author | reveman <reveman@chromium.org> | 2015-06-03 18:27:08 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-06-04 01:27:49 +0000 |
commit | 7c45b308edffa29d63d752fef7f7bf759a465a64 (patch) | |
tree | e2ccc57470c2117672276c2b778440fa89f85cc6 /gpu | |
parent | 32506eb27f1c9452c2bd9d0eb222b47a3dbc8ea8 (diff) | |
download | chromium_src-7c45b308edffa29d63d752fef7f7bf759a465a64.zip chromium_src-7c45b308edffa29d63d752fef7f7bf759a465a64.tar.gz chromium_src-7c45b308edffa29d63d752fef7f7bf759a465a64.tar.bz2 |
content: Pass IOSurface references using Mach IPC.
This removes the use of global IOSurfaces and instead passes
ownership between processes using Mach IPC.
The IOSurface GpuMemoryBuffer factory instance in the GPU
process sends a synchronous Mach message to the browser
process to register each IOSurface it creates. IOSurface
registration messages are handled by the
BrowserIOSurfaceManager class and child processes can use
a Mach message to acquire a reference to an IOSurface that
has been registered with the manager.
The BrowserIOSurfaceManager class keeps track of the
ownership of each IOSurface and prevents a child process
from acquiring a reference to an IOSurface that it doesn't
own. A unique unguessable token is generated for each child
process that is allowed to use IOSurfaces. The token
restricts what IOSurfaces a child process has access to
and prevents a malicious process from gaining access to
IOSurfaces it doesn't own.
Security Considerations
-----------------------
In general, this is a major improvement to security as it
provides proper sandboxing of IOSurfaces. Prior to this
change, IOSurfaces were global and any process on the
system (including all renderer processes) had access to
all IOSurfaces. The renderer that owns the IOSurface is
the only process (except for the browser and GPU) that
has access to the IOSurface as a result of this change.
Passing of IOSurface references to child processes requires
a Mach port to be open in the child process sandbox for
sending messages to the browser. As a result, Mach message
handling in the browser process
(BrowserIOSurfaceManager::Handle*Request) requires
validation and proper error handling to prevent a
malicious renderer from exploiting this channel.
BUG=323304
TEST=content_unittests --gtest_filter=GpuMemoryBuffer*/1, content_unittests --gtest_filter=BrowserIOSurfaceManagerTest.*, content_shell --enable-native-gpu-memory-buffers
Review URL: https://codereview.chromium.org/1137453002
Cr-Commit-Position: refs/heads/master@{#332757}
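The ownership model the commit message describes (an unguessable per-child token, a browser-side registry of which child owns each surface, a child able to acquire only surfaces it owns, and strict validation of every request before any state is touched), as an added example that is not Chromium's code: a minimal C++ broker that issues tokens, records surface ownership, and rejects malformed or unauthorized acquire requests. Every name here (`SurfaceRegistry`, `Token`, `Verdict`, `AcquireRequest`, `HandleAcquireRequest`) and the 20-byte wire format are assumptions made for this example; the real `BrowserIOSurfaceManager` interface and the Mach message layout are not shown on this page.

```cpp
// Added example (not Chromium code): a model of the browser-side ownership
// check described in the commit message. All names here are hypothetical;
// Chromium's BrowserIOSurfaceManager has a different interface.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <random>
#include <vector>

// 128-bit per-child token. It is unguessable only if the bytes come from a
// cryptographically secure generator.
using Token = std::array<uint8_t, 16>;
using SurfaceId = uint32_t;

enum class Verdict { kOk, kMalformed, kBadToken, kUnknownSurface, kNotOwner };

// Assumed wire format of an acquire request: 16 token bytes followed by a
// 4-byte little-endian surface id. Fixed size, so anything else is rejected.
struct AcquireRequest {
  Token token;
  SurfaceId id;
};
constexpr size_t kAcquireRequestSize = sizeof(Token) + sizeof(SurfaceId);

// Constant-time compare so a malicious child cannot recover a token byte by
// byte from the timing of rejected requests.
static bool TokensEqual(const Token& a, const Token& b) {
  uint8_t diff = 0;
  for (size_t i = 0; i < a.size(); ++i) diff |= static_cast<uint8_t>(a[i] ^ b[i]);
  return diff == 0;
}

// Strict length check first; the sender's framing is never trusted.
static bool ParseAcquireRequest(const std::vector<uint8_t>& msg, AcquireRequest* out) {
  if (msg.size() != kAcquireRequestSize) return false;
  std::memcpy(out->token.data(), msg.data(), sizeof(Token));
  out->id = 0;
  for (size_t i = 0; i < sizeof(SurfaceId); ++i)
    out->id |= static_cast<SurfaceId>(msg[sizeof(Token) + i]) << (8 * i);
  return true;
}

class SurfaceRegistry {
 public:
  // Browser side: mint a token for a child process allowed to use surfaces.
  // std::random_device stands in for the platform CSPRNG in this example.
  Token IssueToken(int child_id) {
    std::random_device rd;
    Token t;
    for (auto& b : t) b = static_cast<uint8_t>(rd());
    tokens_[child_id] = t;
    return t;
  }

  // Registered by the GPU process when it creates a surface on behalf of
  // |owner_child_id|. A surface id can be registered only once.
  bool RegisterSurface(SurfaceId id, int owner_child_id) {
    return owners_.emplace(id, owner_child_id).second;
  }

  // Called when the owning child frees the surface or exits.
  void UnregisterSurface(SurfaceId id) { owners_.erase(id); }

  // Child request: a reference is handed out only if the presented token
  // belongs to the registered owner of |id|.
  Verdict Acquire(const Token& token, SurfaceId id) const {
    int child_id = 0;
    bool found = false;
    for (const auto& kv : tokens_) {
      // Every token is checked so the loop cost does not reveal which matched.
      if (TokensEqual(kv.second, token)) { child_id = kv.first; found = true; }
    }
    if (!found) return Verdict::kBadToken;
    auto it = owners_.find(id);
    if (it == owners_.end()) return Verdict::kUnknownSurface;
    if (it->second != child_id) return Verdict::kNotOwner;
    return Verdict::kOk;
  }

  // IPC entry point: validate the raw message before touching any state.
  Verdict HandleAcquireRequest(const std::vector<uint8_t>& msg) const {
    AcquireRequest req;
    if (!ParseAcquireRequest(msg, &req)) return Verdict::kMalformed;
    return Acquire(req.token, req.id);
  }

 private:
  std::map<int, Token> tokens_;      // child id -> its token
  std::map<SurfaceId, int> owners_;  // surface id -> owning child id
};

// Builds a request message the way a child process would encode it.
static std::vector<uint8_t> EncodeAcquireRequest(const Token& token, SurfaceId id) {
  std::vector<uint8_t> msg(token.begin(), token.end());
  for (size_t i = 0; i < sizeof(SurfaceId); ++i)
    msg.push_back(static_cast<uint8_t>(id >> (8 * i)));
  return msg;
}
```

The two checks a reviewer of the real `Handle*Request` code would look for are both visible here: the handler refuses any message whose size is not exactly what it expects before reading a field, and the ownership decision is made from the broker's own table, never from anything the child claims about itself. In Chromium the request arrives as a Mach message through the one send right left open in the sandbox; the model above replaces that transport with a byte vector so it can run anywhere.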
Diffstat (limited to 'gpu')
-rw-r--r-- | gpu/command_buffer/common/mailbox.h | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/gpu/command_buffer/common/mailbox.h b/gpu/command_buffer/common/mailbox.h index a45c91f..67b023e 100644 --- a/gpu/command_buffer/common/mailbox.h +++ b/gpu/command_buffer/common/mailbox.h @@ -18,6 +18,8 @@ namespace gpu { struct GPU_EXPORT Mailbox { + using Name = int8_t[GL_MAILBOX_SIZE_CHROMIUM]; + Mailbox(); bool IsZero() const; void SetZero(); @@ -31,7 +33,8 @@ struct GPU_EXPORT Mailbox { // check, only to catch bugs where clients forgot to call Mailbox::Generate. bool Verify() const; - int8_t name[GL_MAILBOX_SIZE_CHROMIUM]; + Name name; + bool operator<(const Mailbox& other) const { return memcmp(this, &other, sizeof other) < 0; } |
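Review bot: the new `operator<` compares the whole object with `memcmp(this, &other, sizeof other)` rather than the `name` member it is meant to order by; that is correct only while `name` is the sole data member and `Mailbox` has no padding, and any member added later would silently become part of the ordering. Comparing the array directly, `return memcmp(name, other.name, sizeof name) < 0;`, states the intent and does not depend on the struct's layout. The hunk also calls `memcmp` without showing an include for `<string.h>` or `<cstring>` in `mailbox.h`; worth confirming the header includes it itself rather than relying on a transitive include. Minor: `Name` is an alias for a raw C array, so it cannot be returned or assigned by value; if that is ever needed, `std::array<int8_t, GL_MAILBOX_SIZE_CHROMIUM>` would keep the same layout.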