1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/browser/renderer_host/sandbox_ipc_linux.h"
6
7 #include <fcntl.h>
8 #include <sys/poll.h>
9 #include <sys/socket.h>
10 #include <sys/stat.h>
11
12 #include "base/basictypes.h"
13 #include "base/command_line.h"
14 #include "base/files/scoped_file.h"
15 #include "base/linux_util.h"
16 #include "base/macros.h"
17 #include "base/memory/scoped_vector.h"
18 #include "base/memory/shared_memory.h"
19 #include "base/posix/eintr_wrapper.h"
20 #include "base/posix/unix_domain_socket_linux.h"
21 #include "base/process/launch.h"
22 #include "base/strings/string_number_conversions.h"
23 #include "content/browser/renderer_host/font_utils_linux.h"
24 #include "content/common/font_config_ipc_linux.h"
25 #include "content/common/sandbox_linux/sandbox_linux.h"
26 #include "content/common/set_process_title.h"
27 #include "content/public/common/content_switches.h"
28 #include "ppapi/c/trusted/ppb_browser_font_trusted.h"
29 #include "third_party/WebKit/public/platform/linux/WebFontInfo.h"
30 #include "third_party/WebKit/public/web/WebKit.h"
31 #include "third_party/npapi/bindings/npapi_extensions.h"
32 #include "third_party/skia/include/ports/SkFontConfigInterface.h"
33 #include "ui/gfx/font.h"
34 #include "ui/gfx/font_render_params.h"
35
36 using blink::WebCString;
37 using blink::WebFontInfo;
38 using blink::WebUChar;
39 using blink::WebUChar32;
40
41 namespace content {
42
43 namespace {
44
45 // Converts gfx::FontRenderParams::Hinting to WebFontRenderStyle::hintStyle.
46 // Returns an int for serialization, but the underlying Blink type is a char.
ConvertHinting(gfx::FontRenderParams::Hinting hinting)47 int ConvertHinting(gfx::FontRenderParams::Hinting hinting) {
48 switch (hinting) {
49 case gfx::FontRenderParams::HINTING_NONE: return 0;
50 case gfx::FontRenderParams::HINTING_SLIGHT: return 1;
51 case gfx::FontRenderParams::HINTING_MEDIUM: return 2;
52 case gfx::FontRenderParams::HINTING_FULL: return 3;
53 }
54 NOTREACHED() << "Unexpected hinting value " << hinting;
55 return 0;
56 }
57
58 // Converts gfx::FontRenderParams::SubpixelRendering to
59 // WebFontRenderStyle::useSubpixelRendering. Returns an int for serialization,
60 // but the underlying Blink type is a char.
ConvertSubpixelRendering(gfx::FontRenderParams::SubpixelRendering rendering)61 int ConvertSubpixelRendering(
62 gfx::FontRenderParams::SubpixelRendering rendering) {
63 switch (rendering) {
64 case gfx::FontRenderParams::SUBPIXEL_RENDERING_NONE: return 0;
65 case gfx::FontRenderParams::SUBPIXEL_RENDERING_RGB: return 1;
66 case gfx::FontRenderParams::SUBPIXEL_RENDERING_BGR: return 1;
67 case gfx::FontRenderParams::SUBPIXEL_RENDERING_VRGB: return 1;
68 case gfx::FontRenderParams::SUBPIXEL_RENDERING_VBGR: return 1;
69 }
70 NOTREACHED() << "Unexpected subpixel rendering value " << rendering;
71 return 0;
72 }
73
74 } // namespace
75
SandboxIPCHandler(int lifeline_fd,int browser_socket)76 SandboxIPCHandler::SandboxIPCHandler(int lifeline_fd, int browser_socket)
77 : lifeline_fd_(lifeline_fd),
78 browser_socket_(browser_socket) {
79 }
80
Run()81 void SandboxIPCHandler::Run() {
82 struct pollfd pfds[2];
83 pfds[0].fd = lifeline_fd_;
84 pfds[0].events = POLLIN;
85 pfds[1].fd = browser_socket_;
86 pfds[1].events = POLLIN;
87
88 int failed_polls = 0;
89 for (;;) {
90 const int r =
91 HANDLE_EINTR(poll(pfds, arraysize(pfds), -1 /* no timeout */));
92 // '0' is not a possible return value with no timeout.
93 DCHECK_NE(0, r);
94 if (r < 0) {
95 PLOG(WARNING) << "poll";
96 if (failed_polls++ == 3) {
97 LOG(FATAL) << "poll(2) failing. SandboxIPCHandler aborting.";
98 return;
99 }
100 continue;
101 }
102
103 failed_polls = 0;
104
105 // The browser process will close the other end of this pipe on shutdown,
106 // so we should exit.
107 if (pfds[0].revents) {
108 break;
109 }
110
111 // If poll(2) reports an error condition in this fd,
112 // we assume the zygote is gone and we exit the loop.
113 if (pfds[1].revents & (POLLERR | POLLHUP)) {
114 break;
115 }
116
117 if (pfds[1].revents & POLLIN) {
118 HandleRequestFromRenderer(browser_socket_);
119 }
120 }
121
122 VLOG(1) << "SandboxIPCHandler stopping.";
123 }
124
HandleRequestFromRenderer(int fd)125 void SandboxIPCHandler::HandleRequestFromRenderer(int fd) {
126 ScopedVector<base::ScopedFD> fds;
127
128 // A FontConfigIPC::METHOD_MATCH message could be kMaxFontFamilyLength
129 // bytes long (this is the largest message type).
130 // 128 bytes padding are necessary so recvmsg() does not return MSG_TRUNC
131 // error for a maximum length message.
132 char buf[FontConfigIPC::kMaxFontFamilyLength + 128];
133
134 const ssize_t len = UnixDomainSocket::RecvMsg(fd, buf, sizeof(buf), &fds);
135 if (len == -1) {
136 // TODO: should send an error reply, or the sender might block forever.
137 NOTREACHED() << "Sandbox host message is larger than kMaxFontFamilyLength";
138 return;
139 }
140 if (fds.empty())
141 return;
142
143 Pickle pickle(buf, len);
144 PickleIterator iter(pickle);
145
146 int kind;
147 if (!pickle.ReadInt(&iter, &kind))
148 return;
149
150 if (kind == FontConfigIPC::METHOD_MATCH) {
151 HandleFontMatchRequest(fd, pickle, iter, fds.get());
152 } else if (kind == FontConfigIPC::METHOD_OPEN) {
153 HandleFontOpenRequest(fd, pickle, iter, fds.get());
154 } else if (kind == LinuxSandbox::METHOD_GET_FALLBACK_FONT_FOR_CHAR) {
155 HandleGetFallbackFontForChar(fd, pickle, iter, fds.get());
156 } else if (kind == LinuxSandbox::METHOD_LOCALTIME) {
157 HandleLocaltime(fd, pickle, iter, fds.get());
158 } else if (kind == LinuxSandbox::METHOD_GET_STYLE_FOR_STRIKE) {
159 HandleGetStyleForStrike(fd, pickle, iter, fds.get());
160 } else if (kind == LinuxSandbox::METHOD_MAKE_SHARED_MEMORY_SEGMENT) {
161 HandleMakeSharedMemorySegment(fd, pickle, iter, fds.get());
162 } else if (kind == LinuxSandbox::METHOD_MATCH_WITH_FALLBACK) {
163 HandleMatchWithFallback(fd, pickle, iter, fds.get());
164 }
165 }
166
FindOrAddPath(const SkString & path)167 int SandboxIPCHandler::FindOrAddPath(const SkString& path) {
168 int count = paths_.count();
169 for (int i = 0; i < count; ++i) {
170 if (path == *paths_[i])
171 return i;
172 }
173 *paths_.append() = new SkString(path);
174 return count;
175 }
176
HandleFontMatchRequest(int fd,const Pickle & pickle,PickleIterator iter,const std::vector<base::ScopedFD * > & fds)177 void SandboxIPCHandler::HandleFontMatchRequest(
178 int fd,
179 const Pickle& pickle,
180 PickleIterator iter,
181 const std::vector<base::ScopedFD*>& fds) {
182 uint32_t requested_style;
183 std::string family;
184 if (!pickle.ReadString(&iter, &family) ||
185 !pickle.ReadUInt32(&iter, &requested_style))
186 return;
187
188 SkFontConfigInterface::FontIdentity result_identity;
189 SkString result_family;
190 SkTypeface::Style result_style;
191 SkFontConfigInterface* fc =
192 SkFontConfigInterface::GetSingletonDirectInterface();
193 const bool r =
194 fc->matchFamilyName(family.c_str(),
195 static_cast<SkTypeface::Style>(requested_style),
196 &result_identity,
197 &result_family,
198 &result_style);
199
200 Pickle reply;
201 if (!r) {
202 reply.WriteBool(false);
203 } else {
204 // Stash away the returned path, so we can give it an ID (index)
205 // which will later be given to us in a request to open the file.
206 int index = FindOrAddPath(result_identity.fString);
207 result_identity.fID = static_cast<uint32_t>(index);
208
209 reply.WriteBool(true);
210 skia::WriteSkString(&reply, result_family);
211 skia::WriteSkFontIdentity(&reply, result_identity);
212 reply.WriteUInt32(result_style);
213 }
214 SendRendererReply(fds, reply, -1);
215 }
216
HandleFontOpenRequest(int fd,const Pickle & pickle,PickleIterator iter,const std::vector<base::ScopedFD * > & fds)217 void SandboxIPCHandler::HandleFontOpenRequest(
218 int fd,
219 const Pickle& pickle,
220 PickleIterator iter,
221 const std::vector<base::ScopedFD*>& fds) {
222 uint32_t index;
223 if (!pickle.ReadUInt32(&iter, &index))
224 return;
225 if (index >= static_cast<uint32_t>(paths_.count()))
226 return;
227 const int result_fd = open(paths_[index]->c_str(), O_RDONLY);
228
229 Pickle reply;
230 if (result_fd == -1) {
231 reply.WriteBool(false);
232 } else {
233 reply.WriteBool(true);
234 }
235
236 // The receiver will have its own access to the file, so we will close it
237 // after this send.
238 SendRendererReply(fds, reply, result_fd);
239
240 if (result_fd >= 0) {
241 int err = IGNORE_EINTR(close(result_fd));
242 DCHECK(!err);
243 }
244 }
245
HandleGetFallbackFontForChar(int fd,const Pickle & pickle,PickleIterator iter,const std::vector<base::ScopedFD * > & fds)246 void SandboxIPCHandler::HandleGetFallbackFontForChar(
247 int fd,
248 const Pickle& pickle,
249 PickleIterator iter,
250 const std::vector<base::ScopedFD*>& fds) {
251 // The other side of this call is
252 // content/common/child_process_sandbox_support_impl_linux.cc
253
254 EnsureWebKitInitialized();
255 WebUChar32 c;
256 if (!pickle.ReadInt(&iter, &c))
257 return;
258
259 std::string preferred_locale;
260 if (!pickle.ReadString(&iter, &preferred_locale))
261 return;
262
263 blink::WebFallbackFont fallbackFont;
264 WebFontInfo::fallbackFontForChar(c, preferred_locale.c_str(), &fallbackFont);
265
266 int pathIndex = FindOrAddPath(SkString(fallbackFont.filename.data()));
267 fallbackFont.fontconfigInterfaceId = pathIndex;
268
269 Pickle reply;
270 if (fallbackFont.name.data()) {
271 reply.WriteString(fallbackFont.name.data());
272 } else {
273 reply.WriteString(std::string());
274 }
275 if (fallbackFont.filename.data()) {
276 reply.WriteString(fallbackFont.filename.data());
277 } else {
278 reply.WriteString(std::string());
279 }
280 reply.WriteInt(fallbackFont.fontconfigInterfaceId);
281 reply.WriteInt(fallbackFont.ttcIndex);
282 reply.WriteBool(fallbackFont.isBold);
283 reply.WriteBool(fallbackFont.isItalic);
284 SendRendererReply(fds, reply, -1);
285 }
286
HandleGetStyleForStrike(int fd,const Pickle & pickle,PickleIterator iter,const std::vector<base::ScopedFD * > & fds)287 void SandboxIPCHandler::HandleGetStyleForStrike(
288 int fd,
289 const Pickle& pickle,
290 PickleIterator iter,
291 const std::vector<base::ScopedFD*>& fds) {
292 std::string family;
293 bool bold, italic;
294 uint16 pixel_size;
295
296 if (!pickle.ReadString(&iter, &family) ||
297 !pickle.ReadBool(&iter, &bold) ||
298 !pickle.ReadBool(&iter, &italic) ||
299 !pickle.ReadUInt16(&iter, &pixel_size)) {
300 return;
301 }
302
303 EnsureWebKitInitialized();
304
305 gfx::FontRenderParamsQuery query(true);
306 query.families.push_back(family);
307 query.pixel_size = pixel_size;
308 query.style = gfx::Font::NORMAL |
309 (bold ? gfx::Font::BOLD : 0) | (italic ? gfx::Font::ITALIC : 0);
310 const gfx::FontRenderParams params = gfx::GetFontRenderParams(query, NULL);
311
312 // These are passed as ints since they're interpreted as tri-state chars in
313 // Blink.
314 Pickle reply;
315 reply.WriteInt(params.use_bitmaps);
316 reply.WriteInt(params.autohinter);
317 reply.WriteInt(params.hinting != gfx::FontRenderParams::HINTING_NONE);
318 reply.WriteInt(ConvertHinting(params.hinting));
319 reply.WriteInt(params.antialiasing);
320 reply.WriteInt(ConvertSubpixelRendering(params.subpixel_rendering));
321 reply.WriteInt(params.subpixel_positioning);
322
323 SendRendererReply(fds, reply, -1);
324 }
325
HandleLocaltime(int fd,const Pickle & pickle,PickleIterator iter,const std::vector<base::ScopedFD * > & fds)326 void SandboxIPCHandler::HandleLocaltime(
327 int fd,
328 const Pickle& pickle,
329 PickleIterator iter,
330 const std::vector<base::ScopedFD*>& fds) {
331 // The other side of this call is in zygote_main_linux.cc
332
333 std::string time_string;
334 if (!pickle.ReadString(&iter, &time_string) ||
335 time_string.size() != sizeof(time_t)) {
336 return;
337 }
338
339 time_t time;
340 memcpy(&time, time_string.data(), sizeof(time));
341 // We use localtime here because we need the tm_zone field to be filled
342 // out. Since we are a single-threaded process, this is safe.
343 const struct tm* expanded_time = localtime(&time);
344
345 std::string result_string;
346 const char* time_zone_string = "";
347 if (expanded_time != NULL) {
348 result_string = std::string(reinterpret_cast<const char*>(expanded_time),
349 sizeof(struct tm));
350 time_zone_string = expanded_time->tm_zone;
351 }
352
353 Pickle reply;
354 reply.WriteString(result_string);
355 reply.WriteString(time_zone_string);
356 SendRendererReply(fds, reply, -1);
357 }
358
HandleMakeSharedMemorySegment(int fd,const Pickle & pickle,PickleIterator iter,const std::vector<base::ScopedFD * > & fds)359 void SandboxIPCHandler::HandleMakeSharedMemorySegment(
360 int fd,
361 const Pickle& pickle,
362 PickleIterator iter,
363 const std::vector<base::ScopedFD*>& fds) {
364 base::SharedMemoryCreateOptions options;
365 uint32_t size;
366 if (!pickle.ReadUInt32(&iter, &size))
367 return;
368 options.size = size;
369 if (!pickle.ReadBool(&iter, &options.executable))
370 return;
371 int shm_fd = -1;
372 base::SharedMemory shm;
373 if (shm.Create(options))
374 shm_fd = shm.handle().fd;
375 Pickle reply;
376 SendRendererReply(fds, reply, shm_fd);
377 }
378
HandleMatchWithFallback(int fd,const Pickle & pickle,PickleIterator iter,const std::vector<base::ScopedFD * > & fds)379 void SandboxIPCHandler::HandleMatchWithFallback(
380 int fd,
381 const Pickle& pickle,
382 PickleIterator iter,
383 const std::vector<base::ScopedFD*>& fds) {
384 std::string face;
385 bool is_bold, is_italic;
386 uint32 charset, fallback_family;
387
388 if (!pickle.ReadString(&iter, &face) || face.empty() ||
389 !pickle.ReadBool(&iter, &is_bold) ||
390 !pickle.ReadBool(&iter, &is_italic) ||
391 !pickle.ReadUInt32(&iter, &charset) ||
392 !pickle.ReadUInt32(&iter, &fallback_family)) {
393 return;
394 }
395
396 int font_fd = MatchFontFaceWithFallback(
397 face, is_bold, is_italic, charset, fallback_family);
398
399 Pickle reply;
400 SendRendererReply(fds, reply, font_fd);
401
402 if (font_fd >= 0) {
403 if (IGNORE_EINTR(close(font_fd)) < 0)
404 PLOG(ERROR) << "close";
405 }
406 }
407
SendRendererReply(const std::vector<base::ScopedFD * > & fds,const Pickle & reply,int reply_fd)408 void SandboxIPCHandler::SendRendererReply(
409 const std::vector<base::ScopedFD*>& fds,
410 const Pickle& reply,
411 int reply_fd) {
412 struct msghdr msg;
413 memset(&msg, 0, sizeof(msg));
414 struct iovec iov = {const_cast<void*>(reply.data()), reply.size()};
415 msg.msg_iov = &iov;
416 msg.msg_iovlen = 1;
417
418 char control_buffer[CMSG_SPACE(sizeof(int))];
419
420 if (reply_fd != -1) {
421 struct stat st;
422 if (fstat(reply_fd, &st) == 0 && S_ISDIR(st.st_mode)) {
423 LOG(FATAL) << "Tried to send a directory descriptor over sandbox IPC";
424 // We must never send directory descriptors to a sandboxed process
425 // because they can use openat with ".." elements in the path in order
426 // to escape the sandbox and reach the real filesystem.
427 }
428
429 struct cmsghdr* cmsg;
430 msg.msg_control = control_buffer;
431 msg.msg_controllen = sizeof(control_buffer);
432 cmsg = CMSG_FIRSTHDR(&msg);
433 cmsg->cmsg_level = SOL_SOCKET;
434 cmsg->cmsg_type = SCM_RIGHTS;
435 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
436 memcpy(CMSG_DATA(cmsg), &reply_fd, sizeof(reply_fd));
437 msg.msg_controllen = cmsg->cmsg_len;
438 }
439
440 if (HANDLE_EINTR(sendmsg(fds[0]->get(), &msg, MSG_DONTWAIT)) < 0)
441 PLOG(ERROR) << "sendmsg";
442 }
443
~SandboxIPCHandler()444 SandboxIPCHandler::~SandboxIPCHandler() {
445 paths_.deleteAll();
446 if (webkit_platform_support_)
447 blink::shutdownWithoutV8();
448
449 if (IGNORE_EINTR(close(lifeline_fd_)) < 0)
450 PLOG(ERROR) << "close";
451 if (IGNORE_EINTR(close(browser_socket_)) < 0)
452 PLOG(ERROR) << "close";
453 }
454
EnsureWebKitInitialized()455 void SandboxIPCHandler::EnsureWebKitInitialized() {
456 if (webkit_platform_support_)
457 return;
458 webkit_platform_support_.reset(new BlinkPlatformImpl);
459 blink::initializeWithoutV8(webkit_platform_support_.get());
460 }
461
462 } // namespace content
463