author | pastarmovj@chromium.org <pastarmovj@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-04 13:04:11 +0000 |
---|---|---|
committer | pastarmovj@chromium.org <pastarmovj@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-04 13:04:11 +0000 |
commit | 4b15160fbc0cdaea88842bb6ea36b40f8ef88c71 (patch) | |
tree | 2b328ceacaa081cf006d09d4fa001626256e8cf0 | |
parent | 65e1332ddde91ec93011b84fa41f952d12807a62 (diff) | |
Make sure only the main browser process and service processes are allowed to create the profile directory.
This patch lets Chrome start with profile located on a network share on
Windows Vista and newer.
BUG=120388
TEST=Start Chrome with --user-data-dir pointing to a network share location and try to navigate to a web page. This should not lead to a hang of the renderer.
Review URL: http://codereview.chromium.org/10306009
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@135321 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | base/path_service.cc | 25 | ||||
-rw-r--r-- | base/path_service.h | 9 | ||||
-rw-r--r-- | chrome/app/chrome_main_delegate.cc | 8 | ||||
-rw-r--r-- | chrome/chrome.gyp | 4 | ||||
-rw-r--r-- | chrome/common/chrome_paths.cc | 4 | ||||
-rw-r--r-- | chrome/common/chrome_paths_internal.h | 5 | ||||
-rw-r--r-- | chrome/common/chrome_paths_linux.cc | 7 | ||||
-rw-r--r-- | chrome/common/chrome_paths_mac.mm | 8 | ||||
-rw-r--r-- | chrome/common/chrome_paths_win.cc | 13 | ||||
-rw-r--r-- | chrome/common_constants.gypi | 1 |
10 files changed, 73 insertions, 11 deletions
diff --git a/base/path_service.cc b/base/path_service.cc
index 46f394c..a3b882c 100644
--- a/base/path_service.cc
+++ b/base/path_service.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -222,18 +222,29 @@ bool PathService::Get(int key, FilePath* result) {
 }
 bool PathService::Override(int key, const FilePath& path) {
+ // Just call the full function with true for the value of |create|.
+ return OverrideAndCreateIfNeeded(key, path, true);
+}
+
+bool PathService::OverrideAndCreateIfNeeded(int key,
+ const FilePath& path,
+ bool create) {
 PathData* path_data = GetPathData();
 DCHECK(path_data);
 DCHECK_GT(key, base::DIR_CURRENT) << "invalid path key";
 FilePath file_path = path;
- // Make sure the directory exists. We need to do this before we translate
- // this to the absolute path because on POSIX, AbsolutePath fails if called
- // on a non-existent path.
- if (!file_util::PathExists(file_path) &&
- !file_util::CreateDirectory(file_path))
- return false;
+ // For some locations this will fail if called from inside the sandbox there-
+ // fore we protect this call with a flag.
+ if (create) {
+ // Make sure the directory exists. We need to do this before we translate
+ // this to the absolute path because on POSIX, AbsolutePath fails if called
+ // on a non-existent path.
+ if (!file_util::PathExists(file_path) &&
+ !file_util::CreateDirectory(file_path))
+ return false;
+ }
 // We need to have an absolute path, as extensions and plugins don't like
 // relative paths, and will gladly crash the browser in CHECK()s if they get a
diff --git a/base/path_service.h b/base/path_service.h
index 4b29738..03e4b44 100644
--- a/base/path_service.h
+++ b/base/path_service.h
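Review bot: With `create` false, `OverrideAndCreateIfNeeded` in base/path_service.cc skips the existence check but still continues to the absolute-path step, which the retained comment says fails on POSIX for a non-existent path; the override would then presumably return false and trip the `CHECK` at the call site in chrome/app/chrome_main_delegate.cc. Both POSIX implementations of `ProcessNeedsProfileDir` in this commit return true, so that path is not taken today, but the function lives in base and its contract should be written down. I would extend the comment above `if (create) {` along the lines of `// With |create| false the caller guarantees |path| already exists; on POSIX a missing path makes the absolute-path step below fail.` and mirror that in the declaration comment in base/path_service.h, which also misspells "overridden". The function body continues past the end of the hunk, so the absolute-path handling itself is not visible here.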
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -40,6 +40,13 @@ class BASE_EXPORT PathService {
 // over the lifetime of the app, so this method should be used with caution.
 static bool Override(int key, const FilePath& path);
+ // This function does the same as PathService::Override but it takes an extra
+ // parameter |create| which guides whether the directory to be overriden must
+ // be created in case it doesn't exist already.
+ static bool OverrideAndCreateIfNeeded(int key,
+ const FilePath& path,
+ bool create);
+
 // To extend the set of supported keys, you can register a path provider,
 // which is just a function mirroring PathService::Get. The ProviderFunc
 // returns false if it cannot provide a non-empty path for the given key.
diff --git a/chrome/app/chrome_main_delegate.cc b/chrome/app/chrome_main_delegate.cc
index f1d4fde..063c156 100644
--- a/chrome/app/chrome_main_delegate.cc
+++ b/chrome/app/chrome_main_delegate.cc
@@ -567,8 +567,12 @@ void ChromeMainDelegate::PreSandboxStartup() {
 #if defined(OS_MACOSX) || defined(OS_WIN)
 CheckUserDataDirPolicy(&user_data_dir);
 #endif
- if (!user_data_dir.empty())
- CHECK(PathService::Override(chrome::DIR_USER_DATA, user_data_dir));
+ if (!user_data_dir.empty()) {
+ CHECK(PathService::OverrideAndCreateIfNeeded(
+ chrome::DIR_USER_DATA,
+ user_data_dir,
+ chrome::ProcessNeedsProfileDir(process_type)));
+ }
 startup_timer_.reset(new base::StatsScope<base::StatsCounterTimer>
 (content::Counters::chrome_main()));
diff --git a/chrome/chrome.gyp b/chrome/chrome.gyp
index 6fbf61e..c7825bd 100644
--- a/chrome/chrome.gyp
+++ b/chrome/chrome.gyp
@@ -1055,6 +1055,10 @@
 'tools/crash_service/crash_service.cc',
 'tools/crash_service/crash_service.h',
 'tools/crash_service/main.cc',
+ '../content/public/common/content_switches.cc',
+ ],
+ 'defines': [
+ 'COMPILE_CONTENT_STATICALLY',
 ],
 'msvs_settings': {
 'VCLinkerTool': {
diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc
index 37d1d92..03aca08 100644
--- a/chrome/common/chrome_paths.cc
+++ b/chrome/common/chrome_paths.cc
@@ -15,6 +15,7 @@
 #include "chrome/common/chrome_constants.h"
 #include "chrome/common/chrome_paths_internal.h"
 #include "chrome/common/chrome_switches.h"
+#include "content/public/common/content_switches.h"
 #if defined(OS_MACOSX)
 #include "base/mac/mac_util.h"
@@ -144,6 +145,9 @@ bool PathProvider(int key, FilePath* result) {
 FilePath cur;
 switch (key) {
 case chrome::DIR_USER_DATA:
+ CHECK(ProcessNeedsProfileDir(
+ CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+ switches::kProcessType)));
 if (!GetDefaultUserDataDirectory(&cur)) {
 NOTREACHED();
 return false;
diff --git a/chrome/common/chrome_paths_internal.h b/chrome/common/chrome_paths_internal.h
index d4a1151..0e60ce1 100644
--- a/chrome/common/chrome_paths_internal.h
+++ b/chrome/common/chrome_paths_internal.h
@@ -6,6 +6,8 @@
 #define CHROME_COMMON_CHROME_PATHS_INTERNAL_H_
 #pragma once
+#include <string>
+
 #include "build/build_config.h"
 #if defined(OS_MACOSX)
@@ -85,6 +87,9 @@ NSBundle* OuterAppBundle();
 #endif // OS_MACOSX
+// Checks if the |process_type| has the rights to access the profile.
+bool ProcessNeedsProfileDir(const std::string& process_type);
+
 } // namespace chrome
 #endif // CHROME_COMMON_CHROME_PATHS_INTERNAL_H_
diff --git a/chrome/common/chrome_paths_linux.cc b/chrome/common/chrome_paths_linux.cc
index acfebc1..b8987cf 100644
--- a/chrome/common/chrome_paths_linux.cc
+++ b/chrome/common/chrome_paths_linux.cc
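Review bot: The `CHECK(ProcessNeedsProfileDir(...))` added under `case chrome::DIR_USER_DATA:` in chrome/common/chrome_paths.cc makes the default lookup of the user data directory fatal in every process type the Windows implementation does not list, and nothing at the site says this is intended. A process that reaches `PathProvider` for this key, presumably because no override was registered for it at startup, will terminate instead of getting a path. A comment above the check would make the contract visible, for example `// Only process types that use the profile dir may resolve the default; all others must have DIR_USER_DATA overridden at startup.` `PathProvider` starts and ends outside the hunk.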
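Review bot: The declaration comment for `ProcessNeedsProfileDir` in chrome/common/chrome_paths_internal.h says it checks whether the process type "has the rights to access the profile", which reads as a permission check, while the name and both call sites use it to decide whether the directory is created or resolved. The value it is given comes from the process's own command line (`switches::kProcessType` in chrome_paths.cc), so the result is a startup policy and restricts nothing by itself; the restriction on access is the sandbox, as the comment in the Windows implementation says. I would reword the comment to `// Returns true if a process of |process_type| is expected to use the profile directory and may create it. This is not an access check.`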
@@ -103,4 +103,11 @@ bool GetUserDesktop(FilePath* result) {
 return true;
 }
+bool ProcessNeedsProfileDir(const std::string& process_type) {
+ // For now we have no reason to forbid this on Linux as we don't
+ // have the roaming profile troubles there. Moreover the Linux breakpad needs
+ // profile dir access in all process if enabled on Linux.
+ return true;
+}
+
 } // namespace chrome
diff --git a/chrome/common/chrome_paths_mac.mm b/chrome/common/chrome_paths_mac.mm
index f3783e0..284b3dd 100644
--- a/chrome/common/chrome_paths_mac.mm
+++ b/chrome/common/chrome_paths_mac.mm
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -199,4 +199,10 @@ NSBundle* OuterAppBundle() {
 return bundle;
 }
+bool ProcessNeedsProfileDir(const std::string& process_type) {
+ // For now we have no reason to forbid this on other MacOS as we don't
+ // have the roaming profile troubles there.
+ return true;
+}
+
 } // namespace chrome
diff --git a/chrome/common/chrome_paths_win.cc b/chrome/common/chrome_paths_win.cc
index 5eefb78..1a2f02ae 100644
--- a/chrome/common/chrome_paths_win.cc
+++ b/chrome/common/chrome_paths_win.cc
@@ -16,6 +16,7 @@
 #include "base/win/scoped_co_mem.h"
 #include "chrome/common/chrome_constants.h"
 #include "chrome/installer/util/browser_distribution.h"
+#include "content/public/common/content_switches.h"
 namespace chrome {
@@ -97,4 +98,16 @@ bool GetUserDesktop(FilePath* result) {
 return true;
 }
+bool ProcessNeedsProfileDir(const std::string& process_type) {
+ // On windows we don't want subprocesses other than the browser process and
+ // service processes to be able to use the profile directory because if it
+ // lies on a network share the sandbox will prevent us from accessing it.
+ // TODO(pastarmovj): For no gpu processes are whitelisted too because they do
+ // use the profile dir in some way but this must be investigated and fixed if
+ // possible.
+ return process_type.empty() ||
+ process_type == switches::kServiceProcess ||
+ process_type == switches::kGpuProcess;
+}
+
 } // namespace chrome
diff --git a/chrome/common_constants.gypi b/chrome/common_constants.gypi
index 48ff259a..4762e1e 100644
--- a/chrome/common_constants.gypi
+++ b/chrome/common_constants.gypi
@@ -86,6 +86,7 @@
 ],
 'defines': [
 '<@(nacl_win64_defines)',
+ 'COMPILE_CONTENT_STATICALLY',
 ],
 'configurations': {
 'Common_Base': {
|
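Review bot: `ProcessNeedsProfileDir` in chrome/common/chrome_paths_win.cc also returns true for `switches::kGpuProcess`, which the commit title (browser and service processes only) does not mention, and the TODO that explains the exception carries no bug reference and reads "For no gpu processes" where "For now" is meant. The exact-match allow-list is the right shape, since any process type added later falls to false without further work. I would tie the exception to the tracker so it does not become permanent: `// TODO(pastarmovj): For now gpu processes are allowed too (crbug.com/<follow-up bug>); find out why they use the profile dir and remove this.`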