authorjeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-11-05 12:50:34 +0000
committerjeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-11-05 12:50:34 +0000
commit824083c52c5689198290e24938793ce4ccc6e683 (patch)
treea9a8145fff77340dc6c88ee787fa9653c421e35a /chrome
parent498fd8ed8d91dd428dab8b7d40029a62aa42734e (diff)
Sandbox Worker process on the Mac.
* Add plumbing to allow multiple Sandbox profiles on OS X. * Separate sandbox_init_wrapper into platform specific files. * Sandbox Worker process & add plumbing to Sandbox utility process when we bring that up. * Remove mention of stale bugs in utility process on Mac. BUG=23582 TEST=Worker process should work. Review URL: http://codereview.chromium.org/341033 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@31089 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome')
-rw-r--r--chrome/app/chrome_dll_main.cc11
-rw-r--r--chrome/browser/utility.sb40
-rw-r--r--chrome/browser/utility_process_host.cc9
-rw-r--r--chrome/browser/utility_process_host_unittest.cc5
-rw-r--r--chrome/browser/worker.sb35
-rwxr-xr-xchrome/chrome.gyp8
-rw-r--r--chrome/common/chrome_switches.cc4
-rw-r--r--chrome/common/chrome_switches.h1
-rw-r--r--chrome/common/sandbox_init_wrapper.cc44
-rw-r--r--chrome/common/sandbox_init_wrapper.h18
-rw-r--r--chrome/common/sandbox_init_wrapper_linux.cc14
-rw-r--r--chrome/common/sandbox_init_wrapper_mac.cc49
-rw-r--r--chrome/common/sandbox_init_wrapper_win.cc32
-rw-r--r--chrome/common/sandbox_mac.h25
-rw-r--r--chrome/common/sandbox_mac.mm46
-rw-r--r--chrome/renderer/renderer_main_platform_delegate_mac.mm10
16 files changed, 281 insertions, 70 deletions
diff --git a/chrome/app/chrome_dll_main.cc b/chrome/app/chrome_dll_main.cc
index 26b493a..bc9f4a3 100644
--- a/chrome/app/chrome_dll_main.cc
+++ b/chrome/app/chrome_dll_main.cc
@@ -482,7 +482,11 @@ int ChromeMain(int argc, char** argv) {
#if defined(OS_WIN)
sandbox_wrapper.SetServices(sandbox_info);
#endif
+
+ // OS X enables sandboxing later in the startup process.
+#if !defined (OS_MACOSX)
sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type);
+#endif // !OS_MACOSX
#if defined(OS_WIN)
_Module.Init(NULL, instance);
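Review bot: The result of `sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type)` is discarded, both at the call kept under `#if !defined (OS_MACOSX)` here and at the OS X call added in the next hunk, even though this commit changes the method to return `bool` so that failure can be reported. A worker or utility process whose sandbox fails to come up would therefore keep running unsandboxed with no signal. The call should be checked, e.g. `if (!sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type))` followed by a logged early exit with whatever failure code ChromeMain uses. ChromeMain's body continues outside both hunks, so an existing check further down cannot be ruled out from here.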
@@ -536,6 +540,13 @@ int ChromeMain(int argc, char** argv) {
if (!process_type.empty())
CommonSubprocessInit();
+#if defined (OS_MACOSX)
+ // On OS X the renderer sandbox needs to be initialized later in the startup
+ // sequence in RendererMainPlatformDelegate::PlatformInitialize().
+ if (process_type != switches::kRendererProcess)
+ sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type);
+#endif // OS_MACOSX
+
startup_timer.Stop(); // End of Startup Time Measurement.
MainFunctionParams main_params(parsed_command_line, sandbox_wrapper,
diff --git a/chrome/browser/utility.sb b/chrome/browser/utility.sb
new file mode 100644
index 0000000..291e677
--- /dev/null
+++ b/chrome/browser/utility.sb
@@ -0,0 +1,40 @@
+;;
+;; Copyright (c) 2009 The Chromium Authors. All rights reserved.
+;; Use of this source code is governed by a BSD-style license that can be
+;; found in the LICENSE file.
+;;
+; This is the Sandbox configuration file used for safeguarding the utility
+; process which is used for performing sandboxed operations that need to touch
+; the filesystem like decoding theme images and unpacking extensions.
+;
+; This configuration locks everything down, except access to one configurable
+; directory. This is different from other sandbox configuration files where
+; file system access is entireley restricted.
+(version 1)
+(deny default)
+; Support for programmatically enabling verbose debugging.
+;ENABLE_LOGGING (debug deny)
+
+; Allow sending signals to self - http://crbug.com/20370
+(allow signal (target self))
+
+; Needed for full-page-zoomed controls - http://crbug.com/11325
+(allow sysctl-read)
+
+; Each line is marked with the System version that needs it.
+; This profile is tested with the following system versions:
+; 10.5.6, 10.6
+
+; Allow following symlinks
+(allow file-read-metadata) ; 10.5.6
+
+; Loading System Libraries.
+(allow file-read-data (regex #"^/System/Library/Frameworks")) ; 10.5.6
+(allow file-read-data (regex #"^/System/Library/PrivateFrameworks")) ; 10.5.6
+(allow file-read-data (regex #"^/System/Library/CoreServices")) ; 10.5.6
+
+; Needed for IPC on 10.6
+;10.6_ONLY (allow ipc-posix-shm)
+
+; Enable full access to given directory.
+(allow file-read* file-write* (regex #"^DIR_TO_ALLOW_ACCESS"))
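Review bot: The final rule's pattern `^DIR_TO_ALLOW_ACCESS` is anchored only at the start, so once the directory is substituted it also matches any sibling path that begins with the same characters (a grant for `/a/b` would also cover `/a/bc`). Ending the pattern on a path boundary, e.g. `(regex #"^DIR_TO_ALLOW_ACCESS(/|$)")`, would confine read/write access to the directory and its contents, assuming the sandbox regex dialect accepts the alternation. The three `^/System/Library/...` patterns have the same open-ended tail and could be tightened the same way. Separately, the header comment spells "entirely" as "entireley".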
diff --git a/chrome/browser/utility_process_host.cc b/chrome/browser/utility_process_host.cc
index af35c36..1ba7068 100644
--- a/chrome/browser/utility_process_host.cc
+++ b/chrome/browser/utility_process_host.cc
@@ -67,8 +67,8 @@ FilePath UtilityProcessHost::GetUtilityProcessCmd() {
bool UtilityProcessHost::StartProcess(const FilePath& exposed_dir) {
#if defined(OS_POSIX)
- // TODO(port): We should not reach here on linux (crbug.com/22703) or
- // MacOS (crbug.com/8102) until problems related to autoupdate are fixed.
+ // TODO(port): We should not reach here on Linux (crbug.com/22703).
+ // (crbug.com/23837) covers enabling this on Linux/OS X.
NOTREACHED();
return false;
#endif
@@ -113,7 +113,7 @@ bool UtilityProcessHost::StartProcess(const FilePath& exposed_dir) {
process = sandbox::StartProcessWithAccess(&cmd_line, exposed_dir);
}
#else
- // TODO(port): Sandbox this on Linux/Mac. Also, zygote this to work with
+ // TODO(port): Sandbox this on Linux. Also, zygote this to work with
// Linux updating.
bool has_cmd_prefix = browser_command_line.HasSwitch(
switches::kUtilityCmdPrefix);
@@ -124,6 +124,9 @@ bool UtilityProcessHost::StartProcess(const FilePath& exposed_dir) {
switches::kUtilityCmdPrefix));
}
+ cmd_line.AppendSwitchWithValue(switches::kUtilityProcessAllowedDir,
+ exposed_dir.value().c_str());
+
// This code is duplicated with browser_render_process_host.cc and
// plugin_process_host.cc, but there's not a good place to de-duplicate it.
// Maybe we can merge this into sandbox::StartProcess which will set up
diff --git a/chrome/browser/utility_process_host_unittest.cc b/chrome/browser/utility_process_host_unittest.cc
index 3be0480..9e3a73d 100644
--- a/chrome/browser/utility_process_host_unittest.cc
+++ b/chrome/browser/utility_process_host_unittest.cc
@@ -124,9 +124,8 @@ class ProcessClosedObserver : public NotificationObserver {
bool observed_;
};
-#if !defined(OS_POSIX)
-// We should not run this on linux (crbug.com/22703) or MacOS (crbug.com/8102)
-// until problems related to autoupdate are fixed.
+#if !defined(OS_LINUX)
+// We should not run this on linux (crbug.com/22703).
TEST_F(UtilityProcessHostTest, ExtensionUnpacker) {
// Copy the test extension into a temp dir and install from the temp dir.
FilePath extension_file;
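Review bot: Switching the guard to `#if !defined(OS_LINUX)` enables ExtensionUnpacker on OS X, but in this same commit UtilityProcessHost::StartProcess still runs `NOTREACHED(); return false;` under `#if defined(OS_POSIX)`, which covers the Mac. Unless the test body (which continues outside this hunk) tolerates that, the test would presumably assert in debug builds or fail on OS X. Keeping the guard at `#if !defined(OS_POSIX)` until crbug.com/23837 enables the utility process there would keep the two files consistent.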
diff --git a/chrome/browser/worker.sb b/chrome/browser/worker.sb
new file mode 100644
index 0000000..bc208c4
--- /dev/null
+++ b/chrome/browser/worker.sb
@@ -0,0 +1,35 @@
+;;
+;; Copyright (c) 2009 The Chromium Authors. All rights reserved.
+;; Use of this source code is governed by a BSD-style license that can be
+;; found in the LICENSE file.
+;;
+; This is the Sandbox configuration file used for safeguarding the worker
+; process which is used to run web workers in a sandboxed environment.
+;
+; This is the most restrictive sandbox profile and only enables just enough
+; to allow basic use of Cocoa.
+(version 1)
+(deny default)
+; Support for programmatically enabling verbose debugging.
+;ENABLE_LOGGING (debug deny)
+
+; Allow sending signals to self - http://crbug.com/20370
+(allow signal (target self))
+
+; Needed for full-page-zoomed controls - http://crbug.com/11325
+(allow sysctl-read)
+
+; Each line is marked with the System version that needs it.
+; This profile is tested with the following system versions:
+; 10.5.6, 10.6
+
+; Allow following symlinks
+(allow file-read-metadata) ; 10.5.6
+
+; Loading System Libraries.
+(allow file-read-data (regex #"^/System/Library/Frameworks")) ; 10.5.6
+(allow file-read-data (regex #"^/System/Library/PrivateFrameworks")) ; 10.5.6
+(allow file-read-data (regex #"^/System/Library/CoreServices")) ; 10.5.6
+
+; Needed for IPC on 10.6
+;10.6_ONLY (allow ipc-posix-shm)
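Review bot: The justification on `(allow sysctl-read)`, "Needed for full-page-zoomed controls", appears to be carried over from the renderer profile and does not explain why a worker process with no UI needs it, which matters in a profile described as the most restrictive one. Either drop the rule if the worker runs without it, or replace the comment with the worker-specific reason, e.g. `; Required by <component> during worker startup - verified on 10.5.6, 10.6`. It would also help to say that `;ENABLE_LOGGING` and `;10.6_ONLY` are substitution markers rather than ordinary comments, for example `; NOTE: the ;ENABLE_LOGGING and ;10.6_ONLY prefixes are rewritten at load time; do not reformat these lines.`, which is inferred here from the string replacement visible in sandbox_mac.mm.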
diff --git a/chrome/chrome.gyp b/chrome/chrome.gyp
index c81b650..dde6002 100755
--- a/chrome/chrome.gyp
+++ b/chrome/chrome.gyp
@@ -673,8 +673,10 @@
'common/resource_dispatcher.cc',
'common/resource_dispatcher.h',
'common/result_codes.h',
- 'common/sandbox_init_wrapper.cc',
'common/sandbox_init_wrapper.h',
+ 'common/sandbox_init_wrapper_linux.cc',
+ 'common/sandbox_init_wrapper_mac.cc',
+ 'common/sandbox_init_wrapper_win.cc',
'common/sandbox_mac.h',
'common/sandbox_mac.mm',
'common/security_filter_peer.cc',
@@ -2613,6 +2615,10 @@
'$(SDKROOT)/System/Library/Frameworks/SecurityInterface.framework',
'$(SDKROOT)/System/Library/Frameworks/QuartzCore.framework',
],
+ 'mac_bundle_resources': [
+ 'browser/utility.sb',
+ 'browser/worker.sb',
+ ],
},
'actions': [
{
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 86e9467..60736d2 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -601,6 +601,10 @@ const char kUtilityCmdPrefix[] = "utility-cmd-prefix";
// Causes the process to run as a utility subprocess.
const char kUtilityProcess[] = "utility";
+// The utility process is sandboxed, with access to one directory. This flag
+// specifies the directory that can be accessed.
+const char kUtilityProcessAllowedDir[] = "utility-allowed-dir";
+
// Will add kWaitForDebugger to every child processes. If a value is passed, it
// will be used as a filter to determine if the child process should have the
// kWaitForDebugger flag passed on or not.
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 89ecf9f..2d387cd 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -169,6 +169,7 @@ extern const char kUserDataDir[];
extern const char kUserScriptsDir[];
extern const char kUtilityCmdPrefix[];
extern const char kUtilityProcess[];
+extern const char kUtilityProcessAllowedDir[];
extern const char kWaitForDebuggerChildren[];
extern const char kWebWorkerProcessPerCore[];
extern const char kWebWorkerShareProcesses[];
diff --git a/chrome/common/sandbox_init_wrapper.cc b/chrome/common/sandbox_init_wrapper.cc
deleted file mode 100644
index 31488f7..0000000
--- a/chrome/common/sandbox_init_wrapper.cc
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/sandbox_init_wrapper.h"
-
-#include "base/command_line.h"
-#include "chrome/common/chrome_switches.h"
-
-#if defined(OS_WIN)
-
-void SandboxInitWrapper::SetServices(sandbox::SandboxInterfaceInfo* info) {
- if (info) {
- broker_services_ = info->broker_services;
- target_services_ = info->target_services;
- }
-}
-
-#endif
-
-void SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
- const std::string& process_type) {
-#if defined(OS_WIN)
- if (!target_services_)
- return;
-#endif
- if (!command_line.HasSwitch(switches::kNoSandbox)) {
- if ((process_type == switches::kRendererProcess) ||
- (process_type == switches::kWorkerProcess) ||
- (process_type == switches::kNaClProcess) ||
- (process_type == switches::kUtilityProcess) ||
- (process_type == switches::kPluginProcess &&
- command_line.HasSwitch(switches::kSafePlugins))) {
-#if defined(OS_WIN)
- target_services_->Init();
-#elif defined(OS_MACOSX)
- // We just cache the process type so we can configure the sandbox
- // correctly, see renderer_main_platform_delegate_mac.cc for one of those
- // places.
- process_type_ = process_type;
-#endif
- }
- }
-}
diff --git a/chrome/common/sandbox_init_wrapper.h b/chrome/common/sandbox_init_wrapper.h
index a1c2de9..d1652d2 100644
--- a/chrome/common/sandbox_init_wrapper.h
+++ b/chrome/common/sandbox_init_wrapper.h
@@ -33,7 +33,10 @@ class SandboxInitWrapper {
// Initialize the sandbox for renderer and plug-in processes, depending on
// the command line flags. The browser process is not sandboxed.
- void InitializeSandbox(const CommandLine& parsed_command_line,
+ // Returns true if the sandbox was initialized succesfully, false if an error
+ // occurred. If process_type isn't one that needs sandboxing true is always
+ // returned.
+ bool InitializeSandbox(const CommandLine& parsed_command_line,
const std::string& process_type);
private:
sandbox::BrokerServices* broker_services_;
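Review bot: The doc comment on InitializeSandbox still says it initializes the sandbox "for renderer and plug-in processes", while this commit makes the Mac implementation cover worker and utility processes too; the same text is repeated in the second hunk. Since `true` is also returned when sandboxing is skipped, the comment should state that `true` does not imply the process is sandboxed, e.g. `// Returns false only if a sandbox was required and could not be enabled; true does not imply the process is sandboxed.` The added lines also misspell "successfully" as "succesfully" in both hunks.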
@@ -50,17 +53,12 @@ class SandboxInitWrapper {
// Initialize the sandbox for renderer and plug-in processes, depending on
// the command line flags. The browser process is not sandboxed.
- void InitializeSandbox(const CommandLine& parsed_command_line,
+ // Returns true if the sandbox was initialized succesfully, false if an error
+ // occurred. If process_type isn't one that needs sandboxing true is always
+ // returned.
+ bool InitializeSandbox(const CommandLine& parsed_command_line,
const std::string& process_type);
-#if defined(OS_MACOSX)
- // We keep the process type so we can configure the sandbox as needed.
- public:
- std::string ProcessType() const { return process_type_; }
- private:
- std::string process_type_;
-#endif
-
private:
DISALLOW_COPY_AND_ASSIGN(SandboxInitWrapper);
};
diff --git a/chrome/common/sandbox_init_wrapper_linux.cc b/chrome/common/sandbox_init_wrapper_linux.cc
new file mode 100644
index 0000000..daf02d3
--- /dev/null
+++ b/chrome/common/sandbox_init_wrapper_linux.cc
@@ -0,0 +1,14 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/sandbox_init_wrapper.h"
+
+#include "base/command_line.h"
+#include "chrome/common/chrome_switches.h"
+
+bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
+ const std::string& process_type) {
+ // TODO(port): Does Linux need to do anything here?
+ return true;
+}
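Review bot: This stub returns `true` for every process type, which under the header's contract reads as "sandbox initialized successfully or not needed", yet nothing is enabled here. The TODO leaves open whether that is intentional, so a caller that starts checking the result cannot tell a sandboxed Linux process from an unsandboxed one. A comment making the meaning explicit would avoid that misreading, e.g. `// No sandbox is enabled by this function on Linux; true only means nothing failed.`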
diff --git a/chrome/common/sandbox_init_wrapper_mac.cc b/chrome/common/sandbox_init_wrapper_mac.cc
new file mode 100644
index 0000000..6ce09d3
--- /dev/null
+++ b/chrome/common/sandbox_init_wrapper_mac.cc
@@ -0,0 +1,49 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/sandbox_init_wrapper.h"
+
+#include "base/command_line.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/common/sandbox_mac.h"
+
+bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
+ const std::string& process_type) {
+ if (command_line.HasSwitch(switches::kNoSandbox))
+ return true;
+
+ sandbox::SandboxProcessType sandbox_process_type;
+ FilePath allowed_dir; // Empty by default.
+
+ if (process_type.empty()) {
+ // Browser process isn't sandboxed.
+ return true;
+ } else if (process_type == switches::kRendererProcess) {
+ // Renderer process sandbox.
+ sandbox_process_type = sandbox::SANDBOX_TYPE_RENDERER;
+ } else if (process_type == switches::kUtilityProcess) {
+ // Utility process sandbox.
+ sandbox_process_type = sandbox::SANDBOX_TYPE_UTILITY;
+ allowed_dir = FilePath::FromWStringHack(
+ command_line.GetSwitchValue(switches::kUtilityProcessAllowedDir));
+ } else if (process_type == switches::kWorkerProcess) {
+ // Worker process sandbox.
+ sandbox_process_type = sandbox::SANDBOX_TYPE_WORKER;
+ } else if ((process_type == switches::kNaClProcess) ||
+ (process_type == switches::kPluginProcess) ||
+ (process_type == switches::kProfileImportProcess)) {
+ return true;
+ } else {
+ // Failsafe: If you hit an unreached here, is your new process type in need
+ // of sandboxing?
+ NOTREACHED();
+ return true;
+ }
+
+ // Warm up APIs before turning on the sandbox.
+ sandbox::SandboxWarmup();
+
+ // Actually sandbox the process.
+ return sandbox::EnableSandbox(sandbox_process_type, allowed_dir);
+}
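Review bot: The failsafe `else` branch ends in `return true;`, so in a build where NOTREACHED() compiles away an unrecognised process type is reported as successfully handled while running with no sandbox. Returning `false` there makes the comment's intent ("is your new process type in need of sandboxing?") enforceable at runtime rather than only in debug builds. The NaCl, plugin and profile-import branch also returns `true` without a comment; a line such as `// Not sandboxed on OS X yet.` would make that decision visible to readers.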
diff --git a/chrome/common/sandbox_init_wrapper_win.cc b/chrome/common/sandbox_init_wrapper_win.cc
new file mode 100644
index 0000000..fe5c6df
--- /dev/null
+++ b/chrome/common/sandbox_init_wrapper_win.cc
@@ -0,0 +1,32 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/sandbox_init_wrapper.h"
+
+#include "base/command_line.h"
+#include "chrome/common/chrome_switches.h"
+
+void SandboxInitWrapper::SetServices(sandbox::SandboxInterfaceInfo* info) {
+ if (info) {
+ broker_services_ = info->broker_services;
+ target_services_ = info->target_services;
+ }
+}
+
+bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
+ const std::string& process_type) {
+ if (command_line.HasSwitch(switches::kNoSandbox))
+ return true;
+ if ((process_type == switches::kRendererProcess) ||
+ (process_type == switches::kWorkerProcess) ||
+ (process_type == switches::kNaClProcess) ||
+ (process_type == switches::kUtilityProcess) ||
+ (process_type == switches::kPluginProcess &&
+ command_line.HasSwitch(switches::kSafePlugins))) {
+ if (!target_services_)
+ return false;
+ target_services_->Init();
+ }
+ return true;
+}
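Review bot: The result of `target_services_->Init()` is dropped and the function then returns `true`, so a failed target initialization would be reported as success under the new `bool` contract. If Init() returns a sandbox result code, as its use elsewhere in the sandbox library suggests, the return should reflect it, e.g. `return target_services_->Init() == sandbox::SBOX_ALL_OK;` (confirm the constant against sandbox_types.h). The new `return false` when `target_services_` is null is a reasonable tightening over the old early return, but it only helps once callers check the value.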
diff --git a/chrome/common/sandbox_mac.h b/chrome/common/sandbox_mac.h
index c747e20..a8a55b0 100644
--- a/chrome/common/sandbox_mac.h
+++ b/chrome/common/sandbox_mac.h
@@ -5,14 +5,37 @@
#ifndef CHROME_COMMON_SANDBOX_MAC_H_
#define CHROME_COMMON_SANDBOX_MAC_H_
+#include "base/file_path.h"
+
namespace sandbox {
+enum SandboxProcessType {
+ SANDBOX_TYPE_RENDERER,
+
+ // Worker process has *everything* not needed for Cocoa locked down.
+ SANDBOX_TYPE_WORKER,
+
+ // Utility process is as restrictive as the worker process except full access
+ // is allowed to one configurable directory.
+ SANDBOX_TYPE_UTILITY,
+};
+
// Warm up System APIs that empirically need to be accessed before the Sandbox
// is turned on.
void SandboxWarmup();
// Turns on the OS X sandbox for this process.
-bool EnableSandbox();
+// |sandbox_type| - type of Sandbox to use.
+// |allowed_dir| - directory to allow access to, currently the only sandbox
+// profile that supports this is SANDBOX_TYPE_UTILITY .
+//
+// |allowed_dir| must be a "simple" string since it's placed as is in a regex
+// i.e. it must not contain quotation characters, escaping or any characters
+// that might have special meaning when blindly substituted into a regular
+// expression - crbug.com/26492 .
+// Returns true on success, false if an error occurred enabling the sandbox.
+bool EnableSandbox(SandboxProcessType sandbox_type,
+ const FilePath& allowed_dir);
} // namespace sandbox
diff --git a/chrome/common/sandbox_mac.mm b/chrome/common/sandbox_mac.mm
index ae55b52..6eac34c 100644
--- a/chrome/common/sandbox_mac.mm
+++ b/chrome/common/sandbox_mac.mm
@@ -84,11 +84,42 @@ void SandboxWarmup() {
}
// Turns on the OS X sandbox for this process.
-bool EnableSandbox() {
- // For the renderer, we give it a custom sandbox to lock things down as
- // tightly as possible, while still enabling drawing.
+bool EnableSandbox(SandboxProcessType sandbox_type,
+ const FilePath& allowed_dir) {
+ // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being
+ // passed in.
+ if (sandbox_type != SANDBOX_TYPE_UTILITY) {
+ DCHECK(allowed_dir.empty())
+ << "Only SANDBOX_TYPE_UTILITY allows a custom directory parameter.";
+ } else {
+ DCHECK(!allowed_dir.empty())
+ << "SANDBOX_TYPE_UTILITY "
+ << "needs a custom directory parameter, but an empty one was provided.";
+ }
+
+ // We use a custom sandbox definition file to lock things down as
+ // tightly as possible.
+ // TODO(jeremy): Look at using include syntax to unify common parts of sandbox
+ // definition files.
+ NSString* sandbox_config_filename = nil;
+ switch (sandbox_type) {
+ case SANDBOX_TYPE_RENDERER:
+ sandbox_config_filename = @"renderer";
+ break;
+ case SANDBOX_TYPE_WORKER:
+ sandbox_config_filename = @"worker";
+ break;
+ case SANDBOX_TYPE_UTILITY:
+ sandbox_config_filename = @"utility";
+ break;
+ default:
+ NOTREACHED();
+ return false;
+ }
+
NSString* sandbox_profile_path =
- [mac_util::MainAppBundle() pathForResource:@"renderer" ofType:@"sb"];
+ [mac_util::MainAppBundle() pathForResource:sandbox_config_filename
+ ofType:@"sb"];
NSString* sandbox_data = [NSString
stringWithContentsOfFile:sandbox_profile_path
encoding:NSUTF8StringEncoding
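Review bot: The consistency checks between `sandbox_type` and `allowed_dir` are `DCHECK`s only, so release builds perform no validation: a SANDBOX_TYPE_UTILITY request with an empty directory would load utility.sb with the literal `DIR_TO_ALLOW_ACCESS` placeholder still in its last rule. That most likely fails closed, but silently and with a profile nobody intended. A runtime guard such as `if (sandbox_type == SANDBOX_TYPE_UTILITY && allowed_dir.empty()) return false;` next to the DCHECKs would make the precondition hold in every build. EnableSandbox continues outside this hunk, so handling of a nil `sandbox_profile_path` for the two new profile names could not be checked from here.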
@@ -108,6 +139,13 @@ bool EnableSandbox() {
withString:@""];
}
+ if (!allowed_dir.empty()) {
+ NSString* allowed_dir_ns = base::SysUTF8ToNSString(allowed_dir.value());
+ sandbox_data = [sandbox_data
+ stringByReplacingOccurrencesOfString:@"DIR_TO_ALLOW_ACCESS"
+ withString:allowed_dir_ns];
+ }
+
int32 major_version, minor_version, bugfix_version;
base::SysInfo::OperatingSystemVersionNumbers(&major_version,
&minor_version, &bugfix_version);
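Review bot: `allowed_dir` is substituted for `DIR_TO_ALLOW_ACCESS` without any checking, so the "simple string" requirement documented in sandbox_mac.h (crbug.com/26492) is left entirely to callers. A quotation mark or backslash in the path would alter the profile text itself, and an ordinary `.` in a directory name is read as a regex wildcard that widens the grant. Until proper escaping exists, the block should at least refuse a path containing `"` or `\` and return `false` before the replacement, and ideally escape regex metacharacters. The sandbox may also match against resolved paths, so it is worth confirming that a directory reached through a symlink still matches after substitution.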
diff --git a/chrome/renderer/renderer_main_platform_delegate_mac.mm b/chrome/renderer/renderer_main_platform_delegate_mac.mm
index 4a5475e..014a7d2 100644
--- a/chrome/renderer/renderer_main_platform_delegate_mac.mm
+++ b/chrome/renderer/renderer_main_platform_delegate_mac.mm
@@ -6,6 +6,8 @@
#import <Cocoa/Cocoa.h>
+#include "base/command_line.h"
+#include "chrome/common/chrome_switches.h"
#include "chrome/common/sandbox_mac.h"
#include "third_party/WebKit/WebKit/mac/WebCoreSupport/WebSystemInterface.h"
@@ -24,9 +26,6 @@ void RendererMainPlatformDelegate::PlatformInitialize() {
// Load WebKit system interfaces.
InitWebCoreSystemInterface();
- // Warmup APIs before turning on the Sandbox.
- sandbox::SandboxWarmup();
-
if (![NSThread isMultiThreaded]) {
NSString* string = @"";
[NSThread detachNewThreadSelector:@selector(length)
@@ -47,7 +46,10 @@ bool RendererMainPlatformDelegate::InitSandboxTests(bool no_sandbox) {
}
bool RendererMainPlatformDelegate::EnableSandbox() {
- return sandbox::EnableSandbox();
+ CommandLine* parsed_command_line = CommandLine::ForCurrentProcess();
+ SandboxInitWrapper sandbox_wrapper;
+ return sandbox_wrapper.InitializeSandbox(*parsed_command_line,
+ switches::kRendererProcess);
}
void RendererMainPlatformDelegate::RunSandboxTests() {