Diffstat (limited to 'chromium/services/service_manager/sandbox')
13 files changed, 175 insertions, 20 deletions
diff --git a/chromium/services/service_manager/sandbox/BUILD.gn b/chromium/services/service_manager/sandbox/BUILD.gn
index 0e9bfbf0327..21749ad3322 100644
--- a/chromium/services/service_manager/sandbox/BUILD.gn
+++ b/chromium/services/service_manager/sandbox/BUILD.gn
@@ -79,6 +79,8 @@ component("sandbox") {
 sources += [
 "linux/bpf_ime_policy_linux.cc",
 "linux/bpf_ime_policy_linux.h",
+ "linux/bpf_tts_policy_linux.cc",
+ "linux/bpf_tts_policy_linux.h",
 ]
 }
 if (is_mac) {
diff --git a/chromium/services/service_manager/sandbox/fuchsia/sandbox_policy_fuchsia.cc b/chromium/services/service_manager/sandbox/fuchsia/sandbox_policy_fuchsia.cc
index 2747e169d6a..0d178b90d10 100644
--- a/chromium/services/service_manager/sandbox/fuchsia/sandbox_policy_fuchsia.cc
+++ b/chromium/services/service_manager/sandbox/fuchsia/sandbox_policy_fuchsia.cc
@@ -28,10 +28,10 @@
 #include "base/command_line.h"
 #include "base/containers/span.h"
 #include "base/files/file_util.h"
-#include "base/fuchsia/default_context.h"
 #include "base/fuchsia/default_job.h"
 #include "base/fuchsia/filtered_service_directory.h"
 #include "base/fuchsia/fuchsia_logging.h"
+#include "base/fuchsia/process_context.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
 #include "base/process/process.h"
@@ -167,7 +167,7 @@ SandboxPolicyFuchsia::SandboxPolicyFuchsia(service_manager::SandboxType type) {
 service_directory_task_runner_ = base::ThreadTaskRunnerHandle::Get();
 service_directory_ =
 std::make_unique<base::fuchsia::FilteredServiceDirectory>(
- base::fuchsia::ComponentContextForCurrentProcess()->svc().get());
+ base::ComponentContextForProcess()->svc().get());
 for (const char* service_name : kDefaultServices) {
 service_directory_->AddService(service_name);
 }
diff --git a/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.cc b/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.cc
new file mode 100644
index 00000000000..812072395ec
--- /dev/null
+++ b/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.cc
@@ -0,0 +1,34 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "services/service_manager/sandbox/linux/bpf_tts_policy_linux.h"
+
+#include <sys/socket.h>
+
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
+#include "sandbox/linux/syscall_broker/broker_process.h"
+#include "sandbox/linux/system_headers/linux_syscalls.h"
+#include "services/service_manager/sandbox/linux/sandbox_linux.h"
+
+using sandbox::bpf_dsl::Allow;
+using sandbox::bpf_dsl::ResultExpr;
+using sandbox::bpf_dsl::Trap;
+using sandbox::syscall_broker::BrokerProcess;
+
+namespace service_manager {
+
+TtsProcessPolicy::TtsProcessPolicy() {}
+
+TtsProcessPolicy::~TtsProcessPolicy() {}
+
+ResultExpr TtsProcessPolicy::EvaluateSyscall(int sysno) const {
+ auto* broker_process = SandboxLinux::GetInstance()->broker_process();
+ if (broker_process->IsSyscallAllowed(sysno))
+ return Trap(BrokerProcess::SIGSYS_Handler, broker_process);
+
+ return BPFBasePolicy::EvaluateSyscall(sysno);
+}
+
+} // namespace service_manager
diff --git a/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.h b/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.h
new file mode 100644
index 00000000000..a562a68cfce
--- /dev/null
+++ b/chromium/services/service_manager/sandbox/linux/bpf_tts_policy_linux.h
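Review bot: `EvaluateSyscall` dereferences `SandboxLinux::GetInstance()->broker_process()` without checking it, so if this policy is ever installed for a process that was started without a broker, `IsSyscallAllowed` is a null dereference inside seccomp policy evaluation. A `DCHECK(broker_process);` before the `if`, or a fallback to `BPFBasePolicy::EvaluateSyscall(sysno)` when it is null, would record the assumption; this presumably mirrors the existing IME policy, so the same check may belong there too. The file also pulls in `<sys/socket.h>` and `using sandbox::bpf_dsl::Allow;` that nothing in it uses, and `TtsProcessPolicy::TtsProcessPolicy() {}` / `TtsProcessPolicy::~TtsProcessPolicy() {}` read more clearly as `= default`. A short header comment stating that the text-to-speech process gets nothing beyond the baseline except broker-mediated file access (which is all this file grants) would help whoever reviews a later widening of the policy.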
@@ -0,0 +1,27 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_TTS_POLICY_LINUX_H_
+#define SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_TTS_POLICY_LINUX_H_
+
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "services/service_manager/sandbox/export.h"
+#include "services/service_manager/sandbox/linux/bpf_base_policy_linux.h"
+
+namespace service_manager {
+
+class SERVICE_MANAGER_SANDBOX_EXPORT TtsProcessPolicy : public BPFBasePolicy {
+ public:
+ TtsProcessPolicy();
+ ~TtsProcessPolicy() override;
+
+ sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override;
+
+ private:
+ DISALLOW_COPY_AND_ASSIGN(TtsProcessPolicy);
+};
+
+} // namespace service_manager
+
+#endif // SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_TTS_POLICY_LINUX_H_
diff --git a/chromium/services/service_manager/sandbox/linux/sandbox_linux.h b/chromium/services/service_manager/sandbox/linux/sandbox_linux.h
index 9f67272c5e2..6a17f9edb63 100644
--- a/chromium/services/service_manager/sandbox/linux/sandbox_linux.h
+++ b/chromium/services/service_manager/sandbox/linux/sandbox_linux.h
@@ -9,7 +9,7 @@
 #include <string>
 #include <vector>
-#include "base/logging.h"
+#include "base/check_op.h"
 #include "base/macros.h"
 #include "base/posix/global_descriptors.h"
 #include "sandbox/linux/syscall_broker/broker_command.h"
diff --git a/chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc b/chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
index e2f22540a5a..1c16d68df91 100644
--- a/chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
+++ b/chromium/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
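Review bot: The new `TtsProcessPolicy` class carries no comment saying which process it sandboxes or how it relates to `BPFBasePolicy`; a one-liner above the class such as `// Seccomp-BPF policy for the Chrome OS text-to-speech utility process. Only widens BPFBasePolicy for syscalls the file broker handles.` would make the intent greppable from the header. `DISALLOW_COPY_AND_ASSIGN(TtsProcessPolicy)` also depends on `base/macros.h`, which none of the three includes in this header names, so it is reached transitively; deleted copy members (`TtsProcessPolicy(const TtsProcessPolicy&) = delete;` and the matching `operator=`) remove that dependency.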
@@ -54,6 +54,7 @@
 #if defined(OS_CHROMEOS)
 #include "services/service_manager/sandbox/linux/bpf_ime_policy_linux.h"
+#include "services/service_manager/sandbox/linux/bpf_tts_policy_linux.h"
 #endif // defined(OS_CHROMEOS)
 using sandbox::BaselinePolicy;
@@ -185,6 +186,8 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
 #if defined(OS_CHROMEOS)
 case SandboxType::kIme:
 return std::make_unique<ImeProcessPolicy>();
+ case SandboxType::kTts:
+ return std::make_unique<TtsProcessPolicy>();
 #endif // defined(OS_CHROMEOS)
 case SandboxType::kZygoteIntermediateSandbox:
 case SandboxType::kNoSandbox:
@@ -228,6 +231,7 @@ void SandboxSeccompBPF::RunSandboxSanityChecks(
 } break;
 #if defined(OS_CHROMEOS)
 case SandboxType::kIme:
+ case SandboxType::kTts:
 #endif // defined(OS_CHROMEOS)
 case SandboxType::kAudio:
 case SandboxType::kSharingService:
diff --git a/chromium/services/service_manager/sandbox/sandbox_type.cc b/chromium/services/service_manager/sandbox/sandbox_type.cc
index 9ea1cccb467..de79b63b7de 100644
--- a/chromium/services/service_manager/sandbox/sandbox_type.cc
+++ b/chromium/services/service_manager/sandbox/sandbox_type.cc
@@ -8,6 +8,7 @@
 #include "base/check.h"
 #include "base/feature_list.h"
+#include "base/logging.h"
 #include "base/notreached.h"
 #include "services/service_manager/sandbox/features.h"
 #include "services/service_manager/sandbox/switches.h"
@@ -26,6 +27,7 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
 service_manager::features::kXRSandbox);
 case SandboxType::kProxyResolver:
 case SandboxType::kPdfConversion:
+ case SandboxType::kIconReader:
 return false;
 #endif
 case SandboxType::kAudio:
@@ -57,6 +59,7 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
 #endif
 #if defined(OS_CHROMEOS)
 case SandboxType::kIme:
+ case SandboxType::kTts:
 #endif
 #if !defined(OS_MACOSX)
 case SandboxType::kSharingService:
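Review bot: In `RunSandboxSanityChecks`, `kTts` joins the `case` group shared with `kIme`, `kAudio` and `kSharingService`, but the body of that group is outside the hunk, so it is not visible whether the check it runs probes a syscall that `TtsProcessPolicy` actually denies; since that policy only delegates to the broker and to `BPFBasePolicy`, the shared check should be confirmed to exercise a baseline-denied syscall rather than something only a richer policy blocks. A short comment at the new `case SandboxType::kTts:` such as `// TTS adds no policy of its own; the generic baseline check applies.` would record why it shares the group. Both `PolicyForSandboxType` and `RunSandboxSanityChecks` begin outside their hunks.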
@@ -116,9 +119,11 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line,
 case SandboxType::kXrCompositing:
 case SandboxType::kProxyResolver:
 case SandboxType::kPdfConversion:
+ case SandboxType::kIconReader:
 #endif // defined(OS_WIN)
 #if defined(OS_CHROMEOS)
 case SandboxType::kIme:
+ case SandboxType::kTts:
 #endif // defined(OS_CHROMEOS)
 #if !defined(OS_MACOSX)
 case SandboxType::kSharingService:
@@ -237,10 +242,14 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) {
 return switches::kProxyResolverSandbox;
 case SandboxType::kPdfConversion:
 return switches::kPdfConversionSandbox;
+ case SandboxType::kIconReader:
+ return switches::kIconReaderSandbox;
 #endif // defined(OS_WIN)
 #if defined(OS_CHROMEOS)
 case SandboxType::kIme:
 return switches::kImeSandbox;
+ case SandboxType::kTts:
+ return switches::kTtsSandbox;
 #endif // defined(OS_CHROMEOS)
 // The following are not utility processes so should not occur.
 case SandboxType::kRenderer:
@@ -287,6 +296,8 @@ SandboxType UtilitySandboxTypeFromString(const std::string& sandbox_string) {
 return SandboxType::kProxyResolver;
 if (sandbox_string == switches::kPdfConversionSandbox)
 return SandboxType::kPdfConversion;
+ if (sandbox_string == switches::kIconReaderSandbox)
+ return SandboxType::kIconReader;
 #endif
 if (sandbox_string == switches::kAudioSandbox)
 return SandboxType::kAudio;
@@ -297,6 +308,8 @@ SandboxType UtilitySandboxTypeFromString(const std::string& sandbox_string) {
 #if defined(OS_CHROMEOS)
 if (sandbox_string == switches::kImeSandbox)
 return SandboxType::kIme;
+ if (sandbox_string == switches::kTtsSandbox)
+ return SandboxType::kTts;
 #endif // defined(OS_CHROMEOS)
 return SandboxType::kUtility;
 }
diff --git a/chromium/services/service_manager/sandbox/sandbox_type.h b/chromium/services/service_manager/sandbox/sandbox_type.h
index 0eb1e615939..b35e3950ccf 100644
--- a/chromium/services/service_manager/sandbox/sandbox_type.h
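Review bot: `UtilitySandboxTypeFromString` ends with `return SandboxType::kUtility;`, so a sandbox name missing from its `if` chain silently maps to the generic utility sandbox instead of failing, and `StringFromUtilitySandboxType` and this function are now edited in lockstep for `kIconReader` and `kTts` with nothing in the hunks tying the two together. A round-trip unit test asserting `UtilitySandboxTypeFromString(StringFromUtilitySandboxType(t)) == t` for every utility type, under the same platform guards, would catch a future type added to one switch but not the other before it changes which sandbox a process is launched with. The same lockstep applies to the `IsUnsandboxedSandboxType` and `SetCommandLineFlagsForSandboxType` hunks above. All four functions begin outside their hunks.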
+++ b/chromium/services/service_manager/sandbox/sandbox_type.h
@@ -30,6 +30,9 @@ enum class SandboxType {
 // The PDF conversion service process used in printing.
 kPdfConversion,
+
+ // The icon reader service.
+ kIconReader,
 #endif
 #if defined(OS_FUCHSIA)
@@ -69,6 +72,8 @@ enum class SandboxType {
 #if defined(OS_CHROMEOS)
 kIme,
+ // Text-to-speech.
+ kTts,
 #endif // defined(OS_CHROMEOS)
 #if defined(OS_LINUX)
diff --git a/chromium/services/service_manager/sandbox/switches.cc b/chromium/services/service_manager/sandbox/switches.cc
index 863638ae365..e635d4e8eed 100644
--- a/chromium/services/service_manager/sandbox/switches.cc
+++ b/chromium/services/service_manager/sandbox/switches.cc
@@ -36,10 +36,12 @@ const char kVideoCaptureSandbox[] = "video_capture";
 const char kPdfConversionSandbox[] = "pdf_conversion";
 const char kProxyResolverSandbox[] = "proxy_resolver";
 const char kXrCompositingSandbox[] = "xr_compositing";
+const char kIconReaderSandbox[] = "icon_reader";
 #endif // OS_WIN
 #if defined(OS_CHROMEOS)
 const char kImeSandbox[] = "ime";
+const char kTtsSandbox[] = "tts";
 #endif // OS_CHROMEOS
 // Flags owned by the service manager sandbox.
@@ -80,6 +82,7 @@ const char kGpuSandboxAllowSysVShm[] = "gpu-sandbox-allow-sysv-shm";
 const char kGpuSandboxFailuresFatal[] = "gpu-sandbox-failures-fatal";
 // Disables the sandbox for all process types that are normally sandboxed.
+// Meant to be used as a browser-level switch for testing purposes only.
 const char kNoSandbox[] = "no-sandbox";
 #if defined(OS_LINUX)
diff --git a/chromium/services/service_manager/sandbox/switches.h b/chromium/services/service_manager/sandbox/switches.h
index 0deedde8296..6d66ab6c4f2 100644
--- a/chromium/services/service_manager/sandbox/switches.h
+++ b/chromium/services/service_manager/sandbox/switches.h
@@ -35,10 +35,12 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kVideoCaptureSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPdfConversionSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kProxyResolverSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kXrCompositingSandbox[];
+SERVICE_MANAGER_SANDBOX_EXPORT extern const char kIconReaderSandbox[];
 #endif // OS_WIN
 #if defined(OS_CHROMEOS)
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kImeSandbox[];
+SERVICE_MANAGER_SANDBOX_EXPORT extern const char kTtsSandbox[];
 #endif // OS_CHROMEOS
 // Flags owned by the service manager sandbox.
diff --git a/chromium/services/service_manager/sandbox/win/sandbox_diagnostics.h b/chromium/services/service_manager/sandbox/win/sandbox_diagnostics.h
index 5470fe1ada6..1f89e7ee7a9 100644
--- a/chromium/services/service_manager/sandbox/win/sandbox_diagnostics.h
+++ b/chromium/services/service_manager/sandbox/win/sandbox_diagnostics.h
@@ -14,7 +14,6 @@
 #include <vector>
 #include "base/callback.h"
-#include "base/logging.h"
 #include "base/sequenced_task_runner.h"
 #include "base/values.h"
 #include "sandbox/constants.h"
diff --git a/chromium/services/service_manager/sandbox/win/sandbox_win.cc b/chromium/services/service_manager/sandbox/win/sandbox_win.cc
index a05106e2611..cde75bd0710 100644
--- a/chromium/services/service_manager/sandbox/win/sandbox_win.cc
+++ b/chromium/services/service_manager/sandbox/win/sandbox_win.cc
@@ -33,6 +33,7 @@
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/system/sys_info.h"
+#include "base/trace_event/trace_arguments.h"
 #include "base/trace_event/trace_event.h"
 #include "base/win/iat_patch_function.h"
 #include "base/win/scoped_handle.h"
@@ -44,6 +45,7 @@
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sandbox_policy_base.h"
+#include "sandbox/win/src/sandbox_policy_diagnostic.h"
 #include "sandbox/win/src/win_utils.h"
 #include "services/service_manager/sandbox/features.h"
 #include "services/service_manager/sandbox/sandbox_type.h"
@@ -150,6 +152,26 @@ const wchar_t* const kTroublesomeDlls[] = {
 const base::Feature kEnableCsrssLockdownFeature{
 "EnableCsrssLockdown", base::FEATURE_DISABLED_BY_DEFAULT};
+// Helps emit trace events for sandbox policy. This mediates memory between
+// chrome.exe and chrome.dll.
+class PolicyTraceHelper : public base::trace_event::ConvertableToTraceFormat {
+ public:
+ PolicyTraceHelper(sandbox::TargetPolicy* policy) {
+ // |info| must live until JsonString() output is copied.
+ std::unique_ptr<sandbox::PolicyInfo> info = policy->GetPolicyInfo();
+ json_string_ = std::string(info->JsonString());
+ }
+ ~PolicyTraceHelper() override = default;
+
+ // ConvertableToTraceFormat.
+ void AppendAsTraceFormat(std::string* out) const override {
+ out->append(json_string_);
+ }
+
+ private:
+ std::string json_string_;
+}; // PolicyTraceHelper
+
 #if !defined(NACL_WIN64)
 // Adds the policy rules for the path and path\ with the semantic |access|.
 // If |children| is set to true, we need to add the wildcard rules to also
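Review bot: `PolicyTraceHelper(sandbox::TargetPolicy* policy)` is a single-argument constructor that is not `explicit`, and it dereferences `policy` and the `GetPolicyInfo()` result without a check; `explicit PolicyTraceHelper(sandbox::TargetPolicy* policy)` plus `DCHECK(policy);` as the first statement would match the usual style and make a null policy fail at construction rather than inside the trace subsystem. The comment `// |info| must live until JsonString() output is copied.` describes the constraint from the wrong side; `// |info| owns the buffer behind JsonString(); copy it before |info| is destroyed.` says what the next line does and why. The class is only used from this file, so it belongs in the file's anonymous namespace if there is one (the hunk does not show whether `kEnableCsrssLockdownFeature` already sits inside one).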
@@ -599,14 +621,15 @@ base::string16 GetAppContainerProfileName(
 sandbox_type == SandboxType::kXrCompositing);
 auto sha1 = base::SHA1HashString(appcontainer_id);
 std::string sandbox_base_name = (sandbox_type == SandboxType::kXrCompositing)
- ? std::string("chrome.sandbox.xrdevice")
- : std::string("chrome.sandbox.gpu");
+ ? std::string("cr.sb.xr")
+ : std::string("cr.sb.gpu");
 std::string profile_name = base::StrCat(
 {sandbox_base_name, base::HexEncode(sha1.data(), sha1.size())});
 // CreateAppContainerProfile requires that the profile name is at most 64
- // characters. The size of sha1 is a constant 40, so validate that the base
- // names are sufficiently short that the total length is valid.
- DCHECK_LE(profile_name.length(), 64U);
+ // characters but 50 on WCOS systems. The size of sha1 is a constant 40,
+ // so validate that the base names are sufficiently short that the total
+ // length is valid on all systems.
+ DCHECK_LE(profile_name.length(), 50U);
 return base::UTF8ToWide(profile_name);
 }
@@ -845,6 +868,7 @@ bool SandboxWin::InitTargetServices(sandbox::TargetServices* target_services) {
 return sandbox::SBOX_ALL_OK == result;
 }
+// static
 sandbox::ResultCode SandboxWin::StartSandboxedProcess(
 base::CommandLine* cmd_line,
 const std::string& process_type,
@@ -929,7 +953,8 @@ sandbox::ResultCode SandboxWin::StartSandboxedProcess(
 if (!cmd_line->HasSwitch(switches::kAllowThirdPartyModules))
 mitigations |= sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;
 if (sandbox_type == SandboxType::kNetwork ||
- sandbox_type == SandboxType::kAudio) {
+ sandbox_type == SandboxType::kAudio ||
+ sandbox_type == SandboxType::kIconReader) {
 mitigations |= sandbox::MITIGATION_DYNAMIC_CODE_DISABLE;
 }
 // TODO(wfh): Relax strict handle checks for network process until root cause
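Review bot: The 50-character limit in `GetAppContainerProfileName` is enforced only by `DCHECK_LE(profile_name.length(), 50U)`, which is compiled out of release builds, so a future base-name change that overflows the WCOS limit would surface as a `CreateAppContainerProfile` failure on users' machines rather than at compile time. Both base names are literals and the hex SHA-1 is always 40 characters, so the bound can be a `static_assert` on the constants, with the `DCHECK_LE` kept as a runtime cross-check. The function begins outside the hunk; the rewritten lines are below.
```cpp
  constexpr char kXrBaseName[] = "cr.sb.xr";
  constexpr char kGpuBaseName[] = "cr.sb.gpu";
  // CreateAppContainerProfile allows at most 64 characters, but only 50 on
  // WCOS systems. HexEncode of a SHA-1 digest is always 40 characters.
  constexpr size_t kSha1HexLength = 40;
  static_assert(sizeof(kXrBaseName) - 1 + kSha1HexLength <= 50,
                "XR profile base name too long for WCOS");
  static_assert(sizeof(kGpuBaseName) - 1 + kSha1HexLength <= 50,
                "GPU profile base name too long for WCOS");
  std::string sandbox_base_name = (sandbox_type == SandboxType::kXrCompositing)
                                      ? std::string(kXrBaseName)
                                      : std::string(kGpuBaseName);
  // … unchanged: StrCat with HexEncode(sha1), DCHECK_LE, return …
```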
@@ -1017,20 +1042,17 @@ sandbox::ResultCode SandboxWin::StartSandboxedProcess(
 cmd_line->GetCommandLineString().c_str(), policy, &last_warning,
 &last_error, &temp_process_info);
- // TODO(1059129) Remove logging and underlying plumbing on expiry.
- // This must be logged after spawning the process as the policy
- // memory is not committed until the target process is attached to
- // the sandbox policy. Max is kPolMemSize from sandbox_policy_base.cc.
- if (result == sandbox::SBOX_ALL_OK) {
- UMA_HISTOGRAM_CUSTOM_COUNTS("Process.Sandbox.PolicyGlobalSizeOnSuccess",
- policy->GetPolicyGlobalSize(), 16, 14 * 4096,
- 50);
- }
-
 base::win::ScopedProcessInformation target(temp_process_info);
 TRACE_EVENT_END0("startup", "StartProcessWithAccess::LAUNCHPROCESS");
+ // Trace policy as processes are started. Useful for both failure and success.
+ TRACE_EVENT_INSTANT2(TRACE_DISABLED_BY_DEFAULT("sandbox"), "processLaunch",
+ TRACE_EVENT_SCOPE_PROCESS, "sandboxType",
+ GetSandboxTypeInEnglish(delegate->GetSandboxType()),
+ "policy",
+ std::make_unique<PolicyTraceHelper>(policy.get()));
+
 if (sandbox::SBOX_ALL_OK != result) {
 base::UmaHistogramSparse("Process.Sandbox.Launch.Error", last_error);
 if (result == sandbox::SBOX_ERROR_GENERIC)
@@ -1057,6 +1079,7 @@ sandbox::ResultCode SandboxWin::StartSandboxedProcess(
 return sandbox::SBOX_ALL_OK;
 }
+// static
 sandbox::ResultCode SandboxWin::GetPolicyDiagnostics(
 base::OnceCallback<void(base::Value)> response) {
 CHECK(g_broker_services);
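Review bot: The new `TRACE_EVENT_INSTANT2` passes `delegate->GetSandboxType()` while the rest of `StartSandboxedProcess` (the `MITIGATION_DYNAMIC_CODE_DISABLE` condition a few hunks up, for instance) uses the local `sandbox_type`; if that local is still in scope here, `GetSandboxTypeInEnglish(sandbox_type)` keeps the two from ever disagreeing. `std::make_unique<PolicyTraceHelper>(policy.get())` serializes the whole policy to JSON as a macro argument, so this relies on the trace macro evaluating its arguments only when the disabled-by-default `sandbox` category is enabled; confirm that holds for `TRACE_EVENT_INSTANT2`, otherwise every sandboxed launch pays for `GetPolicyInfo()` and the string copy. The comment `// Trace policy as processes are started. Useful for both failure and success.` could add that the category is off by default, since the serialized rules may include file and registry paths and are only meant to be recorded when a trace explicitly asks for them. `StartSandboxedProcess` begins and ends outside the hunk.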
@@ -1072,4 +1095,44 @@ void BlocklistAddOneDllForTesting(const wchar_t* module_name,
 BlocklistAddOneDll(module_name, check_in_browser, policy);
 }
+// static
+std::string SandboxWin::GetSandboxTypeInEnglish(SandboxType sandbox_type) {
+ switch (sandbox_type) {
+ case SandboxType::kNoSandbox:
+ return "Unsandboxed";
+ case SandboxType::kNoSandboxAndElevatedPrivileges:
+ return "Unsandboxed (Elevated)";
+ case SandboxType::kXrCompositing:
+ return "XR Compositing";
+ case SandboxType::kRenderer:
+ return "Renderer";
+ case SandboxType::kUtility:
+ return "Utility";
+ case SandboxType::kGpu:
+ return "GPU";
+ case SandboxType::kPpapi:
+ return "PPAPI";
+ case SandboxType::kNetwork:
+ return "Network";
+ case SandboxType::kCdm:
+ return "CDM";
+ case SandboxType::kPrintCompositor:
+ return "Print Compositor";
+ case SandboxType::kAudio:
+ return "Audio";
+ case SandboxType::kSpeechRecognition:
+ return "Speech Recognition";
+ case SandboxType::kProxyResolver:
+ return "Proxy Resolver";
+ case SandboxType::kPdfConversion:
+ return "PDF Conversion";
+ case SandboxType::kSharingService:
+ return "Sharing";
+ case SandboxType::kVideoCapture:
+ return "Video Capture";
+ case SandboxType::kIconReader:
+ return "Icon Reader";
+ }
+}
+
 } // namespace service_manager
diff --git a/chromium/services/service_manager/sandbox/win/sandbox_win.h b/chromium/services/service_manager/sandbox/win/sandbox_win.h
index b39b213ec05..6614a82461e 100644
--- a/chromium/services/service_manager/sandbox/win/sandbox_win.h
+++ b/chromium/services/service_manager/sandbox/win/sandbox_win.h
@@ -87,6 +87,9 @@ class SERVICE_MANAGER_SANDBOX_EXPORT SandboxWin {
 // will be an empty value if an error is encountered.
 static sandbox::ResultCode GetPolicyDiagnostics(
 base::OnceCallback<void(base::Value)> response);
+
+ // Provides a friendly name for the sandbox for chrome://sandbox and tracing.
+ static std::string GetSandboxTypeInEnglish(SandboxType sandbox_type);
 };
 SERVICE_MANAGER_SANDBOX_EXPORT |
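Review bot: `GetSandboxTypeInEnglish` has no statement after the `switch`, so control reaches the end of a non-void function for any `sandbox_type` value not matched by a `case`; `-Wswitch` catches a missing enumerator at compile time, but an `enum class` value outside the declared enumerators is still reachable and makes that path undefined behaviour. Adding `NOTREACHED();` followed by `return std::string();` after the closing brace of the switch keeps the exhaustiveness warning and gives the out-of-range case a defined result. The header comment `// Provides a friendly name for the sandbox for chrome://sandbox and tracing.` in sandbox_win.h could also say that only the `SandboxType` values visible on Windows are covered, since the Chrome OS-only enumerators added elsewhere in this commit never reach this switch.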