macOS V2 Sandbox: Report correct sandbox profile for nacl-loader.

The nacl loader process, used only on macOS, currently tries to load an invalid profile type under the V2 sandbox. This loads the correct type. This also adds necessary IOKit resource access to the nacl sandbox profile. Bug: 892554 Tbr: dschuff@chromium.org Change-Id: Ib35c67684bfda9ef052ea62576f8277a97caefd8 Reviewed-on: https://chromium-review.googlesource.com/c/1292606 Commit-Queue: Greg Kerr <kerrnel@chromium.org> Reviewed-by: Derek Schuff <dschuff@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#601332}

macOS V2 Sandbox: Report correct sandbox profile for nacl-loader.
The nacl loader process, used only on macOS, currently tries to load an invalid profile type under the V2 sandbox. This loads the correct type. This also adds necessary IOKit resource access to the nacl sandbox profile. Bug: 892554 Tbr: dschuff@chromium.org Change-Id: Ib35c67684bfda9ef052ea62576f8277a97caefd8 Reviewed-on: https://chromium-review.googlesource.com/c/1292606 Commit-Queue: Greg Kerr <kerrnel@chromium.org> Reviewed-by: Derek Schuff <dschuff@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#601332}
9789adec · Greg Kerr · Commit Bot · 2152980a · 9789adec · 9789adec
Commit 9789adec authored Oct 19, 2018 by Greg Kerr Committed by Commit Bot Oct 19, 2018
7 changed files
--- a/components/nacl/loader/DEPS
+++ b/components/nacl/loader/DEPS
@@ -9,6 +9,7 @@ include_rules = [
  "+sandbox/linux/services",
  "+sandbox/linux/suid",
  "+sandbox/linux/system_headers",
+  "+sandbox/mac",
  "+sandbox/sandbox_buildflags.h",
  "+sandbox/win/src",
  "+services/service_manager/sandbox",

--- a/components/nacl/loader/nacl_main_platform_delegate_mac.mm
+++ b/components/nacl/loader/nacl_main_platform_delegate_mac.mm
@@ -6,13 +6,22 @@
 #import <Cocoa/Cocoa.h>
+#include "base/command_line.h"
 #include "base/logging.h"
 #include "components/nacl/common/nacl_switches.h"
 #include "content/public/common/sandbox_init.h"
+#include "sandbox/mac/seatbelt.h"
+#include "sandbox/mac/seatbelt_exec.h"
 #include "services/service_manager/sandbox/sandbox_type.h"
 void NaClMainPlatformDelegate::EnableSandbox(
    const content::MainFunctionParams& parameters) {
-  CHECK(content::InitializeSandbox(service_manager::SANDBOX_TYPE_NACL_LOADER))
+  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
-      << "Error initializing sandbox for " << switches::kNaClLoaderProcess;
+          sandbox::switches::kSeatbeltClientName)) {
+    // Make sure the sandbox is actually enabled if the V2 flag is present.
+    CHECK(sandbox::Seatbelt::IsSandboxed());
+  } else {
+    CHECK(content::InitializeSandbox(service_manager::SANDBOX_TYPE_NACL_LOADER))
+        << "Error initializing sandbox for " << switches::kNaClLoaderProcess;
+  }
 }
--- a/services/service_manager/sandbox/mac/common.sb
+++ b/services/service_manager/sandbox/mac/common.sb
@@ -20,6 +20,12 @@
 (define elcap-or-later "ELCAP_OR_LATER")
 (define macos-1013 "MACOS_1013")
+; Backwards compatibility for 10.9
+(if (not (defined? 'path))
+  (define path literal))
+(if (not (defined? 'iokit-registry-entry-class))
+  (define iokit-registry-entry-class iokit-user-client-class))
 ; Consumes a subpath and appends it to the user's homedir path.
 (define (user-homedir-path subpath)
  (string-append (param homedir-as-literal) subpath))

--- a/services/service_manager/sandbox/mac/nacl_loader.sb
+++ b/services/service_manager/sandbox/mac/nacl_loader.sb
@@ -12,3 +12,10 @@
 ; Allow a Native Client application to use semaphores, specifically
 ; sem_init(), et.al.
 (allow ipc-posix-sem)
+(allow iokit-get-properties
+  (iokit-registry-entry-class "IORegisterForSystemPower"))
+(allow iokit-open
+  (iokit-user-client-class "IOSurfaceSendRight")
+  (iokit-user-client-class "RootDomainUserClient"))
--- a/services/service_manager/sandbox/sandbox_type.cc
+++ b/services/service_manager/sandbox/sandbox_type.cc
@@ -126,6 +126,11 @@ SandboxType SandboxTypeFromCommandLine(const base::CommandLine& command_line) {
  if (process_type == switches::kPpapiPluginProcess)
    return SANDBOX_TYPE_PPAPI;
+#if defined(OS_MACOSX)
+  if (process_type == switches::kNaClLoaderProcess)
+    return SANDBOX_TYPE_NACL_LOADER;
+#endif
  // This is a process which we don't know about.
  return SANDBOX_TYPE_INVALID;
 }

--- a/services/service_manager/sandbox/switches.cc
+++ b/services/service_manager/sandbox/switches.cc
@@ -107,6 +107,7 @@ const char kEnableSandboxLogging[] = "enable-sandbox-logging";
 // Flags spied upon from other layers.
 const char kGpuProcess[] = "gpu-process";
+const char kNaClLoaderProcess[] = "nacl-loader";
 const char kPpapiBrokerProcess[] = "ppapi-broker";
 const char kPpapiPluginProcess[] = "ppapi";
 const char kRendererProcess[] = "renderer";

--- a/services/service_manager/sandbox/switches.h
+++ b/services/service_manager/sandbox/switches.h
@@ -59,6 +59,7 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kEnableSandboxLogging[];
 // Flags spied upon from other layers.
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kGpuProcess[];
+SERVICE_MANAGER_SANDBOX_EXPORT extern const char kNaClLoaderProcess[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPpapiBrokerProcess[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPpapiPluginProcess[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kRendererProcess[];