1 // Copyright 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/mac/relauncher.h"
6
7 #include <ApplicationServices/ApplicationServices.h>
8 #include <AvailabilityMacros.h>
9 #include <crt_externs.h>
10 #include <dlfcn.h>
11 #include <string.h>
12 #include <sys/event.h>
13 #include <sys/time.h>
14 #include <sys/types.h>
15 #include <unistd.h>
16
17 #include <string>
18 #include <vector>
19
20 #include "base/basictypes.h"
21 #include "base/files/file_util.h"
22 #include "base/files/scoped_file.h"
23 #include "base/logging.h"
24 #include "base/mac/mac_logging.h"
25 #include "base/mac/mac_util.h"
26 #include "base/mac/scoped_cftyperef.h"
27 #include "base/path_service.h"
28 #include "base/posix/eintr_wrapper.h"
29 #include "base/process/launch.h"
30 #include "base/strings/stringprintf.h"
31 #include "base/strings/sys_string_conversions.h"
32 #include "chrome/browser/mac/install_from_dmg.h"
33 #include "chrome/common/chrome_switches.h"
34 #include "content/public/common/content_paths.h"
35 #include "content/public/common/content_switches.h"
36 #include "content/public/common/main_function_params.h"
37
38 namespace mac_relauncher {
39
40 const char* const kRelauncherDMGDeviceArg = "--dmg-device=";
41
42 namespace {
43
44 // The "magic" file descriptor that the relauncher process' write side of the
45 // pipe shows up on. Chosen to avoid conflicting with stdin, stdout, and
46 // stderr.
47 const int kRelauncherSyncFD = STDERR_FILENO + 1;
48
49 // The argument separating arguments intended for the relauncher process from
50 // those intended for the relaunched process. "---" is chosen instead of "--"
51 // because CommandLine interprets "--" as meaning "end of switches", but
52 // for many purposes, the relauncher process' CommandLine ought to interpret
53 // arguments intended for the relaunched process, to get the correct settings
54 // for such things as logging and the user-data-dir in case it affects crash
55 // reporting.
56 const char kRelauncherArgSeparator[] = "---";
57
58 // When this argument is supplied to the relauncher process, it will launch
59 // the relaunched process without bringing it to the foreground.
60 const char kRelauncherBackgroundArg[] = "--background";
61
62 // The beginning of the "process serial number" argument that Launch Services
63 // sometimes inserts into command lines. A process serial number is only valid
64 // for a single process, so any PSN arguments will be stripped from command
65 // lines during relaunch to avoid confusion.
66 const char kPSNArg[] = "-psn_";
67
68 // Returns the "type" argument identifying a relauncher process
69 // ("--type=relauncher").
RelauncherTypeArg()70 std::string RelauncherTypeArg() {
71 return base::StringPrintf("--%s=%s",
72 switches::kProcessType,
73 switches::kRelauncherProcess);
74 }
75
76 } // namespace
77
RelaunchApp(const std::vector<std::string> & args)78 bool RelaunchApp(const std::vector<std::string>& args) {
79 // Use the currently-running application's helper process. The automatic
80 // update feature is careful to leave the currently-running version alone,
81 // so this is safe even if the relaunch is the result of an update having
82 // been applied. In fact, it's safer than using the updated version of the
83 // helper process, because there's no guarantee that the updated version's
84 // relauncher implementation will be compatible with the running version's.
85 base::FilePath child_path;
86 if (!PathService::Get(content::CHILD_PROCESS_EXE, &child_path)) {
87 LOG(ERROR) << "No CHILD_PROCESS_EXE";
88 return false;
89 }
90
91 std::vector<std::string> relauncher_args;
92 return RelaunchAppWithHelper(child_path.value(), relauncher_args, args);
93 }
94
RelaunchAppWithHelper(const std::string & helper,const std::vector<std::string> & relauncher_args,const std::vector<std::string> & args)95 bool RelaunchAppWithHelper(const std::string& helper,
96 const std::vector<std::string>& relauncher_args,
97 const std::vector<std::string>& args) {
98 std::vector<std::string> relaunch_args;
99 relaunch_args.push_back(helper);
100 relaunch_args.push_back(RelauncherTypeArg());
101
102 // If this application isn't in the foreground, the relaunched one shouldn't
103 // be either.
104 if (!base::mac::AmIForeground()) {
105 relaunch_args.push_back(kRelauncherBackgroundArg);
106 }
107
108 relaunch_args.insert(relaunch_args.end(),
109 relauncher_args.begin(), relauncher_args.end());
110
111 relaunch_args.push_back(kRelauncherArgSeparator);
112
113 // When using the CommandLine interface, -psn_ may have been rewritten as
114 // --psn_. Look for both.
115 const char alt_psn_arg[] = "--psn_";
116 for (size_t index = 0; index < args.size(); ++index) {
117 // Strip any -psn_ arguments, as they apply to a specific process.
118 if (args[index].compare(0, strlen(kPSNArg), kPSNArg) != 0 &&
119 args[index].compare(0, strlen(alt_psn_arg), alt_psn_arg) != 0) {
120 relaunch_args.push_back(args[index]);
121 }
122 }
123
124 int pipe_fds[2];
125 if (HANDLE_EINTR(pipe(pipe_fds)) != 0) {
126 PLOG(ERROR) << "pipe";
127 return false;
128 }
129
130 // The parent process will only use pipe_read_fd as the read side of the
131 // pipe. It can close the write side as soon as the relauncher process has
132 // forked off. The relauncher process will only use pipe_write_fd as the
133 // write side of the pipe. In that process, the read side will be closed by
134 // base::LaunchApp because it won't be present in fd_map, and the write side
135 // will be remapped to kRelauncherSyncFD by fd_map.
136 base::ScopedFD pipe_read_fd(pipe_fds[0]);
137 base::ScopedFD pipe_write_fd(pipe_fds[1]);
138
139 // Make sure kRelauncherSyncFD is a safe value. base::LaunchProcess will
140 // preserve these three FDs in forked processes, so kRelauncherSyncFD should
141 // not conflict with them.
142 COMPILE_ASSERT(kRelauncherSyncFD != STDIN_FILENO &&
143 kRelauncherSyncFD != STDOUT_FILENO &&
144 kRelauncherSyncFD != STDERR_FILENO,
145 kRelauncherSyncFD_must_not_conflict_with_stdio_fds);
146
147 base::FileHandleMappingVector fd_map;
148 fd_map.push_back(std::make_pair(pipe_write_fd.get(), kRelauncherSyncFD));
149
150 base::LaunchOptions options;
151 options.fds_to_remap = &fd_map;
152 if (!base::LaunchProcess(relaunch_args, options, NULL)) {
153 LOG(ERROR) << "base::LaunchProcess failed";
154 return false;
155 }
156
157 // The relauncher process is now starting up, or has started up. The
158 // original parent process continues.
159
160 pipe_write_fd.reset(); // close(pipe_fds[1]);
161
162 // Synchronize with the relauncher process.
163 char read_char;
164 int read_result = HANDLE_EINTR(read(pipe_read_fd.get(), &read_char, 1));
165 if (read_result != 1) {
166 if (read_result < 0) {
167 PLOG(ERROR) << "read";
168 } else {
169 LOG(ERROR) << "read: unexpected result " << read_result;
170 }
171 return false;
172 }
173
174 // Since a byte has been successfully read from the relauncher process, it's
175 // guaranteed to have set up its kqueue monitoring this process for exit.
176 // It's safe to exit now.
177 return true;
178 }
179
180 namespace {
181
182 // In the relauncher process, performs the necessary synchronization steps
183 // with the parent by setting up a kqueue to watch for it to exit, writing a
184 // byte to the pipe, and then waiting for the exit notification on the kqueue.
185 // If anything fails, this logs a message and returns immediately. In those
186 // situations, it can be assumed that something went wrong with the parent
187 // process and the best recovery approach is to attempt relaunch anyway.
RelauncherSynchronizeWithParent()188 void RelauncherSynchronizeWithParent() {
189 base::ScopedFD relauncher_sync_fd(kRelauncherSyncFD);
190
191 int parent_pid = getppid();
192
193 // PID 1 identifies init. launchd, that is. launchd never starts the
194 // relauncher process directly, having this parent_pid means that the parent
195 // already exited and launchd "inherited" the relauncher as its child.
196 // There's no reason to synchronize with launchd.
197 if (parent_pid == 1) {
198 LOG(ERROR) << "unexpected parent_pid";
199 return;
200 }
201
202 // Set up a kqueue to monitor the parent process for exit.
203 base::ScopedFD kq(kqueue());
204 if (!kq.is_valid()) {
205 PLOG(ERROR) << "kqueue";
206 return;
207 }
208
209 struct kevent change = { 0 };
210 EV_SET(&change, parent_pid, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);
211 if (kevent(kq.get(), &change, 1, NULL, 0, NULL) == -1) {
212 PLOG(ERROR) << "kevent (add)";
213 return;
214 }
215
216 // Write a '\0' character to the pipe.
217 if (HANDLE_EINTR(write(relauncher_sync_fd.get(), "", 1)) != 1) {
218 PLOG(ERROR) << "write";
219 return;
220 }
221
222 // Up until now, the parent process was blocked in a read waiting for the
223 // write above to complete. The parent process is now free to exit. Wait for
224 // that to happen.
225 struct kevent event;
226 int events = kevent(kq.get(), NULL, 0, &event, 1, NULL);
227 if (events != 1) {
228 if (events < 0) {
229 PLOG(ERROR) << "kevent (monitor)";
230 } else {
231 LOG(ERROR) << "kevent (monitor): unexpected result " << events;
232 }
233 return;
234 }
235
236 if (event.filter != EVFILT_PROC ||
237 event.fflags != NOTE_EXIT ||
238 event.ident != static_cast<uintptr_t>(parent_pid)) {
239 LOG(ERROR) << "kevent (monitor): unexpected event, filter " << event.filter
240 << ", fflags " << event.fflags << ", ident " << event.ident;
241 return;
242 }
243 }
244
245 } // namespace
246
247 namespace internal {
248
RelauncherMain(const content::MainFunctionParams & main_parameters)249 int RelauncherMain(const content::MainFunctionParams& main_parameters) {
250 // CommandLine rearranges the order of the arguments returned by
251 // main_parameters.argv(), rendering it impossible to determine which
252 // arguments originally came before kRelauncherArgSeparator and which came
253 // after. It's crucial to distinguish between these because only those
254 // after the separator should be given to the relaunched process; it's also
255 // important to not treat the path to the relaunched process as a "loose"
256 // argument. NXArgc and NXArgv are pointers to the original argc and argv as
257 // passed to main(), so use those. Access them through _NSGetArgc and
258 // _NSGetArgv because NXArgc and NXArgv are normally only available to a
259 // main executable via crt1.o and this code will run from a dylib, and
260 // because of http://crbug.com/139902.
261 const int* argcp = _NSGetArgc();
262 if (!argcp) {
263 NOTREACHED();
264 return 1;
265 }
266 int argc = *argcp;
267
268 const char* const* const* argvp = _NSGetArgv();
269 if (!argvp) {
270 NOTREACHED();
271 return 1;
272 }
273 const char* const* argv = *argvp;
274
275 if (argc < 4 || RelauncherTypeArg() != argv[1]) {
276 LOG(ERROR) << "relauncher process invoked with unexpected arguments";
277 return 1;
278 }
279
280 RelauncherSynchronizeWithParent();
281
282 // The capacity for relaunch_args is 4 less than argc, because it
283 // won't contain the argv[0] of the relauncher process, the
284 // RelauncherTypeArg() at argv[1], kRelauncherArgSeparator, or the
285 // executable path of the process to be launched.
286 base::ScopedCFTypeRef<CFMutableArrayRef> relaunch_args(
287 CFArrayCreateMutable(NULL, argc - 4, &kCFTypeArrayCallBacks));
288 if (!relaunch_args) {
289 LOG(ERROR) << "CFArrayCreateMutable";
290 return 1;
291 }
292
293 // Figure out what to execute, what arguments to pass it, and whether to
294 // start it in the background.
295 bool background = false;
296 bool in_relaunch_args = false;
297 std::string dmg_bsd_device_name;
298 bool seen_relaunch_executable = false;
299 std::string relaunch_executable;
300 const std::string relauncher_arg_separator(kRelauncherArgSeparator);
301 for (int argv_index = 2; argv_index < argc; ++argv_index) {
302 const std::string arg(argv[argv_index]);
303
304 // Strip any -psn_ arguments, as they apply to a specific process.
305 if (arg.compare(0, strlen(kPSNArg), kPSNArg) == 0) {
306 continue;
307 }
308
309 if (!in_relaunch_args) {
310 if (arg == relauncher_arg_separator) {
311 in_relaunch_args = true;
312 } else if (arg == kRelauncherBackgroundArg) {
313 background = true;
314 } else if (arg.compare(0, strlen(kRelauncherDMGDeviceArg),
315 kRelauncherDMGDeviceArg) == 0) {
316 dmg_bsd_device_name.assign(arg.substr(strlen(kRelauncherDMGDeviceArg)));
317 }
318 } else {
319 if (!seen_relaunch_executable) {
320 // The first argument after kRelauncherBackgroundArg is the path to
321 // the executable file or .app bundle directory. The Launch Services
322 // interface wants this separate from the rest of the arguments. In
323 // the relaunched process, this path will still be visible at argv[0].
324 relaunch_executable.assign(arg);
325 seen_relaunch_executable = true;
326 } else {
327 base::ScopedCFTypeRef<CFStringRef> arg_cf(
328 base::SysUTF8ToCFStringRef(arg));
329 if (!arg_cf) {
330 LOG(ERROR) << "base::SysUTF8ToCFStringRef failed for " << arg;
331 return 1;
332 }
333 CFArrayAppendValue(relaunch_args, arg_cf);
334 }
335 }
336 }
337
338 if (!seen_relaunch_executable) {
339 LOG(ERROR) << "nothing to relaunch";
340 return 1;
341 }
342
343 FSRef app_fsref;
344 if (!base::mac::FSRefFromPath(relaunch_executable, &app_fsref)) {
345 LOG(ERROR) << "base::mac::FSRefFromPath failed for " << relaunch_executable;
346 return 1;
347 }
348
349 LSApplicationParameters ls_parameters = {
350 0, // version
351 kLSLaunchDefaults | kLSLaunchAndDisplayErrors | kLSLaunchNewInstance |
352 (background ? kLSLaunchDontSwitch : 0),
353 &app_fsref,
354 NULL, // asyncLaunchRefCon
355 NULL, // environment
356 relaunch_args,
357 NULL // initialEvent
358 };
359
360 OSStatus status = LSOpenApplication(&ls_parameters, NULL);
361 if (status != noErr) {
362 OSSTATUS_LOG(ERROR, status) << "LSOpenApplication";
363 return 1;
364 }
365
366 // The application should have relaunched (or is in the process of
367 // relaunching). From this point on, only clean-up tasks should occur, and
368 // failures are tolerable.
369
370 if (!dmg_bsd_device_name.empty()) {
371 EjectAndTrashDiskImage(dmg_bsd_device_name);
372 }
373
374 return 0;
375 }
376
377 } // namespace internal
378
379 } // namespace mac_relauncher
380