Network Service:Make network service process a privileged process

On Android, regular utility process is sandboxed, and won't be able to access network. This CL parses the sandbox type from the commandline, and make the process a privileged process if the sandbox type is network. BUG=715630 Change-Id: I5ed3edcf45de13aba838f7bbf3e0faf5e39568fb Reviewed-on: https://chromium-review.googlesource.com/807152Reviewed-by: Matt Menke <mmenke@chromium.org> Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Min Qin <qinmin@chromium.org> Cr-Commit-Position: refs/heads/master@{#521781}

Network Service:Make network service process a privileged process
On Android, regular utility process is sandboxed, and won't be able to access network. This CL parses the sandbox type from the commandline, and make the process a privileged process if the sandbox type is network. BUG=715630 Change-Id: I5ed3edcf45de13aba838f7bbf3e0faf5e39568fb Reviewed-on: https://chromium-review.googlesource.com/807152Reviewed-by: Matt Menke <mmenke@chromium.org> Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Min Qin <qinmin@chromium.org> Cr-Commit-Position: refs/heads/master@{#521781}
2508f44b · Min Qin · Commit Bot · d12dba3c · 2508f44b · 2508f44b
Commit 2508f44b authored Dec 05, 2017 by Min Qin Committed by Commit Bot Dec 05, 2017
4 changed files
--- a/content/public/android/java/src/org/chromium/content/browser/ChildProcessLauncherHelper.java
+++ b/content/public/android/java/src/org/chromium/content/browser/ChildProcessLauncherHelper.java
@@ -192,6 +192,12 @@ public class ChildProcessLauncherHelper {
            } else {
                // We only support sandboxed utility processes now.
                assert ContentSwitches.SWITCH_UTILITY_PROCESS.equals(processType);
+
+                // Remove sandbox restriction on network service process.
+                if (ContentSwitches.NETWORK_SANDBOX_TYPE.equals(ContentSwitches.getSwitchValue(
+                            commandLine, ContentSwitches.SWITCH_SERVICE_SANDBOX_TYPE))) {
+                    sandboxed = false;
+                }
            }
        }


--- a/content/public/android/java/src/org/chromium/content/common/ContentSwitches.java
+++ b/content/public/android/java/src/org/chromium/content/common/ContentSwitches.java
@@ -71,6 +71,12 @@ public abstract class ContentSwitches {
    // Native switch kHostResolverRules
    public static final String HOST_RESOLVER_RULES = "host-resolver-rules";

+    // Native switch kServiceSandboxType
+    public static final String SWITCH_SERVICE_SANDBOX_TYPE = "service-sandbox-type";
+
+    // Native switch value kNetworkSandbox
+    public static final String NETWORK_SANDBOX_TYPE = "network";
+
    // Prevent instantiation.
    private ContentSwitches() {}


--- a/net/android/java/src/org/chromium/net/X509Util.java
+++ b/net/android/java/src/org/chromium/net/X509Util.java
@@ -17,6 +17,7 @@ import android.util.Pair;

 import org.chromium.base.ContextUtils;
 import org.chromium.base.annotations.JNINamespace;
+import org.chromium.base.metrics.RecordHistogram;

 import java.io.ByteArrayInputStream;
 import java.io.File;
@@ -243,8 +244,12 @@ public class X509Util {
                // Could not load AndroidCAStore. Continue anyway; isKnownRoot will always
                // return false.
            }
-            if (!sDisableNativeCodeForTest) {
-                nativeRecordCertVerifyCapabilitiesHistogram(sSystemKeyStore != null);
+            if (!sDisableNativeCodeForTest
+                    && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
+                // Only record the histogram for 4.2 and up. Before 4.2, the platform doesn't
+                // return the certificate chain anyway.
+                RecordHistogram.recordBooleanHistogram(
+                        "Net.FoundSystemTrustRootsAndroid", sSystemKeyStore != null);
            }
            sLoadedSystemKeyStore = true;
        }
@@ -561,11 +566,4 @@ public class X509Util {
     * Notify the native net::CertDatabase instance that the system database has been updated.
     */
    private static native void nativeNotifyKeyChainChanged();
-
-    /**
-     * Record histograms on the platform's certificate verification capabilities.
-     */
-    private static native void nativeRecordCertVerifyCapabilitiesHistogram(
-            boolean foundSystemTrustRoots);
-
 }
--- a/net/cert/x509_util_android.cc
+++ b/net/cert/x509_util_android.cc
@@ -2,8 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-#include "base/android/build_info.h"
-#include "base/metrics/histogram_macros.h"
 #include "jni/X509Util_jni.h"
 #include "net/cert/cert_database.h"

@@ -16,16 +14,4 @@ void JNI_X509Util_NotifyKeyChainChanged(JNIEnv* env,
  CertDatabase::GetInstance()->OnAndroidKeyChainChanged();
 }

-void JNI_X509Util_RecordCertVerifyCapabilitiesHistogram(
-    JNIEnv* env,
-    const JavaParamRef<jclass>& clazz,
-    jboolean found_system_trust_roots) {
-  // Only record the histogram for 4.2 and up. Before 4.2, the platform doesn't
-  // return the certificate chain anyway.
-  if (base::android::BuildInfo::GetInstance()->sdk_int() >= 17) {
-    UMA_HISTOGRAM_BOOLEAN("Net.FoundSystemTrustRootsAndroid",
-                          found_system_trust_roots);
-  }
-}
-
 }  // namespace net