-rw-r--r--chrome/app/chrome_dll_main.cc11
-rw-r--r--chrome/browser/utility.sb40
-rw-r--r--chrome/browser/utility_process_host.cc9
-rw-r--r--chrome/browser/utility_process_host_unittest.cc5
-rw-r--r--chrome/browser/worker.sb35
-rwxr-xr-xchrome/chrome.gyp8
-rw-r--r--chrome/common/chrome_switches.cc4
-rw-r--r--chrome/common/chrome_switches.h1
-rw-r--r--chrome/common/sandbox_init_wrapper.cc44
-rw-r--r--chrome/common/sandbox_init_wrapper.h18
-rw-r--r--chrome/common/sandbox_init_wrapper_linux.cc14
-rw-r--r--chrome/common/sandbox_init_wrapper_mac.cc49
-rw-r--r--chrome/common/sandbox_init_wrapper_win.cc32
-rw-r--r--chrome/common/sandbox_mac.h25
-rw-r--r--chrome/common/sandbox_mac.mm46
-rw-r--r--chrome/renderer/renderer_main_platform_delegate_mac.mm10
16 files changed, 70 insertions, 281 deletions
diff --git a/chrome/app/chrome_dll_main.cc b/chrome/app/chrome_dll_main.cc
index bc9f4a3..26b493a 100644
--- a/chrome/app/chrome_dll_main.cc
+++ b/chrome/app/chrome_dll_main.cc
@@ -482,11 +482,7 @@ int ChromeMain(int argc, char** argv) {
#if defined(OS_WIN)
sandbox_wrapper.SetServices(sandbox_info);
#endif
-
- // OS X enables sandboxing later in the startup process.
-#if !defined (OS_MACOSX)
sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type);
-#endif // !OS_MACOSX
#if defined(OS_WIN)
_Module.Init(NULL, instance);
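Review bot: The call `sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type);` is now reached on OS X as well, but the removed comment was the only statement of the platform ordering and nothing replaces it; with the new sandbox_init_wrapper.cc the Mac branch only records the process type, and the renderer enables its profile later through sandbox::EnableSandbox() in renderer_main_platform_delegate_mac.mm. A one-line comment above the call would keep that visible, e.g. `// On OS X this only records process_type; the renderer enables its sandbox later in RendererMainPlatformDelegate::EnableSandbox().` The same removal in the second hunk of this file (the late Mac call after CommonSubprocessInit()) means worker and utility processes no longer get any sandbox call on OS X, which matches the deleted worker.sb/utility.sb profiles but is worth stating in the commit description. ChromeMain continues outside the hunk.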
@@ -540,13 +536,6 @@ int ChromeMain(int argc, char** argv) {
if (!process_type.empty())
CommonSubprocessInit();
-#if defined (OS_MACOSX)
- // On OS X the renderer sandbox needs to be initialized later in the startup
- // sequence in RendererMainPlatformDelegate::PlatformInitialize().
- if (process_type != switches::kRendererProcess)
- sandbox_wrapper.InitializeSandbox(parsed_command_line, process_type);
-#endif // OS_MACOSX
-
startup_timer.Stop(); // End of Startup Time Measurement.
MainFunctionParams main_params(parsed_command_line, sandbox_wrapper,
diff --git a/chrome/browser/utility.sb b/chrome/browser/utility.sb
deleted file mode 100644
index 291e677..0000000
--- a/chrome/browser/utility.sb
+++ /dev/null
@@ -1,40 +0,0 @@
-;;
-;; Copyright (c) 2009 The Chromium Authors. All rights reserved.
-;; Use of this source code is governed by a BSD-style license that can be
-;; found in the LICENSE file.
-;;
-; This is the Sandbox configuration file used for safeguarding the utility
-; process which is used for performing sandboxed operations that need to touch
-; the filesystem like decoding theme images and unpacking extensions.
-;
-; This configuration locks everything down, except access to one configurable
-; directory. This is different from other sandbox configuration files where
-; file system access is entireley restricted.
-(version 1)
-(deny default)
-; Support for programmatically enabling verbose debugging.
-;ENABLE_LOGGING (debug deny)
-
-; Allow sending signals to self - http://crbug.com/20370
-(allow signal (target self))
-
-; Needed for full-page-zoomed controls - http://crbug.com/11325
-(allow sysctl-read)
-
-; Each line is marked with the System version that needs it.
-; This profile is tested with the following system versions:
-; 10.5.6, 10.6
-
-; Allow following symlinks
-(allow file-read-metadata) ; 10.5.6
-
-; Loading System Libraries.
-(allow file-read-data (regex #"^/System/Library/Frameworks")) ; 10.5.6
-(allow file-read-data (regex #"^/System/Library/PrivateFrameworks")) ; 10.5.6
-(allow file-read-data (regex #"^/System/Library/CoreServices")) ; 10.5.6
-
-; Needed for IPC on 10.6
-;10.6_ONLY (allow ipc-posix-shm)
-
-; Enable full access to given directory.
-(allow file-read* file-write* (regex #"^DIR_TO_ALLOW_ACCESS"))
diff --git a/chrome/browser/utility_process_host.cc b/chrome/browser/utility_process_host.cc
index 1ba7068..af35c36 100644
--- a/chrome/browser/utility_process_host.cc
+++ b/chrome/browser/utility_process_host.cc
@@ -67,8 +67,8 @@ FilePath UtilityProcessHost::GetUtilityProcessCmd() {
bool UtilityProcessHost::StartProcess(const FilePath& exposed_dir) {
#if defined(OS_POSIX)
- // TODO(port): We should not reach here on Linux (crbug.com/22703).
- // (crbug.com/23837) covers enabling this on Linux/OS X.
+ // TODO(port): We should not reach here on linux (crbug.com/22703) or
+ // MacOS (crbug.com/8102) until problems related to autoupdate are fixed.
NOTREACHED();
return false;
#endif
@@ -113,7 +113,7 @@ bool UtilityProcessHost::StartProcess(const FilePath& exposed_dir) {
process = sandbox::StartProcessWithAccess(&cmd_line, exposed_dir);
}
#else
- // TODO(port): Sandbox this on Linux. Also, zygote this to work with
+ // TODO(port): Sandbox this on Linux/Mac. Also, zygote this to work with
// Linux updating.
bool has_cmd_prefix = browser_command_line.HasSwitch(
switches::kUtilityCmdPrefix);
@@ -124,9 +124,6 @@ bool UtilityProcessHost::StartProcess(const FilePath& exposed_dir) {
switches::kUtilityCmdPrefix));
}
- cmd_line.AppendSwitchWithValue(switches::kUtilityProcessAllowedDir,
- exposed_dir.value().c_str());
-
// This code is duplicated with browser_render_process_host.cc and
// plugin_process_host.cc, but there's not a good place to de-duplicate it.
// Maybe we can merge this into sandbox::StartProcess which will set up
diff --git a/chrome/browser/utility_process_host_unittest.cc b/chrome/browser/utility_process_host_unittest.cc
index 9e3a73d..3be0480 100644
--- a/chrome/browser/utility_process_host_unittest.cc
+++ b/chrome/browser/utility_process_host_unittest.cc
@@ -124,8 +124,9 @@ class ProcessClosedObserver : public NotificationObserver {
bool observed_;
};
-#if !defined(OS_LINUX)
-// We should not run this on linux (crbug.com/22703).
+#if !defined(OS_POSIX)
+// We should not run this on linux (crbug.com/22703) or MacOS (crbug.com/8102)
+// until problems related to autoupdate are fixed.
TEST_F(UtilityProcessHostTest, ExtensionUnpacker) {
// Copy the test extension into a temp dir and install from the temp dir.
FilePath extension_file;
diff --git a/chrome/browser/worker.sb b/chrome/browser/worker.sb
deleted file mode 100644
index bc208c4..0000000
--- a/chrome/browser/worker.sb
+++ /dev/null
@@ -1,35 +0,0 @@
-;;
-;; Copyright (c) 2009 The Chromium Authors. All rights reserved.
-;; Use of this source code is governed by a BSD-style license that can be
-;; found in the LICENSE file.
-;;
-; This is the Sandbox configuration file used for safeguarding the worker
-; process which is used to run web workers in a sandboxed environment.
-;
-; This is the most restrictive sandbox profile and only enables just enough
-; to allow basic use of Cocoa.
-(version 1)
-(deny default)
-; Support for programmatically enabling verbose debugging.
-;ENABLE_LOGGING (debug deny)
-
-; Allow sending signals to self - http://crbug.com/20370
-(allow signal (target self))
-
-; Needed for full-page-zoomed controls - http://crbug.com/11325
-(allow sysctl-read)
-
-; Each line is marked with the System version that needs it.
-; This profile is tested with the following system versions:
-; 10.5.6, 10.6
-
-; Allow following symlinks
-(allow file-read-metadata) ; 10.5.6
-
-; Loading System Libraries.
-(allow file-read-data (regex #"^/System/Library/Frameworks")) ; 10.5.6
-(allow file-read-data (regex #"^/System/Library/PrivateFrameworks")) ; 10.5.6
-(allow file-read-data (regex #"^/System/Library/CoreServices")) ; 10.5.6
-
-; Needed for IPC on 10.6
-;10.6_ONLY (allow ipc-posix-shm)
diff --git a/chrome/chrome.gyp b/chrome/chrome.gyp
index dde6002..c81b650 100755
--- a/chrome/chrome.gyp
+++ b/chrome/chrome.gyp
@@ -673,10 +673,8 @@
'common/resource_dispatcher.cc',
'common/resource_dispatcher.h',
'common/result_codes.h',
+ 'common/sandbox_init_wrapper.cc',
'common/sandbox_init_wrapper.h',
- 'common/sandbox_init_wrapper_linux.cc',
- 'common/sandbox_init_wrapper_mac.cc',
- 'common/sandbox_init_wrapper_win.cc',
'common/sandbox_mac.h',
'common/sandbox_mac.mm',
'common/security_filter_peer.cc',
@@ -2615,10 +2613,6 @@
'$(SDKROOT)/System/Library/Frameworks/SecurityInterface.framework',
'$(SDKROOT)/System/Library/Frameworks/QuartzCore.framework',
],
- 'mac_bundle_resources': [
- 'browser/utility.sb',
- 'browser/worker.sb',
- ],
},
'actions': [
{
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 60736d2..86e9467 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -601,10 +601,6 @@ const char kUtilityCmdPrefix[] = "utility-cmd-prefix";
// Causes the process to run as a utility subprocess.
const char kUtilityProcess[] = "utility";
-// The utility process is sandboxed, with access to one directory. This flag
-// specifies the directory that can be accessed.
-const char kUtilityProcessAllowedDir[] = "utility-allowed-dir";
-
// Will add kWaitForDebugger to every child processes. If a value is passed, it
// will be used as a filter to determine if the child process should have the
// kWaitForDebugger flag passed on or not.
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 2d387cd..89ecf9f 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -169,7 +169,6 @@ extern const char kUserDataDir[];
extern const char kUserScriptsDir[];
extern const char kUtilityCmdPrefix[];
extern const char kUtilityProcess[];
-extern const char kUtilityProcessAllowedDir[];
extern const char kWaitForDebuggerChildren[];
extern const char kWebWorkerProcessPerCore[];
extern const char kWebWorkerShareProcesses[];
diff --git a/chrome/common/sandbox_init_wrapper.cc b/chrome/common/sandbox_init_wrapper.cc
new file mode 100644
index 0000000..31488f7
--- /dev/null
+++ b/chrome/common/sandbox_init_wrapper.cc
@@ -0,0 +1,44 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/sandbox_init_wrapper.h"
+
+#include "base/command_line.h"
+#include "chrome/common/chrome_switches.h"
+
+#if defined(OS_WIN)
+
+void SandboxInitWrapper::SetServices(sandbox::SandboxInterfaceInfo* info) {
+ if (info) {
+ broker_services_ = info->broker_services;
+ target_services_ = info->target_services;
+ }
+}
+
+#endif
+
+void SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
+ const std::string& process_type) {
+#if defined(OS_WIN)
+ if (!target_services_)
+ return;
+#endif
+ if (!command_line.HasSwitch(switches::kNoSandbox)) {
+ if ((process_type == switches::kRendererProcess) ||
+ (process_type == switches::kWorkerProcess) ||
+ (process_type == switches::kNaClProcess) ||
+ (process_type == switches::kUtilityProcess) ||
+ (process_type == switches::kPluginProcess &&
+ command_line.HasSwitch(switches::kSafePlugins))) {
+#if defined(OS_WIN)
+ target_services_->Init();
+#elif defined(OS_MACOSX)
+ // We just cache the process type so we can configure the sandbox
+ // correctly, see renderer_main_platform_delegate_mac.cc for one of those
+ // places.
+ process_type_ = process_type;
+#endif
+ }
+ }
+}
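Review bot: The `if (!target_services_) return;` at the top of InitializeSandbox now runs before the process type is examined, so a renderer, worker, utility or NaCl process whose target services are missing returns silently; the removed Windows file did this check inside the type branch and returned false, and with the new `void` return nothing signals the case at all. If the early return is meant to cover the browser process (presumably why it moved out of the branch), keeping a diagnostic inside the branch, e.g. `if (!target_services_) { NOTREACHED(); return; }` after the type test, would distinguish "not a sandboxed type" from "sandboxed type that failed to get target services" (NOTREACHED may need its logging header if not already reachable through the current includes). Separately, the Mac branch caches `process_type_` with a comment pointing at renderer_main_platform_delegate_mac.cc, but that file in this change calls sandbox::EnableSandbox() directly and no longer references the wrapper, so unless another consumer exists outside the diff the cache and the comment are dead.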
diff --git a/chrome/common/sandbox_init_wrapper.h b/chrome/common/sandbox_init_wrapper.h
index d1652d2..a1c2de9 100644
--- a/chrome/common/sandbox_init_wrapper.h
+++ b/chrome/common/sandbox_init_wrapper.h
@@ -33,10 +33,7 @@ class SandboxInitWrapper {
// Initialize the sandbox for renderer and plug-in processes, depending on
// the command line flags. The browser process is not sandboxed.
- // Returns true if the sandbox was initialized succesfully, false if an error
- // occurred. If process_type isn't one that needs sandboxing true is always
- // returned.
- bool InitializeSandbox(const CommandLine& parsed_command_line,
+ void InitializeSandbox(const CommandLine& parsed_command_line,
const std::string& process_type);
private:
sandbox::BrokerServices* broker_services_;
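Review bot: With the return type changed to `void`, the comment `// Initialize the sandbox for renderer and plug-in processes, depending on the command line flags.` no longer says what happens when initialization cannot proceed, and it still reads as if the method enables the sandbox on every platform, whereas the new sandbox_init_wrapper.cc only records the process type on OS X and does nothing on Linux. Suggest extending the comment with `// Windows: initializes the target process sandbox. OS X: only records process_type (see ProcessType()); the sandbox itself is enabled later. Linux: no-op. Failures are not reported to the caller.` The same comment is duplicated above the second declaration in the next hunk of this header and needs the same change.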
@@ -53,12 +50,17 @@ class SandboxInitWrapper {
// Initialize the sandbox for renderer and plug-in processes, depending on
// the command line flags. The browser process is not sandboxed.
- // Returns true if the sandbox was initialized succesfully, false if an error
- // occurred. If process_type isn't one that needs sandboxing true is always
- // returned.
- bool InitializeSandbox(const CommandLine& parsed_command_line,
+ void InitializeSandbox(const CommandLine& parsed_command_line,
const std::string& process_type);
+#if defined(OS_MACOSX)
+ // We keep the process type so we can configure the sandbox as needed.
+ public:
+ std::string ProcessType() const { return process_type_; }
+ private:
+ std::string process_type_;
+#endif
+
private:
DISALLOW_COPY_AND_ASSIGN(SandboxInitWrapper);
};
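Review bot: The `#if defined(OS_MACOSX)` block switches to `public:` and back to `private:` in the middle of what the surrounding lines mark as the private section, which makes the class's visibility hard to read; moving `ProcessType()` up beside `InitializeSandbox` under the existing public access and leaving only `process_type_` here would avoid the flip. `ProcessType()` also has no comment saying what it returns or who is expected to call it, and nothing in this change calls it (renderer_main_platform_delegate_mac.mm now uses sandbox::EnableSandbox() directly), so either name its consumer or drop it. If kept: `// Mac only: the process type recorded by InitializeSandbox(); empty when the type is not one that is sandboxed or --no-sandbox was given.` — both conditions follow from process_type_ being assigned only inside the switch/type test in sandbox_init_wrapper.cc.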
diff --git a/chrome/common/sandbox_init_wrapper_linux.cc b/chrome/common/sandbox_init_wrapper_linux.cc
deleted file mode 100644
index daf02d3..0000000
--- a/chrome/common/sandbox_init_wrapper_linux.cc
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/sandbox_init_wrapper.h"
-
-#include "base/command_line.h"
-#include "chrome/common/chrome_switches.h"
-
-bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
- const std::string& process_type) {
- // TODO(port): Does Linux need to do anything here?
- return true;
-}
diff --git a/chrome/common/sandbox_init_wrapper_mac.cc b/chrome/common/sandbox_init_wrapper_mac.cc
deleted file mode 100644
index 6ce09d3..0000000
--- a/chrome/common/sandbox_init_wrapper_mac.cc
+++ /dev/null
@@ -1,49 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/sandbox_init_wrapper.h"
-
-#include "base/command_line.h"
-#include "chrome/common/chrome_switches.h"
-#include "chrome/common/sandbox_mac.h"
-
-bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
- const std::string& process_type) {
- if (command_line.HasSwitch(switches::kNoSandbox))
- return true;
-
- sandbox::SandboxProcessType sandbox_process_type;
- FilePath allowed_dir; // Empty by default.
-
- if (process_type.empty()) {
- // Browser process isn't sandboxed.
- return true;
- } else if (process_type == switches::kRendererProcess) {
- // Renderer process sandbox.
- sandbox_process_type = sandbox::SANDBOX_TYPE_RENDERER;
- } else if (process_type == switches::kUtilityProcess) {
- // Utility process sandbox.
- sandbox_process_type = sandbox::SANDBOX_TYPE_UTILITY;
- allowed_dir = FilePath::FromWStringHack(
- command_line.GetSwitchValue(switches::kUtilityProcessAllowedDir));
- } else if (process_type == switches::kWorkerProcess) {
- // Worker process sandbox.
- sandbox_process_type = sandbox::SANDBOX_TYPE_WORKER;
- } else if ((process_type == switches::kNaClProcess) ||
- (process_type == switches::kPluginProcess) ||
- (process_type == switches::kProfileImportProcess)) {
- return true;
- } else {
- // Failsafe: If you hit an unreached here, is your new process type in need
- // of sandboxing?
- NOTREACHED();
- return true;
- }
-
- // Warm up APIs before turning on the sandbox.
- sandbox::SandboxWarmup();
-
- // Actually sandbox the process.
- return sandbox::EnableSandbox(sandbox_process_type, allowed_dir);
-}
diff --git a/chrome/common/sandbox_init_wrapper_win.cc b/chrome/common/sandbox_init_wrapper_win.cc
deleted file mode 100644
index fe5c6df..0000000
--- a/chrome/common/sandbox_init_wrapper_win.cc
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/common/sandbox_init_wrapper.h"
-
-#include "base/command_line.h"
-#include "chrome/common/chrome_switches.h"
-
-void SandboxInitWrapper::SetServices(sandbox::SandboxInterfaceInfo* info) {
- if (info) {
- broker_services_ = info->broker_services;
- target_services_ = info->target_services;
- }
-}
-
-bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
- const std::string& process_type) {
- if (command_line.HasSwitch(switches::kNoSandbox))
- return true;
- if ((process_type == switches::kRendererProcess) ||
- (process_type == switches::kWorkerProcess) ||
- (process_type == switches::kNaClProcess) ||
- (process_type == switches::kUtilityProcess) ||
- (process_type == switches::kPluginProcess &&
- command_line.HasSwitch(switches::kSafePlugins))) {
- if (!target_services_)
- return false;
- target_services_->Init();
- }
- return true;
-}
diff --git a/chrome/common/sandbox_mac.h b/chrome/common/sandbox_mac.h
index a8a55b0..c747e20 100644
--- a/chrome/common/sandbox_mac.h
+++ b/chrome/common/sandbox_mac.h
@@ -5,37 +5,14 @@
#ifndef CHROME_COMMON_SANDBOX_MAC_H_
#define CHROME_COMMON_SANDBOX_MAC_H_
-#include "base/file_path.h"
-
namespace sandbox {
-enum SandboxProcessType {
- SANDBOX_TYPE_RENDERER,
-
- // Worker process has *everything* not needed for Cocoa locked down.
- SANDBOX_TYPE_WORKER,
-
- // Utility process is as restrictive as the worker process except full access
- // is allowed to one configurable directory.
- SANDBOX_TYPE_UTILITY,
-};
-
// Warm up System APIs that empirically need to be accessed before the Sandbox
// is turned on.
void SandboxWarmup();
// Turns on the OS X sandbox for this process.
-// |sandbox_type| - type of Sandbox to use.
-// |allowed_dir| - directory to allow access to, currently the only sandbox
-// profile that supports this is SANDBOX_TYPE_UTILITY .
-//
-// |allowed_dir| must be a "simple" string since it's placed as is in a regex
-// i.e. it must not contain quotation characters, escaping or any characters
-// that might have special meaning when blindly substituted into a regular
-// expression - crbug.com/26492 .
-// Returns true on success, false if an error occurred enabling the sandbox.
-bool EnableSandbox(SandboxProcessType sandbox_type,
- const FilePath& allowed_dir);
+bool EnableSandbox();
} // namespace sandbox
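Review bot: `bool EnableSandbox();` has lost its documentation together with its parameters, and the generic name no longer says which profile is applied; the implementation in sandbox_mac.mm hard-codes `pathForResource:@"renderer" ofType:@"sb"`. Suggest replacing the one-line comment with `// Turns on the OS X sandbox for this process using the renderer profile (renderer.sb). No other process type has a profile on OS X after this change. Returns true on success, false if the sandbox could not be enabled.` — keep the return sentence only if the function's tail, which is outside the diff, still returns false on failure as the removed comment stated.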
diff --git a/chrome/common/sandbox_mac.mm b/chrome/common/sandbox_mac.mm
index 6eac34c..ae55b52 100644
--- a/chrome/common/sandbox_mac.mm
+++ b/chrome/common/sandbox_mac.mm
@@ -84,42 +84,11 @@ void SandboxWarmup() {
}
// Turns on the OS X sandbox for this process.
-bool EnableSandbox(SandboxProcessType sandbox_type,
- const FilePath& allowed_dir) {
- // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being
- // passed in.
- if (sandbox_type != SANDBOX_TYPE_UTILITY) {
- DCHECK(allowed_dir.empty())
- << "Only SANDBOX_TYPE_UTILITY allows a custom directory parameter.";
- } else {
- DCHECK(!allowed_dir.empty())
- << "SANDBOX_TYPE_UTILITY "
- << "needs a custom directory parameter, but an empty one was provided.";
- }
-
- // We use a custom sandbox definition file to lock things down as
- // tightly as possible.
- // TODO(jeremy): Look at using include syntax to unify common parts of sandbox
- // definition files.
- NSString* sandbox_config_filename = nil;
- switch (sandbox_type) {
- case SANDBOX_TYPE_RENDERER:
- sandbox_config_filename = @"renderer";
- break;
- case SANDBOX_TYPE_WORKER:
- sandbox_config_filename = @"worker";
- break;
- case SANDBOX_TYPE_UTILITY:
- sandbox_config_filename = @"utility";
- break;
- default:
- NOTREACHED();
- return false;
- }
-
+bool EnableSandbox() {
+ // For the renderer, we give it a custom sandbox to lock things down as
+ // tightly as possible, while still enabling drawing.
NSString* sandbox_profile_path =
- [mac_util::MainAppBundle() pathForResource:sandbox_config_filename
- ofType:@"sb"];
+ [mac_util::MainAppBundle() pathForResource:@"renderer" ofType:@"sb"];
NSString* sandbox_data = [NSString
stringWithContentsOfFile:sandbox_profile_path
encoding:NSUTF8StringEncoding
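Review bot: `sandbox_profile_path` is nil if renderer.sb is missing from the bundle, and `stringWithContentsOfFile:` then yields a nil `sandbox_data`; the `error:` argument and any check on it are on the lines after this hunk, so confirm EnableSandbox() returns false in that case rather than continuing with a nil profile — a missing profile must fail closed, and this change removed the DCHECKs that previously validated the inputs to this function. The new comment `// For the renderer, we give it a custom sandbox to lock things down as tightly as possible, while still enabling drawing.` describes one caller rather than the function; `// Only the renderer profile (renderer.sb) exists on OS X now; other process types are not sandboxed by this function.` would state what the code does. The body of EnableSandbox continues past the hunk.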
@@ -139,13 +108,6 @@ bool EnableSandbox(SandboxProcessType sandbox_type,
withString:@""];
}
- if (!allowed_dir.empty()) {
- NSString* allowed_dir_ns = base::SysUTF8ToNSString(allowed_dir.value());
- sandbox_data = [sandbox_data
- stringByReplacingOccurrencesOfString:@"DIR_TO_ALLOW_ACCESS"
- withString:allowed_dir_ns];
- }
-
int32 major_version, minor_version, bugfix_version;
base::SysInfo::OperatingSystemVersionNumbers(&major_version,
&minor_version, &bugfix_version);
diff --git a/chrome/renderer/renderer_main_platform_delegate_mac.mm b/chrome/renderer/renderer_main_platform_delegate_mac.mm
index 014a7d2..4a5475e 100644
--- a/chrome/renderer/renderer_main_platform_delegate_mac.mm
+++ b/chrome/renderer/renderer_main_platform_delegate_mac.mm
@@ -6,8 +6,6 @@
#import <Cocoa/Cocoa.h>
-#include "base/command_line.h"
-#include "chrome/common/chrome_switches.h"
#include "chrome/common/sandbox_mac.h"
#include "third_party/WebKit/WebKit/mac/WebCoreSupport/WebSystemInterface.h"
@@ -26,6 +24,9 @@ void RendererMainPlatformDelegate::PlatformInitialize() {
// Load WebKit system interfaces.
InitWebCoreSystemInterface();
+ // Warmup APIs before turning on the Sandbox.
+ sandbox::SandboxWarmup();
+
if (![NSThread isMultiThreaded]) {
NSString* string = @"";
[NSThread detachNewThreadSelector:@selector(length)
@@ -46,10 +47,7 @@ bool RendererMainPlatformDelegate::InitSandboxTests(bool no_sandbox) {
}
bool RendererMainPlatformDelegate::EnableSandbox() {
- CommandLine* parsed_command_line = CommandLine::ForCurrentProcess();
- SandboxInitWrapper sandbox_wrapper;
- return sandbox_wrapper.InitializeSandbox(*parsed_command_line,
- switches::kRendererProcess);
+ return sandbox::EnableSandbox();
}
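Review bot: `return sandbox::EnableSandbox();` no longer consults the command line — the removed SandboxInitWrapper path checked `switches::kNoSandbox` before enabling — so the --no-sandbox bypass now rests entirely on the caller gating on the `no_sandbox` flag it already passes to InitSandboxTests(bool no_sandbox). That caller is outside this diff; confirm it skips EnableSandbox() when no_sandbox is set, otherwise the switch is silently ignored on OS X. A short comment here would record the contract: `// Caller is responsible for honoring --no-sandbox; this always applies the renderer profile.`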
void RendererMainPlatformDelegate::RunSandboxTests() {