This change replaces protobuf with a custom serialization routine.
Some of the utilities for encoding ints and blobs are lifted from
IndexedDB code.
The change also:
- deletes CompileAndApplyProfile, which was only used in unit tests.
The tests are updated to verify production code instead, so test
coverage is better.
- Renames SandboxCompiler to SandboxSerializer. This is more
accurate as "compiling" is a separate step provided by Mac system
utilities.
- Co-locates all serialization and de-serialization code in
SandboxSerializer, making it easier to understand and, if
desired, modify. Previously, these steps were spread across
SandboxCompiler and sandbox_exec.cc.
Bug: 328417294
Change-Id: I41bdffdb5331a0bfd979942b079fe5dd3670fe53
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6208630
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Evan Stade <estade@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1414452}
NaCL was disabled on Mac at the end of 2023 and PPAPI was disabled
shortly after. They are no longer supported on macOS.
The NaCL loader and PPAPI sandbox profiles are removed, as are all references to both technologies within Mac-specific code.
Fixed: 335686683
Change-Id: Ide63bd7d8e683317ddc8bd697b38e4ff2b512831
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5770897
Reviewed-by: Will Harris <wfh@chromium.org>
Auto-Submit: Mark Rowe <markrowe@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1338913}
For a while base::StringPiece has been merely an alias to string_view.
This CL removes all the uses of base::StringPiece and its variants from
//content/browser
Bug: 40506050
Change-Id: I658c76ac954e2e476201615252d670b0a6a66dc3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5555576
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: Claudio DeSouza <cdesouza@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1309279}
Crashpad is not yet updated for the new location, so leave a
forwarding header to be removed later.
Skipping trybots. This is a Mac change, and it’s passing all
trybots except for android_optional_gpu_tests_rel that is
repeatedly failing on an unrelated issue.
NOTRY=true
Bug: 1444927
Cq-Include-Trybots: luci.chrome.try:mac-chrome
Change-Id: Iad0c903187b0e1e5584c68f2eb00b5b026085596
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4790744
Owners-Override: Avi Drissman <avi@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Avi Drissman <avi@chromium.org>
Auto-Submit: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1185029}
Since at least as far back as macOS 10.13, CoreText and fontd transparently issue a sandbox extension when an application attempts to use a font that is outside of its sandbox. This means it is not necessary for the browser process to load a font on behalf of the render process.
Change-Id: I8ba957ccd616ffde73543f95c885be87c361dbd8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4205854
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Mark Rowe <markrowe@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1099914}
In the future, this will let profiles be pre-compiled and reused across
multiple process launches. This adds the support to the SandboxCompiler
and SeatbeltExec classes.
Bug: 1315988
Change-Id: I32a4f0b9adbc9c7c96f94afae7a643add0457452
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4079319
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1079413}
Previously, SeatbeltExecClient would build up the policy proto itself,
without using the SandboxCompiler. This plumbs the change through
//content so that parameter specification now happens on the
SandboxCompiler, rather than the SeatbeltExecClient.
Bug: 1315988
Change-Id: I08f5bb39ab7bf7f05ef16f5290e4c45bcd9ffc1e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4072565
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1079238}
As PluginService will only be accessible on the UI thread in the near
future, the Mac-only caller in SetupPPAPISandboxParameters() can no
longer call it directly on the process launcher thread. Instead, this CL
updates ChildProcessLauncher to call GetInternalPlugins() on the UI
thread, and pass the results to ChildProcessLauncherHelper, which then
passes it into SetupPPAPISandboxParameters().
Bug: 990013
Change-Id: I2e8e144d3982cd498726a6b3125f2ee75d7e9178
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3933904
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1057218}
This creates a utility sandbox that locks down as much as possible but
does allow dynamic code execution from within the sandbox. Its initial
purpose will be to host the AuctionWorkletService which runs web
supplied javascript and wasm but otherwise does not need access to
system resources.
Bug: 1272034
Tests: content_browsertests
Change-Id: I0cb626008b9662a8696a6fcf5b837f1c47d4b2fa
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3331179
Reviewed-by: Wez <wez@chromium.org>
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#953168}
sandbox.mojom.Sandbox can now be used as the sandbox type so we
replace it everywhere.
The guts of the change are in //sandbox/policy/sandbox_type.h where
SandboxType is now deleted, and //sandbox/policy/mojom/sandbox.mojom
where sandbox types that are not already used in mojom ServiceSandbox
attributes are added.
Some cascading changes:
- kService wasn't implemented on Mac (as it is equivalent to kUtility).
As we cannot alias enum fields in mojo like we can in C++ I have added
kService for Mac. The alternative is to define platform specific
ServiceSandbox attributes for all kService interfaces which seems to
put this complexity in the wrong place.
- sandbox_type.h included a number of buildflag headers that other files
then relied on. As sandbox_type.h is no longer needed in many places
and no longer needs these defines, they have been introduced where
required.
- sandbox::mojom::Sandbox is forward declared in a couple of headers
that are widely imported, hopefully reducing the number of times the
mojom.h is included but not used.
- some build deps must be modified.
- LibAssistantService needs a sandbox to be defined even when hosted
in process, so has kNoSandbox now when enable_cros_libassistant is
false.
Bug: 1210301
Change-Id: I13fa4fa8cbbb3090a38806fe5532787bbdf1e2fb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3213677
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Sean Topping <seantopping@chromium.org>
Reviewed-by: Filip Gorski <fgorski@chromium.org>
Reviewed-by: Derek Schuff <dschuff@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Reviewed-by: Tao Wu <wutao@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: David Dorwin <ddorwin@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#934126}
This change removes calls to base::ASCIIToUTF16 in //content and //ui
with a single-line string literal and replaces them with a u"..."
literal instead. Files where this change would cause compilation errors
were not changed.
This is a mechanical change:
$ git grep -lw ASCIIToUTF16 content ui | xargs \
sed -i 's/\(base::\)\?ASCIIToUTF16(\("\(\\.\|[^\\"]\)*"\))/u\2/g'
$ git cl format
Bug: 1189439
Change-Id: I0d5601dc15324c43012b8d26260405f1efdca07e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2780265
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Auto-Submit: Jan Wilken Dörrie <jdoerrie@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#865766}
The default sandbox for the Print Backend service causes interactions to
fail due to access denied errors when trying to interact with the
operating system and printer drivers.
Adjust some of the sandbox settings for each desktop OS so that the
necessary calls can operate as needed.
Bug: 809738
Change-Id: I8bc987b9e9235ec6427e999eb7a44797c457fa9d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2422324
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Rebekah Potter <rbpotter@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Alan Screen <awscreen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#859155}
This allows reading the Managed Preferences equivalent of the existing
preference path allow rules in common.sb.
This also allows reading ~/Library/Preferences/com.apple.security.plist
in network.sb.
Bug: 1134449
Change-Id: I42d414e5133c5931907d38c2bdb26d1431f837e7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2535650
Reviewed-by: Greg Kerr <kerrnel@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#826992}
Originally the sandbox policies lived in //content, but with
servicification this would create unwanted dependencies between
//services and //content. Instead, create a new //sandbox/policy
library to hold the sandbox integration code. This library can depend
on the low-level //sandbox routines, but not vice versa.
Tbr: ajgo@chromium.org (mechanical change rule)
Bug: 1097376
Change-Id: I1ca9ac0015a625197f2d3aae104e8f7aa78dcfd9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2272609
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#786385}
This CL renames CreateAndOpenTemporaryFile{,InDir} to
CreateAndOpenTemporaryStream{,InDir} and changes the return type to a
ScopedFILE. As a result, the name "CreateAndOpenTemporaryFile" is now
available for a future function that returns a base::File.
BUG=1075917
TBR=jam@chromium.org
Change-Id: Ib79613ed63e552df5c13d2e4e7078e0c16b42b5d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2166175
Commit-Queue: Greg Thompson <grt@chromium.org>
Reviewed-by: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#764175}
The out-of-process font loader, now that it has moved to using
CTFontManagerCreateFontDescriptorFromData, does not need to create a
full CTFontRef anymore, but can instead wrap the out-of-process font
data into a CTFontDescriptorRef built from data. Doing that avoids
creating an extra CTFont copy in font_platform_data_mac, as we can merge
the data descriptor with the cascade list attributes, and only then
create the CTFontRef from it.
Bug: 1033478
Change-Id: I025c265caf472578fd77a11acbc4b23a1d8fffb2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2013289
Commit-Queue: Dominik Röttsches <drott@chromium.org>
Auto-Submit: Dominik Röttsches <drott@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: Elly Fong-Jones <ellyjones@chromium.org>
Cr-Commit-Position: refs/heads/master@{#735353}
Removes unused kNaClLoader (was PROCESS_TYPE_NACL_LOADER)
from Windows as these are in fact Ppapi (PPAPI) sandbox types.
Removes unused values from SandboxType enum and replaces default cases.
SandboxType is not used for iteration so these boundary values are removed
from the SandboxType enum.
The kInvalid SandboxType is retained as it is used as an error case in
a couple of places. It might be possible to remove this in the future.
This removes default cases from switch statements where it might make
sense to have a notification in future when new sandbox types are added.
In these cases the default case is replaced with all otherwise
unchecked cases, so retaining the existing behavior.
Change-Id: I76ffc8ae617f3f8fa9aa68236551ebcfa4cce32f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1938076
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Sergey Ulanov <sergeyu@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#723425}
This reverts commit 8c36510cc3.
Reason for revert: Added missing include on ChromeOS.
Original change's description:
> Revert "[base] Remove base::SharedMemory and base::SharedMemoryHandle"
>
> This reverts commit fa7e8cc73e.
>
> Reason for revert: It looks like there was at least one missed instance of transitively including file_util. Sample build log: https://ci.chromium.org/p/chrome/builders/ci/chromeos-kevin-google-rel/4373
>
> Original change's description:
> > [base] Remove base::SharedMemory and base::SharedMemoryHandle
> >
> > There are no users of the deprecated shared memory left, so its code
> > can safely be removed.
> >
> > To use shared memory in Chrome, please refer to
> > base::WritableSharedMemoryRegion and base::ReadOnlySharedMemoryRegion
> > classes.
> >
> > This CL removes all remaining #includes of
> > "base/memory/shared_memory.h" and
> > "base/memory/shared_memory_handle.h". They are replaced by new shared
> > memory includes when needed.
> >
> > It also appears that "base/files/file_util.h" and
> > "base/posix/eintr_wrapper.h" were transitively included in many places
> > through the removed files. This CL includes them explicitly in all
> > those files.
> >
> > TBR: wfh@chromium.org
> > Bug: 795291
> > Change-Id: I97ecac4b529c0ad6498b6e5ccf01515f750448ad
> > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1919152
> > Commit-Queue: Alex Ilin <alexilin@chromium.org>
> > Reviewed-by: Daniel Cheng <dcheng@chromium.org>
> > Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#717588}
>
> TBR=dcheng@chromium.org,jochen@chromium.org,alexilin@chromium.org
>
> Change-Id: I16c6e4c2ada01240d577706478cf739ce1061ee5
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: 795291
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1929252
> Reviewed-by: Tommy Martino <tmartino@chromium.org>
> Commit-Queue: Tommy Martino <tmartino@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#717644}
TBR=dcheng@chromium.org,tmartino@chromium.org,jochen@chromium.org,alexilin@chromium.org
Change-Id: I437cf7f93965858840170eb49b2d611b37e79b25
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 795291
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1929221
Reviewed-by: Alex Ilin <alexilin@chromium.org>
Commit-Queue: Alex Ilin <alexilin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#717663}
This reverts commit fa7e8cc73e.
Reason for revert: It looks like there was at least one missed instance of transitively including file_util. Sample build log: https://ci.chromium.org/p/chrome/builders/ci/chromeos-kevin-google-rel/4373
Original change's description:
> [base] Remove base::SharedMemory and base::SharedMemoryHandle
>
> There are no users of the deprecated shared memory left, so its code
> can safely be removed.
>
> To use shared memory in Chrome, please refer to
> base::WritableSharedMemoryRegion and base::ReadOnlySharedMemoryRegion
> classes.
>
> This CL removes all remaining #includes of
> "base/memory/shared_memory.h" and
> "base/memory/shared_memory_handle.h". They are replaced by new shared
> memory includes when needed.
>
> It also appears that "base/files/file_util.h" and
> "base/posix/eintr_wrapper.h" were transitively included in many places
> through the removed files. This CL includes them explicitly in all
> those files.
>
> TBR: wfh@chromium.org
> Bug: 795291
> Change-Id: I97ecac4b529c0ad6498b6e5ccf01515f750448ad
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1919152
> Commit-Queue: Alex Ilin <alexilin@chromium.org>
> Reviewed-by: Daniel Cheng <dcheng@chromium.org>
> Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#717588}
TBR=dcheng@chromium.org,jochen@chromium.org,alexilin@chromium.org
Change-Id: I16c6e4c2ada01240d577706478cf739ce1061ee5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 795291
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1929252
Reviewed-by: Tommy Martino <tmartino@chromium.org>
Commit-Queue: Tommy Martino <tmartino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#717644}
There are no users of the deprecated shared memory left, so its code
can safely be removed.
To use shared memory in Chrome, please refer to
base::WritableSharedMemoryRegion and base::ReadOnlySharedMemoryRegion
classes.
This CL removes all remaining #includes of
"base/memory/shared_memory.h" and
"base/memory/shared_memory_handle.h". They are replaced by new shared
memory includes when needed.
It also appears that "base/files/file_util.h" and
"base/posix/eintr_wrapper.h" were transitively included in many places
through the removed files. This CL includes them explicitly in all
those files.
TBR: wfh@chromium.org
Bug: 795291
Change-Id: I97ecac4b529c0ad6498b6e5ccf01515f750448ad
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1919152
Commit-Queue: Alex Ilin <alexilin@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#717588}
- The V1 common.sb file is merged into the V1 gpu.sb file. The GPU
sandbox will be moved to V2 as part of https://crbug.com/915934.
- common_v2.sb, renderer_v2.sb, and ppapi_v2.sb all lose their "_v2"
suffix and replace the V1 file by the same name.
- sandbox_mac.mm is thinned out to only support the V1 GPU sandbox.
No intended behavior change.
Bug: 689306
Change-Id: Icfc36c5a7b1907e0c93d6a87bdd1d0ffe18cf616
Reviewed-on: https://chromium-review.googlesource.com/c/1380554
Reviewed-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#617638}
This converts the V1 unit test, checking pasteboard access in sandboxed
processes, to the V2 sandbox.
Bug: 902597
Change-Id: Id11e2c597a55f9e66f45d1edf6b7c7bcb8396f57
Reviewed-on: https://chromium-review.googlesource.com/c/1327545
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#611202}