1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/browser/plugin_process_host.h"
6
7 #if defined(OS_WIN)
8 #include <windows.h>
9 #elif defined(OS_POSIX)
10 #include <utility> // for pair<>
11 #endif
12
13 #include <vector>
14
15 #include "base/base_switches.h"
16 #include "base/bind.h"
17 #include "base/command_line.h"
18 #include "base/files/file_path.h"
19 #include "base/lazy_instance.h"
20 #include "base/logging.h"
21 #include "base/metrics/histogram.h"
22 #include "base/path_service.h"
23 #include "base/strings/string_number_conversions.h"
24 #include "base/strings/string_util.h"
25 #include "base/strings/utf_string_conversions.h"
26 #include "base/synchronization/lock.h"
27 #include "content/browser/browser_child_process_host_impl.h"
28 #include "content/browser/loader/resource_message_filter.h"
29 #include "content/browser/gpu/gpu_data_manager_impl.h"
30 #include "content/browser/plugin_service_impl.h"
31 #include "content/common/child_process_host_impl.h"
32 #include "content/common/plugin_process_messages.h"
33 #include "content/common/resource_messages.h"
34 #include "content/public/browser/browser_thread.h"
35 #include "content/public/browser/content_browser_client.h"
36 #include "content/public/browser/notification_types.h"
37 #include "content/public/browser/plugin_service.h"
38 #include "content/public/browser/resource_context.h"
39 #include "content/public/common/content_switches.h"
40 #include "content/public/common/process_type.h"
41 #include "content/public/common/sandboxed_process_launcher_delegate.h"
42 #include "ipc/ipc_switches.h"
43 #include "net/url_request/url_request_context_getter.h"
44 #include "ui/base/ui_base_switches.h"
45 #include "ui/gfx/native_widget_types.h"
46 #include "ui/gfx/switches.h"
47 #include "ui/gl/gl_switches.h"
48
49 #if defined(OS_MACOSX)
50 #include "base/mac/mac_util.h"
51 #include "ui/gfx/rect.h"
52 #endif
53
54 #if defined(OS_WIN)
55 #include "base/win/windows_version.h"
56 #include "content/common/plugin_constants_win.h"
57 #endif
58
59 namespace content {
60
61 namespace {
62
63 base::LazyInstance<std::map<base::ProcessId, WebPluginInfo> >
64 g_process_webplugin_info = LAZY_INSTANCE_INITIALIZER;
65 base::LazyInstance<base::Lock>::Leaky
66 g_process_webplugin_info_lock = LAZY_INSTANCE_INITIALIZER;
67 }
68
GetWebPluginInfoFromPluginPid(base::ProcessId pid,WebPluginInfo * info)69 bool PluginProcessHost::GetWebPluginInfoFromPluginPid(base::ProcessId pid,
70 WebPluginInfo* info) {
71 base::AutoLock lock(g_process_webplugin_info_lock.Get());
72 if (!g_process_webplugin_info.Get().count(pid))
73 return false;
74
75 *info = g_process_webplugin_info.Get()[pid];
76 return true;
77 }
78
79 #if defined(OS_WIN)
OnPluginWindowDestroyed(HWND window,HWND parent)80 void PluginProcessHost::OnPluginWindowDestroyed(HWND window, HWND parent) {
81 // The window is destroyed at this point, we just care about its parent, which
82 // is the intermediate window we created.
83 std::set<HWND>::iterator window_index =
84 plugin_parent_windows_set_.find(parent);
85 if (window_index == plugin_parent_windows_set_.end())
86 return;
87
88 plugin_parent_windows_set_.erase(window_index);
89 PostMessage(parent, WM_CLOSE, 0, 0);
90 }
91
AddWindow(HWND window)92 void PluginProcessHost::AddWindow(HWND window) {
93 plugin_parent_windows_set_.insert(window);
94 }
95 #endif // defined(OS_WIN)
96
97 // NOTE: changes to this class need to be reviewed by the security team.
98 class PluginSandboxedProcessLauncherDelegate
99 : public SandboxedProcessLauncherDelegate {
100 public:
PluginSandboxedProcessLauncherDelegate(ChildProcessHost * host)101 explicit PluginSandboxedProcessLauncherDelegate(ChildProcessHost* host)
102 #if defined(OS_POSIX)
103 : ipc_fd_(host->TakeClientFileDescriptor())
104 #endif // OS_POSIX
105 {}
106
~PluginSandboxedProcessLauncherDelegate()107 virtual ~PluginSandboxedProcessLauncherDelegate() {}
108
109 #if defined(OS_WIN)
ShouldSandbox()110 virtual bool ShouldSandbox() OVERRIDE {
111 return false;
112 }
113
114 #elif defined(OS_POSIX)
GetIpcFd()115 virtual int GetIpcFd() OVERRIDE {
116 return ipc_fd_;
117 }
118 #endif // OS_WIN
119
120 private:
121 #if defined(OS_POSIX)
122 int ipc_fd_;
123 #endif // OS_POSIX
124
125 DISALLOW_COPY_AND_ASSIGN(PluginSandboxedProcessLauncherDelegate);
126 };
127
PluginProcessHost()128 PluginProcessHost::PluginProcessHost()
129 : pid_(base::kNullProcessId)
130 #if defined(OS_MACOSX)
131 , plugin_cursor_visible_(true)
132 #endif
133 {
134 process_.reset(new BrowserChildProcessHostImpl(PROCESS_TYPE_PLUGIN, this));
135 }
136
~PluginProcessHost()137 PluginProcessHost::~PluginProcessHost() {
138 #if defined(OS_WIN)
139 // We erase HWNDs from the plugin_parent_windows_set_ when we receive a
140 // notification that the window is being destroyed. If we don't receive this
141 // notification and the PluginProcessHost instance is being destroyed, it
142 // means that the plugin process crashed. We paint a sad face in this case in
143 // the renderer process. To ensure that the sad face shows up, and we don't
144 // leak HWNDs, we should destroy existing plugin parent windows.
145 std::set<HWND>::iterator window_index;
146 for (window_index = plugin_parent_windows_set_.begin();
147 window_index != plugin_parent_windows_set_.end();
148 ++window_index) {
149 PostMessage(*window_index, WM_CLOSE, 0, 0);
150 }
151 #elif defined(OS_MACOSX)
152 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
153 // If the plugin process crashed but had fullscreen windows open at the time,
154 // make sure that the menu bar is visible.
155 for (size_t i = 0; i < plugin_fullscreen_windows_set_.size(); ++i) {
156 BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
157 base::Bind(base::mac::ReleaseFullScreen,
158 base::mac::kFullScreenModeHideAll));
159 }
160 // If the plugin hid the cursor, reset that.
161 if (!plugin_cursor_visible_) {
162 BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
163 base::Bind(base::mac::SetCursorVisibility, true));
164 }
165 #endif
166 // Cancel all pending and sent requests.
167 CancelRequests();
168
169 {
170 base::AutoLock lock(g_process_webplugin_info_lock.Get());
171 g_process_webplugin_info.Get()[pid_] = info_;
172 }
173 }
174
Send(IPC::Message * message)175 bool PluginProcessHost::Send(IPC::Message* message) {
176 return process_->Send(message);
177 }
178
Init(const WebPluginInfo & info)179 bool PluginProcessHost::Init(const WebPluginInfo& info) {
180 info_ = info;
181 process_->SetName(info_.name);
182
183 std::string channel_id = process_->GetHost()->CreateChannel();
184 if (channel_id.empty())
185 return false;
186
187 // Build command line for plugin. When we have a plugin launcher, we can't
188 // allow "self" on linux and we need the real file path.
189 const base::CommandLine& browser_command_line =
190 *base::CommandLine::ForCurrentProcess();
191 base::CommandLine::StringType plugin_launcher =
192 browser_command_line.GetSwitchValueNative(switches::kPluginLauncher);
193
194 #if defined(OS_MACOSX)
195 // Run the plug-in process in a mode tolerant of heap execution without
196 // explicit mprotect calls. Some plug-ins still rely on this quaint and
197 // archaic "feature." See http://crbug.com/93551.
198 int flags = ChildProcessHost::CHILD_ALLOW_HEAP_EXECUTION;
199 #elif defined(OS_LINUX)
200 int flags = plugin_launcher.empty() ? ChildProcessHost::CHILD_ALLOW_SELF :
201 ChildProcessHost::CHILD_NORMAL;
202 #else
203 int flags = ChildProcessHost::CHILD_NORMAL;
204 #endif
205
206 base::FilePath exe_path = ChildProcessHost::GetChildPath(flags);
207 if (exe_path.empty())
208 return false;
209
210 base::CommandLine* cmd_line = new base::CommandLine(exe_path);
211 // Put the process type and plugin path first so they're easier to see
212 // in process listings using native process management tools.
213 cmd_line->AppendSwitchASCII(switches::kProcessType, switches::kPluginProcess);
214 cmd_line->AppendSwitchPath(switches::kPluginPath, info.path);
215
216 // Propagate the following switches to the plugin command line (along with
217 // any associated values) if present in the browser command line
218 static const char* const kSwitchNames[] = {
219 switches::kDisableBreakpad,
220 switches::kDisableDirectNPAPIRequests,
221 switches::kEnableStatsTable,
222 switches::kFullMemoryCrashReport,
223 switches::kLoggingLevel,
224 switches::kLogPluginMessages,
225 switches::kNoSandbox,
226 switches::kPluginStartupDialog,
227 switches::kTraceStartup,
228 switches::kUseGL,
229 switches::kForceDeviceScaleFactor,
230 #if defined(OS_MACOSX)
231 switches::kDisableCoreAnimationPlugins,
232 switches::kEnableSandboxLogging,
233 #endif
234 };
235
236 cmd_line->CopySwitchesFrom(browser_command_line, kSwitchNames,
237 arraysize(kSwitchNames));
238
239 GpuDataManagerImpl::GetInstance()->AppendPluginCommandLine(cmd_line);
240
241 // If specified, prepend a launcher program to the command line.
242 if (!plugin_launcher.empty())
243 cmd_line->PrependWrapper(plugin_launcher);
244
245 std::string locale = GetContentClient()->browser()->GetApplicationLocale();
246 if (!locale.empty()) {
247 // Pass on the locale so the null plugin will use the right language in the
248 // prompt to install the desired plugin.
249 cmd_line->AppendSwitchASCII(switches::kLang, locale);
250 }
251
252 cmd_line->AppendSwitchASCII(switches::kProcessChannelID, channel_id);
253
254 process_->Launch(
255 new PluginSandboxedProcessLauncherDelegate(process_->GetHost()),
256 cmd_line);
257
258 // The plugin needs to be shutdown gracefully, i.e. NP_Shutdown needs to be
259 // called on the plugin. The plugin process exits when it receives the
260 // OnChannelError notification indicating that the browser plugin channel has
261 // been destroyed.
262 process_->SetTerminateChildOnShutdown(false);
263
264 ResourceMessageFilter::GetContextsCallback get_contexts_callback(
265 base::Bind(&PluginProcessHost::GetContexts,
266 base::Unretained(this)));
267
268 // TODO(jam): right now we're passing NULL for appcache, blob storage, and
269 // file system. If NPAPI plugins actually use this, we'll have to plumb them.
270 ResourceMessageFilter* resource_message_filter = new ResourceMessageFilter(
271 process_->GetData().id, PROCESS_TYPE_PLUGIN, NULL, NULL, NULL, NULL,
272 get_contexts_callback);
273 process_->AddFilter(resource_message_filter);
274 return true;
275 }
276
ForceShutdown()277 void PluginProcessHost::ForceShutdown() {
278 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
279 Send(new PluginProcessMsg_NotifyRenderersOfPendingShutdown());
280 process_->ForceShutdown();
281 }
282
OnMessageReceived(const IPC::Message & msg)283 bool PluginProcessHost::OnMessageReceived(const IPC::Message& msg) {
284 bool handled = true;
285 IPC_BEGIN_MESSAGE_MAP(PluginProcessHost, msg)
286 IPC_MESSAGE_HANDLER(PluginProcessHostMsg_ChannelCreated, OnChannelCreated)
287 IPC_MESSAGE_HANDLER(PluginProcessHostMsg_ChannelDestroyed,
288 OnChannelDestroyed)
289 #if defined(OS_WIN)
290 IPC_MESSAGE_HANDLER(PluginProcessHostMsg_PluginWindowDestroyed,
291 OnPluginWindowDestroyed)
292 #endif
293 #if defined(OS_MACOSX)
294 IPC_MESSAGE_HANDLER(PluginProcessHostMsg_PluginShowWindow,
295 OnPluginShowWindow)
296 IPC_MESSAGE_HANDLER(PluginProcessHostMsg_PluginHideWindow,
297 OnPluginHideWindow)
298 IPC_MESSAGE_HANDLER(PluginProcessHostMsg_PluginSetCursorVisibility,
299 OnPluginSetCursorVisibility)
300 #endif
301 IPC_MESSAGE_UNHANDLED(handled = false)
302 IPC_END_MESSAGE_MAP()
303
304 return handled;
305 }
306
OnChannelConnected(int32 peer_pid)307 void PluginProcessHost::OnChannelConnected(int32 peer_pid) {
308 for (size_t i = 0; i < pending_requests_.size(); ++i) {
309 RequestPluginChannel(pending_requests_[i]);
310 }
311
312 pending_requests_.clear();
313
314 pid_ = peer_pid;
315 {
316 base::AutoLock lock(g_process_webplugin_info_lock.Get());
317 g_process_webplugin_info.Get()[pid_] = info_;
318 }
319 }
320
OnChannelError()321 void PluginProcessHost::OnChannelError() {
322 CancelRequests();
323 }
324
CanShutdown()325 bool PluginProcessHost::CanShutdown() {
326 return sent_requests_.empty();
327 }
328
OnProcessCrashed(int exit_code)329 void PluginProcessHost::OnProcessCrashed(int exit_code) {
330 PluginServiceImpl::GetInstance()->RegisterPluginCrash(info_.path);
331 }
332
CancelRequests()333 void PluginProcessHost::CancelRequests() {
334 for (size_t i = 0; i < pending_requests_.size(); ++i)
335 pending_requests_[i]->OnError();
336 pending_requests_.clear();
337
338 while (!sent_requests_.empty()) {
339 Client* client = sent_requests_.front();
340 if (client)
341 client->OnError();
342 sent_requests_.pop_front();
343 }
344 }
345
OpenChannelToPlugin(Client * client)346 void PluginProcessHost::OpenChannelToPlugin(Client* client) {
347 BrowserThread::PostTask(
348 BrowserThread::UI, FROM_HERE,
349 base::Bind(&BrowserChildProcessHostImpl::NotifyProcessInstanceCreated,
350 process_->GetData()));
351 client->SetPluginInfo(info_);
352 if (process_->GetHost()->IsChannelOpening()) {
353 // The channel is already in the process of being opened. Put
354 // this "open channel" request into a queue of requests that will
355 // be run once the channel is open.
356 pending_requests_.push_back(client);
357 return;
358 }
359
360 // We already have an open channel, send a request right away to plugin.
361 RequestPluginChannel(client);
362 }
363
CancelPendingRequest(Client * client)364 void PluginProcessHost::CancelPendingRequest(Client* client) {
365 std::vector<Client*>::iterator it = pending_requests_.begin();
366 while (it != pending_requests_.end()) {
367 if (client == *it) {
368 pending_requests_.erase(it);
369 return;
370 }
371 ++it;
372 }
373 DCHECK(it != pending_requests_.end());
374 }
375
CancelSentRequest(Client * client)376 void PluginProcessHost::CancelSentRequest(Client* client) {
377 std::list<Client*>::iterator it = sent_requests_.begin();
378 while (it != sent_requests_.end()) {
379 if (client == *it) {
380 *it = NULL;
381 return;
382 }
383 ++it;
384 }
385 DCHECK(it != sent_requests_.end());
386 }
387
RequestPluginChannel(Client * client)388 void PluginProcessHost::RequestPluginChannel(Client* client) {
389 // We can't send any sync messages from the browser because it might lead to
390 // a hang. However this async messages must be answered right away by the
391 // plugin process (i.e. unblocks a Send() call like a sync message) otherwise
392 // a deadlock can occur if the plugin creation request from the renderer is
393 // a result of a sync message by the plugin process.
394 PluginProcessMsg_CreateChannel* msg =
395 new PluginProcessMsg_CreateChannel(
396 client->ID(),
397 client->OffTheRecord());
398 msg->set_unblock(true);
399 if (Send(msg)) {
400 sent_requests_.push_back(client);
401 client->OnSentPluginChannelRequest();
402 } else {
403 client->OnError();
404 }
405 }
406
OnChannelCreated(const IPC::ChannelHandle & channel_handle)407 void PluginProcessHost::OnChannelCreated(
408 const IPC::ChannelHandle& channel_handle) {
409 Client* client = sent_requests_.front();
410
411 if (client) {
412 if (!resource_context_map_.count(client->ID())) {
413 ResourceContextEntry entry;
414 entry.ref_count = 0;
415 entry.resource_context = client->GetResourceContext();
416 resource_context_map_[client->ID()] = entry;
417 }
418 resource_context_map_[client->ID()].ref_count++;
419 client->OnChannelOpened(channel_handle);
420 }
421 sent_requests_.pop_front();
422 }
423
OnChannelDestroyed(int renderer_id)424 void PluginProcessHost::OnChannelDestroyed(int renderer_id) {
425 resource_context_map_[renderer_id].ref_count--;
426 if (!resource_context_map_[renderer_id].ref_count)
427 resource_context_map_.erase(renderer_id);
428 }
429
GetContexts(const ResourceHostMsg_Request & request,ResourceContext ** resource_context,net::URLRequestContext ** request_context)430 void PluginProcessHost::GetContexts(const ResourceHostMsg_Request& request,
431 ResourceContext** resource_context,
432 net::URLRequestContext** request_context) {
433 *resource_context =
434 resource_context_map_[request.origin_pid].resource_context;
435 *request_context = (*resource_context)->GetRequestContext();
436 }
437
438 } // namespace content
439