author | jeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-05 13:15:24 +0000 |
---|---|---|
committer | jeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-11-05 13:15:24 +0000 |
commit | 1c5fdc4aa3b54cbc3a103e26af918188afbe8b66 (patch) | |
tree | 1523fd698a41ac8a4e357850f050338341d33cfe | |
parent | 824083c52c5689198290e24938793ce4ccc6e683 (diff) | |
download | chromium_src-1c5fdc4aa3b54cbc3a103e26af918188afbe8b66.zip chromium_src-1c5fdc4aa3b54cbc3a103e26af918188afbe8b66.tar.gz chromium_src-1c5fdc4aa3b54cbc3a103e26af918188afbe8b66.tar.bz2 |
TBR:mark
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@31090 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/app/chrome_dll_main.cc | 11 | ||||
-rw-r--r-- | chrome/browser/utility.sb | 40 | ||||
-rw-r--r-- | chrome/browser/utility_process_host.cc | 9 | ||||
-rw-r--r-- | chrome/browser/utility_process_host_unittest.cc | 5 | ||||
-rw-r--r-- | chrome/browser/worker.sb | 35 | ||||
-rwxr-xr-x | chrome/chrome.gyp | 8 | ||||
-rw-r--r-- | chrome/common/chrome_switches.cc | 4 | ||||
-rw-r--r-- | chrome/common/chrome_switches.h | 1 | ||||
-rw-r--r-- | chrome/common/sandbox_init_wrapper.cc | 44 | ||||
-rw-r--r-- | chrome/common/sandbox_init_wrapper.h | 18 | ||||
-rw-r--r-- | chrome/common/sandbox_init_wrapper_linux.cc | 14 | ||||
-rw-r--r-- | chrome/common/sandbox_init_wrapper_mac.cc | 49 | ||||
-rw-r--r-- | chrome/common/sandbox_init_wrapper_win.cc | 32 | ||||
-rw-r--r-- | chrome/common/sandbox_mac.h | 25 | ||||
-rw-r--r-- | chrome/common/sandbox_mac.mm | 46 | ||||
-rw-r--r-- | chrome/renderer/renderer_main_platform_delegate_mac.mm | 10 |
16 files changed, 70 insertions, 281 deletions
diff --git a/chrome/app/chrome_dll_main.cc b/chrome/app/chrome_dll_main.cc
index bc9f4a3..26b493a 100644
--- a/chrome/app/chrome_dll_main.cc
+++ b/chrome/app/chrome_dll_main.cc
@@ -482,11 +482,7 @@ int ChromeMain(int argc, char** argv) {
 #if defined(OS_WIN)
   sandbox_wrapper.SetServices(sandbox_info);
 #endif
-
-  // OS X enables sandboxing later in the startup process.
-#if !defined (OS_MACOSX)
   sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type);
-#endif // !OS_MACOSX
 
 #if defined(OS_WIN)
   _Module.Init(NULL, instance);
@@ -540,13 +536,6 @@ int ChromeMain(int argc, char** argv) {
   if (!process_type.empty())
     CommonSubprocessInit();
 
-#if defined (OS_MACOSX)
-  // On OS X the renderer sandbox needs to be initialized later in the startup
-  // sequence in RendererMainPlatformDelegate::PlatformInitialize().
-  if (process_type != switches::kRendererProcess)
-    sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type);
-#endif // OS_MACOSX
-
   startup_timer.Stop(); // End of Startup Time Measurement.
 
   MainFunctionParams main_params(parsed_command_line, sandbox_wrapper,
diff --git a/chrome/browser/utility.sb b/chrome/browser/utility.sb
deleted file mode 100644
index 291e677..0000000
--- a/chrome/browser/utility.sb
+++ /dev/null
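Review bot: After the first hunk, `sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type);` runs on every platform, but the OS X branch of the new SandboxInitWrapper::InitializeSandbox in this same change only records the process type, so a reader of ChromeMain will assume worker and utility subprocesses are sandboxed at this point when on OS X nothing in this change sandboxes them. A comment at the call site would keep that visible: `// On OS X this only records |process_type|; the renderer sandbox is turned on later by RendererMainPlatformDelegate::EnableSandbox(), and no other subprocess type is sandboxed there.` The second hunk removes the deferred OS X call for the same reason, so the note covers both hunks. ChromeMain begins and ends outside the hunks.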
@@ -1,40 +0,0 @@
-;;
-;; Copyright (c) 2009 The Chromium Authors. All rights reserved.
-;; Use of this source code is governed by a BSD-style license that can be
-;; found in the LICENSE file.
-;;
-; This is the Sandbox configuration file used for safeguarding the utility
-; process which is used for performing sandboxed operations that need to touch
-; the filesystem like decoding theme images and unpacking extensions.
-;
-; This configuration locks everything down, except access to one configurable
-; directory. This is different from other sandbox configuration files where
-; file system access is entireley restricted.
-(version 1)
-(deny default)
-; Support for programmatically enabling verbose debugging.
-;ENABLE_LOGGING (debug deny)
-
-; Allow sending signals to self - http://crbug.com/20370
-(allow signal (target self))
-
-; Needed for full-page-zoomed controls - http://crbug.com/11325
-(allow sysctl-read)
-
-; Each line is marked with the System version that needs it.
-; This profile is tested with the following system versions:
-; 10.5.6, 10.6
-
-; Allow following symlinks
-(allow file-read-metadata) ; 10.5.6
-
-; Loading System Libraries.
-(allow file-read-data (regex #"^/System/Library/Frameworks")) ; 10.5.6
-(allow file-read-data (regex #"^/System/Library/PrivateFrameworks")) ; 10.5.6
-(allow file-read-data (regex #"^/System/Library/CoreServices")) ; 10.5.6
-
-; Needed for IPC on 10.6
-;10.6_ONLY (allow ipc-posix-shm)
-
-; Enable full access to given directory.
-(allow file-read* file-write* (regex #"^DIR_TO_ALLOW_ACCESS"))
diff --git a/chrome/browser/utility_process_host.cc b/chrome/browser/utility_process_host.cc
index 1ba7068..af35c36 100644
--- a/chrome/browser/utility_process_host.cc
+++ b/chrome/browser/utility_process_host.cc
@@ -67,8 +67,8 @@ FilePath UtilityProcessHost::GetUtilityProcessCmd() {
 
 bool UtilityProcessHost::StartProcess(const FilePath& exposed_dir) {
 #if defined(OS_POSIX)
-  // TODO(port): We should not reach here on Linux (crbug.com/22703).
-  // (crbug.com/23837) covers enabling this on Linux/OS X.
+  // TODO(port): We should not reach here on linux (crbug.com/22703) or
+  // MacOS (crbug.com/8102) until problems related to autoupdate are fixed.
   NOTREACHED();
   return false;
 #endif
@@ -113,7 +113,7 @@ bool UtilityProcessHost::StartProcess(const FilePath& exposed_dir) {
     process = sandbox::StartProcessWithAccess(&cmd_line, exposed_dir);
   }
 #else
-  // TODO(port): Sandbox this on Linux. Also, zygote this to work with
+  // TODO(port): Sandbox this on Linux/Mac. Also, zygote this to work with
   // Linux updating.
   bool has_cmd_prefix = browser_command_line.HasSwitch(
       switches::kUtilityCmdPrefix);
@@ -124,9 +124,6 @@ bool UtilityProcessHost::StartProcess(const FilePath& exposed_dir) {
         switches::kUtilityCmdPrefix));
   }
 
-  cmd_line.AppendSwitchWithValue(switches::kUtilityProcessAllowedDir,
-                                 exposed_dir.value().c_str());
-
   // This code is duplicated with browser_render_process_host.cc and
   // plugin_process_host.cc, but there's not a good place to de-duplicate it.
   // Maybe we can merge this into sandbox::StartProcess which will set up
diff --git a/chrome/browser/utility_process_host_unittest.cc b/chrome/browser/utility_process_host_unittest.cc
index 9e3a73d..3be0480 100644
--- a/chrome/browser/utility_process_host_unittest.cc
+++ b/chrome/browser/utility_process_host_unittest.cc
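Review bot: The third hunk drops the only restriction the browser handed the utility child on the non-Windows launch path (`kUtilityProcessAllowedDir`) without saying so where the switch used to be, so the surrounding TODO reads as "not yet sandboxed" when the child is now launched with no directory restriction at all. The `#if defined(OS_POSIX)` NOTREACHED()/`return false;` at the top of StartProcess in the first hunk appears to make the `#else` branch dead on Linux and Mac, so the exposure looks latent, but that is exactly the kind of fact that should be written down: `// No directory restriction is passed to the child; on POSIX StartProcess() returns above, so this branch is only reached on Windows builds that take the #else path.` The `#if`/`#else` that encloses the second and third hunks starts outside the hunk, so confirm which platforms actually reach the `#else` before relying on that.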
@@ -124,8 +124,9 @@ class ProcessClosedObserver : public NotificationObserver {
   bool observed_;
 };
 
-#if !defined(OS_LINUX)
-// We should not run this on linux (crbug.com/22703).
+#if !defined(OS_POSIX)
+// We should not run this on linux (crbug.com/22703) or MacOS (crbug.com/8102)
+// until problems related to autoupdate are fixed.
 TEST_F(UtilityProcessHostTest, ExtensionUnpacker) {
   // Copy the test extension into a temp dir and install from the temp dir.
   FilePath extension_file;
diff --git a/chrome/browser/worker.sb b/chrome/browser/worker.sb
deleted file mode 100644
index bc208c4..0000000
--- a/chrome/browser/worker.sb
+++ /dev/null
@@ -1,35 +0,0 @@
-;;
-;; Copyright (c) 2009 The Chromium Authors. All rights reserved.
-;; Use of this source code is governed by a BSD-style license that can be
-;; found in the LICENSE file.
-;;
-; This is the Sandbox configuration file used for safeguarding the worker
-; process which is used to run web workers in a sandboxed environment.
-;
-; This is the most restrictive sandbox profile and only enables just enough
-; to allow basic use of Cocoa.
-(version 1)
-(deny default)
-; Support for programmatically enabling verbose debugging.
-;ENABLE_LOGGING (debug deny)
-
-; Allow sending signals to self - http://crbug.com/20370
-(allow signal (target self))
-
-; Needed for full-page-zoomed controls - http://crbug.com/11325
-(allow sysctl-read)
-
-; Each line is marked with the System version that needs it.
-; This profile is tested with the following system versions:
-; 10.5.6, 10.6
-
-; Allow following symlinks
-(allow file-read-metadata) ; 10.5.6
-
-; Loading System Libraries.
-(allow file-read-data (regex #"^/System/Library/Frameworks")) ; 10.5.6
-(allow file-read-data (regex #"^/System/Library/PrivateFrameworks")) ; 10.5.6
-(allow file-read-data (regex #"^/System/Library/CoreServices")) ; 10.5.6
-
-; Needed for IPC on 10.6
-;10.6_ONLY (allow ipc-posix-shm)
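Review bot: Widening the guard to `#if !defined(OS_POSIX)` compiles ExtensionUnpacker out entirely on Linux and Mac, so the test will not appear as disabled in any run and nothing will nag when crbug.com/8102 is resolved; the utility-process path on those platforms simply loses coverage silently. The gtest idiom keeps the test compiled and reported: `#define MAYBE_ExtensionUnpacker DISABLED_ExtensionUnpacker` under the `#if` (with the plain name in the `#else`) and `TEST_F(UtilityProcessHostTest, MAYBE_ExtensionUnpacker)`. The matching `#endif` lies outside the hunk.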
diff --git a/chrome/chrome.gyp b/chrome/chrome.gyp
index dde6002..c81b650 100755
--- a/chrome/chrome.gyp
+++ b/chrome/chrome.gyp
@@ -673,10 +673,8 @@
         'common/resource_dispatcher.cc',
         'common/resource_dispatcher.h',
         'common/result_codes.h',
+        'common/sandbox_init_wrapper.cc',
         'common/sandbox_init_wrapper.h',
-        'common/sandbox_init_wrapper_linux.cc',
-        'common/sandbox_init_wrapper_mac.cc',
-        'common/sandbox_init_wrapper_win.cc',
         'common/sandbox_mac.h',
         'common/sandbox_mac.mm',
         'common/security_filter_peer.cc',
@@ -2615,10 +2613,6 @@
             '$(SDKROOT)/System/Library/Frameworks/SecurityInterface.framework',
             '$(SDKROOT)/System/Library/Frameworks/QuartzCore.framework',
           ],
-          'mac_bundle_resources': [
-            'browser/utility.sb',
-            'browser/worker.sb',
-          ],
         },
         'actions': [
           {
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 60736d2..86e9467 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -601,10 +601,6 @@ const char kUtilityCmdPrefix[] = "utility-cmd-prefix";
 // Causes the process to run as a utility subprocess.
 const char kUtilityProcess[] = "utility";
 
-// The utility process is sandboxed, with access to one directory. This flag
-// specifies the directory that can be accessed.
-const char kUtilityProcessAllowedDir[] = "utility-allowed-dir";
-
 // Will add kWaitForDebugger to every child processes. If a value is passed, it
 // will be used as a filter to determine if the child process should have the
 // kWaitForDebugger flag passed on or not.
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 2d387cd..89ecf9f 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -169,7 +169,6 @@ extern const char kUserDataDir[];
 extern const char kUserScriptsDir[];
 extern const char kUtilityCmdPrefix[];
 extern const char kUtilityProcess[];
-extern const char kUtilityProcessAllowedDir[];
 extern const char kWaitForDebuggerChildren[];
 extern const char kWebWorkerProcessPerCore[];
 extern const char kWebWorkerShareProcesses[];
diff --git a/chrome/common/sandbox_init_wrapper.cc b/chrome/common/sandbox_init_wrapper.cc
new file mode 100644
index 0000000..31488f7
--- /dev/null
+++ b/chrome/common/sandbox_init_wrapper.cc
@@ -0,0 +1,44 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/sandbox_init_wrapper.h"
+
+#include "base/command_line.h"
+#include "chrome/common/chrome_switches.h"
+
+#if defined(OS_WIN)
+
+void SandboxInitWrapper::SetServices(sandbox::SandboxInterfaceInfo* info) {
+  if (info) {
+    broker_services_ = info->broker_services;
+    target_services_ = info->target_services;
+  }
+}
+
+#endif
+
+void SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
+                                           const std::string& process_type) {
+#if defined(OS_WIN)
+  if (!target_services_)
+    return;
+#endif
+  if (!command_line.HasSwitch(switches::kNoSandbox)) {
+    if ((process_type == switches::kRendererProcess) ||
+        (process_type == switches::kWorkerProcess) ||
+        (process_type == switches::kNaClProcess) ||
+        (process_type == switches::kUtilityProcess) ||
+        (process_type == switches::kPluginProcess &&
+         command_line.HasSwitch(switches::kSafePlugins))) {
+#if defined(OS_WIN)
+      target_services_->Init();
+#elif defined(OS_MACOSX)
+      // We just cache the process type so we can configure the sandbox
+      // correctly, see renderer_main_platform_delegate_mac.cc for one of those
+      // places.
+      process_type_ = process_type;
+#endif
+    }
+  }
+}
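Review bot: The `#elif defined(OS_MACOSX)` branch only assigns `process_type_`, so on OS X this function applies no sandbox to worker, NaCl or utility processes although the header still describes it as initializing the sandbox for them, and its comment points at `renderer_main_platform_delegate_mac.cc` when the file touched by this same change is `renderer_main_platform_delegate_mac.mm` and no longer reads `ProcessType()`. Rewording the comment would stop the next reader from assuming a sandbox is applied here: `// On OS X nothing is enabled here: only the renderer is sandboxed, and RendererMainPlatformDelegate::EnableSandbox() does that later. The type is only cached for ProcessType().` The Windows early return `if (!target_services_) return;` also converts what the deleted sandbox_init_wrapper_win.cc reported as `return false;` into a silent no-op; a `NOTREACHED()` or `LOG(ERROR)` on that path would at least surface a process that was asked to sandbox itself and could not.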
diff --git a/chrome/common/sandbox_init_wrapper.h b/chrome/common/sandbox_init_wrapper.h
index d1652d2..a1c2de9 100644
--- a/chrome/common/sandbox_init_wrapper.h
+++ b/chrome/common/sandbox_init_wrapper.h
@@ -33,10 +33,7 @@ class SandboxInitWrapper {
 
   // Initialize the sandbox for renderer and plug-in processes, depending on
   // the command line flags. The browser process is not sandboxed.
-  // Returns true if the sandbox was initialized succesfully, false if an error
-  // occurred. If process_type isn't one that needs sandboxing true is always
-  // returned.
-  bool InitializeSandbox(const CommandLine& parsed_command_line,
+  void InitializeSandbox(const CommandLine& parsed_command_line,
                          const std::string& process_type);
  private:
   sandbox::BrokerServices* broker_services_;
@@ -53,12 +50,17 @@ class SandboxInitWrapper {
 
   // Initialize the sandbox for renderer and plug-in processes, depending on
   // the command line flags. The browser process is not sandboxed.
-  // Returns true if the sandbox was initialized succesfully, false if an error
-  // occurred. If process_type isn't one that needs sandboxing true is always
-  // returned.
-  bool InitializeSandbox(const CommandLine& parsed_command_line,
+  void InitializeSandbox(const CommandLine& parsed_command_line,
                          const std::string& process_type);
 
+#if defined(OS_MACOSX)
+  // We keep the process type so we can configure the sandbox as needed.
+ public:
+  std::string ProcessType() const { return process_type_; }
+ private:
+  std::string process_type_;
+#endif
+
  private:
   DISALLOW_COPY_AND_ASSIGN(SandboxInitWrapper);
 };
diff --git a/chrome/common/sandbox_init_wrapper_linux.cc b/chrome/common/sandbox_init_wrapper_linux.cc
deleted file mode 100644
index daf02d3..0000000
--- a/chrome/common/sandbox_init_wrapper_linux.cc
+++ /dev/null
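Review bot: In both hunks the surviving comment, "Initialize the sandbox for renderer and plug-in processes", no longer matches the OS X build, where the sandbox_init_wrapper.cc added in this change only caches `process_type_`, and with the return type now `void` the three removed lines leave callers no documented way to learn that initialization did not happen. I would add after the existing two comment lines, in both declarations: `// Failure to initialize is not reported to the caller. On OS X this only records |process_type| (see ProcessType()); the renderer sandbox is enabled later by RendererMainPlatformDelegate::EnableSandbox().` In the second hunk the `#if defined(OS_MACOSX)` block flips `public:`/`private:` inside the private section, which is legal but easy to misread; if the class has a public section above (outside the hunk), the accessor belongs there. The same comment is duplicated in two class definitions, so whichever wording is chosen should be applied to both.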
@@ -1,14 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/sandbox_init_wrapper.h"
-
-#include "base/command_line.h"
-#include "chrome/common/chrome_switches.h"
-
-bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
-                                           const std::string& process_type) {
-  // TODO(port): Does Linux need to do anything here?
-  return true;
-}
diff --git a/chrome/common/sandbox_init_wrapper_mac.cc b/chrome/common/sandbox_init_wrapper_mac.cc
deleted file mode 100644
index 6ce09d3..0000000
--- a/chrome/common/sandbox_init_wrapper_mac.cc
+++ /dev/null
@@ -1,49 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/sandbox_init_wrapper.h"
-
-#include "base/command_line.h"
-#include "chrome/common/chrome_switches.h"
-#include "chrome/common/sandbox_mac.h"
-
-bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
-                                           const std::string& process_type) {
-  if (command_line.HasSwitch(switches::kNoSandbox))
-    return true;
-
-  sandbox::SandboxProcessType sandbox_process_type;
-  FilePath allowed_dir; // Empty by default.
-
-  if (process_type.empty()) {
-    // Browser process isn't sandboxed.
-    return true;
-  } else if (process_type == switches::kRendererProcess) {
-    // Renderer process sandbox.
-    sandbox_process_type = sandbox::SANDBOX_TYPE_RENDERER;
-  } else if (process_type == switches::kUtilityProcess) {
-    // Utility process sandbox.
-    sandbox_process_type = sandbox::SANDBOX_TYPE_UTILITY;
-    allowed_dir = FilePath::FromWStringHack(
-        command_line.GetSwitchValue(switches::kUtilityProcessAllowedDir));
-  } else if (process_type == switches::kWorkerProcess) {
-    // Worker process sandbox.
-    sandbox_process_type = sandbox::SANDBOX_TYPE_WORKER;
-  } else if ((process_type == switches::kNaClProcess) ||
-             (process_type == switches::kPluginProcess) ||
-             (process_type == switches::kProfileImportProcess)) {
-    return true;
-  } else {
-    // Failsafe: If you hit an unreached here, is your new process type in need
-    // of sandboxing?
-    NOTREACHED();
-    return true;
-  }
-
-  // Warm up APIs before turning on the sandbox.
-  sandbox::SandboxWarmup();
-
-  // Actually sandbox the process.
-  return sandbox::EnableSandbox(sandbox_process_type, allowed_dir);
-}
diff --git a/chrome/common/sandbox_init_wrapper_win.cc b/chrome/common/sandbox_init_wrapper_win.cc
deleted file mode 100644
index fe5c6df..0000000
--- a/chrome/common/sandbox_init_wrapper_win.cc
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/sandbox_init_wrapper.h"
-
-#include "base/command_line.h"
-#include "chrome/common/chrome_switches.h"
-
-void SandboxInitWrapper::SetServices(sandbox::SandboxInterfaceInfo* info) {
-  if (info) {
-    broker_services_ = info->broker_services;
-    target_services_ = info->target_services;
-  }
-}
-
-bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
-                                           const std::string& process_type) {
-  if (command_line.HasSwitch(switches::kNoSandbox))
-    return true;
-  if ((process_type == switches::kRendererProcess) ||
-      (process_type == switches::kWorkerProcess) ||
-      (process_type == switches::kNaClProcess) ||
-      (process_type == switches::kUtilityProcess) ||
-      (process_type == switches::kPluginProcess &&
-       command_line.HasSwitch(switches::kSafePlugins))) {
-    if (!target_services_)
-      return false;
-    target_services_->Init();
-  }
-  return true;
-}
diff --git a/chrome/common/sandbox_mac.h b/chrome/common/sandbox_mac.h
index a8a55b0..c747e20 100644
--- a/chrome/common/sandbox_mac.h
+++ b/chrome/common/sandbox_mac.h
@@ -5,37 +5,14 @@
 #ifndef CHROME_COMMON_SANDBOX_MAC_H_
 #define CHROME_COMMON_SANDBOX_MAC_H_
 
-#include "base/file_path.h"
-
 namespace sandbox {
 
-enum SandboxProcessType {
-  SANDBOX_TYPE_RENDERER,
-
-  // Worker process has *everything* not needed for Cocoa locked down.
-  SANDBOX_TYPE_WORKER,
-
-  // Utility process is as restrictive as the worker process except full access
-  // is allowed to one configurable directory.
-  SANDBOX_TYPE_UTILITY,
-};
-
 // Warm up System APIs that empirically need to be accessed before the Sandbox
 // is turned on.
 void SandboxWarmup();
 
 // Turns on the OS X sandbox for this process.
-// |sandbox_type| - type of Sandbox to use.
-// |allowed_dir| - directory to allow access to, currently the only sandbox
-// profile that supports this is SANDBOX_TYPE_UTILITY .
-//
-// |allowed_dir| must be a "simple" string since it's placed as is in a regex
-// i.e. it must not contain quotation characters, escaping or any characters
-// that might have special meaning when blindly substituted into a regular
-// expression - crbug.com/26492 .
-// Returns true on success, false if an error occurred enabling the sandbox.
-bool EnableSandbox(SandboxProcessType sandbox_type,
-                   const FilePath& allowed_dir);
+bool EnableSandbox();
 
 } // namespace sandbox
 
diff --git a/chrome/common/sandbox_mac.mm b/chrome/common/sandbox_mac.mm
index 6eac34c..ae55b52 100644
--- a/chrome/common/sandbox_mac.mm
+++ b/chrome/common/sandbox_mac.mm
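Review bot: The new declaration `bool EnableSandbox();` keeps the generic "Turns on the OS X sandbox for this process" comment but loses the sentence that documented its return value, and nothing now says that the only profile applied is the renderer one (the worker and utility profiles are removed from the bundle in this same change). Suggested comment above it, assuming the body in sandbox_mac.mm still returns the result of enabling the sandbox as the removed text stated: `// Turns on the OS X sandbox for this process using the renderer profile, the only profile shipped for OS X. Returns true on success, false if an error occurred enabling the sandbox.`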
@@ -84,42 +84,11 @@ void SandboxWarmup() {
 }
 
 // Turns on the OS X sandbox for this process.
-bool EnableSandbox(SandboxProcessType sandbox_type,
-                   const FilePath& allowed_dir) {
-  // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being
-  // passed in.
-  if (sandbox_type != SANDBOX_TYPE_UTILITY) {
-    DCHECK(allowed_dir.empty())
-        << "Only SANDBOX_TYPE_UTILITY allows a custom directory parameter.";
-  } else {
-    DCHECK(!allowed_dir.empty())
-        << "SANDBOX_TYPE_UTILITY "
-        << "needs a custom directory parameter, but an empty one was provided.";
-  }
-
-  // We use a custom sandbox definition file to lock things down as
-  // tightly as possible.
-  // TODO(jeremy): Look at using include syntax to unify common parts of sandbox
-  // definition files.
-  NSString* sandbox_config_filename = nil;
-  switch (sandbox_type) {
-    case SANDBOX_TYPE_RENDERER:
-      sandbox_config_filename = @"renderer";
-      break;
-    case SANDBOX_TYPE_WORKER:
-      sandbox_config_filename = @"worker";
-      break;
-    case SANDBOX_TYPE_UTILITY:
-      sandbox_config_filename = @"utility";
-      break;
-    default:
-      NOTREACHED();
-      return false;
-  }
-
+bool EnableSandbox() {
+  // For the renderer, we give it a custom sandbox to lock things down as
+  // tightly as possible, while still enabling drawing.
   NSString* sandbox_profile_path =
-      [mac_util::MainAppBundle() pathForResource:sandbox_config_filename
-                                          ofType:@"sb"];
+      [mac_util::MainAppBundle() pathForResource:@"renderer" ofType:@"sb"];
   NSString* sandbox_data =
       [NSString stringWithContentsOfFile:sandbox_profile_path
                                 encoding:NSUTF8StringEncoding
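Review bot: `pathForResource:@"renderer" ofType:@"sb"` returns nil when the profile is absent from the bundle and nothing in the new lines checks for that; because messaging nil is a no-op, `sandbox_data` would silently be nil and the string substitutions that follow (outside this hunk) would do nothing, so a missing renderer.sb would only surface wherever the profile is finally applied. The removed switch at least ended in `NOTREACHED(); return false;` for an unexpected type, and the new body has no equivalent guard. A single `DCHECK(sandbox_profile_path);` after the assignment would make a missing or misnamed profile fail loudly in debug builds. EnableSandbox() continues past the end of the hunk.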
@@ -139,13 +108,6 @@ bool EnableSandbox(SandboxProcessType sandbox_type,
                                        withString:@""];
   }
 
-  if (!allowed_dir.empty()) {
-    NSString* allowed_dir_ns = base::SysUTF8ToNSString(allowed_dir.value());
-    sandbox_data = [sandbox_data
-        stringByReplacingOccurrencesOfString:@"DIR_TO_ALLOW_ACCESS"
-                                  withString:allowed_dir_ns];
-  }
-
   int32 major_version, minor_version, bugfix_version;
   base::SysInfo::OperatingSystemVersionNumbers(&major_version,
       &minor_version, &bugfix_version);
diff --git a/chrome/renderer/renderer_main_platform_delegate_mac.mm b/chrome/renderer/renderer_main_platform_delegate_mac.mm
index 014a7d2..4a5475e 100644
--- a/chrome/renderer/renderer_main_platform_delegate_mac.mm
+++ b/chrome/renderer/renderer_main_platform_delegate_mac.mm
@@ -6,8 +6,6 @@
 
 #import <Cocoa/Cocoa.h>
 
-#include "base/command_line.h"
-#include "chrome/common/chrome_switches.h"
 #include "chrome/common/sandbox_mac.h"
 #include "third_party/WebKit/WebKit/mac/WebCoreSupport/WebSystemInterface.h"
 
@@ -26,6 +24,9 @@ void RendererMainPlatformDelegate::PlatformInitialize() {
   // Load WebKit system interfaces.
   InitWebCoreSystemInterface();
 
+  // Warmup APIs before turning on the Sandbox.
+  sandbox::SandboxWarmup();
+
   if (![NSThread isMultiThreaded]) {
     NSString* string = @"";
     [NSThread detachNewThreadSelector:@selector(length)
@@ -46,10 +47,7 @@ bool RendererMainPlatformDelegate::InitSandboxTests(bool no_sandbox) {
 }
 
 bool RendererMainPlatformDelegate::EnableSandbox() {
-  CommandLine* parsed_command_line = CommandLine::ForCurrentProcess();
-  SandboxInitWrapper sandbox_wrapper;
-  return sandbox_wrapper.InitializeSandbox(*parsed_command_line,
-                                           switches::kRendererProcess);
+  return sandbox::EnableSandbox();
 }
 
 void RendererMainPlatformDelegate::RunSandboxTests() {
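Review bot: In the last hunk `RendererMainPlatformDelegate::EnableSandbox()` now returns `sandbox::EnableSandbox()` directly, so the `--no-sandbox` check that the replaced SandboxInitWrapper::InitializeSandbox call performed is no longer made in this function. If the platform-independent renderer startup already skips EnableSandbox() when the switch is present (the `no_sandbox` parameter of InitSandboxTests in the hunk header suggests it is aware of it) nothing changes; otherwise the switch has stopped working on OS X, which is worth confirming before landing. Either way a comment would pin the contract: `// Callers are expected to honor --no-sandbox; this always applies the renderer profile.` The middle hunk also makes `sandbox::SandboxWarmup()` unconditional in PlatformInitialize(), which is harmless but means warmup runs even when the sandbox is never enabled.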