-rw-r--r-- | chrome/browser/sandbox_policy.h | 2 | ||||
-rwxr-xr-x | chrome/chrome.gyp | 2 | ||||
-rw-r--r-- | chrome/common/chrome_switches.cc | 6 | ||||
-rw-r--r-- | chrome/common/chrome_switches.h | 4 | ||||
-rw-r--r-- | chrome/common/sandbox_mac.h | 19 | ||||
-rw-r--r-- | chrome/common/sandbox_mac.mm | 145 | ||||
-rw-r--r-- | chrome/renderer/renderer.sb | 12 | ||||
-rw-r--r-- | chrome/renderer/renderer_main_platform_delegate_mac.mm | 103 |
8 files changed, 187 insertions, 106 deletions
diff --git a/chrome/browser/sandbox_policy.h b/chrome/browser/sandbox_policy.h
index 664f279..bb2e6d7 100644
--- a/chrome/browser/sandbox_policy.h
+++ b/chrome/browser/sandbox_policy.h
@@ -20,6 +20,6 @@ base::ProcessHandle StartProcess(CommandLine* cmd_line);
 base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
 const FilePath& exposed_dir);
-} // namespace sandbox;
+} // namespace sandbox
 #endif // CHROME_BROWSER_SANDBOX_POLICY_H_
diff --git a/chrome/chrome.gyp b/chrome/chrome.gyp
index cd9138d..3e156fc 100755
--- a/chrome/chrome.gyp
+++ b/chrome/chrome.gyp
@@ -640,6 +640,8 @@
 'common/result_codes.h',
 'common/sandbox_init_wrapper.cc',
 'common/sandbox_init_wrapper.h',
+ 'common/sandbox_mac.h',
+ 'common/sandbox_mac.mm',
 'common/security_filter_peer.cc',
 'common/security_filter_peer.h',
 'common/nacl_messages.h',
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 7d0076b..ae52818 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -585,6 +585,12 @@ const wchar_t kEnableSessionStorage[] = L"enable-session-storage";
 // Allows debugging of sandboxed processes (see zygote_main_linux.cc).
 const wchar_t kAllowSandboxDebugging[] = L"allow-sandbox-debugging";
+#if defined(OS_MACOSX)
+// Cause the OS X sandbox write to syslog every time an access to a resource
+// is denied by the sandbox.
+const wchar_t kEnableSandboxLogging[] = L"enable-sandbox-logging";
+#endif
+
 // Enable the seccomp sandbox (Linux only)
 const wchar_t kEnableSeccompSandbox[] = L"enable-seccomp-sandbox";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 4fa6ace..8c43fc5 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
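Review bot: The comment on `kEnableSandboxLogging` is missing a word ("sandbox write to syslog") and does not say which process honours the switch or that it is only a diagnostic, which matters for a flag that changes sandbox behaviour. Elsewhere in this commit the renderer's sandbox setup code strips a `;ENABLE_LOGGING` marker from the profile when the switch is present, so the comment can point there. I would write `// Cause the OS X sandbox to write a syslog entry every time the renderer's` / `// sandbox denies access to a resource (consumed by sandbox_mac.mm, which` / `// enables the profile's (debug deny) rule). Debugging aid only.`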
@@ -225,6 +225,10 @@ extern const wchar_t kEnableSessionStorage[];
 extern const wchar_t kAllowSandboxDebugging[];
+#if defined(OS_MACOSX)
+extern const wchar_t kEnableSandboxLogging[];
+#endif
+
 extern const wchar_t kEnableSeccompSandbox[];
 extern const wchar_t kDiagnostics[];
diff --git a/chrome/common/sandbox_mac.h b/chrome/common/sandbox_mac.h
new file mode 100644
index 0000000..c747e20
--- /dev/null
+++ b/chrome/common/sandbox_mac.h
@@ -0,0 +1,19 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_COMMON_SANDBOX_MAC_H_
+#define CHROME_COMMON_SANDBOX_MAC_H_
+
+namespace sandbox {
+
+// Warm up System APIs that empirically need to be accessed before the Sandbox
+// is turned on.
+void SandboxWarmup();
+
+// Turns on the OS X sandbox for this process.
+bool EnableSandbox();
+
+} // namespace sandbox
+
+#endif // CHROME_COMMON_SANDBOX_MAC_H_
diff --git a/chrome/common/sandbox_mac.mm b/chrome/common/sandbox_mac.mm
new file mode 100644
index 0000000..5ffe0d4
--- /dev/null
+++ b/chrome/common/sandbox_mac.mm
@@ -0,0 +1,145 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/sandbox_mac.h"
+
+#include "base/debug_util.h"
+
+#import <Cocoa/Cocoa.h>
+extern "C" {
+#include <sandbox.h>
+}
+
+#include "base/basictypes.h"
+#include "base/command_line.h"
+#include "base/mac_util.h"
+#include "base/scoped_cftyperef.h"
+#include "base/scoped_nsautorelease_pool.h"
+#include "base/string16.h"
+#include "base/string_escape.h"
+#include "base/sys_info.h"
+#include "base/sys_string_conversions.h"
+#include "chrome/common/chrome_switches.h"
+
+namespace sandbox {
+
+// Warm up System APIs that empirically need to be accessed before the Sandbox
+// is turned on.
+// This method is layed out in blocks, each one containing a separate function
+// that needs to be warmed up. The OS version on which we found the need to
+// enable the function is also noted.
+// This function is tested on the following OS versions:
+// 10.5.6, 10.6.0
+void SandboxWarmup() {
+ base::ScopedNSAutoreleasePool scoped_pool;
+
+ { // CGColorSpaceCreateWithName(), CGBitmapContextCreate() - 10.5.6
+ scoped_cftyperef<CGColorSpaceRef> rgb_colorspace(
+ CGColorSpaceCreateWithName(kCGColorSpaceGenericRGB));
+
+ // Allocate a 1x1 image.
+ char data[4];
+ scoped_cftyperef<CGContextRef> context(
+ CGBitmapContextCreate(data, 1, 1, 8, 1 * 4,
+ rgb_colorspace,
+ kCGImageAlphaPremultipliedFirst |
+ kCGBitmapByteOrder32Host));
+
+ // Load in the color profiles we'll need (as a side effect).
+ (void) mac_util::GetSRGBColorSpace();
+ (void) mac_util::GetSystemColorSpace();
+
+ // CGColorSpaceCreateSystemDefaultCMYK - 10.6
+ scoped_cftyperef<CGColorSpaceRef> cmyk_colorspace(
+ CGColorSpaceCreateWithName(kCGColorSpaceGenericCMYK));
+ }
+
+ { // [-NSColor colorUsingColorSpaceName] - 10.5.6
+ NSColor* color = [NSColor controlTextColor];
+ [color colorUsingColorSpaceName:NSCalibratedRGBColorSpace];
+ }
+
+ { // localtime() - 10.5.6
+ time_t tv = {0};
+ localtime(&tv);
+ }
+
+ { // Gestalt() tries to read /System/Library/CoreServices/SystemVersion.plist
+ // on 10.5.6
+ int32 tmp;
+ base::SysInfo::OperatingSystemVersionNumbers(&tmp, &tmp, &tmp);
+ }
+
+ { // CGImageSourceGetStatus() - 10.6
+ // Create a png with just enough data to get everything warmed up...
+ char png_header[] = {0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A};
+ NSData* data = [NSData dataWithBytes:png_header
+ length:arraysize(png_header)];
+ scoped_cftyperef<CGImageSourceRef> img(
+ CGImageSourceCreateWithData((CFDataRef)data,
+ NULL));
+ CGImageSourceGetStatus(img);
+ }
+}
+
+// Turns on the OS X sandbox for this process.
+bool EnableSandbox() {
+ // For the renderer, we give it a custom sandbox to lock things down as
+ // tightly as possible, while still enabling drawing.
+ NSString* sandbox_profile_path =
+ [mac_util::MainAppBundle() pathForResource:@"renderer" ofType:@"sb"];
+ NSString* sandbox_data = [NSString
+ stringWithContentsOfFile:sandbox_profile_path
+ encoding:NSUTF8StringEncoding
+ error:nil];
+
+ if (!sandbox_data) {
+ LOG(ERROR) << "Failed to find the sandbox profile on disk";
+ return false;
+ }
+
+ // Enable verbose logging if enabled on the command line.
+ // (see renderer.sb for details).
+ const CommandLine *command_line = CommandLine::ForCurrentProcess();
+ if (command_line->HasSwitch(switches::kEnableSandboxLogging)) {
+ sandbox_data = [sandbox_data
+ stringByReplacingOccurrencesOfString:@";ENABLE_LOGGING"
+ withString:@""];
+ }
+
+ int32 major_version, minor_version, bugfix_version;
+ base::SysInfo::OperatingSystemVersionNumbers(&major_version,
+ &minor_version, &bugfix_version);
+
+ if (major_version > 10 || (major_version == 10 && minor_version >= 6)) {
+ // 10.6-only Sandbox rules.
+ sandbox_data = [sandbox_data
+ stringByReplacingOccurrencesOfString:@";10.6_ONLY"
+ withString:@""];
+ // Splice the path of the user's home directory into the sandbox profile
+ // (see renderer.sb for details).
+ // This code is in the 10.6-only block because the sandbox syntax we use
+ // for this "subdir" is only supported on 10.6.
+ // If we ever need this on pre-10.6 OSs then we'll have to rethink the
+ // surrounding sandbox syntax.
+ string16 home_dir = base::SysNSStringToUTF16(NSHomeDirectory());
+ std::string home_dir_escaped;
+ string_escape::JsonDoubleQuote(home_dir, false, &home_dir_escaped);
+ NSString* home_dir_escaped_ns = base::SysUTF8ToNSString(home_dir_escaped);
+ sandbox_data = [sandbox_data
+ stringByReplacingOccurrencesOfString:@"USER_HOMEDIR"
+ withString:home_dir_escaped_ns];
+ }
+
+ char* error_buff = NULL;
+ int error = sandbox_init([sandbox_data UTF8String], 0, &error_buff);
+ bool success = (error == 0 && error_buff == NULL);
+ if (error == -1) {
+ LOG(ERROR) << "Failed to Initialize Sandbox: " << error_buff;
+ }
+ sandbox_free_error(error_buff);
+ return success;
+}
+
+} // namespace sandbox
diff --git a/chrome/renderer/renderer.sb b/chrome/renderer/renderer.sb
index 42ca75d..e9f6094 100644
--- a/chrome/renderer/renderer.sb
+++ b/chrome/renderer/renderer.sb
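Review bot: `string_escape::JsonDoubleQuote` is used to escape the home directory before it is spliced into the profile's `(subpath "USER_HOMEDIR/Library/Fonts")` string, but JSON escaping is not the sandbox profile language's string syntax, so a home path containing characters the JSON escaper rewrites (presumably non-ASCII, which would become `\uXXXX` sequences) may end up as a rule that matches nothing or as a profile that `sandbox_init` rejects. Neither outcome loosens the sandbox, since a rejected profile makes `EnableSandbox` return false, but the failure is only logged when `error == -1` even though `success` is also false when `error_buff` is set with `error == 0`. I would log on any non-success, `if (!success) LOG(ERROR) << "Failed to Initialize Sandbox: " << (error_buff ? error_buff : "(no message)");`, put a comment above the `JsonDoubleQuote` call stating which escape forms the profile parser is expected to accept, and add a test that enables the sandbox with a non-ASCII home directory so the font rule is known to both compile and match. Whether callers treat a false return as fatal is decided outside this hunk.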
@@ -5,6 +5,8 @@
 ;;
 (version 1)
 (deny default)
+; Support for programmatically enabling verbose debugging.
+;ENABLE_LOGGING (debug deny)
 ; Allow sending signals to self - http://crbug.com/20370
 (allow signal (target self))
@@ -14,7 +16,7 @@
 ; Each line is marked with the System version that needs it.
 ; This profile is tested with the following system versions:
-; 10.5.6, 10.6 seed release
+; 10.5.6, 10.6
 ; Allow following symlinks
 (allow file-read-metadata) ; 10.5.6
@@ -26,12 +28,12 @@
 ; Needed for Fonts.
 (allow file-read-data (regex #"^/System/Library/Fonts")) ; 10.5.6
-(allow file-read-data (regex #"^/Library/Fonts")) ; 10.6 seed release
+;10.6_ONLY (allow file-read-data (regex #"^/Library/Fonts")) ; 10.6
 (allow mach-lookup (global-name "com.apple.FontObjectsServer")) ; 10.5.6
-(allow mach-lookup (global-name "com.apple.FontServer")) ; 10.6 seed release
+;10.6_ONLY (allow mach-lookup (global-name "com.apple.FontServer")) ; 10.6
 ; USER_HOMEDIR is substitued at runtime - http://crbug.com/11269
-(allow file-read-data (regex #"^USER_HOMEDIR/Library/Fonts")) ; 10.6 seed release
+;10.6_ONLY (allow file-read-data (subpath "USER_HOMEDIR/Library/Fonts")) ; 10.6
 ; Needed for IPC on 10.6
-(allow ipc-posix-shm)
+;10.6_ONLY (allow ipc-posix-shm)
diff --git a/chrome/renderer/renderer_main_platform_delegate_mac.mm b/chrome/renderer/renderer_main_platform_delegate_mac.mm
index 247c261..4a5475e 100644
--- a/chrome/renderer/renderer_main_platform_delegate_mac.mm
+++ b/chrome/renderer/renderer_main_platform_delegate_mac.mm
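Review bot: The `;ENABLE_LOGGING` prefix added here is a runtime substitution token rather than a comment, but nothing in the profile says so; a reader who tidies it (for instance by inserting a space after the `;`) would silently disable the feature, and the same applies to the `;10.6_ONLY` prefixes added further down. I would add next to the new line `; Lines prefixed ";ENABLE_LOGGING" or ";10.6_ONLY" are enabled at runtime by` / `; chrome/common/sandbox_mac.mm, which strips the prefix; the prefix text must` / `; match that file exactly.` It is also worth stating that a mismatched prefix fails closed (the rule simply stays commented out), so a missing rule is read as a functional regression rather than a sandbox hole.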
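Review bot: `;10.6_ONLY (allow ipc-posix-shm)` grants the renderer access to every POSIX shared-memory object, not only the segments Chromium's IPC creates, which is a wide exception under `(deny default)` for a process that renders untrusted content. If the 10.6 profile language accepts a name filter on this operation (I have not verified that it does), restricting the rule to the names the browser actually creates would be the least-privilege form; if it does not, the comment should record that, e.g. `; Needed for IPC on 10.6; unrestricted because the profile language offers no name filter for this operation (re-check when the syntax changes)`. The font rules in the same hunk are correctly narrowed, and switching the home-directory rule from `regex` to `subpath` also removes the risk of regex metacharacters in the substituted path being interpreted.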
@@ -4,20 +4,9 @@
 #include "chrome/renderer/renderer_main_platform_delegate.h"
-#include "base/debug_util.h"
-
-#import <Foundation/Foundation.h>
-#import <ApplicationServices/ApplicationServices.h>
 #import <Cocoa/Cocoa.h>
-extern "C" {
-#include <sandbox.h>
-}
-#include "base/mac_util.h"
-#include "base/scoped_cftyperef.h"
-#include "base/scoped_nsautorelease_pool.h"
-#include "base/sys_info.h"
-#include "chrome/common/chrome_switches.h"
+#include "chrome/common/sandbox_mac.h"
 #include "third_party/WebKit/WebKit/mac/WebCoreSupport/WebSystemInterface.h"
 RendererMainPlatformDelegate::RendererMainPlatformDelegate(
@@ -28,65 +17,6 @@ RendererMainPlatformDelegate::RendererMainPlatformDelegate(
 RendererMainPlatformDelegate::~RendererMainPlatformDelegate() {
 }
-// Warmup System APIs that empirically need to be accessed before the Sandbox
-// is turned on.
-// This method is layed out in blocks, each one containing a separate function
-// that needs to be warmed up. The OS version on which we found the need to
-// enable the function is also noted.
-// This function is tested on the following OS versions:
-// 10.5.6, 10.6 seed release
-void SandboxWarmup() {
- base::ScopedNSAutoreleasePool scoped_pool;
-
- { // CGColorSpaceCreateWithName(), CGBitmapContextCreate() - 10.5.6
- scoped_cftyperef<CGColorSpaceRef> rgb_colorspace(
- CGColorSpaceCreateWithName(kCGColorSpaceGenericRGB));
-
- // Allocate a 1x1 image.
- char data[4];
- scoped_cftyperef<CGContextRef> context(
- CGBitmapContextCreate(data, 1, 1, 8, 1 * 4,
- rgb_colorspace,
- kCGImageAlphaPremultipliedFirst |
- kCGBitmapByteOrder32Host));
-
- // Load in the color profiles we'll need (as a side effect).
- (void) mac_util::GetSRGBColorSpace();
- (void) mac_util::GetSystemColorSpace();
-
- // CGColorSpaceCreateSystemDefaultCMYK - 10.6
- scoped_cftyperef<CGColorSpaceRef> cmyk_colorspace(
- CGColorSpaceCreateWithName(kCGColorSpaceGenericCMYK));
- }
-
- { // [-NSColor colorUsingColorSpaceName] - 10.5.6
- NSColor* color = [NSColor controlTextColor];
- [color colorUsingColorSpaceName:NSCalibratedRGBColorSpace];
- }
-
- { // localtime() - 10.5.6
- time_t tv = {0};
- localtime(&tv);
- }
-
- { // Gestalt() tries to read /System/Library/CoreServices/SystemVersion.plist
- // on 10.5.6
- int32 tmp;
- base::SysInfo::OperatingSystemVersionNumbers(&tmp, &tmp, &tmp);
- }
-
- { // CGImageSourceGetStatus() - 10.6 seed release.
- // Create a png with just enough data to get everything warmed up...
- char png_header[] = {0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A};
- NSData* data = [NSData dataWithBytes:png_header
- length:arraysize(png_header)];
- scoped_cftyperef<CGImageSourceRef> img(
- CGImageSourceCreateWithData((CFDataRef)data,
- NULL));
- CGImageSourceGetStatus(img);
- }
-}
-
 // TODO(mac-port): Any code needed to initialize a process for
 // purposes of running a renderer needs to also be reflected in
 // chrome_dll_main.cc for --single-process support.
@@ -95,7 +25,7 @@ void RendererMainPlatformDelegate::PlatformInitialize() {
 InitWebCoreSystemInterface();
 // Warmup APIs before turning on the Sandbox.
- SandboxWarmup();
+ sandbox::SandboxWarmup();
 if (![NSThread isMultiThreaded]) {
 NSString* string = @"";
@@ -117,34 +47,7 @@ bool RendererMainPlatformDelegate::InitSandboxTests(bool no_sandbox) {
 }
 bool RendererMainPlatformDelegate::EnableSandbox() {
- // For the renderer, we give it a custom sandbox to lock things down as
- // tightly as possible, while still enabling drawing.
- NSString* sandbox_profile_path =
- [mac_util::MainAppBundle() pathForResource:@"renderer" ofType:@"sb"];
- NSString* sandbox_data = [NSString
- stringWithContentsOfFile:sandbox_profile_path
- encoding:NSUTF8StringEncoding
- error:nil];
-
- if (!sandbox_data) {
- LOG(ERROR) << "Failed to find the sandbox profile on disk";
- return false;
- }
-
- // Splice the path of the user's home directory into the sandbox profile
- // (see renderer.sb for details).
- sandbox_data = [sandbox_data
- stringByReplacingOccurrencesOfString:@"USER_HOMEDIR"
- withString:NSHomeDirectory()];
-
- char* error_buff = NULL;
- int error = sandbox_init([sandbox_data UTF8String], 0, &error_buff);
- bool success = (error == 0 && error_buff == NULL);
- if (error == -1) {
- LOG(ERROR) << "Failed to Initialize Sandbox: " << error_buff;
- }
- sandbox_free_error(error_buff);
- return success;
+ return sandbox::EnableSandbox();
 }
 void RendererMainPlatformDelegate::RunSandboxTests() { |