Define a bootstrap sandbox policy for renderer processes and enable it.

BUG=367863
R=avi@chromium.org, mark@chromium.org

Review URL: https://codereview.chromium.org/341073005

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@278831 0039d316-1c4b-4281-b951-d872f2087c98

content/browser/bootstrap_sandbox_mac.cc

@@ -8,9 +8,16 @@
 #include "base/mac/mac_util.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
+#include "content/browser/mach_broker_mac.h"
 #include "content/common/sandbox_init_mac.h"
 #include "content/public/browser/browser_child_process_observer.h"
 #include "content/public/browser/child_process_data.h"
+#include "content/public/browser/notification_details.h"
+#include "content/public/browser/notification_observer.h"
+#include "content/public/browser/notification_registrar.h"
+#include "content/public/browser/notification_service.h"
+#include "content/public/browser/notification_types.h"
+#include "content/public/browser/render_process_host.h"
 #include "content/public/common/sandbox_type_mac.h"
 #include "sandbox/mac/bootstrap_sandbox.h"
 
@@ -20,7 +27,8 @@ namespace {
 
 // This class is responsible for creating the BootstrapSandbox global
 // singleton, as well as registering all associated policies with it.
-class BootstrapSandboxPolicy : public BrowserChildProcessObserver {
+class BootstrapSandboxPolicy : public BrowserChildProcessObserver,
+                               public NotificationObserver {
  public:
   static BootstrapSandboxPolicy* GetInstance();
 
@@ -34,12 +42,22 @@ class BootstrapSandboxPolicy : public BrowserChildProcessObserver {
   virtual void BrowserChildProcessCrashed(
       const ChildProcessData& data) OVERRIDE;
 
+  // NotificationObserver:
+  virtual void Observe(int type,
+                       const NotificationSource& source,
+                       const NotificationDetails& details) OVERRIDE;
+
  private:
   friend struct DefaultSingletonTraits<BootstrapSandboxPolicy>;
   BootstrapSandboxPolicy();
   virtual ~BootstrapSandboxPolicy();
 
   void RegisterSandboxPolicies();
+  void RegisterRendererPolicy();
+
+  void AddBaselinePolicy(sandbox::BootstrapSandboxPolicy* policy);
+
+  NotificationRegistrar notification_registrar_;
 
   scoped_ptr<sandbox::BootstrapSandbox> sandbox_;
 };
@@ -58,10 +76,26 @@ void BootstrapSandboxPolicy::BrowserChildProcessCrashed(
   sandbox()->ChildDied(data.handle);
 }
 
+void BootstrapSandboxPolicy::Observe(int type,
+                                     const NotificationSource& source,
+                                     const NotificationDetails& details) {
+  switch (type) {
+    case NOTIFICATION_RENDERER_PROCESS_CLOSED:
+      sandbox()->ChildDied(
+          Details<RenderProcessHost::RendererClosedDetails>(details)->handle);
+      break;
+    default:
+      NOTREACHED() << "Unexpected notification " << type;
+      break;
+  }
+}
+
 BootstrapSandboxPolicy::BootstrapSandboxPolicy()
     : sandbox_(sandbox::BootstrapSandbox::Create()) {
   CHECK(sandbox_.get());
   BrowserChildProcessObserver::Add(this);
+  notification_registrar_.Add(this, NOTIFICATION_RENDERER_PROCESS_CLOSED,
+      NotificationService::AllBrowserContextsAndSources());
   RegisterSandboxPolicies();
 }
 
@@ -70,13 +104,42 @@ BootstrapSandboxPolicy::~BootstrapSandboxPolicy() {
 }
 
 void BootstrapSandboxPolicy::RegisterSandboxPolicies() {
+  RegisterRendererPolicy();
+}
+
+void BootstrapSandboxPolicy::RegisterRendererPolicy() {
+  sandbox::BootstrapSandboxPolicy policy;
+  AddBaselinePolicy(&policy);
+
+  // Permit font queries.
+  policy.rules["com.apple.FontServer"] = sandbox::Rule(sandbox::POLICY_ALLOW);
+  policy.rules["com.apple.FontObjectsServer"] =
+      sandbox::Rule(sandbox::POLICY_ALLOW);
+
+  // Allow access to the windowserver. This is needed to get the colorspace
+  // during sandbox warmup. Since NSColorSpace conforms to NSCoding, this
+  // should be plumbed over IPC instead <http://crbug.com/265709>.
+  policy.rules["com.apple.windowserver.active"] =
+      sandbox::Rule(sandbox::POLICY_ALLOW);
+
+  sandbox_->RegisterSandboxPolicy(SANDBOX_TYPE_RENDERER, policy);
+}
+
+void BootstrapSandboxPolicy::AddBaselinePolicy(
+    sandbox::BootstrapSandboxPolicy* policy) {
+  auto& rules = policy->rules;
+
+  // Allow the child to send its task port to the MachBroker.
+  rules[MachBroker::GetMachPortName()] = sandbox::Rule(sandbox::POLICY_ALLOW);
+
+  // Allow logging to the syslog.
+  rules["com.apple.system.logger"] = sandbox::Rule(sandbox::POLICY_ALLOW);
 }
 
 }  // namespace
 
 bool ShouldEnableBootstrapSandbox() {
-  return base::mac::IsOSMountainLionOrEarlier() ||
-         base::mac::IsOSMavericks();
+  return base::mac::IsOSMavericksOrEarlier();
 }
 
 sandbox::BootstrapSandbox* GetBootstrapSandbox() {

content/browser/mach_broker_mac.h

@@ -44,6 +44,10 @@ class CONTENT_EXPORT MachBroker : public base::ProcessMetrics::PortProvider,
   // and false if otherwise.
   static bool ChildSendTaskPortToParent();
 
+  // Returns the Mach port name to use when sending or receiving messages.
+  // Does the Right Thing in the browser and in child processes.
+  static std::string GetMachPortName();
+
   // Returns the global MachBroker.
   static MachBroker* GetInstance();
 
@@ -93,9 +97,6 @@ class CONTENT_EXPORT MachBroker : public base::ProcessMetrics::PortProvider,
   // Removes all mappings belonging to |pid| from the broker.
   void InvalidatePid(base::ProcessHandle pid);
 
-  // Returns the Mach port name to use when sending or receiving messages.
-  // Does the Right Thing in the browser and in child processes.
-  static std::string GetMachPortName();
   // Callback used to register notifications on the UI thread.
   void RegisterNotifications();
 

content/browser/mach_broker_mac.mm

@@ -132,6 +132,7 @@ class MachListenerThreadDelegate : public base::PlatformThread::Delegate {
   DISALLOW_COPY_AND_ASSIGN(MachListenerThreadDelegate);
 };
 
+// static
 bool MachBroker::ChildSendTaskPortToParent() {
   // Look up the named MachBroker port that's been registered with the
   // bootstrap server.
@@ -167,6 +168,17 @@ bool MachBroker::ChildSendTaskPortToParent() {
   return true;
 }
 
+// static
+std::string MachBroker::GetMachPortName() {
+  const CommandLine* command_line = CommandLine::ForCurrentProcess();
+  const bool is_child = command_line->HasSwitch(switches::kProcessType);
+
+  // In non-browser (child) processes, use the parent's pid.
+  const pid_t pid = is_child ? getppid() : getpid();
+  return base::StringPrintf("%s.rohitfork.%d", base::mac::BaseBundleID(), pid);
+}
+
+// static
 MachBroker* MachBroker::GetInstance() {
   return Singleton<MachBroker, LeakySingletonTraits<MachBroker> >::get();
 }
@@ -274,16 +286,6 @@ void MachBroker::InvalidatePid(base::ProcessHandle pid) {
   mach_map_.erase(it);
 }
 
-// static
-std::string MachBroker::GetMachPortName() {
-  const CommandLine* command_line = CommandLine::ForCurrentProcess();
-  const bool is_child = command_line->HasSwitch(switches::kProcessType);
-
-  // In non-browser (child) processes, use the parent's pid.
-  const pid_t pid = is_child ? getppid() : getpid();
-  return base::StringPrintf("%s.rohitfork.%d", base::mac::BaseBundleID(), pid);
-}
-
 void MachBroker::RegisterNotifications() {
   registrar_.Add(this, NOTIFICATION_RENDERER_PROCESS_CLOSED,
                  NotificationService::AllBrowserContextsAndSources());

content/browser/renderer_host/render_process_host_impl.cc

@@ -170,6 +170,10 @@
 #include "ui/gfx/win/dpi.h"
 #endif
 
+#if defined(OS_MACOSX)
+#include "content/public/common/sandbox_type_mac.h"
+#endif
+
 #if defined(ENABLE_WEBRTC)
 #include "content/browser/media/webrtc_internals.h"
 #include "content/browser/renderer_host/media/media_stream_track_metrics_host.h"
@@ -329,6 +333,11 @@ class RendererSandboxedProcessLauncherDelegate
   virtual int GetIpcFd() OVERRIDE {
     return ipc_fd_;
   }
+#if defined(OS_MACOSX)
+  virtual SandboxType GetSandboxType() OVERRIDE {
+    return SANDBOX_TYPE_RENDERER;
+  }
+#endif
 #endif  // OS_WIN
 
  private: