author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-09-01 11:08:40 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-10-01 12:16:21 +0000 |
commit | 03c549e0392f92c02536d3f86d5e1d8dfa3435ac (patch) | |
tree | fe49d170a929b34ba82cd10db1a0bd8e3760fa4b /chromium/sandbox | |
parent | 5d013f5804a0d91fcf6c626b2d6fb6eca5c845b0 (diff) | |
download | qtwebengine-chromium-03c549e0392f92c02536d3f86d5e1d8dfa3435ac.tar.gz |
BASELINE: Update Chromium to 91.0.4472.160
Change-Id: I0def1f08a2412aeed79a9ab95dd50eb5c3f65f31
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/sandbox')
65 files changed, 1302 insertions, 831 deletions
diff --git a/chromium/sandbox/OWNERS b/chromium/sandbox/OWNERS index 64cd8f430ac..a1529108d5c 100644 --- a/chromium/sandbox/OWNERS +++ b/chromium/sandbox/OWNERS @@ -1,6 +1,5 @@ set noparent jorgelo@chromium.org -jschuh@chromium.org palmer@chromium.org rsesek@chromium.org tsepez@chromium.org diff --git a/chromium/sandbox/constants.h b/chromium/sandbox/constants.h index 3e0ebc16fe4..8f8ddf2f448 100644 --- a/chromium/sandbox/constants.h +++ b/chromium/sandbox/constants.h @@ -15,7 +15,9 @@ namespace sandbox { // JOBOBJECT_EXTENDED_LIMIT_INFORMATION.JobMemoryLimit on Windows. // #if defined(ARCH_CPU_64_BITS) -constexpr size_t kDataSizeLimit = size_t{1} << 34; // 16 GB +// Note: On Linux and Windows, the sandbox may set a higher limit for +// renderer and GPU processes if the system has enough physical memory. +constexpr size_t kDataSizeLimit = size_t{1} << 32; // 4 GB #else // Limit the data memory to a size that prevents allocations that can't be // indexed by an int. diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc index 5242bde81fb..05c39f0f564 100644 --- a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +++ b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc @@ -140,6 +140,17 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, } #endif + if (sysno == __NR_uname) { + return Allow(); + } + + // Return -EPERM rather than killing the process with SIGSYS. This happens + // because if a sandboxed process attempts to use sendfile(2) it should be + // allowed to fall back to read(2)/write(2). + if (SyscallSets::IsSendfile(sysno)) { + return Error(EPERM); + } + if (IsBaselinePolicyAllowed(sysno)) { return Allow(); } @@ -159,7 +170,7 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, return Allow(); #endif - if (sysno == __NR_clock_gettime || sysno == __NR_clock_nanosleep) { + if (SyscallSets::IsClockApi(sysno)) { return RestrictClockID(); } 
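Review bot: The new `if (sysno == __NR_uname) { return Allow(); }` at the top of the first baseline_policy.cc hunk carries no rationale, while the sendfile rule directly beneath it explains why it answers EPERM instead of SIGSYS. This widens the baseline policy for every Linux process type built on it, and elsewhere in this commit the Android baseline drops its own `case __NR_uname:`, presumably because this rule now covers it, so a later reader cannot tell whether the allowance was deliberate or incidental. Suggest `// uname(2) is allowed for all process types; the Android baseline used to list it on its own (see baseline_policy_android.cc).` plus the bug or caller that motivated it, if one exists. EvaluateSyscallImpl begins and ends outside this hunk.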
@@ -193,8 +204,14 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, } #endif - if (sysno == __NR_futex) + if (sysno == __NR_futex +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + || sysno == __NR_futex_time64 +#endif + ) { return RestrictFutex(); + } if (sysno == __NR_set_robust_list) return Error(EPERM); diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.cc index c9d598cfd00..7610acd3e0f 100644 --- a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.cc +++ b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.cc @@ -112,6 +112,10 @@ ResultExpr BaselinePolicyAndroid::EvaluateSyscall(int sysno) const { case __NR_openat: case __NR_pwrite64: case __NR_rt_sigtimedwait: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_rt_sigtimedwait_time64: +#endif // sched_getaffinity() and sched_setaffinity() are required for an // experiment to schedule all Chromium threads onto LITTLE cores // (crbug.com/1111789). Should be removed or reconsidered once @@ -134,7 +138,6 @@ ResultExpr BaselinePolicyAndroid::EvaluateSyscall(int sysno) const { case __NR_getrlimit: #endif case __NR_sysinfo: // https://crbug.com/655277 - case __NR_uname: // Permit socket operations so that renderers can connect to logd and // debuggerd. The arguments to socket() are further restricted below. @@ -172,7 +175,12 @@ ResultExpr BaselinePolicyAndroid::EvaluateSyscall(int sysno) const { } // https://crbug.com/655299 - if (sysno == __NR_clock_getres) { + if (sysno == __NR_clock_getres +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + || sysno == __NR_clock_getres_time64 +#endif + ) { return RestrictClockID(); } 
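Review bot: The two-line `#if defined(__i386__) || defined(__arm__) || (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))` guard introduced around `__NR_futex_time64` here is pasted verbatim at every other time64 site in this commit (baseline_policy_android.cc, syscall_parameters_restrictions.cc, syscall_sets.cc, bpf_audio_policy_linux.cc, bpf_ime_policy_linux.cc, bpf_renderer_policy_linux.cc), while syscall_parameters_restrictions_unittests.cc and the new IsSendfile() use `#if defined(__NR_clock_gettime64)`-style existence checks for the same purpose, and in bpf_ime_policy_linux.cc the two forms sit in adjacent `case` labels. Two idioms for one condition make it easy for a future time64 syscall to be guarded one way in a policy and the other way in its test, so they silently disagree on some platform. Since this commit's arm and mips headers define every `*_time64` number under `#if !defined(...)` (and x86_32 presumably already does), the existence-check form works everywhere and reads more directly; alternatively hoist the arch triple into one shared macro in system_headers (constructed name, e.g. `SANDBOX_HAS_TIME64_SYSCALLS`) and use it at all sites. EvaluateSyscallImpl starts and ends outside this hunk.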
diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc index 8fa54f5a077..cc0e91b203c 100644 --- a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc +++ b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc @@ -159,6 +159,10 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() { .Else(CrashSIGSYSClone()); } +#ifndef PR_PAC_RESET_KEYS +#define PR_PAC_RESET_KEYS 54 +#endif + ResultExpr RestrictPrctl() { // Will need to add seccomp compositing in the future. PR_SET_PTRACER is // used by breakpad but not needed anymore. @@ -167,7 +171,7 @@ ResultExpr RestrictPrctl() { .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE #if defined(OS_ANDROID) , PR_SET_VMA, PR_SET_PTRACER, PR_SET_TIMERSLACK - , PR_GET_NO_NEW_PRIVS + , PR_GET_NO_NEW_PRIVS, PR_PAC_RESET_KEYS // Enable PR_SET_TIMERSLACK_PID, an Android custom prctl which is used in: // https://android.googlesource.com/platform/system/core/+/lollipop-release/libcutils/sched_policy.c. @@ -332,6 +336,10 @@ ResultExpr RestrictSchedTarget(pid_t target_pid, int sysno) { case __NR_sched_getparam: case __NR_sched_getscheduler: case __NR_sched_rr_get_interval: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_sched_rr_get_interval_time64: +#endif case __NR_sched_setaffinity: case __NR_sched_setattr: case __NR_sched_setparam: diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc index 4bbfc7e53b6..903e702eab1 100644 --- a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc +++ b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc 
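Review bot: The fallback `#define PR_PAC_RESET_KEYS 54` and the new `PR_PAC_RESET_KEYS` entry in RestrictPrctl()'s Android CASES list arrive without a comment, whereas the neighbouring PR_SET_TIMERSLACK_PID entry says where it comes from and who uses it. From the hunk alone a reader cannot tell whether 54 is the upstream value or why a sandboxed Android process needs to reset its pointer-authentication keys, which is exactly the kind of allow-list growth that should be traceable later. Suggest `// Value from <linux/prctl.h>; defined here for sysroots whose headers predate it.` on the define, and a one-line note at the CASES entry naming the caller that needs it (presumably libc on arm64 Android, so confirm against the motivating bug). RestrictPrctl() continues outside the hunk.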
@@ -59,8 +59,14 @@ class RestrictClockIdPolicy : public bpf_dsl::Policy { ResultExpr EvaluateSyscall(int sysno) const override { switch (sysno) { case __NR_clock_gettime: +#if defined(__NR_clock_gettime64) + case __NR_clock_gettime64: +#endif case __NR_clock_getres: case __NR_clock_nanosleep: +#if defined(__NR_clock_nanosleep_time64) + case __NR_clock_nanosleep_time64: +#endif return RestrictClockID(); default: return Allow(); diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc index f40d436edfb..96c9f490e28 100644 --- a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +++ b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc @@ -34,12 +34,23 @@ bool SyscallSets::IsAllowedGettime(int sysno) { #endif return true; case __NR_adjtimex: // Privileged. + case __NR_clock_gettime: // Parameters filtered by RestrictClockID(). + case __NR_clock_settime: // Privileged. case __NR_clock_adjtime: // Privileged. case __NR_clock_getres: // Allowed only on Android with parameters - // filtered by RestrictClokID(). - case __NR_clock_gettime: // Parameters filtered by RestrictClockID(). + // filtered by RestrictClockID(). case __NR_clock_nanosleep: // Parameters filtered by RestrictClockID(). - case __NR_clock_settime: // Privileged. + + // time64 versions are available on 32-bit systems. +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_clock_gettime64: // Parameters filtered by RestrictClockID(). + case __NR_clock_settime64: // Privileged. + case __NR_clock_adjtime64: // Privileged. + case __NR_clock_getres_time64: // Allowed only on Android with parameters + // filtered by RestrictClockID(). + case __NR_clock_nanosleep_time64: // Parameters filtered by RestrictClockID(). +#endif #if defined(__i386__) || \ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) case __NR_ftime: // Obsolete. 
@@ -54,6 +65,18 @@ bool SyscallSets::IsAllowedGettime(int sysno) { } } +bool SyscallSets::IsSendfile(int sysno) { + if (sysno == __NR_sendfile) { + return true; + } +#if defined(__NR_sendfile64) + if (sysno == __NR_sendfile64) { + return true; + } +#endif + return false; +} + bool SyscallSets::IsCurrentDirectory(int sysno) { switch (sysno) { case __NR_getcwd: @@ -159,6 +182,10 @@ bool SyscallSets::IsFileSystem(int sysno) { case __NR_utime: #endif case __NR_utimensat: // New. +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_utimensat_time64: +#endif return true; default: return false; @@ -314,6 +341,7 @@ bool SyscallSets::IsAllowedSignalHandling(int sysno) { case __NR_rt_sigtimedwait: #if defined(__i386__) || defined(__arm__) || \ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_rt_sigtimedwait_time64: case __NR_sigaction: case __NR_sigprocmask: case __NR_sigreturn: @@ -417,6 +445,10 @@ bool SyscallSets::IsAllowedFutex(int sysno) { case __NR_get_robust_list: case __NR_set_robust_list: case __NR_futex: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_futex_time64: +#endif default: return false; } @@ -553,7 +585,15 @@ bool SyscallSets::IsAllowedGeneralIo(int sysno) { case __NR_poll: #endif case __NR_ppoll: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_ppoll_time64: +#endif case __NR_pselect6: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_pselect6_time64: +#endif case __NR_read: case __NR_readv: case __NR_pread64: 
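Review bot: The new SyscallSets::IsSendfile() is written as an if-chain, while every other predicate in syscall_sets.cc visible in this diff (IsAllowedGettime, IsCurrentDirectory, IsFileSystem, IsAllowedFutex, IsAllowedGeneralIo and so on) is a `switch (sysno)` with fall-through cases and a `default: return false;`. Matching the file's shape keeps the 64-suffixed variant visually aligned with how `__NR_sendfile64` was listed before this commit removed it from IsAllowedGeneralIo(), and makes the function scan like its siblings when auditing the sets. The `#if defined(__NR_sendfile64)` guard can stay as it is.
```cpp
bool SyscallSets::IsSendfile(int sysno) {
  switch (sysno) {
    case __NR_sendfile:
#if defined(__NR_sendfile64)
    case __NR_sendfile64:
#endif
      return true;
    default:
      return false;
  }
}
```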
@@ -589,10 +629,9 @@ bool SyscallSets::IsAllowedGeneralIo(int sysno) { case __NR_pwrite64: case __NR_pwritev: case __NR_recvmmsg: // Could specify source. - case __NR_sendfile: #if defined(__i386__) || defined(__arm__) || \ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) - case __NR_sendfile64: + case __NR_recvmmsg_time64: // Could specify source. #endif case __NR_sendmmsg: // Could specify destination. case __NR_splice: @@ -730,6 +769,12 @@ bool SyscallSets::IsMessageQueue(int sysno) { case __NR_mq_timedreceive: case __NR_mq_timedsend: case __NR_mq_unlink: + // time64 versions available on 32-bit systems. +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_mq_timedreceive_time64: + case __NR_mq_timedsend_time64: +#endif return true; default: return false; @@ -836,6 +881,10 @@ bool SyscallSets::IsSystemVSemaphores(int sysno) { case __NR_semget: case __NR_semop: case __NR_semtimedop: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_semtimedop_time64: +#endif return true; default: return false; @@ -912,6 +961,10 @@ bool SyscallSets::IsAdvancedScheduler(int sysno) { case __NR_sched_getparam: case __NR_sched_getscheduler: case __NR_sched_rr_get_interval: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_sched_rr_get_interval_time64: +#endif case __NR_sched_setaffinity: case __NR_sched_setattr: case __NR_sched_setparam: 
@@ -969,6 +1022,29 @@ bool SyscallSets::IsAdvancedTimer(int sysno) { case __NR_timerfd_create: case __NR_timerfd_gettime: case __NR_timerfd_settime: +// time64 versions are available on 32-bit systems. +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_timer_gettime64: + case __NR_timer_settime64: + case __NR_timerfd_gettime64: + case __NR_timerfd_settime64: +#endif + return true; + default: + return false; + } +} + +bool SyscallSets::IsClockApi(int sysno) { + switch (sysno) { + case __NR_clock_gettime: + case __NR_clock_nanosleep: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_clock_gettime64: + case __NR_clock_nanosleep_time64: +#endif return true; default: return false; diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h index 923533ec9fd..4921eed8cf0 100644 --- a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h +++ b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h @@ -62,6 +62,7 @@ class SANDBOX_EXPORT SyscallSets { static bool IsKernelModule(int sysno); static bool IsGlobalFSViewChange(int sysno); static bool IsFsControl(int sysno); + static bool IsSendfile(int sysno); static bool IsNuma(int sysno); static bool IsMessageQueue(int sysno); static bool IsGlobalProcessEnvironment(int sysno); @@ -99,6 +100,7 @@ class SANDBOX_EXPORT SyscallSets { static bool IsFaNotify(int sysno); static bool IsTimer(int sysno); static bool IsAdvancedTimer(int sysno); + static bool IsClockApi(int sysno); static bool IsExtendedAttributes(int sysno); static bool IsMisc(int sysno); #if defined(__arm__) diff --git a/chromium/sandbox/linux/services/proc_util.cc b/chromium/sandbox/linux/services/proc_util.cc index 74f589121e7..78389df782f 100644 --- a/chromium/sandbox/linux/services/proc_util.cc +++ b/chromium/sandbox/linux/services/proc_util.cc 
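Review bot: SyscallSets::IsClockApi() has no comment saying which clock syscalls it deliberately leaves out, and its name suggests the whole clock_* family. The hunk shows it covers only clock_gettime/clock_nanosleep and their time64 variants; clock_getres is opted into separately (the Android baseline and the renderer policy add it themselves in this commit) and clock_settime/clock_adjtime stay in IsAllowedGettime() marked privileged. Suggest a header comment such as `// Clock syscalls the baseline policy admits subject to RestrictClockID(). clock_getres is opted into per policy; clock_settime/clock_adjtime stay denied.` so the next maintainer does not add getres here and extend every baseline-derived policy at once. The declaration added to syscall_sets.h could carry the same one-liner.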
@@ -94,7 +94,7 @@ bool ProcUtil::HasOpenDirectory(int proc_fd) {
 struct stat s;
 // It's OK to use proc_self_fd here, fstatat won't modify it.
- CHECK(fstatat(proc_self_fd, de->d_name, &s, 0) == 0);
+ PCHECK(fstatat(proc_self_fd, de->d_name, &s, 0) == 0);
 if (S_ISDIR(s.st_mode)) {
 return true;
 }
diff --git a/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc b/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc
index 43359fb2ab9..0d31776b0c8 100644
--- a/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc
+++ b/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc
@@ -18,7 +18,6 @@
 #include "base/task/thread_pool.h"
 #include "base/test/bind.h"
 #include "base/test/task_environment.h"
-#include "base/test/test_timeouts.h"
 #include "base/threading/thread.h"
 #include "sandbox/linux/syscall_broker/broker_channel.h"
 #include "sandbox/linux/syscall_broker/broker_simple_message.h"
@@ -791,11 +790,6 @@ void ReceiveThreeFdsSendTwoBack(BrokerChannel::EndPoint* ipc_reader) {
 class BrokerSimpleMessageFdTest : public testing::Test {
 public:
 void SetUp() override {
-#if !defined(SANDBOX_USES_BASE_TEST_SUITE)
- // TaskEnvironment requires initialized TestTimeouts, which are already
- // enabled if using the base test suite.
- TestTimeouts::Initialize();
-#endif
 task_environment_ = std::make_unique<base::test::TaskEnvironment>();
 }
diff --git a/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h b/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
index 85e2110b4c2..85da6f41c66 100644
--- a/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
+++ b/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
@@ -1441,6 +1441,170 @@ #define __NR_io_pgetevents (__NR_SYSCALL_BASE+399) #endif +#if !defined(__NR_migrate_pages) +#define __NR_migrate_pages (__NR_SYSCALL_BASE + 400) +#endif + +#if !defined(__NR_kexec_file_load) +#define __NR_kexec_file_load (__NR_SYSCALL_BASE + 401) +#endif + +#if !defined(__NR_clock_gettime64) +#define __NR_clock_gettime64 (__NR_SYSCALL_BASE + 403) +#endif + +#if !defined(__NR_clock_settime64) +#define __NR_clock_settime64 (__NR_SYSCALL_BASE + 404) +#endif + +#if !defined(__NR_clock_adjtime64) +#define __NR_clock_adjtime64 (__NR_SYSCALL_BASE + 405) +#endif + +#if !defined(__NR_clock_getres_time64) +#define __NR_clock_getres_time64 (__NR_SYSCALL_BASE + 406) +#endif + +#if !defined(__NR_clock_nanosleep_time64) +#define __NR_clock_nanosleep_time64 (__NR_SYSCALL_BASE + 407) +#endif + +#if !defined(__NR_timer_gettime64) +#define __NR_timer_gettime64 (__NR_SYSCALL_BASE + 408) +#endif + +#if !defined(__NR_timer_settime64) +#define __NR_timer_settime64 (__NR_SYSCALL_BASE + 409) +#endif + +#if !defined(__NR_timerfd_gettime64) +#define __NR_timerfd_gettime64 (__NR_SYSCALL_BASE + 410) +#endif + +#if !defined(__NR_timerfd_settime64) +#define __NR_timerfd_settime64 (__NR_SYSCALL_BASE + 411) +#endif + +#if !defined(__NR_utimensat_time64) +#define __NR_utimensat_time64 (__NR_SYSCALL_BASE + 412) +#endif + +#if !defined(__NR_pselect6_time64) +#define __NR_pselect6_time64 (__NR_SYSCALL_BASE + 413) +#endif + +#if !defined(__NR_ppoll_time64) +#define __NR_ppoll_time64 (__NR_SYSCALL_BASE + 414) +#endif + +#if !defined(__NR_io_pgetevents_time64) +#define __NR_io_pgetevents_time64 (__NR_SYSCALL_BASE + 416) +#endif + +#if !defined(__NR_recvmmsg_time64) +#define __NR_recvmmsg_time64 (__NR_SYSCALL_BASE + 417) +#endif + +#if !defined(__NR_mq_timedsend_time64) +#define __NR_mq_timedsend_time64 (__NR_SYSCALL_BASE + 418) +#endif + +#if !defined(__NR_mq_timedreceive_time64) +#define __NR_mq_timedreceive_time64 (__NR_SYSCALL_BASE + 419) +#endif + +#if 
!defined(__NR_semtimedop_time64) +#define __NR_semtimedop_time64 (__NR_SYSCALL_BASE + 420) +#endif + +#if !defined(__NR_rt_sigtimedwait_time64) +#define __NR_rt_sigtimedwait_time64 (__NR_SYSCALL_BASE + 421) +#endif + +#if !defined(__NR_futex_time64) +#define __NR_futex_time64 (__NR_SYSCALL_BASE + 422) +#endif + +#if !defined(__NR_sched_rr_get_interval_time64) +#define __NR_sched_rr_get_interval_time64 (__NR_SYSCALL_BASE + 423) +#endif + +#if !defined(__NR_pidfd_send_signal) +#define __NR_pidfd_send_signal (__NR_SYSCALL_BASE + 424) +#endif + +#if !defined(__NR_io_uring_setup) +#define __NR_io_uring_setup (__NR_SYSCALL_BASE + 425) +#endif + +#if !defined(__NR_io_uring_enter) +#define __NR_io_uring_enter (__NR_SYSCALL_BASE + 426) +#endif + +#if !defined(__NR_io_uring_register) +#define __NR_io_uring_register (__NR_SYSCALL_BASE + 427) +#endif + +#if !defined(__NR_open_tree) +#define __NR_open_tree (__NR_SYSCALL_BASE + 428) +#endif + +#if !defined(__NR_move_mount) +#define __NR_move_mount (__NR_SYSCALL_BASE + 429) +#endif + +#if !defined(__NR_fsopen) +#define __NR_fsopen (__NR_SYSCALL_BASE + 430) +#endif + +#if !defined(__NR_fsconfig) +#define __NR_fsconfig (__NR_SYSCALL_BASE + 431) +#endif + +#if !defined(__NR_fsmount) +#define __NR_fsmount (__NR_SYSCALL_BASE + 432) +#endif + +#if !defined(__NR_fspick) +#define __NR_fspick (__NR_SYSCALL_BASE + 433) +#endif + +#if !defined(__NR_pidfd_open) +#define __NR_pidfd_open (__NR_SYSCALL_BASE + 434) +#endif + +#if !defined(__NR_clone3) +#define __NR_clone3 (__NR_SYSCALL_BASE + 435) +#endif + +#if !defined(__NR_close_range) +#define __NR_close_range (__NR_SYSCALL_BASE + 436) +#endif + +#if !defined(__NR_openat2) +#define __NR_openat2 (__NR_SYSCALL_BASE + 437) +#endif + +#if !defined(__NR_pidfd_getfd) +#define __NR_pidfd_getfd (__NR_SYSCALL_BASE + 438) +#endif + +#if !defined(__NR_faccessat2) +#define __NR_faccessat2 (__NR_SYSCALL_BASE + 439) +#endif + +#if !defined(__NR_process_madvise) +#define __NR_process_madvise 
(__NR_SYSCALL_BASE + 440) +#endif + +#if !defined(__NR_epoll_pwait2) +#define __NR_epoll_pwait2 (__NR_SYSCALL_BASE + 441) +#endif + +#if !defined(__NR_mount_setattr) +#define __NR_mount_setattr (__NR_SYSCALL_BASE + 442) +#endif + // ARM private syscalls. #if !defined(__ARM_NR_BASE) #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000) diff --git a/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h b/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h index ddbf97f3d8b..50d9ea11bfa 100644 --- a/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h +++ b/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h 
@@ -1433,4 +1433,256 @@ #define __NR_memfd_create (__NR_Linux + 354) #endif +#if !defined(__NR_bpf) +#define __NR_bpf (__NR_Linux + 355) +#endif + +#if !defined(__NR_execveat) +#define __NR_execveat (__NR_Linux + 356) +#endif + +#if !defined(__NR_userfaultfd) +#define __NR_userfaultfd (__NR_Linux + 357) +#endif + +#if !defined(__NR_membarrier) +#define __NR_membarrier (__NR_Linux + 358) +#endif + +#if !defined(__NR_mlock2) +#define __NR_mlock2 (__NR_Linux + 359) +#endif + +#if !defined(__NR_copy_file_range) +#define __NR_copy_file_range (__NR_Linux + 360) +#endif + +#if !defined(__NR_preadv2) +#define __NR_preadv2 (__NR_Linux + 361) +#endif + +#if !defined(__NR_pwritev2) +#define __NR_pwritev2 (__NR_Linux + 362) +#endif + +#if !defined(__NR_pkey_mprotect) +#define __NR_pkey_mprotect (__NR_Linux + 363) +#endif + +#if !defined(__NR_pkey_alloc) +#define __NR_pkey_alloc (__NR_Linux + 364) +#endif + +#if !defined(__NR_pkey_free) +#define __NR_pkey_free (__NR_Linux + 365) +#endif + +#if !defined(__NR_statx) +#define __NR_statx (__NR_Linux + 366) +#endif + +#if !defined(__NR_rseq) +#define __NR_rseq (__NR_Linux + 367) +#endif + +#if !defined(__NR_io_pgetevents) +#define __NR_io_pgetevents (__NR_Linux + 368) +#endif + +#if !defined(__NR_semget) +#define __NR_semget (__NR_Linux + 393) +#endif + +#if !defined(__NR_semctl) +#define __NR_semctl (__NR_Linux + 394) +#endif + +#if !defined(__NR_shmget) +#define __NR_shmget (__NR_Linux + 395) +#endif + +#if !defined(__NR_shmctl) +#define __NR_shmctl (__NR_Linux + 396) +#endif + +#if !defined(__NR_shmat) +#define __NR_shmat (__NR_Linux + 397) +#endif + +#if !defined(__NR_shmdt) +#define __NR_shmdt (__NR_Linux + 398) +#endif + +#if !defined(__NR_msgget) +#define __NR_msgget (__NR_Linux + 399) +#endif + +#if !defined(__NR_msgsnd) +#define __NR_msgsnd (__NR_Linux + 400) +#endif + +#if !defined(__NR_msgrcv) +#define __NR_msgrcv (__NR_Linux + 401) +#endif + +#if !defined(__NR_msgctl) +#define __NR_msgctl (__NR_Linux + 402) +#endif + 
+#if !defined(__NR_clock_gettime64) +#define __NR_clock_gettime64 (__NR_Linux + 403) +#endif + +#if !defined(__NR_clock_settime64) +#define __NR_clock_settime64 (__NR_Linux + 404) +#endif + +#if !defined(__NR_clock_adjtime64) +#define __NR_clock_adjtime64 (__NR_Linux + 405) +#endif + +#if !defined(__NR_clock_getres_time64) +#define __NR_clock_getres_time64 (__NR_Linux + 406) +#endif + +#if !defined(__NR_clock_nanosleep_time64) +#define __NR_clock_nanosleep_time64 (__NR_Linux + 407) +#endif + +#if !defined(__NR_timer_gettime64) +#define __NR_timer_gettime64 (__NR_Linux + 408) +#endif + +#if !defined(__NR_timer_settime64) +#define __NR_timer_settime64 (__NR_Linux + 409) +#endif + +#if !defined(__NR_timerfd_gettime64) +#define __NR_timerfd_gettime64 (__NR_Linux + 410) +#endif + +#if !defined(__NR_timerfd_settime64) +#define __NR_timerfd_settime64 (__NR_Linux + 411) +#endif + +#if !defined(__NR_utimensat_time64) +#define __NR_utimensat_time64 (__NR_Linux + 412) +#endif + +#if !defined(__NR_pselect6_time64) +#define __NR_pselect6_time64 (__NR_Linux + 413) +#endif + +#if !defined(__NR_ppoll_time64) +#define __NR_ppoll_time64 (__NR_Linux + 414) +#endif + +#if !defined(__NR_io_pgetevents_time64) +#define __NR_io_pgetevents_time64 (__NR_Linux + 416) +#endif + +#if !defined(__NR_recvmmsg_time64) +#define __NR_recvmmsg_time64 (__NR_Linux + 417) +#endif + +#if !defined(__NR_mq_timedsend_time64) +#define __NR_mq_timedsend_time64 (__NR_Linux + 418) +#endif + +#if !defined(__NR_mq_timedreceive_time64) +#define __NR_mq_timedreceive_time64 (__NR_Linux + 419) +#endif + +#if !defined(__NR_semtimedop_time64) +#define __NR_semtimedop_time64 (__NR_Linux + 420) +#endif + +#if !defined(__NR_rt_sigtimedwait_time64) +#define __NR_rt_sigtimedwait_time64 (__NR_Linux + 421) +#endif + +#if !defined(__NR_futex_time64) +#define __NR_futex_time64 (__NR_Linux + 422) +#endif + +#if !defined(__NR_sched_rr_get_interval_time64) +#define __NR_sched_rr_get_interval_time64 (__NR_Linux + 423) +#endif + 
+#if !defined(__NR_pidfd_send_signal) +#define __NR_pidfd_send_signal (__NR_Linux + 424) +#endif + +#if !defined(__NR_io_uring_setup) +#define __NR_io_uring_setup (__NR_Linux + 425) +#endif + +#if !defined(__NR_io_uring_enter) +#define __NR_io_uring_enter (__NR_Linux + 426) +#endif + +#if !defined(__NR_io_uring_register) +#define __NR_io_uring_register (__NR_Linux + 427) +#endif + +#if !defined(__NR_open_tree) +#define __NR_open_tree (__NR_Linux + 428) +#endif + +#if !defined(__NR_move_mount) +#define __NR_move_mount (__NR_Linux + 429) +#endif + +#if !defined(__NR_fsopen) +#define __NR_fsopen (__NR_Linux + 430) +#endif + +#if !defined(__NR_fsconfig) +#define __NR_fsconfig (__NR_Linux + 431) +#endif + +#if !defined(__NR_fsmount) +#define __NR_fsmount (__NR_Linux + 432) +#endif + +#if !defined(__NR_fspick) +#define __NR_fspick (__NR_Linux + 433) +#endif + +#if !defined(__NR_pidfd_open) +#define __NR_pidfd_open (__NR_Linux + 434) +#endif + +#if !defined(__NR_clone3) +#define __NR_clone3 (__NR_Linux + 435) +#endif + +#if !defined(__NR_close_range) +#define __NR_close_range (__NR_Linux + 436) +#endif + +#if !defined(__NR_openat2) +#define __NR_openat2 (__NR_Linux + 437) +#endif + +#if !defined(__NR_pidfd_getfd) +#define __NR_pidfd_getfd (__NR_Linux + 438) +#endif + +#if !defined(__NR_faccessat2) +#define __NR_faccessat2 (__NR_Linux + 439) +#endif + +#if !defined(__NR_process_madvise) +#define __NR_process_madvise (__NR_Linux + 440) +#endif + +#if !defined(__NR_epoll_pwait2) +#define __NR_epoll_pwait2 (__NR_Linux + 441) +#endif + +#if !defined(__NR_mount_setattr) +#define __NR_mount_setattr (__NR_Linux + 442) +#endif + #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_ diff --git a/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h index 7613c9bbcdc..1720edb1810 100644 --- a/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h 
+++ b/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h @@ -1710,5 +1710,33 @@ #define __NR_clone3 435 #endif +#if !defined(__NR_close_range) +#define __NR_close_range 436 +#endif + +#if !defined(__NR_openat2) +#define __NR_openat2 437 +#endif + +#if !defined(__NR_pidfd_getfd) +#define __NR_pidfd_getfd 438 +#endif + +#if !defined(__NR_faccessat2) +#define __NR_faccessat2 439 +#endif + +#if !defined(__NR_process_madvise) +#define __NR_process_madvise 440 +#endif + +#if !defined(__NR_epoll_pwait2) +#define __NR_epoll_pwait2 441 +#endif + +#if !defined(__NR_mount_setattr) +#define __NR_mount_setattr 442 +#endif + #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_ diff --git a/chromium/sandbox/policy/BUILD.gn b/chromium/sandbox/policy/BUILD.gn index 50073ae7266..c41a82ff483 100644 --- a/chromium/sandbox/policy/BUILD.gn +++ b/chromium/sandbox/policy/BUILD.gn @@ -49,12 +49,14 @@ component("policy") { "linux/bpf_network_policy_linux.h", "linux/bpf_ppapi_policy_linux.cc", "linux/bpf_ppapi_policy_linux.h", + "linux/bpf_print_backend_policy_linux.cc", + "linux/bpf_print_backend_policy_linux.h", "linux/bpf_print_compositor_policy_linux.cc", "linux/bpf_print_compositor_policy_linux.h", "linux/bpf_renderer_policy_linux.cc", "linux/bpf_renderer_policy_linux.h", - "linux/bpf_sharing_service_policy_linux.cc", - "linux/bpf_sharing_service_policy_linux.h", + "linux/bpf_service_policy_linux.cc", + "linux/bpf_service_policy_linux.h", "linux/bpf_speech_recognition_policy_linux.cc", "linux/bpf_speech_recognition_policy_linux.h", "linux/bpf_utility_policy_linux.cc", diff --git a/chromium/sandbox/policy/features.cc b/chromium/sandbox/policy/features.cc index 255bab5c05a..8ba5f501bda 100644 --- a/chromium/sandbox/policy/features.cc +++ b/chromium/sandbox/policy/features.cc 
@@ -35,6 +35,11 @@ const base::Feature kGpuAppContainer{"GpuAppContainer", // Enables GPU Low Privilege AppContainer when combined with kGpuAppContainer. const base::Feature kGpuLPAC{"GpuLPAC", base::FEATURE_ENABLED_BY_DEFAULT}; + +// Use LPAC for network sandbox instead of restricted token. Relies on +// NetworkServiceSandbox being also enabled. +const base::Feature kNetworkServiceSandboxLPAC{ + "NetworkServiceSandboxLPAC", base::FEATURE_DISABLED_BY_DEFAULT}; #endif // defined(OS_WIN) #if !defined(OS_ANDROID) diff --git a/chromium/sandbox/policy/features.h b/chromium/sandbox/policy/features.h index d26e0d1f7bd..6de7bbd6742 100644 --- a/chromium/sandbox/policy/features.h +++ b/chromium/sandbox/policy/features.h @@ -26,6 +26,7 @@ SANDBOX_POLICY_EXPORT extern const base::Feature kWinSboxDisableKtmComponent; SANDBOX_POLICY_EXPORT extern const base::Feature kWinSboxDisableExtensionPoints; SANDBOX_POLICY_EXPORT extern const base::Feature kGpuAppContainer; SANDBOX_POLICY_EXPORT extern const base::Feature kGpuLPAC; +SANDBOX_POLICY_EXPORT extern const base::Feature kNetworkServiceSandboxLPAC; #endif // defined(OS_WIN) #if !defined(OS_ANDROID) diff --git a/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc b/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc index 42b6af2e014..d0cc6e4a531 100644 --- a/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc +++ b/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc @@ -139,8 +139,9 @@ const SandboxConfig* GetConfigForSandboxType(SandboxType type) { case SandboxType::kAudio: case SandboxType::kCdm: case SandboxType::kPpapi: + case SandboxType::kPrintBackend: case SandboxType::kPrintCompositor: - case SandboxType::kSharingService: + case SandboxType::kService: case SandboxType::kSpeechRecognition: case SandboxType::kUtility: return &kEmptySandboxConfig; 
@@ -170,14 +171,20 @@ SandboxPolicyFuchsia::SandboxPolicyFuchsia(SandboxType type) { service_directory_ = std::make_unique<base::FilteredServiceDirectory>( base::ComponentContextForProcess()->svc().get()); for (const char* service_name : kDefaultServices) { - service_directory_->AddService(service_name); + zx_status_t status = service_directory_->AddService(service_name); + ZX_CHECK(status == ZX_OK, status) + << "AddService(" << service_name << ") failed"; } for (const char* service_name : config->services) { - service_directory_->AddService(service_name); + zx_status_t status = service_directory_->AddService(service_name); + ZX_CHECK(status == ZX_OK, status) + << "AddService(" << service_name << ") failed"; } // Bind the service directory and store the client channel for // UpdateLaunchOptionsForSandbox()'s use. - service_directory_->ConnectClient(service_directory_client_.NewRequest()); + zx_status_t status = service_directory_->ConnectClient( + service_directory_client_.NewRequest()); + ZX_CHECK(status == ZX_OK, status) << "ConnectClient failed"; CHECK(service_directory_client_); } } diff --git a/chromium/sandbox/policy/linux/bpf_audio_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_audio_policy_linux.cc index 73226c5fc81..863af298f2d 100644 --- a/chromium/sandbox/policy/linux/bpf_audio_policy_linux.cc +++ b/chromium/sandbox/policy/linux/bpf_audio_policy_linux.cc @@ -77,7 +77,12 @@ ResultExpr AudioProcessPolicy::EvaluateSyscall(int system_call_number) const { #endif return Allow(); #if defined(__NR_futex) - case __NR_futex: { + case __NR_futex: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_futex_time64: +#endif + { const Arg<int> op(1); #if defined(USE_PULSEAUDIO) return Switch(op & ~FUTEX_PRIVATE_FLAG) diff --git a/chromium/sandbox/policy/linux/bpf_ime_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_ime_policy_linux.cc index 3fcdbcc188c..886fb5d02b3 100644 
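Review bot: The `zx_status_t status = service_directory_->AddService(service_name); ZX_CHECK(status == ZX_OK, status) << "AddService(" << service_name << ") failed";` triple is pasted twice in the SandboxPolicyFuchsia constructor, once per loop, so the check and its message will have to be kept in sync by hand. A small local lambda taking the service name keeps the failure handling in one place; the trailing ConnectClient check can stay as written. The constructor begins outside the hunk.
```cpp
  const auto add_service = [this](const char* service_name) {
    zx_status_t status = service_directory_->AddService(service_name);
    ZX_CHECK(status == ZX_OK, status)
        << "AddService(" << service_name << ") failed";
  };
  for (const char* service_name : kDefaultServices)
    add_service(service_name);
  for (const char* service_name : config->services)
    add_service(service_name);
  // … unchanged: ConnectClient check and CHECK(service_directory_client_) …
```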
--- a/chromium/sandbox/policy/linux/bpf_ime_policy_linux.cc +++ b/chromium/sandbox/policy/linux/bpf_ime_policy_linux.cc @@ -32,6 +32,10 @@ ResultExpr ImeProcessPolicy::EvaluateSyscall(int sysno) const { #if defined(__NR_clock_gettime) case __NR_clock_gettime: #endif +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_clock_gettime64: +#endif return Allow(); // https://crbug.com/991435 #if defined(__NR_getrusage) diff --git a/chromium/sandbox/policy/linux/bpf_print_backend_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_print_backend_policy_linux.cc new file mode 100644 index 00000000000..2c9a4be39b6 --- /dev/null +++ b/chromium/sandbox/policy/linux/bpf_print_backend_policy_linux.cc @@ -0,0 +1,14 @@ +// Copyright 2021 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "sandbox/policy/linux/bpf_print_backend_policy_linux.h" + +namespace sandbox { +namespace policy { + +PrintBackendProcessPolicy::PrintBackendProcessPolicy() = default; +PrintBackendProcessPolicy::~PrintBackendProcessPolicy() = default; + +} // namespace policy +} // namespace sandbox diff --git a/chromium/sandbox/policy/linux/bpf_print_backend_policy_linux.h b/chromium/sandbox/policy/linux/bpf_print_backend_policy_linux.h new file mode 100644 index 00000000000..711a600550f --- /dev/null +++ b/chromium/sandbox/policy/linux/bpf_print_backend_policy_linux.h 
@@ -0,0 +1,33 @@ +// Copyright 2021 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef SANDBOX_POLICY_LINUX_BPF_PRINT_BACKEND_POLICY_LINUX_H_ +#define SANDBOX_POLICY_LINUX_BPF_PRINT_BACKEND_POLICY_LINUX_H_ + +#include "sandbox/policy/linux/bpf_network_policy_linux.h" + +namespace sandbox { +namespace policy { + +// This policy can be used by print backend utility processes. +// It is based upon NetworkProcessPolicy because print backend talks to CUPS +// servers over network. +class PrintBackendProcessPolicy : public NetworkProcessPolicy { + public: + PrintBackendProcessPolicy(); + PrintBackendProcessPolicy(const PrintBackendProcessPolicy&) = delete; + PrintBackendProcessPolicy& operator=(const PrintBackendProcessPolicy&) = + delete; + ~PrintBackendProcessPolicy() override; + + // Currently no need to override EvaluateSyscall() because network base class + // already provides sufficient capabilities. + // TODO(crbug.com/809738) Provide more specific policy allowances once + // network receives refined restrictions. +}; + +} // namespace policy +} // namespace sandbox + +#endif // SANDBOX_POLICY_LINUX_BPF_PRINT_BACKEND_POLICY_LINUX_H_ diff --git a/chromium/sandbox/policy/linux/bpf_renderer_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_renderer_policy_linux.cc index 9fe9575eb63..f789e92c37c 100644 --- a/chromium/sandbox/policy/linux/bpf_renderer_policy_linux.cc +++ b/chromium/sandbox/policy/linux/bpf_renderer_policy_linux.cc @@ -56,6 +56,10 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const { // The baseline policy allows __NR_clock_gettime. Allow // clock_getres() for V8. crbug.com/329053. case __NR_clock_getres: +#if defined(__i386__) || defined(__arm__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_clock_getres_time64: +#endif return RestrictClockID(); case __NR_ioctl: return RestrictIoctl(); 
diff --git a/chromium/sandbox/policy/linux/bpf_sharing_service_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_service_policy_linux.cc index 91c12ca9ce8..3ddc8bfa79b 100644 --- a/chromium/sandbox/policy/linux/bpf_sharing_service_policy_linux.cc +++ b/chromium/sandbox/policy/linux/bpf_service_policy_linux.cc @@ -2,7 +2,7 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#include "sandbox/policy/linux/bpf_sharing_service_policy_linux.h" +#include "sandbox/policy/linux/bpf_service_policy_linux.h" #include <errno.h> @@ -20,7 +20,7 @@ using sandbox::bpf_dsl::ResultExpr; namespace sandbox { namespace policy { -ResultExpr SharingServiceProcessPolicy::EvaluateSyscall(int sysno) const { +ResultExpr ServiceProcessPolicy::EvaluateSyscall(int sysno) const { switch (sysno) { case __NR_ioctl: return RestrictIoctl(); diff --git a/chromium/sandbox/policy/linux/bpf_service_policy_linux.h b/chromium/sandbox/policy/linux/bpf_service_policy_linux.h new file mode 100644 index 00000000000..2c7a33595b0 --- /dev/null +++ b/chromium/sandbox/policy/linux/bpf_service_policy_linux.h 
@@ -0,0 +1,32 @@ +// Copyright 2020 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef SANDBOX_POLICY_LINUX_BPF_SERVICE_POLICY_LINUX_H_ +#define SANDBOX_POLICY_LINUX_BPF_SERVICE_POLICY_LINUX_H_ + +#include "base/macros.h" +#include "sandbox/policy/linux/bpf_base_policy_linux.h" + +namespace sandbox { +namespace policy { + +// This policy can be used by isolated utilities such as the Sharing +// service to host WebRTC, and isolated javascript worklets to host +// jitless javascript. Resources should be provided via mojo. +// Consider UtilityProcessPolicy if this is too restrictive. +class ServiceProcessPolicy : public BPFBasePolicy { + public: + ServiceProcessPolicy() = default; + ~ServiceProcessPolicy() override = default; + + bpf_dsl::ResultExpr EvaluateSyscall(int system_call_number) const override; + + ServiceProcessPolicy(const ServiceProcessPolicy&) = delete; + ServiceProcessPolicy& operator=(const ServiceProcessPolicy&) = delete; +}; + +} // namespace policy +} // namespace sandbox + +#endif // SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_SERVICE_POLICY_LINUX_H_ diff --git a/chromium/sandbox/policy/linux/bpf_sharing_service_policy_linux.h b/chromium/sandbox/policy/linux/bpf_sharing_service_policy_linux.h deleted file mode 100644 index bde3ffa2a38..00000000000 --- a/chromium/sandbox/policy/linux/bpf_sharing_service_policy_linux.h +++ /dev/null 
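Review bot: The closing guard comment does not match the macro the header opens with: `#ifndef SANDBOX_POLICY_LINUX_BPF_SERVICE_POLICY_LINUX_H_` is paired with `#endif  // SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_SERVICE_POLICY_LINUX_H_`, a leftover from the renamed file's old location; it should read `#endif  // SANDBOX_POLICY_LINUX_BPF_SERVICE_POLICY_LINUX_H_`. The class uses deleted copy operations rather than a macro, so `#include "base/macros.h"` looks unused and can probably go (assuming nothing else in the header needs it). The class comment could also name which sandbox type selects this policy (`SandboxType::kService` per sandbox_seccomp_bpf_linux.cc in this change), since the file name no longer says "sharing".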
@@ -1,30 +0,0 @@ -// Copyright 2020 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef SANDBOX_POLICY_LINUX_BPF_SHARING_SERVICE_POLICY_LINUX_H_ -#define SANDBOX_POLICY_LINUX_BPF_SHARING_SERVICE_POLICY_LINUX_H_ - -#include "base/macros.h" -#include "sandbox/policy/linux/bpf_base_policy_linux.h" - -namespace sandbox { -namespace policy { - -// This policy can be used by the Sharing service to host WebRTC. -class SharingServiceProcessPolicy : public BPFBasePolicy { - public: - SharingServiceProcessPolicy() = default; - ~SharingServiceProcessPolicy() override = default; - - bpf_dsl::ResultExpr EvaluateSyscall(int system_call_number) const override; - - SharingServiceProcessPolicy(const SharingServiceProcessPolicy&) = delete; - SharingServiceProcessPolicy& operator=(const SharingServiceProcessPolicy&) = - delete; -}; - -} // namespace policy -} // namespace sandbox - -#endif // SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_UTILITY_POLICY_LINUX_H_ diff --git a/chromium/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc index 4e62fadfafc..f3509c03fd3 100644 --- a/chromium/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc +++ b/chromium/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc @@ -5,6 +5,7 @@ #include "sandbox/policy/linux/bpf_speech_recognition_policy_linux.h" #include "sandbox/linux/bpf_dsl/bpf_dsl.h" +#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" #include "sandbox/linux/syscall_broker/broker_process.h" #include "sandbox/linux/system_headers/linux_syscalls.h" #include "sandbox/policy/linux/sandbox_linux.h" 
@@ -33,6 +34,9 @@ ResultExpr SpeechRecognitionProcessPolicy::EvaluateSyscall( case __NR_getdents: return Allow(); #endif + case __NR_sched_setscheduler: + // Used for starting an AudioStream when recognizing microphone data. + return RestrictSchedTarget(GetPolicyPid(), system_call_number); default: auto* sandbox_linux = SandboxLinux::GetInstance(); if (sandbox_linux->ShouldBrokerHandleSyscall(system_call_number)) diff --git a/chromium/sandbox/policy/linux/sandbox_linux.cc b/chromium/sandbox/policy/linux/sandbox_linux.cc index c4231d0b964..ba21e015b5a 100644 --- a/chromium/sandbox/policy/linux/sandbox_linux.cc +++ b/chromium/sandbox/policy/linux/sandbox_linux.cc @@ -445,7 +445,7 @@ rlim_t GetProcessDataSizeLimit(SandboxType sandbox_type) { return 32 * GB; } else if (physical_memory > 16 * GB) { return 16 * GB; - } else if (physical_memory > 8 * GB) { + } else { return 8 * GB; } } diff --git a/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc index 16a436b926f..bfa47a118ab 100644 --- a/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc +++ b/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc @@ -43,9 +43,10 @@ #include "sandbox/policy/linux/bpf_gpu_policy_linux.h" #include "sandbox/policy/linux/bpf_network_policy_linux.h" #include "sandbox/policy/linux/bpf_ppapi_policy_linux.h" +#include "sandbox/policy/linux/bpf_print_backend_policy_linux.h" #include "sandbox/policy/linux/bpf_print_compositor_policy_linux.h" #include "sandbox/policy/linux/bpf_renderer_policy_linux.h" -#include "sandbox/policy/linux/bpf_sharing_service_policy_linux.h" +#include "sandbox/policy/linux/bpf_service_policy_linux.h" #include "sandbox/policy/linux/bpf_speech_recognition_policy_linux.h" #include "sandbox/policy/linux/bpf_utility_policy_linux.h" 
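Review bot: The comment on the new `__NR_sched_setscheduler` case says what uses the call but not why it is filtered rather than allowed outright, which is the part a later reader will want: `// Filtered through RestrictSchedTarget() so only this process's own pid can be targeted; presumably the audio path adjusts its own thread scheduling.` The `default:` branch and the rest of the switch lie outside the hunk.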
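Review bot: Replacing `else if (physical_memory > 8 * GB)` with a bare `else` makes 8 GB the result for every machine with 16 GB or less of physical memory, including ones with far less than 8 GB, so the previous fall-through for small-memory systems no longer happens inside this branch. If the intent is an 8 GB floor for these sandbox types regardless of RAM, the branch should say so: `} else { // Floor of 8 GB even on small-memory systems; the limit is a safety bound, not a reservation.`; otherwise the original fall-through should be restored. GetProcessDataSizeLimit() starts and ends outside the hunk, so the value returned after the if-chain is not visible here.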
@@ -175,12 +176,14 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType( return std::make_unique<CdmProcessPolicy>(); case SandboxType::kPrintCompositor: return std::make_unique<PrintCompositorProcessPolicy>(); + case SandboxType::kPrintBackend: + return std::make_unique<PrintBackendProcessPolicy>(); case SandboxType::kNetwork: return std::make_unique<NetworkProcessPolicy>(); case SandboxType::kAudio: return std::make_unique<AudioProcessPolicy>(); - case SandboxType::kSharingService: - return std::make_unique<SharingServiceProcessPolicy>(); + case SandboxType::kService: + return std::make_unique<ServiceProcessPolicy>(); case SandboxType::kSpeechRecognition: return std::make_unique<SpeechRecognitionProcessPolicy>(); #if BUILDFLAG(IS_CHROMEOS_ASH) @@ -234,9 +237,10 @@ void SandboxSeccompBPF::RunSandboxSanityChecks( case SandboxType::kTts: #endif // BUILDFLAG(IS_CHROMEOS_ASH) case SandboxType::kAudio: - case SandboxType::kSharingService: + case SandboxType::kService: case SandboxType::kSpeechRecognition: case SandboxType::kNetwork: + case SandboxType::kPrintBackend: case SandboxType::kUtility: case SandboxType::kNoSandbox: case SandboxType::kVideoCapture: diff --git a/chromium/sandbox/policy/mac/BUILD.gn b/chromium/sandbox/policy/mac/BUILD.gn index 840c9b1f367..1bd2780d9bc 100644 --- a/chromium/sandbox/policy/mac/BUILD.gn +++ b/chromium/sandbox/policy/mac/BUILD.gn @@ -11,10 +11,10 @@ action_foreach("package_sb_files") { "cdm.sb", "common.sb", "gpu.sb", - "gpu_v2.sb", "nacl_loader.sb", "network.sb", "ppapi.sb", + "print_backend.sb", "print_compositor.sb", "renderer.sb", "speech_recognition.sb", diff --git a/chromium/sandbox/policy/mac/gpu.sb b/chromium/sandbox/policy/mac/gpu.sb index dc0cd5f609f..7d93ec13b84 100644 --- a/chromium/sandbox/policy/mac/gpu.sb +++ b/chromium/sandbox/policy/mac/gpu.sb 
@@ -1,91 +1,145 @@ -;; -;; Copyright (c) 2011 The Chromium Authors. All rights reserved. -;; Use of this source code is governed by a BSD-style license that can be -;; found in the LICENSE file. -;; +; Copyright 2017 The Chromium Authors. All rights reserved. +; Use of this source code is governed by a BSD-style license that can be +; found in the LICENSE file. -; *** The contents of the V1 sandbox common.sb are below. *** +; --- The contents of common.sb implicitly included here. --- -(version 1) +(deny default (with partial-symbolication)) +(debug deny) -; Helper function to check if a param is set to true. -(define (param-true? str) (string=? (param str) "TRUE")) +; Allow cf prefs to work. +(allow user-preference-read) -; Helper function to determine if a parameter is defined or not. -(define (param-defined? str) (string? (param str))) - -; Define constants for all of the parameter strings passed in. -(define bundle-version-path "BUNDLE_VERSION_PATH") -(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING") -(define enable-logging "ENABLE_LOGGING") -(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL") -(define macos-1013 "MACOS_1013") -(define field-trial-server-name "FIELD_TRIAL_SERVER_NAME") - -; Backwards compatibility for 10.11 -(if (not (defined? 'iokit-registry-entry-class)) - (define iokit-registry-entry-class iokit-user-client-class)) - -; Consumes a subpath and appends it to the user's homedir path. -(define (user-homedir-path subpath) - (string-append (param homedir-as-literal) subpath)) - -; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log. -(if (param-true? disable-sandbox-denial-logging) - (deny default (with no-log)) - (deny default)) - -; Support for programmatically enabling verbose debugging. -(if (param-true? 
enable-logging) (debug deny)) - -(allow mach-lookup (global-name (param field-trial-server-name))) - -; Allow sending signals to self - https://crbug.com/20370 -(allow signal (target self)) - -; Needed for full-page-zoomed controls - https://crbug.com/11325 -(allow sysctl-read) - -; Loading System Libraries. -(allow file-read* - (subpath "/System/Library/Frameworks") - (subpath "/System/Library/PrivateFrameworks") - (subpath "/System/Library/CoreServices")) +(allow-cvms-blobs) (allow ipc-posix-shm) -; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow -; third party code (eg: bits of Adobe Flash and NSS) to function properly. -(allow file-read-data file-read-metadata (literal "/dev/urandom")) - -; *** The contents of the V1 sandbox gpu.sb are below. *** +(define disable-metal-shader-cache "DISABLE_METAL_SHADER_CACHE") ; Allow communication between the GPU process and the UI server. -(allow mach-lookup (global-name "com.apple.tsm.uiserver")) - -(allow file-read-metadata (literal "/")) - -; Needed for WebGL - crbug.com/75343 +(allow mach-lookup + (global-name "com.apple.bsd.dirhelper") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.CoreServices.coreservicesd") + (global-name "com.apple.coreservices.launchservicesd") + (global-name "com.apple.cvmsServ") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.lsd.modifydb") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SecurityServer") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.system.opendirectoryd.membership") ; https://crbug.com/1126350#c5 + (global-name "com.apple.tsm.uiserver") + (global-name "com.apple.windowserver.active") +) + +; Needed for metal decoding - https://crbug.com/957217 +(if (>= os-version 1014) + 
(allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService")) +) + +; Needed for VideoToolbox H.264 SW and VP9 decoding - https://crbug.com/1113936 +(if (>= os-version 1016) + (begin + (allow mach-lookup (global-name "com.apple.trustd.agent")) + (allow file-read* (path "/Library/Preferences/com.apple.security.plist")) + ) +) + +; Needed for WebGL - https://crbug.com/75343 (allow iokit-open (iokit-connection "IOAccelerator") + (iokit-user-client-class "AGPMClient") + (iokit-user-client-class "AppleGraphicsControlClient") + (iokit-user-client-class "AppleGraphicsPolicyClient") + (iokit-user-client-class "AppleIntelMEUserClient") + (iokit-user-client-class "AppleMGPUPowerControlClient") + (iokit-user-client-class "AppleSNBFBUserClient") (iokit-user-client-class "IOAccelerationUserClient") (iokit-user-client-class "IOFramebufferSharedUserClient") - (iokit-user-client-class "AppleGraphicsControlClient") - (iokit-user-client-class "AGPMClient") (iokit-user-client-class "IOHIDParamUserClient") - (iokit-user-client-class "RootDomainUserClient") (iokit-user-client-class "IOSurfaceRootUserClient") - (iokit-user-client-class "IOSurfaceSendRight")) + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "RootDomainUserClient") +) -; https://crbug.com/515280 -(allow file-read* (subpath "/System/Library/Extensions")) +(allow iokit-set-properties + (require-all (iokit-connection "IODisplay") + (require-any (iokit-property "brightness") + (iokit-property "linear-brightness") + (iokit-property "commit") + (iokit-property "rgcs") + (iokit-property "ggcs") + (iokit-property "bgcs") +))) -; Needed for VideoToolbox usage - https://crbug.com/767037 -(allow mach-lookup (global-name "com.apple.coremedia.videodecoder")) +(allow ipc-posix-shm-read-data + (ipc-posix-name "apple.shm.notification_center")) -; Needed for 10.14.5+ - https://crbug.com/957217 -(if (defined? 
'xpc-service-name) - (allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))) -; Needed for GPU process to fallback to SwiftShader - https://crbug.com/897914 -(allow file-read-data file-read-metadata (subpath (param bundle-version-path))) +; Needed for VideoToolbox usage - https://crbug.com/767037 +(if (>= os-version 1013) + (allow mach-lookup + (xpc-service-name "com.apple.coremedia.videodecoder") + (xpc-service-name "com.apple.coremedia.videoencoder") + (xpc-service-name-regex #"\.apple-extension-service$") +)) + +(allow sysctl-read + (sysctl-name "hw.busfrequency_max") + (sysctl-name "hw.cachelinesize") + (sysctl-name "hw.logicalcpu_max") + (sysctl-name "hw.memsize") + (sysctl-name "hw.model") + (sysctl-name "kern.osvariant_status") +) + +(allow file-read-data + (path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") + (path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") + (regex (user-homedir-path #"/Library/Preferences/(.*/)?com\.apple\.driver\..*\.plist")) + (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*")) +) + +(allow file-read* + (path (user-homedir-path "/Library/Preferences")) ; List contents of preference directories https://crbug.com/1126350#c14. + (path (user-homedir-path "/Library/Preferences/ByHost")) + (subpath "/Library/GPUBundles") + (subpath "/Library/Video/Plug-Ins") + (subpath "/System/Library/ColorSync/Profiles") + (subpath "/System/Library/CoreServices/RawCamera.bundle") + (subpath "/System/Library/Extensions") ; https://crbug.com/515280 + (subpath "/System/Library/Video/Plug-Ins") +) + +; crbug.com/980134 +(allow file-read* file-write* + (subpath (param darwin-user-cache-dir)) + (subpath (param darwin-user-dir)) + (subpath (param darwin-user-temp-dir)) +) + +(if (param-true? filter-syscalls-debug) + (when (defined? 
'syscall-unix) + (deny syscall-unix (with send-signal SIGSYS)) + (allow syscall-unix + (syscall-number SYS_csrctl) + (syscall-number SYS_getentropy) + (syscall-number SYS_getxattr) + (syscall-number SYS_kdebug_typefilter) + (syscall-number SYS_sigaltstack) + (syscall-number SYS_write) + (syscall-number SYS_write_nocancel) +))) + +; crbug.com/1159113 +(if (param-true? disable-metal-shader-cache) + (let ((metal-cache-dir (subpath (string-append (param darwin-user-cache-dir) + "/com.apple.metal")))) + (deny file-read* metal-cache-dir) + (deny file-write* metal-cache-dir)) +) diff --git a/chromium/sandbox/policy/mac/gpu_v2.sb b/chromium/sandbox/policy/mac/gpu_v2.sb deleted file mode 100644 index a01030e3418..00000000000 --- a/chromium/sandbox/policy/mac/gpu_v2.sb +++ /dev/null 
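Review bot: The VideoToolbox block allows mach-lookup of any XPC service matching `#"\.apple-extension-service$"`, a suffix match that admits every service with that suffix rather than a named one, and the reason a regex is needed is not recorded next to the crbug.com/767037 link. A comment naming the service(s) this is expected to match would let a later reviewer judge whether an explicit list can replace the pattern, e.g. `; Regex: the extension-service name carries a variable prefix; known matches: <list them>.` The `file-read* file-write*` grant over the whole `darwin-user-dir` subpath is the broadest rule in the profile and likewise carries only a bug number; one line stating what under that directory the GPU process must write would help. The hunk replaces the whole file, so the deleted V1 rules are history rather than a regression to re-raise.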
@@ -1,183 +0,0 @@ -; Copyright 2017 The Chromium Authors. All rights reserved. -; Use of this source code is governed by a BSD-style license that can be -; found in the LICENSE file. - -; --- The contents of common.sb implicitly included here. --- - -(deny default (with partial-symbolication)) -(debug deny) - -; Allow cf prefs to work. -(allow user-preference-read) - -(allow-cvms-blobs) - -(allow ipc-posix-shm) - -(define disable-metal-shader-cache "DISABLE_METAL_SHADER_CACHE") - -; TODO(https://crbug.com/1126350): Remove this after debugging. These blocks -; enumerate known denials, while turning unknown denials into fatal crashes. -(define crash-on-unknown-denials #f) ; Single-line kill switch. -(if crash-on-unknown-denials - (begin - (deny mach-lookup (with no-report) - (global-name "com.apple.GameController.gamecontrollerd") - (global-name "com.apple.UsageTrackingAgent") - (global-name "com.apple.analyticsd") - (global-name "com.apple.diagnosticd") - (global-name "com.apple.pasteboard.1") ; For tests only. - (global-name "com.apple.systemstats.analysis") ; https://crbug.com/1135413 - (global-name "com.apple.tccd.system") - ) - (deny mach-lookup (with send-signal SIGABRT)) - (deny iokit-open (with send-signal SIGTRAP)) - ; Added in 10.14, but only needed on 10.15+. Partial compatibility - ; definition. - (unless (defined? 'path-ancestors) (define (path-ancestors x) (path x))) - (deny file-read* (with no-report) - (path (param "PARENT_DIR")) - (path (param "PWD")) - (path-ancestors (param "PARENT_DIR")) ; libxpc.dylib`_xpc_bundle_resolve_sync walks the dir tree. 
- (subpath "/Library/Apple") - (subpath "/Library/Application Support/CrashReporter") - (subpath "/usr/share/locale") - (subpath (user-homedir-path "/Library/Containers")) - ) - (deny file-read* (with send-signal SIGFPE)) - (deny file-write-data (with no-report) - ; CoreServicesInternal`prepareValuesForBitmap() calls getattrlist(), which - ; results for some reason in a file-write-data evaluation in the kernel. - (subpath (param bundle-path)) - ) - (deny file-write* (with send-signal SIGSYS)) - ) -) - -; Allow communication between the GPU process and the UI server. -(allow mach-lookup - (global-name "com.apple.bsd.dirhelper") - (global-name "com.apple.CARenderServer") - (global-name "com.apple.cfprefsd.agent") - (global-name "com.apple.cfprefsd.daemon") - (global-name "com.apple.CoreServices.coreservicesd") - (global-name "com.apple.coreservices.launchservicesd") - (global-name "com.apple.cvmsServ") - (global-name "com.apple.gpumemd.source") - (global-name "com.apple.lsd.mapdb") - (global-name "com.apple.lsd.modifydb") - (global-name "com.apple.powerlog.plxpclogger.xpc") - (global-name "com.apple.PowerManagement.control") - (global-name "com.apple.SecurityServer") - (global-name "com.apple.system.notification_center") - (global-name "com.apple.system.opendirectoryd.membership") ; https://crbug.com/1126350#c5 - (global-name "com.apple.tsm.uiserver") - (global-name "com.apple.windowserver.active") -) - -; Needed for metal decoding - https://crbug.com/957217 -(if (>= os-version 1014) - (allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService")) -) - -; Needed for VideoToolbox H.264 SW and VP9 decoding - https://crbug.com/1113936 -(if (>= os-version 1016) - (begin - (allow mach-lookup (global-name "com.apple.trustd.agent")) - (allow file-read* (path "/Library/Preferences/com.apple.security.plist")) - ) -) - -; Needed for WebGL - https://crbug.com/75343 -(allow iokit-open - (iokit-connection "IOAccelerator") - (iokit-user-client-class "AGPMClient") - 
(iokit-user-client-class "AppleGraphicsControlClient") - (iokit-user-client-class "AppleGraphicsPolicyClient") - (iokit-user-client-class "AppleIntelMEUserClient") - (iokit-user-client-class "AppleMGPUPowerControlClient") - (iokit-user-client-class "AppleSNBFBUserClient") - (iokit-user-client-class "IOAccelerationUserClient") - (iokit-user-client-class "IOFramebufferSharedUserClient") - (iokit-user-client-class "IOHIDParamUserClient") - (iokit-user-client-class "IOSurfaceRootUserClient") - (iokit-user-client-class "IOSurfaceSendRight") - (iokit-user-client-class "RootDomainUserClient") -) - -(allow iokit-set-properties - (require-all (iokit-connection "IODisplay") - (require-any (iokit-property "brightness") - (iokit-property "linear-brightness") - (iokit-property "commit") - (iokit-property "rgcs") - (iokit-property "ggcs") - (iokit-property "bgcs") -))) - -(allow ipc-posix-shm-read-data - (ipc-posix-name "apple.shm.notification_center")) - - -; Needed for VideoToolbox usage - https://crbug.com/767037 -(if (>= os-version 1013) - (allow mach-lookup - (xpc-service-name "com.apple.coremedia.videodecoder") - (xpc-service-name "com.apple.coremedia.videoencoder") - (xpc-service-name-regex #"\.apple-extension-service$") -)) - -(allow sysctl-read - (sysctl-name "hw.busfrequency_max") - (sysctl-name "hw.cachelinesize") - (sysctl-name "hw.logicalcpu_max") - (sysctl-name "hw.memsize") - (sysctl-name "hw.model") - (sysctl-name "kern.osvariant_status") -) - -(allow file-read-data - (path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") - (path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") - (regex (user-homedir-path #"/Library/Preferences/(.*/)?com\.apple\.driver\..*\.plist")) - (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*")) -) - -(allow file-read* - (path (user-homedir-path "/Library/Preferences")) ; List contents of preference directories https://crbug.com/1126350#c14. 
- (path (user-homedir-path "/Library/Preferences/ByHost")) - (subpath "/Library/GPUBundles") - (subpath "/Library/Video/Plug-Ins") - (subpath "/System/Library/ColorSync/Profiles") - (subpath "/System/Library/CoreServices/RawCamera.bundle") - (subpath "/System/Library/Extensions") ; https://crbug.com/515280 - (subpath "/System/Library/Video/Plug-Ins") -) - -; crbug.com/980134 -(allow file-read* file-write* - (subpath (param darwin-user-cache-dir)) - (subpath (param darwin-user-dir)) - (subpath (param darwin-user-temp-dir)) -) - -(if (param-true? filter-syscalls-debug) - (when (defined? 'syscall-unix) - (deny syscall-unix (with send-signal SIGSYS)) - (allow syscall-unix - (syscall-number SYS_csrctl) - (syscall-number SYS_getentropy) - (syscall-number SYS_getxattr) - (syscall-number SYS_kdebug_typefilter) - (syscall-number SYS_sigaltstack) - (syscall-number SYS_write) - (syscall-number SYS_write_nocancel) -))) - -; crbug.com/1159113 -(if (param-true? disable-metal-shader-cache) - (let ((metal-cache-dir (subpath (string-append (param darwin-user-cache-dir) - "/com.apple.metal")))) - (deny file-read* metal-cache-dir) - (deny file-write* metal-cache-dir)) -) diff --git a/chromium/sandbox/policy/mac/print_backend.sb b/chromium/sandbox/policy/mac/print_backend.sb new file mode 100644 index 00000000000..9c077c29480 --- /dev/null +++ b/chromium/sandbox/policy/mac/print_backend.sb 
@@ -0,0 +1,25 @@ +;; Copyright 2021 The Chromium Authors. All rights reserved. +;; Use of this source code is governed by a BSD-style license that can be +;; found in the LICENSE file. +;; +; This is the sandbox configuration file used for safeguarding the print +; backend service which is used for interfacing with operating system print +; drivers. +; + +; *** The contents of common.sb are implicitly included here. *** + +; Need ~/.cups folder access for cupsEnumDests() to determine the user's +; default printer choice. +; https://www.cups.org/doc/cupspm.html#cupsEnumDests +; https://www.cups.org/doc/options.html +(allow file-read-data + (path (user-homedir-path "/.cups/lpoptions")) +) + +; Network socket access. +; Required to establish a connection to CUPS server: +; https://www.cups.org/doc/cupspm.html#httpConnect2 +(allow network-outbound + (remote tcp) +) diff --git a/chromium/sandbox/policy/mac/sandbox_mac.h b/chromium/sandbox/policy/mac/sandbox_mac.h index 7740d30f445..76bdc209ffb 100644 --- a/chromium/sandbox/policy/mac/sandbox_mac.h +++ b/chromium/sandbox/policy/mac/sandbox_mac.h @@ -5,7 +5,9 @@ #ifndef SANDBOX_POLICY_MAC_SANDBOX_MAC_H_ #define SANDBOX_POLICY_MAC_SANDBOX_MAC_H_ -#include "base/gtest_prod_util.h" +#include <string> + +#include "base/files/file_path.h" #include "base/macros.h" #include "sandbox/policy/export.h" #include "sandbox/policy/sandbox_type.h" 
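Review bot: `(allow network-outbound (remote tcp))` permits TCP to any host and port, which is wider than the CUPS default of localhost:631 and is the only network grant in the profile; the comment cites httpConnect2 but does not say whether remote CUPS servers are a supported target. If they are, record it so the breadth is not read as an oversight, e.g. `; Any host/port: the CUPS server may be remote (client configuration), not only localhost:631.`; if only the local daemon is needed, `(remote tcp "localhost:631")` is the tighter rule. The comment above the file-read rule also says "~/.cups folder access" while the rule grants only `~/.cups/lpoptions`; either the wording or the rule should be aligned (cupsEnumDests may consult other files under ~/.cups — verify against the CUPS client code).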
@@ -19,20 +21,6 @@ namespace policy { class SANDBOX_POLICY_EXPORT SandboxMac { public: - // Warm up System APIs that empirically need to be accessed before the - // sandbox is turned on. |sandbox_type| is the type of sandbox to warm up. - // Valid |sandbox_type| values are defined by the enum SandboxType, or can be - // defined by the embedder via - // ContentClient::GetSandboxProfileForProcessType(). - static void Warmup(SandboxType sandbox_type); - - // Turns on the OS X sandbox for this process. - // |sandbox_type| - type of Sandbox to use. See SandboxWarmup() for legal - // values. - // - // Returns true on success, false if an error occurred enabling the sandbox. - static bool Enable(SandboxType sandbox_type); - // Convert provided path into a "canonical" path matching what the Sandbox // expects i.e. one without symlinks. // This path is not necessarily unique e.g. in the face of hardlinks. @@ -55,18 +43,10 @@ class SANDBOX_POLICY_EXPORT SandboxMac { static const char* kSandboxLoggingPathAsLiteral; static const char* kSandboxOSVersion; - // TODO(kerrnel): this is only for the legacy sandbox. - static const char* kSandboxMacOS1013; - static const char* kSandboxFieldTrialSeverName; - static const char* kSandboxBundleVersionPath; static const char* kSandboxDisableMetalShaderCache; private: - FRIEND_TEST_ALL_PREFIXES(MacDirAccessSandboxTest, StringEscape); - FRIEND_TEST_ALL_PREFIXES(MacDirAccessSandboxTest, RegexEscape); - FRIEND_TEST_ALL_PREFIXES(MacDirAccessSandboxTest, SandboxAccess); - DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxMac); }; diff --git a/chromium/sandbox/policy/mac/sandbox_mac.mm b/chromium/sandbox/policy/mac/sandbox_mac.mm index 179675dfee7..f63a70a7d65 100644 --- a/chromium/sandbox/policy/mac/sandbox_mac.mm +++ b/chromium/sandbox/policy/mac/sandbox_mac.mm 
@@ -4,59 +4,30 @@ #include "sandbox/policy/mac/sandbox_mac.h" -#import <Cocoa/Cocoa.h> -#include <stddef.h> -#include <stdint.h> - -#include <CoreFoundation/CFTimeZone.h> -#include <signal.h> +#include <fcntl.h> #include <sys/param.h> -#include <algorithm> -#include <iterator> -#include <map> #include <string> -#include "base/command_line.h" -#include "base/compiler_specific.h" -#include "base/files/file_util.h" #include "base/files/scoped_file.h" -#include "base/mac/bundle_locations.h" -#include "base/mac/foundation_util.h" -#include "base/mac/mac_util.h" -#include "base/mac/mach_port_rendezvous.h" -#include "base/mac/scoped_cftyperef.h" -#include "base/mac/scoped_nsobject.h" -#include "base/rand_util.h" -#include "base/stl_util.h" -#include "base/strings/string16.h" -#include "base/strings/string_piece.h" -#include "base/strings/string_split.h" -#include "base/strings/string_util.h" -#include "base/strings/stringprintf.h" -#include "base/strings/sys_string_conversions.h" -#include "base/strings/utf_string_conversions.h" -#include "base/system/sys_info.h" -#include "sandbox/mac/sandbox_compiler.h" +#include "base/logging.h" +#include "base/posix/eintr_wrapper.h" #include "sandbox/policy/mac/audio.sb.h" #include "sandbox/policy/mac/cdm.sb.h" #include "sandbox/policy/mac/common.sb.h" #include "sandbox/policy/mac/gpu.sb.h" -#include "sandbox/policy/mac/gpu_v2.sb.h" #include "sandbox/policy/mac/nacl_loader.sb.h" #include "sandbox/policy/mac/network.sb.h" #include "sandbox/policy/mac/ppapi.sb.h" +#include "sandbox/policy/mac/print_backend.sb.h" #include "sandbox/policy/mac/print_compositor.sb.h" #include "sandbox/policy/mac/renderer.sb.h" #include "sandbox/policy/mac/speech_recognition.sb.h" #include "sandbox/policy/mac/utility.sb.h" -#include "sandbox/policy/sandbox_type.h" -#include "sandbox/policy/switches.h" namespace sandbox { namespace policy { -// Static variable declarations. 
const char* SandboxMac::kSandboxBrowserPID = "BROWSER_PID"; const char* SandboxMac::kSandboxBundlePath = "BUNDLE_PATH"; const char* SandboxMac::kSandboxChromeBundleId = "BUNDLE_ID"; 
@@ -70,148 +41,10 @@ const char* SandboxMac::kSandboxEnableLogging = "ENABLE_LOGGING"; const char* SandboxMac::kSandboxHomedirAsLiteral = "USER_HOMEDIR_AS_LITERAL"; const char* SandboxMac::kSandboxLoggingPathAsLiteral = "LOG_FILE_PATH"; const char* SandboxMac::kSandboxOSVersion = "OS_VERSION"; -const char* SandboxMac::kSandboxMacOS1013 = "MACOS_1013"; -const char* SandboxMac::kSandboxFieldTrialSeverName = "FIELD_TRIAL_SERVER_NAME"; const char* SandboxMac::kSandboxBundleVersionPath = "BUNDLE_VERSION_PATH"; const char* SandboxMac::kSandboxDisableMetalShaderCache = "DISABLE_METAL_SHADER_CACHE"; -// Warm up System APIs that empirically need to be accessed before the Sandbox -// is turned on. -// This method is layed out in blocks, each one containing a separate function -// that needs to be warmed up. The OS version on which we found the need to -// enable the function is also noted. -// This function is tested on the following OS versions: -// 10.5.6, 10.6.0 - -// static -void SandboxMac::Warmup(SandboxType sandbox_type) { - DCHECK_EQ(sandbox_type, SandboxType::kGpu); - - @autoreleasepool { - { // CGColorSpaceCreateWithName(), CGBitmapContextCreate() - 10.5.6 - base::ScopedCFTypeRef<CGColorSpaceRef> rgb_colorspace( - CGColorSpaceCreateWithName(kCGColorSpaceGenericRGB)); - - // Allocate a 1x1 image. - char data[4]; - base::ScopedCFTypeRef<CGContextRef> context(CGBitmapContextCreate( - data, 1, 1, 8, 1 * 4, rgb_colorspace, - kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host)); - - // Load in the color profiles we'll need (as a side effect). 
- ignore_result(base::mac::GetSRGBColorSpace()); - ignore_result(base::mac::GetSystemColorSpace()); - - // CGColorSpaceCreateSystemDefaultCMYK - 10.6 - base::ScopedCFTypeRef<CGColorSpaceRef> cmyk_colorspace( - CGColorSpaceCreateWithName(kCGColorSpaceGenericCMYK)); - } - - { // localtime() - 10.5.6 - time_t tv = {0}; - localtime(&tv); - } - - { // Gestalt() tries to read - // /System/Library/CoreServices/SystemVersion.plist - // on 10.5.6 - int32_t tmp; - base::SysInfo::OperatingSystemVersionNumbers(&tmp, &tmp, &tmp); - } - - { // CGImageSourceGetStatus() - 10.6 - // Create a png with just enough data to get everything warmed up... - char png_header[] = {0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A}; - NSData* data = [NSData dataWithBytes:png_header - length:base::size(png_header)]; - base::ScopedCFTypeRef<CGImageSourceRef> img( - CGImageSourceCreateWithData((CFDataRef)data, NULL)); - CGImageSourceGetStatus(img); - } - - { - // Allow access to /dev/urandom. - base::GetUrandomFD(); - } - - { // IOSurfaceLookup() - 10.7 - // Needed by zero-copy texture update framework - crbug.com/323338 - base::ScopedCFTypeRef<IOSurfaceRef> io_surface(IOSurfaceLookup(0)); - } - } -} - -// Load the appropriate template for the given sandbox type. -// Returns the template as a string or an empty string on error. -std::string LoadSandboxTemplate(SandboxType sandbox_type) { - DCHECK_EQ(sandbox_type, SandboxType::kGpu); - return kSeatbeltPolicyString_gpu; -} - -// Turns on the OS X sandbox for this process. - -// static -bool SandboxMac::Enable(SandboxType sandbox_type) { - DCHECK_EQ(sandbox_type, SandboxType::kGpu); - - std::string sandbox_data = LoadSandboxTemplate(sandbox_type); - if (sandbox_data.empty()) - return false; - - SandboxCompiler compiler(sandbox_data); - - // Enable verbose logging if enabled on the command line. (See common.sb - // for details). 
- const base::CommandLine* command_line = - base::CommandLine::ForCurrentProcess(); - bool enable_logging = - command_line->HasSwitch(switches::kEnableSandboxLogging); - if (!compiler.InsertBooleanParam(kSandboxEnableLogging, enable_logging)) - return false; - - // Without this, the sandbox will print a message to the system log every - // time it denies a request. This floods the console with useless spew. - if (!compiler.InsertBooleanParam(kSandboxDisableDenialLogging, - !enable_logging)) - return false; - - // Splice the path of the user's home directory into the sandbox profile - // (see renderer.sb for details). - std::string home_dir = [NSHomeDirectory() fileSystemRepresentation]; - base::FilePath home_dir_canonical = - GetCanonicalPath(base::FilePath(home_dir)); - - if (!compiler.InsertStringParam(kSandboxHomedirAsLiteral, - home_dir_canonical.value())) { - return false; - } - - if (!compiler.InsertStringParam( - kSandboxFieldTrialSeverName, - base::MachPortRendezvousClient::GetBootstrapName())) { - return false; - } - - bool macos_1013 = base::mac::IsOS10_13(); - if (!compiler.InsertBooleanParam(kSandboxMacOS1013, macos_1013)) - return false; - - if (sandbox_type == SandboxType::kGpu) { - base::FilePath bundle_path = - SandboxMac::GetCanonicalPath(base::mac::FrameworkBundlePath()); - if (!compiler.InsertStringParam(kSandboxBundleVersionPath, - bundle_path.value())) - return false; - } - - // Initialize sandbox. - std::string error_str; - bool success = compiler.CompileAndApplyProfile(&error_str); - DLOG_IF(FATAL, !success) << "Failed to initialize sandbox: " << error_str; - return success; -} - // static base::FilePath SandboxMac::GetCanonicalPath(const base::FilePath& path) { base::ScopedFD fd(HANDLE_EINTR(open(path.value().c_str(), O_RDONLY))); 
@@ -241,7 +74,7 @@ std::string SandboxMac::GetSandboxProfile(SandboxType sandbox_type) { profile += kSeatbeltPolicyString_cdm; break; case SandboxType::kGpu: - profile += kSeatbeltPolicyString_gpu_v2; + profile += kSeatbeltPolicyString_gpu; break; case SandboxType::kNaClLoader: profile += kSeatbeltPolicyString_nacl_loader; @@ -252,6 +85,9 @@ std::string SandboxMac::GetSandboxProfile(SandboxType sandbox_type) { case SandboxType::kPpapi: profile += kSeatbeltPolicyString_ppapi; break; + case SandboxType::kPrintBackend: + profile += kSeatbeltPolicyString_print_backend; + break; case SandboxType::kPrintCompositor: profile += kSeatbeltPolicyString_print_compositor; break; diff --git a/chromium/sandbox/policy/sandbox.cc b/chromium/sandbox/policy/sandbox.cc index 95482e83b8b..449ee4f986d 100644 --- a/chromium/sandbox/policy/sandbox.cc +++ b/chromium/sandbox/policy/sandbox.cc @@ -18,7 +18,6 @@ #if defined(OS_MAC) #include "sandbox/mac/seatbelt.h" -#include "sandbox/policy/mac/sandbox_mac.h" #endif // defined(OS_MAC) #if defined(OS_WIN) @@ -39,20 +38,6 @@ bool Sandbox::Initialize(SandboxType sandbox_type, } #endif // defined(OS_LINUX) || defined(OS_CHROMEOS) -#if defined(OS_MAC) -bool Sandbox::Initialize(SandboxType sandbox_type, base::OnceClosure hook) { - // Warm up APIs before turning on the sandbox. - SandboxMac::Warmup(sandbox_type); - - // Execute the post warmup callback. - if (!hook.is_null()) - std::move(hook).Run(); - - // Actually sandbox the process. - return SandboxMac::Enable(sandbox_type); -} -#endif // defined(OS_MAC) - #if defined(OS_WIN) bool Sandbox::Initialize(SandboxType sandbox_type, SandboxInterfaceInfo* sandbox_info) { diff --git a/chromium/sandbox/policy/sandbox.h b/chromium/sandbox/policy/sandbox.h index c842e1d19cd..e7c20ed24df 100644 --- a/chromium/sandbox/policy/sandbox.h +++ b/chromium/sandbox/policy/sandbox.h 
@@ -13,10 +13,6 @@ #include "sandbox/policy/linux/sandbox_linux.h" #endif -#if defined(OS_MAC) -#include "base/callback.h" -#endif // defined(OS_MAC) - namespace sandbox { struct SandboxInterfaceInfo; } // namespace sandbox @@ -40,14 +36,6 @@ class SANDBOX_POLICY_EXPORT Sandbox { const SandboxLinux::Options& options); #endif // defined(OS_LINUX) || defined(OS_CHROMEOS) -#if defined(OS_MAC) - // Initialize the sandbox of |sandbox_type|. Runs |post_warmup_hook| if - // non-empty after performing any sandbox warmup but immediately before - // engaging the sandbox. Return true on success, false otherwise. - static bool Initialize(SandboxType sandbox_type, - base::OnceClosure post_warmup_hook); -#endif // defined(OS_MAC) - #if defined(OS_WIN) static bool Initialize(SandboxType sandbox_type, SandboxInterfaceInfo* sandbox_info); diff --git a/chromium/sandbox/policy/sandbox_type.cc b/chromium/sandbox/policy/sandbox_type.cc index 89b2aab0580..071daec2867 100644 --- a/chromium/sandbox/policy/sandbox_type.cc +++ b/chromium/sandbox/policy/sandbox_type.cc @@ -47,6 +47,7 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) { case SandboxType::kGpu: case SandboxType::kPpapi: case SandboxType::kCdm: + case SandboxType::kPrintBackend: case SandboxType::kPrintCompositor: #if defined(OS_FUCHSIA) case SandboxType::kWebContext: @@ -59,7 +60,7 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) { case SandboxType::kTts: #endif #if !defined(OS_MAC) - case SandboxType::kSharingService: + case SandboxType::kService: #endif #if defined(OS_LINUX) || defined(OS_CHROMEOS) case SandboxType::kZygoteIntermediateSandbox: @@ -109,6 +110,7 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line, case SandboxType::kUtility: case SandboxType::kNetwork: case SandboxType::kCdm: + case SandboxType::kPrintBackend: case SandboxType::kPrintCompositor: case SandboxType::kAudio: case SandboxType::kVideoCapture: 
@@ -124,7 +126,7 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line, case SandboxType::kTts: #endif // BUILDFLAG(IS_CHROMEOS_ASH) #if !defined(OS_MAC) - case SandboxType::kSharingService: + case SandboxType::kService: #endif case SandboxType::kSpeechRecognition: DCHECK(command_line->GetSwitchValueASCII(switches::kProcessType) == @@ -197,6 +199,11 @@ SandboxType SandboxTypeFromCommandLine(const base::CommandLine& command_line) { return SandboxType::kZygoteIntermediateSandbox; #endif +#if defined(OS_MAC) + if (process_type == switches::kRelauncherProcessType) + return SandboxType::kNoSandbox; +#endif + if (process_type == switches::kCloudPrintServiceProcess) return SandboxType::kNoSandbox; @@ -217,6 +224,8 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) { return switches::kPpapiSandbox; case SandboxType::kCdm: return switches::kCdmSandbox; + case SandboxType::kPrintBackend: + return switches::kPrintBackendSandbox; case SandboxType::kPrintCompositor: return switches::kPrintCompositorSandbox; case SandboxType::kUtility: @@ -226,8 +235,8 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) { case SandboxType::kVideoCapture: return switches::kVideoCaptureSandbox; #if !defined(OS_MAC) - case SandboxType::kSharingService: - return switches::kSharingServiceSandbox; + case SandboxType::kService: + return switches::kServiceSandbox; #endif case SandboxType::kSpeechRecognition: return switches::kSpeechRecognitionSandbox; @@ -285,6 +294,8 @@ SandboxType UtilitySandboxTypeFromString(const std::string& sandbox_string) { return SandboxType::kPpapi; if (sandbox_string == switches::kCdmSandbox) return SandboxType::kCdm; + if (sandbox_string == switches::kPrintBackendSandbox) + return SandboxType::kPrintBackend; if (sandbox_string == switches::kPrintCompositorSandbox) return SandboxType::kPrintCompositor; #if defined(OS_WIN) 
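Review bot: The new `kRelauncherProcessType` branch in SandboxTypeFromCommandLine returns kNoSandbox with no comment, and a branch that exempts a whole process type from sandboxing is exactly the line a later audit of "which process types run unsandboxed" will stop at. Suggest stating the rationale next to it, e.g. `// The Mac relauncher helper only re-executes the browser and handles no untrusted data, so it runs unsandboxed.` — confirm that description of the relauncher's role before committing to it, since the hunk itself says nothing about what the process does. The branch sits before the `kCloudPrintServiceProcess` check; whether it comes after the generic no-sandbox switch handling is outside the hunk. SandboxTypeFromCommandLine starts and ends outside the hunk.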
diff --git a/chromium/sandbox/policy/sandbox_type.h b/chromium/sandbox/policy/sandbox_type.h index abf1b013494..4b97b9cd17e 100644 --- a/chromium/sandbox/policy/sandbox_type.h +++ b/chromium/sandbox/policy/sandbox_type.h @@ -49,9 +49,19 @@ enum class SandboxType { // Renderer or worker process. Most common case. kRenderer, - // Utility processes. Used by most isolated services. + // Utility processes. Used by most isolated services. Consider using + // kService for Chromium-code that makes limited use of OS APIs. kUtility, +#if defined(OS_MAC) + // On Mac these are identical. + kService = kUtility, +#else + // Services with limited use of OS APIs. Tighter than kUtility and + // suitable for most isolated mojo service endpoints. + kService, +#endif + // GPU process. kGpu, @@ -69,6 +79,10 @@ enum class SandboxType { kNaClLoader, #endif // defined(OS_MAC) + // The print backend service process which interfaces with operating system + // print drivers. + kPrintBackend, + // The print compositor service process. kPrintCompositor, @@ -86,11 +100,6 @@ enum class SandboxType { kZygoteIntermediateSandbox, #endif -#if !defined(OS_MAC) - // Hosts WebRTC for Sharing Service, uses kUtility on OS_MAC. - kSharingService, -#endif - // The speech recognition service process. kSpeechRecognition, diff --git a/chromium/sandbox/policy/sandbox_type_unittest.cc b/chromium/sandbox/policy/sandbox_type_unittest.cc index e6860da3694..2edf01d8001 100644 --- a/chromium/sandbox/policy/sandbox_type_unittest.cc +++ b/chromium/sandbox/policy/sandbox_type_unittest.cc 
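Review bot: `kService = kUtility` gives two enumerators the same value on Mac, which is why every `case SandboxType::kService:` elsewhere in this change has to be wrapped in `#if !defined(OS_MAC)` — a switch that lists both would be a duplicate-case compile error. The one-line `// On Mac these are identical.` does not convey that constraint; suggest `// On Mac kService aliases kUtility, so a switch that handles kUtility must not also list kService (guard such cases with !OS_MAC).` The enum also gains kPrintBackend in the middle of the sequence, which renumbers kPrintCompositor and everything after it; harmless if SandboxType values never leave the process, which I cannot confirm from this hunk.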
@@ -112,10 +112,16 @@ TEST(SandboxTypeTest, Utility) { #endif base::CommandLine command_line13(command_line); - command_line13.AppendSwitchASCII(switches::kServiceSandboxType, + SetCommandLineFlagsForSandboxType(&command_line13, + SandboxType::kPrintBackend); + EXPECT_EQ(SandboxType::kPrintBackend, + SandboxTypeFromCommandLine(command_line13)); + + base::CommandLine command_line14(command_line); + command_line14.AppendSwitchASCII(switches::kServiceSandboxType, switches::kNoneSandbox); EXPECT_EQ(SandboxType::kNoSandbox, - SandboxTypeFromCommandLine(command_line13)); + SandboxTypeFromCommandLine(command_line14)); command_line.AppendSwitch(switches::kNoSandbox); EXPECT_EQ(SandboxType::kNoSandbox, SandboxTypeFromCommandLine(command_line)); diff --git a/chromium/sandbox/policy/switches.cc b/chromium/sandbox/policy/switches.cc index 5abf7ed4164..58158d96912 100644 --- a/chromium/sandbox/policy/switches.cc +++ b/chromium/sandbox/policy/switches.cc @@ -28,9 +28,10 @@ const char kNetworkSandbox[] = "network"; const char kPpapiSandbox[] = "ppapi"; const char kUtilitySandbox[] = "utility"; const char kCdmSandbox[] = "cdm"; +const char kPrintBackendSandbox[] = "print_backend"; const char kPrintCompositorSandbox[] = "print_compositor"; const char kAudioSandbox[] = "audio"; -const char kSharingServiceSandbox[] = "sharing_service"; +const char kServiceSandbox[] = "service"; const char kSpeechRecognitionSandbox[] = "speech_recognition"; const char kVideoCaptureSandbox[] = "video_capture"; @@ -123,6 +124,7 @@ const char kRendererProcess[] = "renderer"; const char kUtilityProcess[] = "utility"; const char kCloudPrintServiceProcess[] = "service"; const char kZygoteProcessType[] = "zygote"; +const char kRelauncherProcessType[] = "relauncher"; } // namespace switches } // namespace policy diff --git a/chromium/sandbox/policy/switches.h b/chromium/sandbox/policy/switches.h index 3db13f3bd07..7dd86989dc6 100644 --- a/chromium/sandbox/policy/switches.h 
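Review bot: `kServiceSandbox[] = "service"` reuses the literal that `kCloudPrintServiceProcess[] = "service"` already carries a few lines below in the same file. They are values of different switches (the service sandbox type versus the process type), so parsing does not conflict, but a command line now reads `--type=service` for an unsandboxed cloud-print process and `--service-sandbox-type=service` for a tightened utility sandbox, which is easy to misread in logs and crash reports. A one-line comment on kServiceSandbox, `// Unrelated to kCloudPrintServiceProcess, which also uses "service" as a --type value.`, would prevent that confusion, or a more distinctive token could be chosen while the value is new.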
+++ b/chromium/sandbox/policy/switches.h @@ -25,9 +25,10 @@ SANDBOX_POLICY_EXPORT extern const char kNetworkSandbox[]; SANDBOX_POLICY_EXPORT extern const char kPpapiSandbox[]; SANDBOX_POLICY_EXPORT extern const char kUtilitySandbox[]; SANDBOX_POLICY_EXPORT extern const char kCdmSandbox[]; +SANDBOX_POLICY_EXPORT extern const char kPrintBackendSandbox[]; SANDBOX_POLICY_EXPORT extern const char kPrintCompositorSandbox[]; SANDBOX_POLICY_EXPORT extern const char kAudioSandbox[]; -SANDBOX_POLICY_EXPORT extern const char kSharingServiceSandbox[]; +SANDBOX_POLICY_EXPORT extern const char kServiceSandbox[]; SANDBOX_POLICY_EXPORT extern const char kSpeechRecognitionSandbox[]; SANDBOX_POLICY_EXPORT extern const char kVideoCaptureSandbox[]; @@ -78,6 +79,7 @@ SANDBOX_POLICY_EXPORT extern const char kRendererProcess[]; SANDBOX_POLICY_EXPORT extern const char kUtilityProcess[]; SANDBOX_POLICY_EXPORT extern const char kCloudPrintServiceProcess[]; SANDBOX_POLICY_EXPORT extern const char kZygoteProcessType[]; +SANDBOX_POLICY_EXPORT extern const char kRelauncherProcessType[]; } // namespace switches } // namespace policy diff --git a/chromium/sandbox/policy/win/sandbox_win.cc b/chromium/sandbox/policy/win/sandbox_win.cc index f03e8049ec7..21f6c792c1a 100644 --- a/chromium/sandbox/policy/win/sandbox_win.cc +++ b/chromium/sandbox/policy/win/sandbox_win.cc @@ -26,7 +26,6 @@ #include "base/process/launch.h" #include "base/stl_util.h" #include "base/strings/strcat.h" -#include "base/strings/string16.h" #include "base/strings/string_number_conversions.h" #include "base/strings/string_split.h" #include "base/strings/string_util.h" @@ -606,7 +605,7 @@ ResultCode SetJobMemoryLimit(const base::CommandLine& cmd_line, memory_limit = 32 * GB; } else if (physical_memory > 16 * GB) { memory_limit = 16 * GB; - } else if (physical_memory > 8 * GB) { + } else { memory_limit = 8 * GB; } } 
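Review bot: Replacing `} else if (physical_memory > 8 * GB) {` with a bare `} else {` means a machine with 8 GB or less of physical memory now receives an 8 GB job memory limit, a cap that can exceed installed RAM, whereas before memory_limit kept whatever value the code above this chain assigned (that assignment is outside the hunk). That may well be intended, since a job limit is a runaway guard rather than a RAM budget, but nothing in the hunk says so; suggest `} else {  // Floor at 8 GB even when physical RAM is smaller; this bounds runaway growth, not normal use.` if that is the intent, or restoring the condition if it is not. SetJobMemoryLimit starts outside the hunk.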
@@ -632,6 +631,9 @@ std::wstring GetAppContainerProfileName(const std::string& appcontainer_id, case SandboxType::kMediaFoundationCdm: sandbox_base_name = std::string("cr.sb.cdm"); break; + case SandboxType::kNetwork: + sandbox_base_name = std::string("cr.sb.net"); + break; default: DCHECK(0); } @@ -652,9 +654,13 @@ ResultCode SetupAppContainerProfile(AppContainerProfile* profile, SandboxType sandbox_type) { if (sandbox_type != SandboxType::kMediaFoundationCdm && sandbox_type != SandboxType::kGpu && - sandbox_type != SandboxType::kXrCompositing) + sandbox_type != SandboxType::kXrCompositing && + sandbox_type != SandboxType::kNetwork) return SBOX_ERROR_UNSUPPORTED; + DCHECK(sandbox_type != SandboxType::kNetwork || + base::FeatureList::IsEnabled(features::kNetworkServiceSandboxLPAC)); + if (sandbox_type == SandboxType::kGpu && !profile->AddImpersonationCapability(L"chromeInstallFiles")) { DLOG(ERROR) << "AppContainerProfile::AddImpersonationCapability(" @@ -739,6 +745,18 @@ ResultCode SetupAppContainerProfile(AppContainerProfile* profile, profile->SetEnableLowPrivilegeAppContainer(true); } + // Enable LPAC for Network service. + if (sandbox_type == SandboxType::kNetwork) { + profile->AddCapability( + sandbox::WellKnownCapabilities::kPrivateNetworkClientServer); + profile->AddCapability(sandbox::WellKnownCapabilities::kInternetClient); + profile->AddCapability( + sandbox::WellKnownCapabilities::kEnterpriseAuthentication); + profile->AddCapability(L"lpacIdentityServices"); + profile->AddCapability(L"lpacCryptoServices"); + profile->SetEnableLowPrivilegeAppContainer(true); + } + if (sandbox_type == SandboxType::kMediaFoundationCdm) profile->SetEnableLowPrivilegeAppContainer(true); 
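Review bot: In the new `kNetwork` branch of SetupAppContainerProfile the five `profile->AddCapability(...)` results are discarded, while the GPU path a few lines up checks `AddImpersonationCapability` and logs on failure. If AddCapability reports failure the same way, a capability that fails to resolve (`lpacIdentityServices` or `lpacCryptoServices` on an OS build that lacks it, say) would silently leave the network service with an LPAC profile that differs from the one reviewed here; suggest checking each result and failing the same way the GPU branch does. The `DCHECK(sandbox_type != SandboxType::kNetwork || ...kNetworkServiceSandboxLPAC)` is debug-only, so the release gate is whichever caller consults IsAppContainerEnabledForSandbox first — fine if that is the only caller, which the hunk does not show. SetupAppContainerProfile starts outside the hunk.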
@@ -901,9 +919,13 @@ bool SandboxWin::IsAppContainerEnabledForSandbox( if (sandbox_type == SandboxType::kMediaFoundationCdm) return true; - if (sandbox_type != SandboxType::kGpu) - return false; - return base::FeatureList::IsEnabled(features::kGpuAppContainer); + if (sandbox_type == SandboxType::kGpu) + return base::FeatureList::IsEnabled(features::kGpuAppContainer); + + if (sandbox_type == SandboxType::kNetwork) + return base::FeatureList::IsEnabled(features::kNetworkServiceSandboxLPAC); + + return false; } // static @@ -1191,6 +1213,8 @@ std::string SandboxWin::GetSandboxTypeInEnglish(SandboxType sandbox_type) { return "CDM"; case SandboxType::kPrintCompositor: return "Print Compositor"; + case SandboxType::kPrintBackend: + return "Print Backend"; case SandboxType::kAudio: return "Audio"; case SandboxType::kSpeechRecognition: @@ -1201,8 +1225,8 @@ std::string SandboxWin::GetSandboxTypeInEnglish(SandboxType sandbox_type) { return "PDF Conversion"; case SandboxType::kMediaFoundationCdm: return "Media Foundation CDM"; - case SandboxType::kSharingService: - return "Sharing"; + case SandboxType::kService: + return "Service"; case SandboxType::kVideoCapture: return "Video Capture"; case SandboxType::kIconReader: diff --git a/chromium/sandbox/policy/win/sandbox_win_unittest.cc b/chromium/sandbox/policy/win/sandbox_win_unittest.cc index 757bdf8d603..12ee09f3899 100644 --- a/chromium/sandbox/policy/win/sandbox_win_unittest.cc +++ b/chromium/sandbox/policy/win/sandbox_win_unittest.cc @@ -5,6 +5,7 @@ #include "sandbox/policy/win/sandbox_win.h" #include <algorithm> +#include <string> #include <vector> #include <windows.h> @@ -19,7 +20,6 @@ #include "base/path_service.h" #include "base/scoped_native_library.h" #include "base/strings/strcat.h" -#include "base/strings/string16.h" #include "base/test/scoped_feature_list.h" #include "base/win/windows_version.h" #include "build/build_config.h" 
@@ -68,9 +68,7 @@ class TestTargetPolicy : public TargetPolicy { ResultCode SetAlternateDesktop(bool alternate_winstation) override { return SBOX_ALL_OK; } - base::string16 GetAlternateDesktop() const override { - return base::string16(); - } + std::wstring GetAlternateDesktop() const override { return std::wstring(); } ResultCode CreateAlternateDesktop(bool alternate_winstation) override { return SBOX_ALL_OK; } @@ -141,9 +139,7 @@ class TestTargetPolicy : public TargetPolicy { return blocklisted_dlls_; } - std::unique_ptr<PolicyInfo> GetPolicyInfo() override { - return std::unique_ptr<PolicyDiagnostic>(); - } + std::unique_ptr<PolicyInfo> GetPolicyInfo() override { return nullptr; } private: std::vector<std::wstring> blocklisted_dlls_; @@ -151,7 +147,7 @@ class TestTargetPolicy : public TargetPolicy { }; std::vector<Sid> GetCapabilitySids( - const std::initializer_list<base::string16>& capabilities) { + const std::initializer_list<std::wstring>& capabilities) { std::vector<Sid> sids; for (const auto& capability : capabilities) { sids.emplace_back(Sid::FromNamedCapability(capability.c_str())); @@ -159,11 +155,11 @@ std::vector<Sid> GetCapabilitySids( return sids; } -base::string16 GetAccessAllowedForCapabilities( - const std::initializer_list<base::string16>& capabilities) { - base::string16 sddl = kBaseSecurityDescriptor; +std::wstring GetAccessAllowedForCapabilities( + const std::initializer_list<std::wstring>& capabilities) { + std::wstring sddl = kBaseSecurityDescriptor; for (const auto& capability : GetCapabilitySids(capabilities)) { - base::string16 sid_string; + std::wstring sid_string; CHECK(capability.ToSddlString(&sid_string)); base::StrAppend(&sddl, {L"(A;;GRGX;;;", sid_string, L")"}); } 
@@ -173,7 +169,7 @@ base::string16 GetAccessAllowedForCapabilities( // Drops a temporary file granting RX access to a list of capabilities. bool DropTempFileWithSecurity( const base::ScopedTempDir& temp_dir, - const std::initializer_list<base::string16>& capabilities, + const std::initializer_list<std::wstring>& capabilities, base::FilePath* path) { if (!base::CreateTemporaryFileInDir(temp_dir.GetPath(), path)) return false; @@ -201,7 +197,7 @@ void EqualSidList(const std::vector<Sid>& left, const std::vector<Sid>& right) { void CheckCapabilities( AppContainerProfileBase* profile, - const std::initializer_list<base::string16>& additional_capabilities) { + const std::initializer_list<std::wstring>& additional_capabilities) { auto additional_caps = GetCapabilitySids(additional_capabilities); auto impersonation_caps = GetCapabilitySids({kChromeInstallFiles, klpacPnpNotifications, @@ -227,7 +223,7 @@ class SandboxWinTest : public ::testing::Test { void TearDown() override {} protected: - void CreateProgramFile(std::initializer_list<base::string16> capabilities, + void CreateProgramFile(std::initializer_list<std::wstring> capabilities, base::CommandLine* command_line) { base::FilePath path; ASSERT_TRUE(DropTempFileWithSecurity(temp_dir_, capabilities, &path)); @@ -332,7 +328,8 @@ TEST_F(SandboxWinTest, AppContainerCheckProfileAddCapabilities) { CheckCapabilities(profile.get(), {L"cap1", L"cap2"}); } -TEST_F(SandboxWinTest, BlocklistAddOneDllCheckInBrowser) { +// Disabled due to crbug.com/1210614 +TEST_F(SandboxWinTest, DISABLED_BlocklistAddOneDllCheckInBrowser) { { // Block loaded module. TestTargetPolicy policy; BlocklistAddOneDllForTesting(L"kernel32.dll", true, &policy); diff --git a/chromium/sandbox/win/BUILD.gn b/chromium/sandbox/win/BUILD.gn index 7ad5b7bdf61..56b81d5ce27 100644 --- a/chromium/sandbox/win/BUILD.gn +++ b/chromium/sandbox/win/BUILD.gn 
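Review bot: `DISABLED_BlocklistAddOneDllCheckInBrowser` switches off the only visible test of the DLL blocklist, a hardening control, with nothing but a bug number. A disabled security test tends to stay disabled, so the comment should say what broke and when it can come back, e.g. `// Disabled due to crbug.com/1210614: <symptom seen on the bots>; re-enable once <fix> lands.`, so the next reader can tell whether the control or the test is at fault.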
@@ -143,10 +143,10 @@ static_library("sandbox") { "src/target_process.h", "src/target_services.cc", "src/target_services.h", + "src/threadpool.cc", + "src/threadpool.h", "src/top_level_dispatcher.cc", "src/top_level_dispatcher.h", - "src/win2k_threadpool.cc", - "src/win2k_threadpool.h", "src/win_utils.cc", "src/win_utils.h", "src/window.cc", diff --git a/chromium/sandbox/win/OWNERS b/chromium/sandbox/win/OWNERS index 2fb3e5b1ffb..8414f3b0951 100644 --- a/chromium/sandbox/win/OWNERS +++ b/chromium/sandbox/win/OWNERS @@ -1,4 +1,3 @@ ajgo@chromium.org forshaw@chromium.org -jschuh@chromium.org wfh@chromium.org diff --git a/chromium/sandbox/win/src/broker_services.cc b/chromium/sandbox/win/src/broker_services.cc index 9f3d5395834..2c36a265ff3 100644 --- a/chromium/sandbox/win/src/broker_services.cc +++ b/chromium/sandbox/win/src/broker_services.cc @@ -26,7 +26,7 @@ #include "sandbox/win/src/sandbox_policy_diagnostic.h" #include "sandbox/win/src/startup_information_helper.h" #include "sandbox/win/src/target_process.h" -#include "sandbox/win/src/win2k_threadpool.h" +#include "sandbox/win/src/threadpool.h" #include "sandbox/win/src/win_utils.h" namespace { @@ -41,8 +41,8 @@ bool AssociateCompletionPort(HANDLE job, HANDLE port, void* key) { : false; } -// the different commands that you can send to the worker thread that -// executes TargetEventsThread(). +// Commands that can be sent to the completion port serviced by +// TargetEventsThread(). enum { THREAD_CTRL_NONE, THREAD_CTRL_NEW_JOB_TRACKER, 
@@ -53,6 +53,27 @@ enum {
THREAD_CTRL_LAST,
};
+// Transfers parameters to the target events thread during Init().
+struct TargetEventsThreadParams {
+ TargetEventsThreadParams(HANDLE iocp,
+ HANDLE no_targets,
+ std::unique_ptr<sandbox::ThreadPool> thread_pool)
+ : iocp(iocp),
+ no_targets(no_targets),
+ thread_pool(std::move(thread_pool)) {}
+ ~TargetEventsThreadParams() {}
+ // IOCP that job notifications and commands are sent to.
+ // Handle is closed when BrokerServices is destroyed.
+ HANDLE iocp;
+ // Event used when jobs cannot be tracked.
+ // Handle is closed when BrokerServices is destroyed.
+ HANDLE no_targets;
+ // Thread pool used to mediate sandbox IPC, owned by the target
+ // events thread but accessed by BrokerServices and TargetProcesses.
+ // Destroyed when TargetEventsThread ends.
+ std::unique_ptr<sandbox::ThreadPool> thread_pool;
+};
+
// Helper structure that allows the Broker to associate a job notification
// with a job object and with a policy.
struct JobTracker {
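Review bot: `~TargetEventsThreadParams() {}` is a user-provided empty destructor that buys nothing over the implicit one and only makes the struct non-trivially destructible; drop it or write `~TargetEventsThreadParams() = default;`. The ownership comments on the two HANDLE members are the valuable part of this struct and should stay; the comment on `thread_pool` ("Destroyed when TargetEventsThread ends") is also the sentence that anyone holding a raw pointer to the pool needs to read, so consider adding `// Callers holding a raw ThreadPool* must not outlive the events thread.` right there.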
@@ -121,103 +142,35 @@ class PolicyDiagnosticList final : public sandbox::PolicyList { std::vector<std::unique_ptr<sandbox::PolicyInfo>> internal_list_; }; -} // namespace - -namespace sandbox { - -BrokerServicesBase::BrokerServicesBase() {} - -// The broker uses a dedicated worker thread that services the job completion -// port to perform policy notifications and associated cleanup tasks. -ResultCode BrokerServicesBase::Init() { - if (job_port_.IsValid() || thread_pool_) - return SBOX_ERROR_UNEXPECTED_CALL; - - job_port_.Set(::CreateIoCompletionPort(INVALID_HANDLE_VALUE, nullptr, 0, 0)); - if (!job_port_.IsValid()) - return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES; - - no_targets_.Set(::CreateEventW(nullptr, true, false, nullptr)); - -#if defined(ARCH_CPU_32_BITS) - // Conserve address space in 32-bit Chrome. This thread uses a small and - // consistent amount and doesn't need the default of 1.5 MiB. - constexpr unsigned flags = STACK_SIZE_PARAM_IS_A_RESERVATION; - constexpr size_t stack_size = 128 * 1024; -#else - constexpr unsigned int flags = 0; - constexpr size_t stack_size = 0; -#endif - job_thread_.Set(::CreateThread(nullptr, stack_size, // Default security. - TargetEventsThread, this, flags, nullptr)); - if (!job_thread_.IsValid()) - return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES; - - return SBOX_ALL_OK; -} - -// The destructor should only be called when the Broker process is terminating. -// Since BrokerServicesBase is a singleton, this is called from the CRT -// termination handlers, if this code lives on a DLL it is called during -// DLL_PROCESS_DETACH in other words, holding the loader lock, so we cannot -// wait for threads here. -BrokerServicesBase::~BrokerServicesBase() { - // If there is no port Init() was never called successfully. - if (!job_port_.IsValid()) - return; - - // Closing the port causes, that no more Job notifications are delivered to - // the worker thread and also causes the thread to exit. 
This is what we - // want to do since we are going to close all outstanding Jobs and notifying - // the policy objects ourselves. - ::PostQueuedCompletionStatus(job_port_.Get(), 0, THREAD_CTRL_QUIT, nullptr); - - if (job_thread_.IsValid() && - WAIT_TIMEOUT == ::WaitForSingleObject(job_thread_.Get(), 1000)) { - // Cannot clean broker services. - NOTREACHED(); - return; - } - thread_pool_.reset(); -} - -scoped_refptr<TargetPolicy> BrokerServicesBase::CreatePolicy() { - // If you change the type of the object being created here you must also - // change the downcast to it in SpawnTarget(). - scoped_refptr<TargetPolicy> policy(new PolicyBase); - // PolicyBase starts with refcount 1. - policy->Release(); - return policy; -} - // The worker thread stays in a loop waiting for asynchronous notifications // from the job objects. Right now we only care about knowing when the last // process on a job terminates, but in general this is the place to tell // the policy about events. -DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { +DWORD WINAPI TargetEventsThread(PVOID param) { if (!param) return 1; base::PlatformThread::SetName("BrokerEvent"); - BrokerServicesBase* broker = reinterpret_cast<BrokerServicesBase*>(param); - HANDLE port = broker->job_port_.Get(); - HANDLE no_targets = broker->no_targets_.Get(); + // Take ownership of params so that it is deleted on thread exit. 
+ std::unique_ptr<TargetEventsThreadParams> params( + reinterpret_cast<TargetEventsThreadParams*>(param)); std::set<DWORD> child_process_ids; std::list<std::unique_ptr<JobTracker>> jobs; std::list<std::unique_ptr<ProcessTracker>> processes; int target_counter = 0; int untracked_target_counter = 0; - ::ResetEvent(no_targets); + ::ResetEvent(params->no_targets); while (true) { DWORD events = 0; ULONG_PTR key = 0; LPOVERLAPPED ovl = nullptr; - if (!::GetQueuedCompletionStatus(port, &events, &key, &ovl, INFINITE)) { - // this call fails if the port has been closed before we have a + if (!::GetQueuedCompletionStatus(params->iocp, &events, &key, &ovl, + INFINITE)) { + // This call fails if the port has been closed before we have a // chance to service the last packet which is 'exit' anyway so // this is not an error. return 1; @@ -264,7 +217,7 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { untracked_target_counter++; ++target_counter; if (1 == target_counter) { - ::ResetEvent(no_targets); + ::ResetEvent(params->no_targets); } break; } @@ -280,7 +233,7 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { } --target_counter; if (0 == target_counter) - ::SetEvent(no_targets); + ::SetEvent(params->no_targets); DCHECK(target_counter >= 0); break; @@ -296,7 +249,7 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { case JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT: { bool res = ::TerminateJobObject(tracker->job.Get(), - SBOX_FATAL_MEMORY_EXCEEDED); + sandbox::SBOX_FATAL_MEMORY_EXCEEDED); DCHECK(res); break; } 
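Review bot: `reinterpret_cast<TargetEventsThreadParams*>(param)` converts from a `PVOID`, for which `static_cast` is the correct and narrower named cast: `std::unique_ptr<TargetEventsThreadParams> params(static_cast<TargetEventsThreadParams*>(param));`. The same void*-to-object conversion on the PolicyDiagnosticsReceiver path in this file already uses static_cast, so this would also make the two consistent. Note that with params owned by the thread, the `return 1;` taken when GetQueuedCompletionStatus fails now frees the ThreadPool as well; that is fine as long as nothing in the broker dereferences the pool after the thread has gone, which this hunk cannot show. TargetEventsThread ends outside the hunk.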
@@ -319,10 +272,10 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { tracker.reset(reinterpret_cast<ProcessTracker*>(ovl)); if (child_process_ids.empty()) { - ::SetEvent(broker->no_targets_.Get()); + ::SetEvent(params->no_targets); } - tracker->iocp = port; + tracker->iocp = params->iocp; if (!::RegisterWaitForSingleObject(&(tracker->wait_handle), tracker->process.Get(), ProcessEventCallback, tracker.get(), @@ -350,21 +303,21 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { } else if (THREAD_CTRL_GET_POLICY_INFO == key) { // Clone the policies for sandbox diagnostics. - std::unique_ptr<PolicyDiagnosticsReceiver> receiver; - receiver.reset(static_cast<PolicyDiagnosticsReceiver*>( + std::unique_ptr<sandbox::PolicyDiagnosticsReceiver> receiver; + receiver.reset(static_cast<sandbox::PolicyDiagnosticsReceiver*>( reinterpret_cast<void*>(ovl))); // The PollicyInfo ctor copies essential information from the trackers. auto policy_list = std::make_unique<PolicyDiagnosticList>(); for (auto&& process_tracker : processes) { if (process_tracker->policy) { - policy_list->push_back(std::make_unique<PolicyDiagnostic>( + policy_list->push_back(std::make_unique<sandbox::PolicyDiagnostic>( process_tracker->policy.get())); } } for (auto&& job_tracker : jobs) { if (job_tracker->policy) { - policy_list->push_back( - std::make_unique<PolicyDiagnostic>(job_tracker->policy.get())); + policy_list->push_back(std::make_unique<sandbox::PolicyDiagnostic>( + job_tracker->policy.get())); } } // Receiver should return quickly. 
@@ -389,6 +342,89 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { return 0; } +} // namespace + +namespace sandbox { + +BrokerServicesBase::BrokerServicesBase() {} + +// The broker uses a dedicated worker thread that services the job completion +// port to perform policy notifications and associated cleanup tasks. +ResultCode BrokerServicesBase::Init() { + if (job_port_.IsValid() || thread_pool_) + return SBOX_ERROR_UNEXPECTED_CALL; + + job_port_.Set(::CreateIoCompletionPort(INVALID_HANDLE_VALUE, nullptr, 0, 0)); + if (!job_port_.IsValid()) + return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES; + + no_targets_.Set(::CreateEventW(nullptr, true, false, nullptr)); + if (!no_targets_.IsValid()) + return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES; + + // We transfer ownership of this memory to the thread. + auto params = std::make_unique<TargetEventsThreadParams>( + job_port_.Get(), no_targets_.Get(), std::make_unique<ThreadPool>()); + + // We keep the thread alive until our destructor so we can use a raw + // pointer to the thread pool. + thread_pool_ = params->thread_pool.get(); + +#if defined(ARCH_CPU_32_BITS) + // Conserve address space in 32-bit Chrome. This thread uses a small and + // consistent amount and doesn't need the default of 1.5 MiB. + constexpr unsigned flags = STACK_SIZE_PARAM_IS_A_RESERVATION; + constexpr size_t stack_size = 128 * 1024; +#else + constexpr unsigned int flags = 0; + constexpr size_t stack_size = 0; +#endif + job_thread_.Set(::CreateThread(nullptr, stack_size, // Default security. + TargetEventsThread, params.get(), flags, + nullptr)); + if (!job_thread_.IsValid()) { + thread_pool_ = nullptr; + // Returning cleans up params. + return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES; + } + + params.release(); + return SBOX_ALL_OK; +} + +// The destructor should only be called when the Broker process is terminating. 
+// Since BrokerServicesBase is a singleton, this is called from the CRT +// termination handlers, if this code lives on a DLL it is called during +// DLL_PROCESS_DETACH in other words, holding the loader lock, so we cannot +// wait for threads here. +BrokerServicesBase::~BrokerServicesBase() { + // If there is no port Init() was never called successfully. + if (!job_port_.IsValid()) + return; + + // Closing the port causes, that no more Job notifications are delivered to + // the worker thread and also causes the thread to exit. This is what we + // want to do since we are going to close all outstanding Jobs and notifying + // the policy objects ourselves. + ::PostQueuedCompletionStatus(job_port_.Get(), 0, THREAD_CTRL_QUIT, nullptr); + + if (job_thread_.IsValid() && + WAIT_TIMEOUT == ::WaitForSingleObject(job_thread_.Get(), 1000)) { + // Cannot clean broker services. + NOTREACHED(); + return; + } +} + +scoped_refptr<TargetPolicy> BrokerServicesBase::CreatePolicy() { + // If you change the type of the object being created here you must also + // change the downcast to it in SpawnTarget(). + scoped_refptr<TargetPolicy> policy(new PolicyBase); + // PolicyBase starts with refcount 1. + policy->Release(); + return policy; +} + // SpawnTarget does all the interesting sandbox setup and creates the target // process inside the sandbox. ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, 
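Review bot: Init() leaves the object half-initialized on its later failure paths: when CreateEventW fails `job_port_` stays valid, and when CreateThread fails `job_port_` and `no_targets_` both stay valid, so a retried Init() answers SBOX_ERROR_UNEXPECTED_CALL and the destructor's `if (!job_port_.IsValid()) return;` treats the broker as successfully initialized. Releasing the handles before each `return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES;` keeps "not initialized" consistent, e.g. `job_port_.Close();` followed by `no_targets_.Close();` on the thread-creation failure path. The destructor's one-second WaitForSingleObject can also time out and return while the worker thread is still running, in which case the thread, not the broker, frees the ThreadPool that `thread_pool_` points at; the comment above `thread_pool_ = params->thread_pool.get();` should say the pointer is valid only while the worker thread is alive rather than "until our destructor".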
@@ -482,17 +518,12 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, if (!startup_info->BuildStartupInformation()) return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; - // Construct the thread pool here in case it is expensive. - // The thread pool is shared by all the targets - if (!thread_pool_) - thread_pool_ = std::make_unique<Win2kThreadPool>(); - // Create the TargetProcess object and spawn the target suspended. Note that // Brokerservices does not own the target object. It is owned by the Policy. base::win::ScopedProcessInformation process_info; std::unique_ptr<TargetProcess> target = std::make_unique<TargetProcess>( std::move(initial_token), std::move(lockdown_token), job.Get(), - thread_pool_.get(), + thread_pool_, profile ? profile->GetImpersonationCapabilities() : std::vector<Sid>()); result = target->Create(exe_path, command_line, std::move(startup_info), diff --git a/chromium/sandbox/win/src/broker_services.h b/chromium/sandbox/win/src/broker_services.h index c268b074efe..2053a1f664e 100644 --- a/chromium/sandbox/win/src/broker_services.h +++ b/chromium/sandbox/win/src/broker_services.h @@ -19,7 +19,7 @@ #include "sandbox/win/src/job.h" #include "sandbox/win/src/sandbox.h" #include "sandbox/win/src/sharedmem_ipc_server.h" -#include "sandbox/win/src/win2k_threadpool.h" +#include "sandbox/win/src/threadpool.h" #include "sandbox/win/src/win_utils.h" namespace sandbox { @@ -52,10 +52,6 @@ class BrokerServicesBase final : public BrokerServices, std::unique_ptr<PolicyDiagnosticsReceiver> receiver) override; private: - // The routine that the worker thread executes. It is in charge of - // notifications and cleanup-related tasks. - static DWORD WINAPI TargetEventsThread(PVOID param); - // The completion port used by the job objects to communicate events to // the worker thread. base::win::ScopedHandle job_port_; 
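Review bot: The lazy construction removed here was also the only guarantee that `thread_pool_` is non-null when it is handed to TargetProcess; after this change a SpawnTarget() call that precedes a successful Init() passes a null pool, and nothing in the hunk rejects that. Unless the start of SpawnTarget (outside the hunk) already checks it, add `if (!thread_pool_) return SBOX_ERROR_UNEXPECTED_CALL;` before the TargetProcess is created. SpawnTarget begins and ends outside this hunk.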
@@ -68,7 +64,8 @@ class BrokerServicesBase final : public BrokerServices, base::win::ScopedHandle job_thread_; // Provides a pool of threads that are used to wait on the IPC calls. - std::unique_ptr<ThreadProvider> thread_pool_; + // Owned by TargetEventsThread which is alive until our destructor. + ThreadPool* thread_pool_ = nullptr; DISALLOW_COPY_AND_ASSIGN(BrokerServicesBase); }; diff --git a/chromium/sandbox/win/src/crosscall_server.h b/chromium/sandbox/win/src/crosscall_server.h index aed7f99aae2..d5291887840 100644 --- a/chromium/sandbox/win/src/crosscall_server.h +++ b/chromium/sandbox/win/src/crosscall_server.h @@ -18,8 +18,8 @@ // This is the IPC server interface for CrossCall: The IPC for the Sandbox // On the server, CrossCall needs two things: // 1) threads: Or better said, someone to provide them, that is what the -// ThreadProvider interface is defined for. These thread(s) are -// the ones that will actually execute the IPC data retrieval. +// ThreadPool is for. These thread(s) are +// the ones that will actually execute the IPC data retrieval. // // 2) a dispatcher: This interface represents the way to route and process // an IPC call given the IPC tag. @@ -33,7 +33,7 @@ // // ------------ // | | -// ThreadProvider <--(1)Register--| IPC | +// ThreadPool<-------(1)Register--| IPC | // | | Implemen | // | | -tation | // (2) | | OnMessage 
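Review bot: The new comment on `thread_pool_` claims an ownership that the destructor cannot fully enforce: the worker thread frees the pool when it exits, and ~BrokerServicesBase() gives up after a one-second wait, so the pool may be freed before or after the broker itself. Since TargetProcess and SharedMemIPCServer keep copies of this pointer (and the latter calls UnRegisterWaits through it in its destructor), state the constraint here: `// Owned by TargetEventsThread and valid only while that thread runs, i.e. until ~BrokerServicesBase() posts THREAD_CTRL_QUIT; every target holding this pointer must be gone by then.`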
@@ -48,46 +48,6 @@ namespace sandbox { class InterceptionManager; -// This function signature is required as the callback when an IPC call fires. -// context: a user-defined pointer that was set using ThreadProvider -// reason: 0 if the callback was fired because of a timeout. -// 1 if the callback was fired because of an event. -typedef void(__stdcall* CrossCallIPCCallback)(void* context, - unsigned char reason); - -// ThreadProvider models a thread factory. The idea is to decouple thread -// creation and lifetime from the inner guts of the IPC. The contract is -// simple: -// - the IPC implementation calls RegisterWait with a waitable object that -// becomes signaled when an IPC arrives and needs to be serviced. -// - when the waitable object becomes signaled, the thread provider conjures -// a thread that calls the callback (CrossCallIPCCallback) function -// - the callback function tries its best not to block and return quickly -// and should not assume that the next callback will use the same thread -// - when the callback returns the ThreadProvider owns again the thread -// and can destroy it or keep it around. -class ThreadProvider { - public: - // Registers a waitable object with the thread provider. - // client: A number to associate with all the RegisterWait calls, typically - // this is the address of the caller object. This parameter cannot - // be zero. - // waitable_object : a kernel object that can be waited on - // callback: a function pointer which is the function that will be called - // when the waitable object fires - // context: a user-provider pointer that is passed back to the callback - // when its called - virtual bool RegisterWait(const void* client, - HANDLE waitable_object, - CrossCallIPCCallback callback, - void* context) = 0; - - // Removes all the registrations done with the same cookie parameter. - // This frees internal thread pool resources. 
- virtual bool UnRegisterWaits(void* cookie) = 0; - virtual ~ThreadProvider() {} -}; - // Models the server-side of the original input parameters. // Provides IPC buffer validation and it is capable of reading the parameters // out of the IPC buffer. diff --git a/chromium/sandbox/win/src/handle_closer.h b/chromium/sandbox/win/src/handle_closer.h index 9fd887a06c1..948eddca538 100644 --- a/chromium/sandbox/win/src/handle_closer.h +++ b/chromium/sandbox/win/src/handle_closer.h @@ -56,6 +56,9 @@ class HandleCloser { bool InitializeTargetHandles(TargetProcess& target); private: + // Allow PolicyInfo to snapshot HandleCloser for diagnostics. + friend class PolicyDiagnostic; + // Calculates the memory needed to copy the serialized handles list (rounded // to the nearest machine-word size). size_t GetBufferSize(); diff --git a/chromium/sandbox/win/src/named_pipe_dispatcher.cc b/chromium/sandbox/win/src/named_pipe_dispatcher.cc index 85ffebe6e6b..4ea95c761a1 100644 --- a/chromium/sandbox/win/src/named_pipe_dispatcher.cc +++ b/chromium/sandbox/win/src/named_pipe_dispatcher.cc @@ -52,14 +52,13 @@ bool NamedPipeDispatcher::CreateNamedPipe(IPCInfo* ipc, ipc->return_info.win32_result = ERROR_ACCESS_DENIED; ipc->return_info.handle = INVALID_HANDLE_VALUE; - base::StringPiece16 dotdot(STRING16_LITERAL("..")); - - for (const base::StringPiece16& path : base::SplitStringPiece( - base::AsStringPiece16(*name), STRING16_LITERAL("/"), - base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { - for (const base::StringPiece16& inner : - base::SplitStringPiece(path, STRING16_LITERAL("\\"), - base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { + base::StringPiece16 dotdot(u".."); + + for (const base::StringPiece16& path : + base::SplitStringPiece(base::AsStringPiece16(*name), u"/", + base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { + for (const base::StringPiece16& inner : base::SplitStringPiece( + path, u"\\", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { if (inner == dotdot) return true; } 
diff --git a/chromium/sandbox/win/src/process_mitigations_unittest.cc b/chromium/sandbox/win/src/process_mitigations_unittest.cc index 3fc6d146617..accdaa19d28 100644 --- a/chromium/sandbox/win/src/process_mitigations_unittest.cc +++ b/chromium/sandbox/win/src/process_mitigations_unittest.cc @@ -1144,7 +1144,9 @@ TEST(ProcessMitigationsTest, CetDisablePolicy) { } TEST(ProcessMitigationsTest, CheckWin10KernelTransactionManagerMitigation) { - if (base::win::GetVersion() < base::win::Version::WIN10_21H1) + const auto& ver = base::win::OSInfo::GetInstance()->version_number(); + // TODO(wfh): Determine exactly which release/build this is enabled in. + if (ver.build < 20287) return; std::wstring test_policy_command = L"CheckPolicy "; test_policy_command += std::to_wstring(TESTPOLICY_KTMCOMPONENTFILTER); diff --git a/chromium/sandbox/win/src/sandbox_constants.cc b/chromium/sandbox/win/src/sandbox_constants.cc index 5ed326eda7e..81723f9271e 100644 --- a/chromium/sandbox/win/src/sandbox_constants.cc +++ b/chromium/sandbox/win/src/sandbox_constants.cc 
@@ -6,13 +6,22 @@ namespace sandbox {
 // Strings used as keys in base::Value snapshots of Policies for WebUI.
+extern const char kAppContainerCapabilities[] = "appContainerCapabilities";
+extern const char kAppContainerInitialCapabilities[] =
+ "appContainerInitialCapabilities";
 extern const char kAppContainerSid[] = "appContainerSid";
 extern const char kDesiredIntegrityLevel[] = "desiredIntegrityLevel";
 extern const char kDesiredMitigations[] = "desiredMitigations";
+extern const char kDisconnectCsrss[] = "disconnectCsrss";
+extern const char kHandlesToClose[] = "handlesToClose";
 extern const char kJobLevel[] = "jobLevel";
 extern const char kLockdownLevel[] = "lockdownLevel";
 extern const char kLowboxSid[] = "lowboxSid";
 extern const char kPlatformMitigations[] = "platformMitigations";
 extern const char kPolicyRules[] = "policyRules";
 extern const char kProcessIds[] = "processIds";
+
+// Strings used as values in snapshots of Policies.
+extern const char kDisabled[] = "disabled";
+extern const char kEnabled[] = "enabled";
 } // namespace sandbox
diff --git a/chromium/sandbox/win/src/sandbox_constants.h b/chromium/sandbox/win/src/sandbox_constants.h
index 330a2ae5917..65718ef12cd 100644
--- a/chromium/sandbox/win/src/sandbox_constants.h
+++ b/chromium/sandbox/win/src/sandbox_constants.h
@@ -7,15 +7,23 @@ namespace sandbox {
 // Strings used as keys in base::Value snapshots of Policies.
+extern const char kAppContainerCapabilities[];
+extern const char kAppContainerInitialCapabilities[];
 extern const char kAppContainerSid[];
 extern const char kDesiredIntegrityLevel[];
 extern const char kDesiredMitigations[];
+extern const char kDisconnectCsrss[];
+extern const char kHandlesToClose[];
 extern const char kJobLevel[];
 extern const char kLockdownLevel[];
 extern const char kLowboxSid[];
 extern const char kPlatformMitigations[];
 extern const char kPolicyRules[];
 extern const char kProcessIds[];
+
+// Strings used as values in snapshots of Policies.
+extern const char kDisabled[];
+extern const char kEnabled[];
 } // namespace sandbox
 #endif // SANDBOX_WIN_SRC_SANDBOX_CONSTANTS_H_
diff --git a/chromium/sandbox/win/src/sandbox_policy_diagnostic.cc b/chromium/sandbox/win/src/sandbox_policy_diagnostic.cc
index e5d06e5e773..a5fb6ba2a01 100644
--- a/chromium/sandbox/win/src/sandbox_policy_diagnostic.cc
+++ b/chromium/sandbox/win/src/sandbox_policy_diagnostic.cc
@@ -339,6 +339,20 @@ base::Value GetPolicyRules(const PolicyGlobal* policy_rules) {
 return results;
 }
+// HandleMap is just wstrings, nested sets could be empty.
+base::Value GetHandlesToClose(const HandleMap& handle_map) {
+ base::Value results(base::Value::Type::DICTIONARY);
+ for (const auto& kv : handle_map) {
+ base::Value entries(base::Value::Type::LIST);
+ // kv.second may be an empty map.
+ for (const auto& entry : kv.second) {
+ entries.Append(base::AsStringPiece16(entry));
+ }
+ results.SetKey(base::WideToUTF8(kv.first), std::move(entries));
+ }
+ return results;
+}
+
 } // namespace
 // We are a friend of PolicyBase so that we can steal its private members
@@ -364,9 +378,17 @@ PolicyDiagnostic::PolicyDiagnostic(PolicyBase* policy) { desired_mitigations_ = policy->mitigations_ | policy->delayed_mitigations_; - if (policy->app_container_profile_) + if (policy->app_container_profile_) { app_container_sid_ = std::make_unique<Sid>(policy->app_container_profile_->GetPackageSid()); + for (const auto& sid : policy->app_container_profile_->GetCapabilities()) { + capabilities_.push_back(sid); + } + for (const auto& sid : + policy->app_container_profile_->GetImpersonationCapabilities()) { + initial_capabilities_.push_back(sid); + } + } if (policy->lowbox_sid_) lowbox_sid_ = std::make_unique<Sid>(policy->lowbox_sid_); @@ -387,6 +409,9 @@ PolicyDiagnostic::PolicyDiagnostic(PolicyBase* policy) { } } } + is_csrss_connected_ = policy->is_csrss_connected_; + handles_to_close_.insert(policy->handle_closer_.handles_to_close_.begin(), + policy->handle_closer_.handles_to_close_.end()); } PolicyDiagnostic::~PolicyDiagnostic() = default; @@ -409,10 +434,28 @@ const char* PolicyDiagnostic::JsonString() { value.SetKey(kPlatformMitigations, base::Value(GetPlatformMitigationsAsHex(desired_mitigations_))); - if (app_container_sid_) + if (app_container_sid_) { value.SetStringKey( kAppContainerSid, base::AsStringPiece16(GetSidAsString(app_container_sid_.get()))); + std::vector<base::Value> caps; + for (auto sid : capabilities_) { + auto sid_value = base::Value(base::AsStringPiece16(GetSidAsString(&sid))); + caps.push_back(std::move(sid_value)); + } + if (!caps.empty()) { + value.SetKey(kAppContainerCapabilities, base::Value(std::move(caps))); + } + std::vector<base::Value> imp_caps; + for (auto sid : initial_capabilities_) { + auto sid_value = base::Value(base::AsStringPiece16(GetSidAsString(&sid))); + imp_caps.push_back(std::move(sid_value)); + } + if (!imp_caps.empty()) { + value.SetKey(kAppContainerInitialCapabilities, + base::Value(std::move(imp_caps))); + } + } if (lowbox_sid_) { value.SetStringKey( 
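Review bot: The two blocks added under `if (app_container_sid_)` in JsonString() are the same eight lines with a different member and key, and each iterates `for (auto sid : ...)`, copying every Sid only to take its address for GetSidAsString(). A file-local helper that renders a `std::vector<Sid>` as a `base::Value` list removes the duplication and documents the copy in one place (it is presumably required because GetSidAsString() is handed a non-const pointer; confirm against its declaration). The constructor hunk above likewise fills `capabilities_` and `initial_capabilities_` with push_back loops that could be a plain assignment from the two accessors if they return a vector. JsonString() starts and ends outside this hunk.
```cpp
// In the anonymous namespace, alongside GetHandlesToClose():
// Renders each SID as its string form. The element is copied because
// GetSidAsString() is given a non-const pointer (confirm its signature).
base::Value SidsToValue(const std::vector<Sid>& sids) {
  std::vector<base::Value> out;
  for (auto sid : sids)
    out.emplace_back(base::AsStringPiece16(GetSidAsString(&sid)));
  return base::Value(std::move(out));
}

// … unchanged: JsonString() up to the app container SID key …
    if (!capabilities_.empty())
      value.SetKey(kAppContainerCapabilities, SidsToValue(capabilities_));
    if (!initial_capabilities_.empty())
      value.SetKey(kAppContainerInitialCapabilities,
                   SidsToValue(initial_capabilities_));
```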
@@ -422,6 +465,11 @@ const char* PolicyDiagnostic::JsonString() { if (policy_rules_) value.SetKey(kPolicyRules, GetPolicyRules(policy_rules_.get())); + value.SetStringKey(kDisconnectCsrss, + is_csrss_connected_ ? kDisabled : kEnabled); + if (!handles_to_close_.empty()) + value.SetKey(kHandlesToClose, GetHandlesToClose(handles_to_close_)); + auto json_string = std::make_unique<std::string>(); JSONStringValueSerializer to_json(json_string.get()); CHECK(to_json.Serialize(value)); diff --git a/chromium/sandbox/win/src/sandbox_policy_diagnostic.h b/chromium/sandbox/win/src/sandbox_policy_diagnostic.h index a392c7b2d7b..4b6dc4d7239 100644 --- a/chromium/sandbox/win/src/sandbox_policy_diagnostic.h +++ b/chromium/sandbox/win/src/sandbox_policy_diagnostic.h @@ -13,6 +13,7 @@ #include "base/macros.h" #include "base/values.h" +#include "sandbox/win/src/handle_closer.h" #include "sandbox/win/src/policy_low_level.h" #include "sandbox/win/src/process_mitigations.h" #include "sandbox/win/src/sandbox.h" @@ -41,9 +42,17 @@ class PolicyDiagnostic final : public PolicyInfo { JobLevel job_level_ = JOB_NONE; IntegrityLevel desired_integrity_level_ = INTEGRITY_LEVEL_LAST; MitigationFlags desired_mitigations_ = 0; + // Cannot have both |lowbox_sid_| and |app_container_sid_|. May have neither. std::unique_ptr<Sid> app_container_sid_ = nullptr; + // Only populated if |app_container_sid_| is present. + std::vector<Sid> capabilities_; + // Only populated if |app_container_sid_| is present. + std::vector<Sid> initial_capabilities_; + // Cannot have both |lowbox_sid_| and |app_container_sid_|. May have neither. std::unique_ptr<Sid> lowbox_sid_ = nullptr; std::unique_ptr<PolicyGlobal> policy_rules_ = nullptr; + bool is_csrss_connected_ = false; + HandleMap handles_to_close_; DISALLOW_COPY_AND_ASSIGN(PolicyDiagnostic); }; diff --git a/chromium/sandbox/win/src/sharedmem_ipc_server.cc b/chromium/sandbox/win/src/sharedmem_ipc_server.cc index 99c3ee4e98a..e30c7d900cf 100644 
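Review bot: `value.SetStringKey(kDisconnectCsrss, is_csrss_connected_ ? kDisabled : kEnabled);` reads inverted at first glance because the key names the mitigation while the member names the opposite state, which invites a future "fix" that flips the branches. A one-line comment above it settles the intent: `// The mitigation is "disconnect CSRSS": it is disabled while the target stays connected.` The same pairing would be worth a sentence on `bool is_csrss_connected_` in the header hunk below. JsonString() starts before this hunk.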
--- a/chromium/sandbox/win/src/sharedmem_ipc_server.cc +++ b/chromium/sandbox/win/src/sharedmem_ipc_server.cc @@ -17,6 +17,7 @@ #include "sandbox/win/src/sandbox.h" #include "sandbox/win/src/sandbox_types.h" #include "sandbox/win/src/sharedmem_ipc_client.h" +#include "sandbox/win/src/threadpool.h" namespace { // This handle must not be closed. @@ -31,10 +32,10 @@ SharedMemIPCServer::ServerControl::~ServerControl() {} SharedMemIPCServer::SharedMemIPCServer(HANDLE target_process, DWORD target_process_id, - ThreadProvider* thread_provider, + ThreadPool* thread_pool, Dispatcher* dispatcher) : client_control_(nullptr), - thread_provider_(thread_provider), + thread_pool_(thread_pool), target_process_(target_process), target_process_id_(target_process_id), call_dispatcher_(dispatcher) { @@ -55,7 +56,7 @@ SharedMemIPCServer::SharedMemIPCServer(HANDLE target_process, SharedMemIPCServer::~SharedMemIPCServer() { // Free the wait handles associated with the thread pool. - if (!thread_provider_->UnRegisterWaits(this)) { + if (!thread_pool_->UnRegisterWaits(this)) { // Better to leak than to crash. return; } @@ -127,8 +128,8 @@ bool SharedMemIPCServer::Init(void* shared_mem, // Advance to the next channel. base_start += channel_size; // Register the ping event with the threadpool. - thread_provider_->RegisterWait(this, service_context->ping_event.Get(), - ThreadPingEventReady, service_context); + thread_pool_->RegisterWait(this, service_context->ping_event.Get(), + ThreadPingEventReady, service_context); } if (!::DuplicateHandle(::GetCurrentProcess(), g_alive_mutex, target_process_, &client_control_->server_alive, diff --git a/chromium/sandbox/win/src/sharedmem_ipc_server.h b/chromium/sandbox/win/src/sharedmem_ipc_server.h index fce52c6ad03..8530985a3e9 100644 --- a/chromium/sandbox/win/src/sharedmem_ipc_server.h +++ b/chromium/sandbox/win/src/sharedmem_ipc_server.h 
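Review bot: The return value of `thread_pool_->RegisterWait(...)` in Init() is still discarded after the rename; RegisterWait is declared bool and the threadpool.cc hunk further down shows it returning false at least for a zero cookie, and a channel whose ping event was never registered is never serviced, so an IPC on that channel would hang rather than fail. Check it, e.g. `if (!thread_pool_->RegisterWait(this, service_context->ping_event.Get(), ThreadPingEventReady, service_context)) return false;`, bearing in mind that Init() continues outside the hunk and that waits registered for earlier channels would then need the UnRegisterWaits cleanup the destructor already performs.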
@@ -16,6 +16,7 @@ #include "sandbox/win/src/crosscall_params.h" #include "sandbox/win/src/crosscall_server.h" #include "sandbox/win/src/sharedmem_ipc_client.h" +#include "sandbox/win/src/threadpool.h" // IPC transport implementation that uses shared memory. // This is the server side @@ -47,11 +48,11 @@ class SharedMemIPCServer { // everything is safe. If that changes, we should break this dependency and // duplicate the handle instead. // target_process_id: process id of the target process. - // thread_provider: a thread provider object. + // thread_pool: a thread pool object. // dispatcher: an object that can service IPC calls. SharedMemIPCServer(HANDLE target_process, DWORD target_process_id, - ThreadProvider* thread_provider, + ThreadPool* thread_pool, Dispatcher* dispatcher); ~SharedMemIPCServer(); @@ -64,9 +65,9 @@ class SharedMemIPCServer { // Allow tests to be marked DISABLED_. Note that FLAKY_ and FAILS_ prefixes // do not work with sandbox tests. FRIEND_TEST_ALL_PREFIXES(IPCTest, SharedMemServerTests); - // When an event fires (IPC request). A thread from the ThreadProvider + // When an event fires (IPC request). A thread from the ThreadPool // will call this function. The context parameter should be the same as - // provided when ThreadProvider::RegisterWait was called. + // provided when ThreadPool::RegisterWait was called. static void __stdcall ThreadPingEventReady(void* context, unsigned char); // Makes the client and server events. This function is called once 
@@ -116,9 +117,9 @@ class SharedMemIPCServer { // Keeps track of the server side objects that are used to answer an IPC. std::list<std::unique_ptr<ServerControl>> server_contexts_; - // The thread provider provides the threads that call back into this object + // The thread pool provides the threads that call back into this object // when the IPC events fire. - ThreadProvider* thread_provider_; + ThreadPool* thread_pool_; // The IPC object is associated with a target process. HANDLE target_process_; diff --git a/chromium/sandbox/win/src/sid.cc b/chromium/sandbox/win/src/sid.cc index efcb2583dfc..a22e8a40a9b 100644 --- a/chromium/sandbox/win/src/sid.cc +++ b/chromium/sandbox/win/src/sid.cc @@ -106,11 +106,11 @@ Sid Sid::FromNamedCapability(const wchar_t* capability_name) { } Sid Sid::FromSddlString(const wchar_t* sddl_sid) { - PSID converted_sid; - if (!::ConvertStringSidToSid(sddl_sid, &converted_sid)) + PSID psid = nullptr; + if (!::ConvertStringSidToSid(sddl_sid, &psid)) return Sid(); - - return Sid(converted_sid); + std::unique_ptr<void, sandbox::LocalFreeDeleter> converted_sid(psid); + return Sid(converted_sid.get()); } Sid Sid::FromSubAuthorities(PSID_IDENTIFIER_AUTHORITY identifier_authority, diff --git a/chromium/sandbox/win/src/sid.h b/chromium/sandbox/win/src/sid.h index 745f4710546..7436442229c 100644 --- a/chromium/sandbox/win/src/sid.h +++ b/chromium/sandbox/win/src/sid.h @@ -31,7 +31,8 @@ enum WellKnownCapabilities { // This class is used to hold and generate SIDS. class Sid { public: - // As PSID is just a void* make it explicit. + // As PSID is just a void* make it explicit. Copies + // the memory referenced by |sid|. explicit Sid(PSID sid); // Constructors initializing the object with the SID passed. // This is a converting constructor. It is not explicit. diff --git a/chromium/sandbox/win/src/target_process.cc b/chromium/sandbox/win/src/target_process.cc index b4700a723f9..70e700112b6 100644 --- a/chromium/sandbox/win/src/target_process.cc 
+++ b/chromium/sandbox/win/src/target_process.cc @@ -104,7 +104,7 @@ SANDBOX_INTERCEPT size_t g_shared_policy_size; TargetProcess::TargetProcess(base::win::ScopedHandle initial_token, base::win::ScopedHandle lockdown_token, HANDLE job, - ThreadProvider* thread_pool, + ThreadPool* thread_pool, const std::vector<Sid>& impersonation_capabilities) // This object owns everything initialized here except thread_pool and // the job_ handle. The Job handle is closed by BrokerServices and results diff --git a/chromium/sandbox/win/src/target_process.h b/chromium/sandbox/win/src/target_process.h index fc3dce58d02..77410bda61e 100644 --- a/chromium/sandbox/win/src/target_process.h +++ b/chromium/sandbox/win/src/target_process.h @@ -24,7 +24,7 @@ namespace sandbox { class SharedMemIPCServer; class Sid; -class ThreadProvider; +class ThreadPool; class StartupInformationHelper; // TargetProcess models a target instance (child process). Objects of this @@ -35,7 +35,7 @@ class TargetProcess { TargetProcess(base::win::ScopedHandle initial_token, base::win::ScopedHandle lockdown_token, HANDLE job, - ThreadProvider* thread_pool, + ThreadPool* thread_pool, const std::vector<Sid>& impersonation_capabilities); ~TargetProcess(); @@ -104,7 +104,7 @@ class TargetProcess { // Reference to the IPC subsystem. std::unique_ptr<SharedMemIPCServer> ipc_server_; // Provides the threads used by the IPC. This class does not own this pointer. - ThreadProvider* thread_pool_; + ThreadPool* thread_pool_; // Base address of the main executable void* base_address_; // Full name of the target executable. diff --git a/chromium/sandbox/win/src/win2k_threadpool.cc b/chromium/sandbox/win/src/threadpool.cc index 49cc68bb00e..1d8fa8ac829 100644 --- a/chromium/sandbox/win/src/win2k_threadpool.cc +++ b/chromium/sandbox/win/src/threadpool.cc 
@@ -2,7 +2,7 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#include "sandbox/win/src/win2k_threadpool.h" +#include "sandbox/win/src/threadpool.h" #include <stddef.h> @@ -10,14 +10,14 @@ namespace sandbox { -Win2kThreadPool::Win2kThreadPool() { +ThreadPool::ThreadPool() { ::InitializeCriticalSection(&lock_); } -bool Win2kThreadPool::RegisterWait(const void* cookie, - HANDLE waitable_object, - CrossCallIPCCallback callback, - void* context) { +bool ThreadPool::RegisterWait(const void* cookie, + HANDLE waitable_object, + CrossCallIPCCallback callback, + void* context) { if (0 == cookie) { return false; } @@ -33,7 +33,7 @@ bool Win2kThreadPool::RegisterWait(const void* cookie, return true; } -bool Win2kThreadPool::UnRegisterWaits(void* cookie) { +bool ThreadPool::UnRegisterWaits(void* cookie) { if (0 == cookie) { return false; } @@ -52,12 +52,12 @@ bool Win2kThreadPool::UnRegisterWaits(void* cookie) { return success; } -size_t Win2kThreadPool::OutstandingWaits() { +size_t ThreadPool::OutstandingWaits() { AutoLock lock(&lock_); return pool_objects_.size(); } -Win2kThreadPool::~Win2kThreadPool() { +ThreadPool::~ThreadPool() { // Here we used to unregister all the pool wait handles. Now, following the // rest of the code we avoid lengthy or blocking calls given that the process // is being torn down. diff --git a/chromium/sandbox/win/src/threadpool.h b/chromium/sandbox/win/src/threadpool.h new file mode 100644 index 00000000000..045a9d2b7d2 --- /dev/null +++ b/chromium/sandbox/win/src/threadpool.h 
@@ -0,0 +1,87 @@ +// Copyright 2021 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef SANDBOX_SRC_THREADPOOL_H_ +#define SANDBOX_SRC_THREADPOOL_H_ + +#include <stddef.h> + +#include <algorithm> +#include <list> +#include "base/macros.h" +#include "sandbox/win/src/crosscall_server.h" + +namespace sandbox { +// This function signature is required as the callback when an IPC call fires. +// context: a user-defined pointer that was set using ThreadProvider +// reason: 0 if the callback was fired because of a timeout. +// 1 if the callback was fired because of an event. +typedef void(__stdcall* CrossCallIPCCallback)(void* context, + unsigned char reason); + +// ThreadPool provides threads to run callbacks for the sandbox IPC +// subsystem. See sandbox\crosscall_server.h for further details. +// +// ThreadPool models a thread factory. The idea is to decouple thread +// creation and lifetime from the inner guts of the IPC. The contract is +// simple: +// - the IPC implementation calls RegisterWait with a waitable object that +// becomes signaled when an IPC arrives and needs to be serviced. +// - when the waitable object becomes signaled, the thread provider conjures +// a thread that calls the callback (CrossCallIPCCallback) function +// - the callback function tries its best not to block and return quickly +// and should not assume that the next callback will use the same thread +// - when the callback returns the ThreadProvider owns again the thread +// and can destroy it or keep it around. +// +// Implementing the thread provider as a thread pool is desirable in the case +// of shared memory IPC because it can generate a large number of waitable +// events: as many as channels. A thread pool does not create a thread per +// event, instead maintains a few idle threads but can create more if the need +// arises. 
+// +// This implementation simply thunks to the nice thread pool API of win2k. +class ThreadPool { + public: + ThreadPool(); + ~ThreadPool(); + // Registers a waitable object with the thread provider. + // client: A number to associate with all the RegisterWait calls, typically + // this is the address of the caller object. This parameter cannot + // be zero. + // waitable_object : a kernel object that can be waited on + // callback: a function pointer which is the function that will be called + // when the waitable object fires + // context: a user-provider pointer that is passed back to the callback + // when its called + bool RegisterWait(const void* cookie, + HANDLE waitable_object, + CrossCallIPCCallback callback, + void* context); + // Removes all the registrations done with the same cookie parameter. + // This frees internal thread pool resources. + bool UnRegisterWaits(void* cookie); + + // Returns the total number of wait objects associated with + // the thread pool. + size_t OutstandingWaits(); + + private: + // Record to keep track of a wait and its associated cookie. + struct PoolObject { + const void* cookie; + HANDLE wait; + }; + // The list of pool wait objects. + typedef std::list<PoolObject> PoolObjects; + PoolObjects pool_objects_; + // This lock protects the list of pool wait objects. + CRITICAL_SECTION lock_; + + DISALLOW_COPY_AND_ASSIGN(ThreadPool); +}; + +} // namespace sandbox + +#endif // SANDBOX_SRC_THREADPOOL_H_ diff --git a/chromium/sandbox/win/src/threadpool_unittest.cc b/chromium/sandbox/win/src/threadpool_unittest.cc index 3f951b761b7..15cc38634e4 100644 --- a/chromium/sandbox/win/src/threadpool_unittest.cc +++ b/chromium/sandbox/win/src/threadpool_unittest.cc @@ -2,7 +2,7 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#include "sandbox/win/src/win2k_threadpool.h" +#include "sandbox/win/src/threadpool.h" #include <stdint.h> 
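Review bot: The new header still documents the interface it replaces: the CrossCallIPCCallback comment says the context pointer `was set using ThreadProvider`, the contract bullets twice say `the ThreadProvider owns again the thread`, and RegisterWait's comment describes a `client:` parameter while the signature names it `cookie`. Rename those to ThreadPool and cookie so the documentation matches the class it now sits on. `<algorithm>` also looks unused in this header (nothing declared here calls an algorithm; confirm before dropping it), and `typedef void(__stdcall* CrossCallIPCCallback)(...)` could be a `using` declaration in line with the rest of modern Chromium.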
@@ -19,7 +19,7 @@ namespace sandbox { // Test that register and unregister work, part 1. TEST(IPCTest, ThreadPoolRegisterTest1) { - Win2kThreadPool thread_pool; + ThreadPool thread_pool; EXPECT_EQ(0u, thread_pool.OutstandingWaits()); @@ -44,7 +44,7 @@ TEST(IPCTest, ThreadPoolRegisterTest1) { // Test that register and unregister work, part 2. TEST(IPCTest, ThreadPoolRegisterTest2) { - Win2kThreadPool thread_pool; + ThreadPool thread_pool; HANDLE event1 = ::CreateEventW(nullptr, false, false, nullptr); HANDLE event2 = ::CreateEventW(nullptr, false, false, nullptr); @@ -73,7 +73,7 @@ TEST(IPCTest, ThreadPoolRegisterTest2) { // Test that the thread pool has at least a thread that services an event. // Test that when the event is un-registered is no longer serviced. TEST(IPCTest, ThreadPoolSignalAndWaitTest) { - Win2kThreadPool thread_pool; + ThreadPool thread_pool; // The events are auto reset and start not signaled. HANDLE event1 = ::CreateEventW(nullptr, false, false, nullptr); diff --git a/chromium/sandbox/win/src/win2k_threadpool.h b/chromium/sandbox/win/src/win2k_threadpool.h deleted file mode 100644 index c4d539dd7fe..00000000000 --- a/chromium/sandbox/win/src/win2k_threadpool.h +++ /dev/null 
@@ -1,61 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef SANDBOX_SRC_WIN2K_THREADPOOL_H_ -#define SANDBOX_SRC_WIN2K_THREADPOOL_H_ - -#include <stddef.h> - -#include <algorithm> -#include <list> -#include "base/macros.h" -#include "sandbox/win/src/crosscall_server.h" - -namespace sandbox { - -// Win2kThreadPool a simple implementation of a thread provider as required -// for the sandbox IPC subsystem. See sandbox\crosscall_server.h for the details -// and requirements of this interface. -// -// Implementing the thread provider as a thread pool is desirable in the case -// of shared memory IPC because it can generate a large number of waitable -// events: as many as channels. A thread pool does not create a thread per -// event, instead maintains a few idle threads but can create more if the need -// arises. -// -// This implementation simply thunks to the nice thread pool API of win2k. -class Win2kThreadPool : public ThreadProvider { - public: - Win2kThreadPool(); - ~Win2kThreadPool() override; - - bool RegisterWait(const void* cookie, - HANDLE waitable_object, - CrossCallIPCCallback callback, - void* context) override; - - bool UnRegisterWaits(void* cookie) override; - - // Returns the total number of wait objects associated with - // the thread pool. - size_t OutstandingWaits(); - - private: - // record to keep track of a wait and its associated cookie. - struct PoolObject { - const void* cookie; - HANDLE wait; - }; - // The list of pool wait objects. - typedef std::list<PoolObject> PoolObjects; - PoolObjects pool_objects_; - // This lock protects the list of pool wait objects. - CRITICAL_SECTION lock_; - - DISALLOW_COPY_AND_ASSIGN(Win2kThreadPool); -}; - -} // namespace sandbox - -#endif // SANDBOX_SRC_WIN2K_THREADPOOL_H_ |