1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/mac/bootstrap_sandbox.h"
6
7 #include <servers/bootstrap.h>
8 #include <unistd.h>
9
10 #include "base/logging.h"
11 #include "base/mac/foundation_util.h"
12 #include "base/mac/mach_logging.h"
13 #include "base/strings/stringprintf.h"
14 #include "sandbox/mac/launchd_interception_server.h"
15
16 namespace sandbox {
17
18 const int kNotAPolicy = -1;
19
20 // static
Create()21 scoped_ptr<BootstrapSandbox> BootstrapSandbox::Create() {
22 scoped_ptr<BootstrapSandbox> null; // Used for early returns.
23 scoped_ptr<BootstrapSandbox> sandbox(new BootstrapSandbox());
24 sandbox->server_.reset(new LaunchdInterceptionServer(sandbox.get()));
25
26 // Check in with launchd to get the receive right for the server that is
27 // published in the bootstrap namespace.
28 mach_port_t port = MACH_PORT_NULL;
29 kern_return_t kr = bootstrap_check_in(bootstrap_port,
30 sandbox->server_bootstrap_name().c_str(), &port);
31 if (kr != KERN_SUCCESS) {
32 BOOTSTRAP_LOG(ERROR, kr)
33 << "Failed to bootstrap_check_in the sandbox server.";
34 return null.Pass();
35 }
36 base::mac::ScopedMachReceiveRight scoped_port(port);
37
38 // Start the sandbox server.
39 if (sandbox->server_->Initialize(scoped_port.get()))
40 ignore_result(scoped_port.release()); // Transferred to server_.
41 else
42 return null.Pass();
43
44 return sandbox.Pass();
45 }
46
~BootstrapSandbox()47 BootstrapSandbox::~BootstrapSandbox() {
48 }
49
RegisterSandboxPolicy(int sandbox_policy_id,const BootstrapSandboxPolicy & policy)50 void BootstrapSandbox::RegisterSandboxPolicy(
51 int sandbox_policy_id,
52 const BootstrapSandboxPolicy& policy) {
53 CHECK(IsPolicyValid(policy));
54 CHECK_GT(sandbox_policy_id, kNotAPolicy);
55 base::AutoLock lock(lock_);
56 DCHECK(policies_.find(sandbox_policy_id) == policies_.end());
57 policies_.insert(std::make_pair(sandbox_policy_id, policy));
58 }
59
PrepareToForkWithPolicy(int sandbox_policy_id)60 void BootstrapSandbox::PrepareToForkWithPolicy(int sandbox_policy_id) {
61 base::AutoLock lock(lock_);
62
63 // Verify that this is a real policy.
64 CHECK(policies_.find(sandbox_policy_id) != policies_.end());
65 CHECK_EQ(kNotAPolicy, effective_policy_id_)
66 << "Cannot nest calls to PrepareToForkWithPolicy()";
67
68 // Store the policy for the process we're about to create.
69 effective_policy_id_ = sandbox_policy_id;
70 }
71
72 // TODO(rsesek): The |lock_| needs to be taken twice because
73 // base::LaunchProcess handles both fork+exec, and holding the lock for the
74 // duration would block servicing of other bootstrap messages. If a better
75 // LaunchProcess existed (do arbitrary work without layering violations), this
76 // could be avoided.
77
FinishedFork(base::ProcessHandle handle)78 void BootstrapSandbox::FinishedFork(base::ProcessHandle handle) {
79 base::AutoLock lock(lock_);
80
81 CHECK_NE(kNotAPolicy, effective_policy_id_)
82 << "Must PrepareToForkWithPolicy() before FinishedFork()";
83
84 // Apply the policy to the new process.
85 if (handle != base::kNullProcessHandle) {
86 const auto& existing_process = sandboxed_processes_.find(handle);
87 CHECK(existing_process == sandboxed_processes_.end());
88 sandboxed_processes_.insert(std::make_pair(handle, effective_policy_id_));
89 VLOG(3) << "Bootstrap sandbox enforced for pid " << handle;
90 }
91
92 effective_policy_id_ = kNotAPolicy;
93 }
94
ChildDied(base::ProcessHandle handle)95 void BootstrapSandbox::ChildDied(base::ProcessHandle handle) {
96 base::AutoLock lock(lock_);
97 const auto& it = sandboxed_processes_.find(handle);
98 if (it != sandboxed_processes_.end())
99 sandboxed_processes_.erase(it);
100 }
101
PolicyForProcess(pid_t pid) const102 const BootstrapSandboxPolicy* BootstrapSandbox::PolicyForProcess(
103 pid_t pid) const {
104 base::AutoLock lock(lock_);
105 const auto& process = sandboxed_processes_.find(pid);
106
107 // The new child could send bootstrap requests before the parent calls
108 // FinishedFork().
109 int policy_id = effective_policy_id_;
110 if (process != sandboxed_processes_.end()) {
111 policy_id = process->second;
112 }
113
114 if (policy_id == kNotAPolicy)
115 return NULL;
116
117 return &policies_.find(policy_id)->second;
118 }
119
BootstrapSandbox()120 BootstrapSandbox::BootstrapSandbox()
121 : server_bootstrap_name_(
122 base::StringPrintf("%s.sandbox.%d", base::mac::BaseBundleID(),
123 getpid())),
124 real_bootstrap_port_(MACH_PORT_NULL),
125 effective_policy_id_(kNotAPolicy) {
126 mach_port_t port = MACH_PORT_NULL;
127 kern_return_t kr = task_get_special_port(
128 mach_task_self(), TASK_BOOTSTRAP_PORT, &port);
129 MACH_CHECK(kr == KERN_SUCCESS, kr);
130 real_bootstrap_port_.reset(port);
131 }
132
133 } // namespace sandbox
134