Fuchsia: Allow individual files to be cloned by launch_fuchsia.cc

The ability to propagate files affords the sandboxing policy logic
more precision in propagating the exact capabilities needed by
child processes.

Also some minor cleanup which changes the LaunchOptions interface to
use FilePaths instead of strings for representing paths.


Bug: 750938

Change-Id: I38059c39f629bc9234e4f94c0b215a39828f3665
Reviewed-on: https://chromium-review.googlesource.com/1050494
Commit-Queue: Kevin Marshall <kmarshall@chromium.org>
Reviewed-by: Sergey Ulanov <sergeyu@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558186}

base/process/launch.h

@@ -207,7 +207,7 @@ struct BASE_EXPORT LaunchOptions {
   // case child process is compromised.
   // Cannot be combined with the clone flag LP_CLONE_FDIO_NAMESPACE, which is
   // equivalent to cloning every path.
-  std::vector<std::string> paths_to_map;
+  std::vector<FilePath> paths_to_map;
 #endif  // defined(OS_FUCHSIA)
 
 #if defined(OS_POSIX) && !defined(OS_FUCHSIA)

base/process/launch_fuchsia.cc

@@ -62,7 +62,7 @@ bool GetAppOutputInternal(const CommandLine& cmd_line,
   return process.WaitForExit(exit_code);
 }
 
-bool MapPathsToLaunchpad(const std::vector<std::string> paths_to_map,
+bool MapPathsToLaunchpad(const std::vector<FilePath>& paths_to_map,
                          launchpad_t* lp) {
   zx_status_t status;
 
@@ -72,17 +72,14 @@ bool MapPathsToLaunchpad(const std::vector<std::string> paths_to_map,
   paths_c_str.reserve(paths_to_map.size());
 
   for (size_t paths_idx = 0; paths_idx < paths_to_map.size(); ++paths_idx) {
-    const std::string& next_path_str = paths_to_map[paths_idx];
-
-    base::FilePath next_path(next_path_str);
-    if (!DirectoryExists(next_path)) {
-      DLOG(ERROR) << "Directory does not exist: " << next_path;
+    const FilePath& next_path = paths_to_map[paths_idx];
+    if (!PathExists(next_path)) {
+      DLOG(ERROR) << "Path does not exist: " << next_path;
       return false;
     }
 
-    // Get a Zircon handle to the directory |next_path|.
-    base::File dir(next_path, base::File::FLAG_OPEN | base::File::FLAG_READ);
-    base::ScopedPlatformFile scoped_fd(dir.TakePlatformFile());
+    File dir(next_path, File::FLAG_OPEN | File::FLAG_READ);
+    ScopedPlatformFile scoped_fd(dir.TakePlatformFile());
     zx_handle_t handles[FDIO_MAX_HANDLES] = {};
     uint32_t types[FDIO_MAX_HANDLES] = {};
     zx_status_t num_handles =
@@ -111,14 +108,14 @@ bool MapPathsToLaunchpad(const std::vector<std::string> paths_to_map,
     // Add the handle to the child's nametable.
     // We use the macro PA_HND(..., <index>) to relate the handle to its
     // position in the nametable, which is stored as an array of path strings
-    // |paths_c_str|.
+    // |paths_str|.
     status = launchpad_add_handle(lp, scoped_handle.release(),
                                   PA_HND(PA_NS_DIR, paths_idx));
     if (status != ZX_OK) {
       ZX_LOG(ERROR, status) << "launchpad_add_handle";
       return false;
     }
-    paths_c_str.push_back(next_path_str.c_str());
+    paths_c_str.push_back(next_path.value().c_str());
   }
 
   if (!paths_c_str.empty()) {
@@ -139,8 +136,7 @@ struct LaunchpadScopedTraits {
   static void Free(launchpad_t* lp) { launchpad_destroy(lp); }
 };
 
-using ScopedLaunchpad =
-    base::ScopedGeneric<launchpad_t*, LaunchpadScopedTraits>;
+using ScopedLaunchpad = ScopedGeneric<launchpad_t*, LaunchpadScopedTraits>;
 
 }  // namespace
 
@@ -197,7 +193,7 @@ Process LaunchProcess(const std::vector<std::string>& argv,
     environ_modifications["PWD"] = options.current_directory.value();
   } else {
     FilePath cwd;
-    base::GetCurrentDirectory(&cwd);
+    GetCurrentDirectory(&cwd);
     environ_modifications["PWD"] = cwd.value();
   }
 

base/process/process_util_unittest.cc

@@ -247,7 +247,7 @@ TEST_F(ProcessUtilTest, SelectivelyClonedDir) {
   remove(signal_file.c_str());
 
   LaunchOptions options;
-  options.paths_to_map.push_back("/tmp");
+  options.paths_to_map.push_back(base::FilePath("/tmp"));
   options.clone_flags = LP_CLONE_FDIO_STDIO;
 
   Process process(SpawnChildWithOptions("CheckTmpFileExists", options));
@@ -269,8 +269,8 @@ TEST_F(ProcessUtilTest, CloneAlternateDir) {
   remove(signal_file.c_str());
 
   LaunchOptions options;
-  options.paths_to_map.push_back("/tmp");
-  options.paths_to_map.push_back("/data");
+  options.paths_to_map.push_back(base::FilePath("/tmp"));
+  options.paths_to_map.push_back(base::FilePath("/data"));
   options.clone_flags = LP_CLONE_FDIO_STDIO;
 
   Process process(SpawnChildWithOptions("CheckTmpFileExists", options));

content/common/sandbox_policy_fuchsia.cc

@@ -27,10 +27,10 @@ void UpdateLaunchOptionsForSandbox(service_manager::SandboxType type,
   if (type != service_manager::SANDBOX_TYPE_NO_SANDBOX) {
     // Map /pkg (read-only files deployed from the package) and /tmp into the
     // child's namespace.
-    options->paths_to_map.push_back(base::GetPackageRoot().AsUTF8Unsafe());
+    options->paths_to_map.push_back(base::GetPackageRoot());
     base::FilePath temp_dir;
     base::GetTempDir(&temp_dir);
-    options->paths_to_map.push_back(temp_dir.AsUTF8Unsafe());
+    options->paths_to_map.push_back(temp_dir);
 
     // Clear environmental variables to better isolate the child from
     // this process.