summaryrefslogtreecommitdiffstats
path: root/chromium/sandbox/mac/bootstrap_sandbox.h
diff options
context:
space:
mode:
Diffstat (limited to 'chromium/sandbox/mac/bootstrap_sandbox.h')
-rw-r--r--chromium/sandbox/mac/bootstrap_sandbox.h114
1 files changed, 114 insertions, 0 deletions
diff --git a/chromium/sandbox/mac/bootstrap_sandbox.h b/chromium/sandbox/mac/bootstrap_sandbox.h
new file mode 100644
index 00000000000..dff7814d545
--- /dev/null
+++ b/chromium/sandbox/mac/bootstrap_sandbox.h
@@ -0,0 +1,114 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_
+#define SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_
+
+#include <mach/mach.h>
+
+#include <map>
+#include <string>
+
+#include "base/mac/scoped_mach_port.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/process/process_handle.h"
+#include "base/synchronization/lock.h"
+#include "sandbox/mac/policy.h"
+#include "sandbox/sandbox_export.h"
+
+namespace sandbox {
+
+class LaunchdInterceptionServer;
+
+// The BootstrapSandbox is a second-layer sandbox for Mac. It is used to limit
+// the bootstrap namespace attack surface of child processes. The parent
+// process creates an instance of this class and registers policies that it
+// can enforce on its children.
+//
+// With this sandbox, the parent process must replace the bootstrap port prior
+// to the sandboxed target's execution. This should be done by setting the
+// base::LaunchOptions.replacement_bootstrap_name to the
+// server_bootstrap_name() of this class. Requests from the child that would
+// normally go to launchd are filtered based on the specified per-process
+// policies. If a request is permitted by the policy, it is forwarded on to
+// launchd for servicing. If it is not, then the sandbox will reply with a
+// primitive that does not grant additional capabilities to the receiver.
+//
+// Clients that which to use the sandbox must inform it of the creation and
+// death of child processes for which the sandbox should be enforced. The
+// client of the sandbox is intended to be an unsandboxed parent process that
+// fork()s sandboxed (and other unsandboxed) child processes.
+//
+// When the parent is ready to fork a new child process with this sandbox
+// being enforced, it should use the pair of methods PrepareToForkWithPolicy()
+// and FinishedFork(), and call fork() between them. The first method will
+// set the policy for the new process, and the second will finialize the
+// association between the process ID and sandbox policy ID.
+//
+// All methods of this class may be called from any thread, but
+// PrepareToForkWithPolicy() and FinishedFork() must be non-nested and balanced.
+class SANDBOX_EXPORT BootstrapSandbox {
+ public:
+ // Creates a new sandbox manager. Returns NULL on failure.
+ static scoped_ptr<BootstrapSandbox> Create();
+
+ ~BootstrapSandbox();
+
+ // Registers a bootstrap policy associated it with an identifier. The
+ // |sandbox_policy_id| must be greater than 0.
+ void RegisterSandboxPolicy(int sandbox_policy_id,
+ const BootstrapSandboxPolicy& policy);
+
+ // Called in the parent prior to fork()ing a child. The policy registered
+ // to |sandbox_policy_id| will be enforced on the new child. This must be
+ // followed by a call to FinishedFork().
+ void PrepareToForkWithPolicy(int sandbox_policy_id);
+
+ // Called in the parent after fork()ing a child. It records the |handle|
+ // and associates it with the specified-above |sandbox_policy_id|.
+ // If fork() failed and a new child was not created, pass kNullProcessHandle.
+ void FinishedFork(base::ProcessHandle handle);
+
+ // Called in the parent when a process has died. It cleans up the references
+ // to the process.
+ void ChildDied(base::ProcessHandle handle);
+
+ // Looks up the policy for a given process ID. If no policy is associated
+ // with the |pid|, this returns NULL.
+ const BootstrapSandboxPolicy* PolicyForProcess(pid_t pid) const;
+
+ std::string server_bootstrap_name() const { return server_bootstrap_name_; }
+ mach_port_t real_bootstrap_port() const { return real_bootstrap_port_; }
+
+ private:
+ BootstrapSandbox();
+
+ // A Mach IPC message server that is used to intercept and filter bootstrap
+ // requests.
+ scoped_ptr<LaunchdInterceptionServer> server_;
+
+ // The name in the system bootstrap server by which the |server_|'s port
+ // is known.
+ const std::string server_bootstrap_name_;
+
+ // The original bootstrap port of the process, which is connected to the
+ // real launchd server.
+ base::mac::ScopedMachSendRight real_bootstrap_port_;
+
+ // The |lock_| protects all the following variables.
+ mutable base::Lock lock_;
+
+ // The sandbox_policy_id that will be enforced for the new child.
+ int effective_policy_id_;
+
+ // All the policies that have been registered with this sandbox manager.
+ std::map<int, const BootstrapSandboxPolicy> policies_;
+
+ // The association between process ID and sandbox policy ID.
+ std::map<base::ProcessHandle, int> sandboxed_processes_;
+};
+
+} // namespace sandbox
+
+#endif // SANDBOX_MAC_BOOTSTRAP_SANDBOX_H_
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-07 09:28:29 +0000