||||
}
|
||||
@ -1233,7 +1233,7 @@ bool GpuProcessHost::LaunchGpuProcess() {
|
||||
#endif // defined(OS_WIN)
|
||||
|
||||
if (kind_ == GPU_PROCESS_KIND_UNSANDBOXED)
|
||||
cmd_line->AppendSwitch(switches::kDisableGpuSandbox);
|
||||
cmd_line->AppendSwitch(service_manager::switches::kDisableGpuSandbox);
|
||||
|
||||
// TODO(penghuang): Replace all GPU related switches with GpuPreferences.
|
||||
// https://crbug.com/590825
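Review bot: In GpuSandboxedProcessLauncherDelegate::GetSandboxType the only trace of `--disable-gpu-sandbox` taking effect is `DVLOG(1) << "GPU sandbox is disabled";`, which is verbose debug logging and is normally absent from release logs. Since this branch returns `SANDBOX_TYPE_NO_SANDBOX`, a message that survives release builds would make an unsandboxed GPU process visible during triage, e.g. `LOG(WARNING) << "GPU sandbox is disabled";`. The method body continues outside the hunk.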
|
||||
|
@ -13,6 +13,7 @@
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "content/public/test/content_browser_test.h"
|
||||
#include "content/public/test/content_browser_test_utils.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "testing/gmock/include/gmock/gmock-matchers.h"
|
||||
#include "testing/gmock/include/gmock/gmock.h"
|
||||
#include "testing/gtest/include/gtest/gtest.h"
|
||||
@ -32,8 +33,8 @@ class LinuxIPCBrowserTest : public ContentBrowserTest,
|
||||
void SetUpCommandLine(base::CommandLine* command_line) override {
|
||||
ContentBrowserTest::SetUpCommandLine(command_line);
|
||||
if (GetParam() == "no-zygote") {
|
||||
command_line->AppendSwitch(service_manager::switches::kNoSandbox);
|
||||
command_line->AppendSwitch(switches::kNoZygote);
|
||||
command_line->AppendSwitch(switches::kNoSandbox);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -367,10 +367,10 @@ bool PpapiPluginProcessHost::Init(const PepperPluginInfo& info) {
|
||||
if (!is_broker_) {
|
||||
static const char* const kPluginForwardSwitches[] = {
|
||||
service_manager::switches::kDisableSeccompFilterSandbox,
|
||||
service_manager::switches::kNoSandbox,
|
||||
#if defined(OS_MACOSX)
|
||||
switches::kEnableSandboxLogging,
|
||||
service_manager::switches::kEnableSandboxLogging,
|
||||
#endif
|
||||
switches::kNoSandbox,
|
||||
switches::kPpapiStartupDialog,
|
||||
};
|
||||
cmd_line->CopySwitchesFrom(browser_command_line, kPluginForwardSwitches,
|
||||
|
@ -2654,6 +2654,11 @@ void RenderProcessHostImpl::PropagateBrowserCommandLineToRenderer(
|
||||
network::switches::kNoReferrers,
|
||||
service_manager::switches::kDisableInProcessStackTraces,
|
||||
service_manager::switches::kDisableSeccompFilterSandbox,
|
||||
service_manager::switches::kNoSandbox,
|
||||
#if defined(OS_MACOSX)
|
||||
// Allow this to be set when invoking the browser and relayed along.
|
||||
service_manager::switches::kEnableSandboxLogging,
|
||||
#endif
|
||||
switches::kAgcStartupMinVolume,
|
||||
switches::kAecRefinedAdaptiveFilter,
|
||||
switches::kAllowLoopbackInPeerConnection,
|
||||
@ -2744,7 +2749,6 @@ void RenderProcessHostImpl::PropagateBrowserCommandLineToRenderer(
|
||||
switches::kMaxUntiledLayerHeight,
|
||||
switches::kMSEAudioBufferSizeLimit,
|
||||
switches::kMSEVideoBufferSizeLimit,
|
||||
switches::kNoSandbox,
|
||||
switches::kNoZygote,
|
||||
switches::kOverridePluginPowerSaverForTesting,
|
||||
switches::kPassiveListenersDefault,
|
||||
@ -2818,10 +2822,6 @@ void RenderProcessHostImpl::PropagateBrowserCommandLineToRenderer(
|
||||
switches::kOrderfileMemoryOptimization,
|
||||
switches::kRendererWaitForJavaDebugger,
|
||||
#endif
|
||||
#if defined(OS_MACOSX)
|
||||
// Allow this to be set when invoking the browser and relayed along.
|
||||
switches::kEnableSandboxLogging,
|
||||
#endif
|
||||
#if defined(OS_WIN)
|
||||
service_manager::switches::kDisableWin32kLockDown,
|
||||
switches::kEnableWin7WebRtcHWH264Decoding,
|
||||
@ -2896,8 +2896,8 @@ void RenderProcessHostImpl::PropagateBrowserCommandLineToRenderer(
|
||||
// --no-sandbox in official builds because that would bypass the bad_flgs
|
||||
// prompt.
|
||||
if (renderer_cmd->HasSwitch(switches::kRendererStartupDialog) &&
|
||||
!renderer_cmd->HasSwitch(switches::kNoSandbox)) {
|
||||
renderer_cmd->AppendSwitch(switches::kNoSandbox);
|
||||
!renderer_cmd->HasSwitch(service_manager::switches::kNoSandbox)) {
|
||||
renderer_cmd->AppendSwitch(service_manager::switches::kNoSandbox);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
@ -22,6 +22,7 @@
|
||||
#include "content/public/common/pepper_plugin_info.h"
|
||||
#include "sandbox/mac/seatbelt_exec.h"
|
||||
#include "services/service_manager/sandbox/mac/sandbox_mac.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
namespace content {
|
||||
|
||||
@ -48,7 +49,7 @@ void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client) {
|
||||
const base::CommandLine* command_line =
|
||||
base::CommandLine::ForCurrentProcess();
|
||||
bool enable_logging =
|
||||
command_line->HasSwitch(switches::kEnableSandboxLogging);
|
||||
command_line->HasSwitch(service_manager::switches::kEnableSandboxLogging);
|
||||
|
||||
CHECK(client->SetBooleanParameter(
|
||||
service_manager::SandboxMac::kSandboxEnableLogging, enable_logging));
|
||||
|
@ -33,6 +33,7 @@
|
||||
#include "services/network/public/cpp/network_switches.h"
|
||||
#include "services/service_manager/public/cpp/interface_provider.h"
|
||||
#include "services/service_manager/sandbox/sandbox_type.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "ui/base/ui_base_switches.h"
|
||||
#include "ui/gl/gl_switches.h"
|
||||
|
||||
@ -267,13 +268,13 @@ bool UtilityProcessHost::StartProcess() {
|
||||
network::switches::kIgnoreCertificateErrorsSPKIList,
|
||||
network::switches::kLogNetLog,
|
||||
network::switches::kNoReferrers,
|
||||
service_manager::switches::kNoSandbox,
|
||||
#if defined(OS_MACOSX)
|
||||
service_manager::switches::kEnableSandboxLogging,
|
||||
#endif
|
||||
switches::kIgnoreCertificateErrors,
|
||||
switches::kNoSandbox,
|
||||
switches::kOverrideUseSoftwareGLForTests,
|
||||
switches::kProxyServer,
|
||||
#if defined(OS_MACOSX)
|
||||
switches::kEnableSandboxLogging,
|
||||
#endif
|
||||
switches::kUseFakeDeviceForMediaStream,
|
||||
switches::kUseFileForFakeVideoCapture,
|
||||
switches::kUseMockCertVerifierForTesting,
|
||||
|
@ -72,7 +72,7 @@ ZygoteHostImpl* ZygoteHostImpl::GetInstance() {
|
||||
}
|
||||
|
||||
void ZygoteHostImpl::Init(const base::CommandLine& command_line) {
|
||||
if (command_line.HasSwitch(switches::kNoSandbox)) {
|
||||
if (command_line.HasSwitch(service_manager::switches::kNoSandbox)) {
|
||||
return;
|
||||
}
|
||||
|
||||
@ -85,7 +85,8 @@ void ZygoteHostImpl::Init(const base::CommandLine& command_line) {
|
||||
uid_t uid = 0;
|
||||
gid_t gid = 0;
|
||||
if (!sandbox::Credentials::GetRESIds(&uid, &gid) || uid == 0) {
|
||||
LOG(ERROR) << "Running as root without --" << switches::kNoSandbox
|
||||
LOG(ERROR) << "Running as root without --"
|
||||
<< service_manager::switches::kNoSandbox
|
||||
<< " is not supported. See https://crbug.com/638180.";
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
@ -96,7 +97,8 @@ void ZygoteHostImpl::Init(const base::CommandLine& command_line) {
|
||||
sandbox_binary_ = setuid_sandbox_host->GetSandboxBinaryPath().value();
|
||||
}
|
||||
|
||||
if (!command_line.HasSwitch(switches::kDisableNamespaceSandbox) &&
|
||||
if (!command_line.HasSwitch(
|
||||
service_manager::switches::kDisableNamespaceSandbox) &&
|
||||
sandbox::Credentials::CanCreateProcessInNewUserNS()) {
|
||||
use_namespace_sandbox_ = true;
|
||||
|
||||
@ -128,7 +130,7 @@ void ZygoteHostImpl::Init(const base::CommandLine& command_line) {
|
||||
"developing with the SUID sandbox. "
|
||||
"If you want to live dangerously and need an immediate workaround, "
|
||||
"you can try using --"
|
||||
<< switches::kNoSandbox << ".";
|
||||
<< service_manager::switches::kNoSandbox << ".";
|
||||
}
|
||||
}
|
||||
|
||||
@ -200,7 +202,7 @@ pid_t ZygoteHostImpl::LaunchZygote(
|
||||
CHECK_GT(boot_pid, 1)
|
||||
<< "Received invalid process ID for zygote; kernel might be too old? "
|
||||
"See crbug.com/357670 or try using --"
|
||||
<< switches::kNoSandbox << " to workaround.";
|
||||
<< service_manager::switches::kNoSandbox << " to workaround.";
|
||||
|
||||
// Now receive the message that the zygote's ready to go, along with the
|
||||
// main zygote process's ID.
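Review bot: The root check in ZygoteHostImpl::Init reports "Running as root" for two different conditions, `GetRESIds()` returning false and `uid == 0`. When the ID query itself fails, the message points the reader at a root login that may not exist. Handling the failure separately would make it diagnosable, for example `if (!sandbox::Credentials::GetRESIds(&uid, &gid)) { LOG(ERROR) << "Could not read process credentials."; exit(EXIT_FAILURE); }` ahead of the `uid == 0` test. The function starts and ends outside the hunks shown.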
|
||||
|
@ -13,12 +13,14 @@
|
||||
#include "base/process/launch.h"
|
||||
#include "base/process/process.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
namespace content {
|
||||
|
||||
void UpdateLaunchOptionsForSandbox(service_manager::SandboxType type,
|
||||
base::LaunchOptions* options) {
|
||||
if (base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kNoSandbox)) {
|
||||
if (base::CommandLine::ForCurrentProcess()->HasSwitch(
|
||||
service_manager::switches::kNoSandbox)) {
|
||||
type = service_manager::SANDBOX_TYPE_NO_SANDBOX;
|
||||
}
|
||||
|
||||
|
@ -169,9 +169,6 @@ const char kDisableGpuProcessCrashLimit[] = "disable-gpu-process-crash-limit";
|
||||
// during fast scrolling especially on slower devices.
|
||||
const char kDisableLowResTiling[] = "disable-low-res-tiling";
|
||||
|
||||
// Disable the GPU process sandbox.
|
||||
const char kDisableGpuSandbox[] = "disable-gpu-sandbox";
|
||||
|
||||
// Disable the thread that crashes the GPU process if it stops responding to
|
||||
// messages.
|
||||
const char kDisableGpuWatchdog[] = "disable-gpu-watchdog";
|
||||
@ -206,9 +203,6 @@ const char kDisableLogging[] = "disable-logging";
|
||||
// Disables using CODECAPI_AVLowLatencyMode when creating DXVA decoders.
|
||||
const char kDisableLowLatencyDxva[] = "disable-low-latency-dxva";
|
||||
|
||||
// Disables usage of the namespace sandbox.
|
||||
const char kDisableNamespaceSandbox[] = "disable-namespace-sandbox";
|
||||
|
||||
// Disables clearing the rendering output of a renderer when it didn't commit
|
||||
// new output for a while after a top-frame navigation.
|
||||
const char kDisableNewContentRenderingTimeout[] =
|
||||
@ -404,10 +398,6 @@ const char kEnableRGBA4444Textures[] = "enable-rgba-4444-textures";
|
||||
// Set options to cache V8 data. (off, preparse data, or code)
|
||||
const char kV8CacheOptions[] = "v8-cache-options";
|
||||
|
||||
// Cause the OS X sandbox write to syslog every time an access to a resource
|
||||
// is denied by the sandbox.
|
||||
const char kEnableSandboxLogging[] = "enable-sandbox-logging";
|
||||
|
||||
// Enables the Skia benchmarking extension
|
||||
const char kEnableSkiaBenchmarking[] = "enable-skia-benchmarking";
|
||||
|
||||
@ -607,9 +597,6 @@ const char kMHTMLSkipNostoreAll[] = "skip-nostore-all";
|
||||
// Use a Mojo-based LocalStorage implementation.
|
||||
const char kMojoLocalStorage[] = "mojo-local-storage";
|
||||
|
||||
// Disables the sandbox for all process types that are normally sandboxed.
|
||||
const char kNoSandbox[] = "no-sandbox";
|
||||
|
||||
// Disables the use of a zygote process for forking child processes. Instead,
|
||||
// child processes will be forked and exec'd directly. Note that --no-sandbox
|
||||
// should also be used together with this flag because the sandbox needs the
|
||||
@ -736,8 +723,8 @@ const char kRendererProcess[] = "renderer";
|
||||
const char kRendererProcessLimit[] = "renderer-process-limit";
|
||||
|
||||
// Causes the renderer process to display a dialog on launch. Passing this flag
|
||||
// also adds kNoSandbox on Windows non-official builds, since that's needed to
|
||||
// show a dialog.
|
||||
// also adds service_manager::kNoSandbox on Windows non-official builds, since
|
||||
// that's needed to show a dialog.
|
||||
const char kRendererStartupDialog[] = "renderer-startup-dialog";
|
||||
|
||||
// Reduce the default `referer` header's granularity.
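Review bot: The updated comment on `kRendererStartupDialog` names `service_manager::kNoSandbox`, but the constant lives in the nested `switches` namespace, as every call site in this commit spells it. I would write `// also adds service_manager::switches::kNoSandbox on Windows non-official builds, since` so that a search for the symbol also finds this comment.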
|
||||
|
@ -58,7 +58,6 @@ CONTENT_EXPORT extern const char kDisableGpuEarlyInit[];
|
||||
CONTENT_EXPORT extern const char kDisableGpuMemoryBufferCompositorResources[];
|
||||
CONTENT_EXPORT extern const char kDisableGpuMemoryBufferVideoFrames[];
|
||||
extern const char kDisableGpuProcessCrashLimit[];
|
||||
CONTENT_EXPORT extern const char kDisableGpuSandbox[];
|
||||
CONTENT_EXPORT extern const char kDisableGpuWatchdog[];
|
||||
CONTENT_EXPORT extern const char kDisableImageAnimationResync[];
|
||||
CONTENT_EXPORT extern const char kDisableJavaScriptHarmonyShipping[];
|
||||
@ -71,7 +70,6 @@ CONTENT_EXPORT extern const char kDisablePreferCompositingToLCDText[];
|
||||
CONTENT_EXPORT extern const char kDisableKillAfterBadIPC[];
|
||||
CONTENT_EXPORT extern const char kDisableLocalStorage[];
|
||||
CONTENT_EXPORT extern const char kDisableLogging[];
|
||||
CONTENT_EXPORT extern const char kDisableNamespaceSandbox[];
|
||||
CONTENT_EXPORT extern const char kDisableNewContentRenderingTimeout[];
|
||||
CONTENT_EXPORT extern const char kDisableNotifications[];
|
||||
CONTENT_EXPORT extern const char kDisableOriginTrialControlledBlinkFeatures[];
|
||||
@ -127,7 +125,6 @@ CONTENT_EXPORT extern const char kEnablePluginPlaceholderTesting[];
|
||||
CONTENT_EXPORT extern const char kEnablePreciseMemoryInfo[];
|
||||
CONTENT_EXPORT extern const char kEnablePrintBrowser[];
|
||||
CONTENT_EXPORT extern const char kEnableRGBA4444Textures[];
|
||||
CONTENT_EXPORT extern const char kEnableSandboxLogging[];
|
||||
extern const char kEnableSkiaBenchmarking[];
|
||||
CONTENT_EXPORT extern const char kEnableSlimmingPaintV175[];
|
||||
CONTENT_EXPORT extern const char kEnableSlimmingPaintV2[];
|
||||
@ -182,7 +179,6 @@ CONTENT_EXPORT extern const char kMHTMLGeneratorOption[];
|
||||
CONTENT_EXPORT extern const char kMHTMLSkipNostoreMain[];
|
||||
CONTENT_EXPORT extern const char kMHTMLSkipNostoreAll[];
|
||||
CONTENT_EXPORT extern const char kMojoLocalStorage[];
|
||||
CONTENT_EXPORT extern const char kNoSandbox[];
|
||||
CONTENT_EXPORT extern const char kNoZygote[];
|
||||
CONTENT_EXPORT extern const char kEnableAppContainer[];
|
||||
CONTENT_EXPORT extern const char kDisableAppContainer[];
|
||||
|
@ -33,6 +33,7 @@
|
||||
#include "content/renderer/renderer_main_platform_delegate.h"
|
||||
#include "media/media_buildflags.h"
|
||||
#include "ppapi/buildflags/buildflags.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "third_party/blink/public/platform/scheduler/web_main_thread_scheduler.h"
|
||||
#include "third_party/skia/include/core/SkGraphics.h"
|
||||
#include "ui/base/ui_base_switches.h"
|
||||
@ -185,7 +186,8 @@ int RendererMain(const MainFunctionParams& parameters) {
|
||||
|
||||
base::PlatformThread::SetName("CrRendererMain");
|
||||
|
||||
bool no_sandbox = command_line.HasSwitch(switches::kNoSandbox);
|
||||
bool no_sandbox =
|
||||
command_line.HasSwitch(service_manager::switches::kNoSandbox);
|
||||
|
||||
#if defined(OS_ANDROID)
|
||||
// If we have any pending LibraryLoader histograms, record them.
|
||||
|
@ -15,11 +15,11 @@
|
||||
#include "base/win/windows_version.h"
|
||||
#include "content/child/dwrite_font_proxy/dwrite_font_proxy_init_impl_win.h"
|
||||
#include "content/child/font_warmup_win.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "content/public/common/injection_test_win.h"
|
||||
#include "content/public/renderer/render_thread.h"
|
||||
#include "content/renderer/render_thread_impl.h"
|
||||
#include "sandbox/win/src/sandbox.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "third_party/blink/public/platform/web_runtime_features.h"
|
||||
#include "third_party/blink/public/web/win/web_font_rendering.h"
|
||||
#include "third_party/icu/source/i18n/unicode/timezone.h"
|
||||
@ -41,7 +41,8 @@ void RendererMainPlatformDelegate::PlatformInitialize() {
|
||||
|
||||
// Be mindful of what resources you acquire here. They can be used by
|
||||
// malicious code if the renderer gets compromised.
|
||||
bool no_sandbox = command_line.HasSwitch(switches::kNoSandbox);
|
||||
bool no_sandbox =
|
||||
command_line.HasSwitch(service_manager::switches::kNoSandbox);
|
||||
|
||||
if (!no_sandbox) {
|
||||
// ICU DateFormat class (used in base/time_format.cc) needs to get the
|
||||
|
@ -26,6 +26,7 @@
|
||||
#include "content/public/test/test_utils.h"
|
||||
#include "content/shell/browser/shell.h"
|
||||
#include "content/shell/common/shell_switches.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "testing/gtest/include/gtest/gtest.h"
|
||||
|
||||
namespace content {
|
||||
@ -81,7 +82,7 @@ IN_PROC_BROWSER_TEST_F(ContentBrowserTest, RendererCrashCallStack) {
|
||||
#if defined(THREAD_SANITIZER)
|
||||
// TSan appears to not be able to report intentional crashes from sandboxed
|
||||
// renderer processes.
|
||||
new_test.AppendSwitch(switches::kNoSandbox);
|
||||
new_test.AppendSwitch(service_manager::switches::kNoSandbox);
|
||||
#endif
|
||||
|
||||
std::string output;
|
||||
|
@ -12,6 +12,7 @@
|
||||
#include "content/public/test/content_browser_test.h"
|
||||
#include "content/public/test/content_browser_test_utils.h"
|
||||
#include "content/shell/browser/shell.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
|
||||
namespace content {
|
||||
|
||||
@ -49,7 +50,7 @@ class LinuxZygoteDisabledBrowserTest : public ContentBrowserTest {
|
||||
void SetUpCommandLine(base::CommandLine* command_line) override {
|
||||
ContentBrowserTest::SetUpCommandLine(command_line);
|
||||
command_line->AppendSwitch(switches::kNoZygote);
|
||||
command_line->AppendSwitch(switches::kNoSandbox);
|
||||
command_line->AppendSwitch(service_manager::switches::kNoSandbox);
|
||||
}
|
||||
|
||||
private:
|
||||
|
@ -33,7 +33,6 @@
|
||||
#include "content/common/zygote_commands_linux.h"
|
||||
#include "content/public/common/common_sandbox_support_linux.h"
|
||||
#include "content/public/common/content_descriptors.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "content/public/common/zygote_fork_delegate_linux.h"
|
||||
#include "content/zygote/zygote_linux.h"
|
||||
#include "sandbox/linux/services/credentials.h"
|
||||
@ -45,6 +44,7 @@
|
||||
#include "services/service_manager/sandbox/linux/sandbox_debug_handling_linux.h"
|
||||
#include "services/service_manager/sandbox/linux/sandbox_linux.h"
|
||||
#include "services/service_manager/sandbox/sandbox.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "third_party/icu/source/i18n/unicode/timezone.h"
|
||||
|
||||
namespace content {
|
||||
@ -184,7 +184,7 @@ bool ZygoteMain(
|
||||
|
||||
// Skip pre-initializing sandbox under --no-sandbox for crbug.com/444900.
|
||||
if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
|
||||
switches::kNoSandbox)) {
|
||||
service_manager::switches::kNoSandbox)) {
|
||||
// This will pre-initialize the various sandboxes that need it.
|
||||
linux_sandbox->PreinitializeSandbox();
|
||||
}
|
||||
|
@ -26,4 +26,5 @@ include_rules = [
|
||||
"+ui/ozone/public",
|
||||
"+sandbox/win/src",
|
||||
"+services/service_manager/public",
|
||||
"+services/service_manager/sandbox",
|
||||
]
|
||||
|
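Review bot: The added rule `"+services/service_manager/sandbox",` opens the whole sandbox directory to everything under this DEPS file, while the only sandbox include added in the file section that follows is `services/service_manager/sandbox/switches.h`. If nothing else here needs the other sandbox headers, I would narrow it to `"+services/service_manager/sandbox/switches.h",`. That way a later include of sandbox internals from this component needs an explicit DEPS change and review. Whether other files under this directory already rely on the broader path cannot be seen from this hunk.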
@ -27,6 +27,7 @@
|
||||
#include "headless/lib/headless_crash_reporter_client.h"
|
||||
#include "headless/lib/headless_macros.h"
|
||||
#include "headless/lib/utility/headless_content_utility_client.h"
|
||||
#include "services/service_manager/sandbox/switches.h"
|
||||
#include "ui/base/resource/resource_bundle.h"
|
||||
#include "ui/base/ui_base_switches.h"
|
||||
#include "ui/gfx/switches.h"
|
||||
@ -86,7 +87,7 @@ bool HeadlessContentMainDelegate::BasicStartupComplete(int* exit_code) {
|
||||
command_line->AppendSwitch(switches::kSingleProcess);
|
||||
|
||||
if (browser_->options()->disable_sandbox)
|
||||
command_line->AppendSwitch(switches::kNoSandbox);
|
||||
command_line->AppendSwitch(service_manager::switches::kNoSandbox);
|
||||
|
||||
if (!browser_->options()->enable_resource_scheduler)
|
||||
command_line->AppendSwitch(switches::kDisableResourceScheduler);
|
||||
|
@ -45,6 +45,12 @@ const char kAllowSandboxDebugging[] = "allow-sandbox-debugging";
|
||||
// Disable appcontainer/lowbox for renderer on Win8+ platforms.
|
||||
const char kDisableAppContainer[] = "disable-appcontainer";
|
||||
|
||||
// Disables the GPU process sandbox.
|
||||
const char kDisableGpuSandbox[] = "disable-gpu-sandbox";
|
||||
|
||||
// Disables usage of the namespace sandbox.
|
||||
const char kDisableNamespaceSandbox[] = "disable-namespace-sandbox";
|
||||
|
||||
// Disable the seccomp filter sandbox (seccomp-bpf) (Linux only).
|
||||
const char kDisableSeccompFilterSandbox[] = "disable-seccomp-filter-sandbox";
|
||||
|
||||
@ -63,6 +69,9 @@ const char kGpuSandboxAllowSysVShm[] = "gpu-sandbox-allow-sysv-shm";
|
||||
// Makes GPU sandbox failures fatal.
|
||||
const char kGpuSandboxFailuresFatal[] = "gpu-sandbox-failures-fatal";
|
||||
|
||||
// Disables the sandbox for all process types that are normally sandboxed.
|
||||
const char kNoSandbox[] = "no-sandbox";
|
||||
|
||||
#if defined(OS_WIN)
|
||||
// Allows third party modules to inject by disabling the BINARY_SIGNATURE
|
||||
// mitigation policy on Win10+. Also has other effects in ELF.
|
||||
@ -79,6 +88,15 @@ const char kDisableGpuLpac[] = "disable-gpu-lpac";
|
||||
|
||||
// Enables AppContainer sandbox on the GPU process.
|
||||
const char kEnableGpuAppContainer[] = "enable-gpu-appcontainer";
|
||||
|
||||
// Disables the sandbox and gives the process elevated privileges.
|
||||
const char kNoSandboxAndElevatedPrivileges[] = "no-sandbox-and-elevated";
|
||||
#endif
|
||||
|
||||
#if defined(OS_MACOSX)
|
||||
// Cause the OS X sandbox write to syslog every time an access to a resource
|
||||
// is denied by the sandbox.
|
||||
const char kEnableSandboxLogging[] = "enable-sandbox-logging";
|
||||
#endif
|
||||
|
||||
// Flags spied upon from other layers.
|
||||
@ -87,12 +105,6 @@ const char kPpapiBrokerProcess[] = "ppapi-broker";
|
||||
const char kPpapiPluginProcess[] = "ppapi";
|
||||
const char kRendererProcess[] = "renderer";
|
||||
const char kUtilityProcess[] = "utility";
|
||||
const char kDisableGpuSandbox[] = "disable-gpu-sandbox";
|
||||
const char kNoSandbox[] = "no-sandbox";
|
||||
#if defined(OS_WIN)
|
||||
const char kNoSandboxAndElevatedPrivileges[] = "no-sandbox-and-elevated";
|
||||
#endif
|
||||
const char kEnableSandboxLogging[] = "enable-sandbox-logging";
|
||||
|
||||
} // namespace switches
|
||||
|
||||
|
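Review bot: The comment added above `kNoSandbox` in the second hunk ("Disables the sandbox for all process types that are normally sandboxed.") does not say that the switch removes a security boundary or who is expected to pass it. Since this file becomes the single definition behind the renderer, zygote, headless and test call sites touched by this commit, I would extend it to something like `// Removes the process sandbox boundary for every sandboxed process type; intended for testing and debugging, not for production launches.` The same applies to `kNoSandboxAndElevatedPrivileges` in the third hunk, which additionally grants elevated privileges. Separately, `kEnableSandboxLogging` now sits inside `#if defined(OS_MACOSX)`, whereas the definition dropped in the last hunk appears to have been unconditional. That is presumably intended, but it is worth confirming that no non-Mac call site still references it.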
@ -32,18 +32,26 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kProfilingSandbox[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAllowNoSandboxJob[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAllowSandboxDebugging[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableAppContainer[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableGpuSandbox[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableNamespaceSandbox[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableSeccompFilterSandbox[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableSetuidSandbox[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableWin32kLockDown[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kEnableAppContainer[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kGpuSandboxAllowSysVShm[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kGpuSandboxFailuresFatal[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kNoSandbox[];
|
||||
#if defined(OS_WIN)
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAllowThirdPartyModules[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAddGpuAppContainerCaps[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableGpuAppContainer[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableGpuLpac[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kEnableGpuAppContainer[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char
|
||||
kNoSandboxAndElevatedPrivileges[];
|
||||
#endif
|
||||
#if defined(OS_MACOSX)
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kEnableSandboxLogging[];
|
||||
#endif
|
||||
|
||||
// Flags spied upon from other layers.
|
||||
@ -52,13 +60,6 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPpapiBrokerProcess[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPpapiPluginProcess[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kRendererProcess[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kUtilityProcess[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableGpuSandbox[];
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kNoSandbox[];
|
||||
#if defined(OS_WIN)
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char
|
||||
kNoSandboxAndElevatedPrivileges[];
|
||||
#endif
|
||||
SERVICE_MANAGER_SANDBOX_EXPORT extern const char kEnableSandboxLogging[];
|
||||
|
||||
} // namespace switches
|
||||
|
||||
|