Delete unused V1 Mac sandbox profiles.

- The V1 common.sb file is merged into the V1 gpu.sb file. The GPU sandbox will be moved to V2 as part of https://crbug.com/915934. - common_v2.sb, renderer_v2.sb, and ppapi_v2.sb all lose their "_v2" suffix and replace the V1 file by the same name. - sandbox_mac.mm is thinned out to only support the V1 GPU sandbox. No intended behavior change. Bug: 689306 Change-Id: Icfc36c5a7b1907e0c93d6a87bdd1d0ffe18cf616 Reviewed-on: https://chromium-review.googlesource.com/c/1380554 Reviewed-by: Greg Kerr <kerrnel@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#617638}
Denger-Network · Dec 18, 2018 · 1de6069 · 1de6069
1 parent f409f5b
commit 1de6069
Show file tree

Hide file tree

Showing 13 changed files with 339 additions and 497 deletions.
diff --git a/content/browser/child_process_launcher_helper_mac.cc b/content/browser/child_process_launcher_helper_mac.cc
@@ -24,12 +24,12 @@
 #include "services/service_manager/embedder/result_codes.h"
 #include "services/service_manager/sandbox/mac/audio.sb.h"
 #include "services/service_manager/sandbox/mac/cdm.sb.h"
-#include "services/service_manager/sandbox/mac/common_v2.sb.h"
+#include "services/service_manager/sandbox/mac/common.sb.h"
 #include "services/service_manager/sandbox/mac/gpu_v2.sb.h"
 #include "services/service_manager/sandbox/mac/nacl_loader.sb.h"
 #include "services/service_manager/sandbox/mac/pdf_compositor.sb.h"
-#include "services/service_manager/sandbox/mac/ppapi_v2.sb.h"
-#include "services/service_manager/sandbox/mac/renderer_v2.sb.h"
+#include "services/service_manager/sandbox/mac/ppapi.sb.h"
+#include "services/service_manager/sandbox/mac/renderer.sb.h"
 #include "services/service_manager/sandbox/mac/utility.sb.h"
 #include "services/service_manager/sandbox/sandbox.h"
 #include "services/service_manager/sandbox/sandbox_type.h"
@@ -79,7 +79,7 @@ bool ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
   if (use_v2 && !no_sandbox) {
     // Generate the profile string.
     std::string profile =
-        std::string(service_manager::kSeatbeltPolicyString_common_v2);
+        std::string(service_manager::kSeatbeltPolicyString_common);
 
     switch (sandbox_type) {
       case service_manager::SANDBOX_TYPE_CDM:
@@ -92,10 +92,10 @@ bool ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
         profile += service_manager::kSeatbeltPolicyString_nacl_loader;
         break;
       case service_manager::SANDBOX_TYPE_PPAPI:
-        profile += service_manager::kSeatbeltPolicyString_ppapi_v2;
+        profile += service_manager::kSeatbeltPolicyString_ppapi;
         break;
       case service_manager::SANDBOX_TYPE_RENDERER:
-        profile += service_manager::kSeatbeltPolicyString_renderer_v2;
+        profile += service_manager::kSeatbeltPolicyString_renderer;
         break;
       case service_manager::SANDBOX_TYPE_PDF_COMPOSITOR:
         profile += service_manager::kSeatbeltPolicyString_pdf_compositor;
@@ -155,10 +155,6 @@ bool ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
       return false;
     }
 
-    base::FilePath helper_executable;
-    CHECK(
-        base::PathService::Get(content::CHILD_PROCESS_EXE, &helper_executable));
-
     options->fds_to_remap.push_back(std::make_pair(pipe, pipe));
 
     // Update the command line to enable the V2 sandbox and pass the

diff --git a/content/browser/sandbox_mac_unittest.mm b/content/browser/sandbox_mac_unittest.mm
@@ -27,12 +27,12 @@
 #include "sandbox/mac/seatbelt_exec.h"
 #include "services/service_manager/sandbox/mac/audio.sb.h"
 #include "services/service_manager/sandbox/mac/cdm.sb.h"
-#include "services/service_manager/sandbox/mac/common_v2.sb.h"
+#include "services/service_manager/sandbox/mac/common.sb.h"
 #include "services/service_manager/sandbox/mac/gpu_v2.sb.h"
 #include "services/service_manager/sandbox/mac/nacl_loader.sb.h"
 #include "services/service_manager/sandbox/mac/pdf_compositor.sb.h"
-#include "services/service_manager/sandbox/mac/ppapi_v2.sb.h"
-#include "services/service_manager/sandbox/mac/renderer_v2.sb.h"
+#include "services/service_manager/sandbox/mac/ppapi.sb.h"
+#include "services/service_manager/sandbox/mac/renderer.sb.h"
 #include "services/service_manager/sandbox/mac/utility.sb.h"
 #include "services/service_manager/sandbox/switches.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -62,7 +62,7 @@
   }
 
   std::string ProfileForSandbox(const std::string& sandbox_profile) {
-    return std::string(service_manager::kSeatbeltPolicyString_common_v2) +
+    return std::string(service_manager::kSeatbeltPolicyString_common) +
            sandbox_profile + kTempDirSuffix;
   }
 
@@ -118,13 +118,12 @@ void ExecuteInPDFSandbox(const std::string& procname) {
   }
 
   void ExecuteInPpapiSandbox(const std::string& procname) {
-    ExecuteWithParams(procname, service_manager::kSeatbeltPolicyString_ppapi_v2,
+    ExecuteWithParams(procname, service_manager::kSeatbeltPolicyString_ppapi,
                       &content::SetupPPAPISandboxParameters);
   }
 
   void ExecuteInRendererSandbox(const std::string& procname) {
-    ExecuteWithParams(procname,
-                      service_manager::kSeatbeltPolicyString_renderer_v2,
+    ExecuteWithParams(procname, service_manager::kSeatbeltPolicyString_renderer,
                       &content::SetupCommonSandboxParameters);
   }
 

diff --git a/content/renderer/sandbox_mac_v2_unittest.mm b/content/renderer/sandbox_mac_v2_unittest.mm
@@ -24,8 +24,8 @@
 #include "content/test/test_content_client.h"
 #include "sandbox/mac/sandbox_compiler.h"
 #include "sandbox/mac/seatbelt_exec.h"
-#include "services/service_manager/sandbox/mac/common_v2.sb.h"
-#include "services/service_manager/sandbox/mac/renderer_v2.sb.h"
+#include "services/service_manager/sandbox/mac/common.sb.h"
+#include "services/service_manager/sandbox/mac/renderer.sb.h"
 #include "services/service_manager/sandbox/mac/sandbox_mac.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/multiprocess_func_list.h"
@@ -93,8 +93,8 @@ void SetParametersForTest(sandbox::SandboxCompiler* compiler,
 MULTIPROCESS_TEST_MAIN(SandboxProfileProcess) {
   TestContentClient content_client;
   const std::string profile =
-      std::string(service_manager::kSeatbeltPolicyString_common_v2) +
-      service_manager::kSeatbeltPolicyString_renderer_v2;
+      std::string(service_manager::kSeatbeltPolicyString_common) +
+      service_manager::kSeatbeltPolicyString_renderer;
   sandbox::SandboxCompiler compiler(profile);
 
   // Create the logging file and pass /bin/ls as the executable path.

diff --git a/services/service_manager/sandbox/mac/BUILD.gn b/services/service_manager/sandbox/mac/BUILD.gn
@@ -8,15 +8,12 @@ action_foreach("package_sb_files") {
     "audio.sb",
     "cdm.sb",
     "common.sb",
-    "common_v2.sb",
     "gpu.sb",
     "gpu_v2.sb",
     "nacl_loader.sb",
     "pdf_compositor.sb",
     "ppapi.sb",
-    "ppapi_v2.sb",
     "renderer.sb",
-    "renderer_v2.sb",
     "utility.sb",
   ]
   outputs = [

diff --git a/services/service_manager/sandbox/mac/common.sb b/services/service_manager/sandbox/mac/common.sb
@@ -1,10 +1,6 @@
-;;
-;; Copyright (c) 2012 The Chromium Authors. All rights reserved.
-;; Use of this source code is governed by a BSD-style license that can be
-;; found in the LICENSE file.
-;;
-; This configuration file isn't used on it's own, but instead implicitly
-; included at the start of all other sandbox configuration files in Chrome.
+; Copyright 2017 The Chromium Authors. All rights reserved.
+; Use of this source code is governed by a BSD-style license that can be
+; found in the LICENSE file.
 (version 1)
 
 ; Helper function to check if a param is set to true.
@@ -14,52 +10,166 @@
 (define (param-defined? str) (string? (param str)))
 
 ; Define constants for all of the parameter strings passed in.
-(define bundle-version-path "BUNDLE_VERSION_PATH")
+(define browser-pid "BROWSER_PID")
+(define bundle-id "BUNDLE_ID")
+(define bundle-path "BUNDLE_PATH")
+(define component-path "COMPONENT_PATH")
+(define current-pid "CURRENT_PID")
 (define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
 (define enable-logging "ENABLE_LOGGING")
+(define executable-path "EXECUTABLE_PATH")
 (define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
-(define elcap-or-later "ELCAP_OR_LATER")
-(define macos-1013 "MACOS_1013")
-(define field-trial-server-name "FIELD_TRIAL_SERVER_NAME")
+(define log-file-path "LOG_FILE_PATH")
+(define os-version (string->number (param "OS_VERSION")))
 
-; Backwards compatibility for 10.9
+; Backwards compatibility for 10.10.
 (if (not (defined? 'path))
   (define path literal))
+; Backwards compatibility for 10.11.
 (if (not (defined? 'iokit-registry-entry-class))
   (define iokit-registry-entry-class iokit-user-client-class))
 
+; --enable-sandbox-logging causes the sandbox to log failures to the syslog.
+(if (param-true? disable-sandbox-denial-logging)
+  (deny default (with no-log))
+  (deny default))
+
+(if (param-true? enable-logging) (debug deny))
+
+; Allow sending signals to self - https://crbug.com/20370
+(allow signal (target self))
+
 ; Consumes a subpath and appends it to the user's homedir path.
 (define (user-homedir-path subpath)
   (string-append (param homedir-as-literal) subpath))
 
-; (path) is not supported until 10.10.
-; TODO(kerrnel): remove this when 10.9 is no longer supported.
-(define (path x) (literal x))
+; A function that specific profiles (i.e. renderer) can call to allow
+; font rendering.
+(define (allow-font-access)
+  (begin
+    (allow file-read-data
+      (subpath "/Library/Fonts")
+      (subpath "/System/Library/Fonts")
+      (subpath (user-homedir-path "/Library/Fonts")))
+    (allow mach-lookup
+      (global-name "com.apple.fonts")
+      ; crbug.com/756145, crbug.com/786615
+      (global-name "com.apple.FontObjectsServer"))
+    (if (< os-version 1012)
+      (allow mach-lookup (global-name "com.apple.FontServer")))
+    ; To allow accessing downloaded and other hidden fonts in
+    ; /System/Library/Asssets/com_apple_MobileAsset_Font*.
+    ; (https://crbug.com/662686)
+    (allow file-read* (extension "com.apple.app-sandbox.read"))))
 
-; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log.
-(if (param-true? disable-sandbox-denial-logging)
-    (deny default (with no-log))
-    (deny default))
+; Allow logging for all processes.
+(allow file-write*
+  (require-all
+    (path (param log-file-path))
+    (vnode-type REGULAR-FILE)))
 
-; Support for programmatically enabling verbose debugging.
-(if (param-true? enable-logging) (debug deny))
+; Allow component builds to work.
+(if (param-defined? component-path)
+  (allow file-read* (subpath (param component-path))))
 
-(allow mach-lookup (global-name (param field-trial-server-name)))
+(allow process-exec (path (param executable-path)))
+(allow file-read* (path (param executable-path)))
 
-; Allow sending signals to self - https://crbug.com/20370
-(allow signal (target self))
+; The browser exposes Mach services at "bundle-id.service-name.browser-pid".
+; This macro is a helper for doing the string concatenation.
+(define (browser-service-name service-name)
+  (global-name (string-append (param bundle-id)
+                              "." service-name "."
+                              (param browser-pid))))
 
-; Needed for full-page-zoomed controls - https://crbug.com/11325
-(allow sysctl-read)
+(allow mach-lookup
+  (browser-service-name "FieldTrialMemoryServer")
+  (browser-service-name "rohitfork"))
 
-; Loading System Libraries.
+; Allow realpath() to work.
+(allow file-read-metadata (subpath "/"))
+
+; All processes can read the bundle contents.
+(allow file-read* (subpath (param bundle-path)))
+
+; Allow reads of system libraries and frameworks.
 (allow file-read*
-    (subpath "/System/Library/Frameworks")
-    (subpath "/System/Library/PrivateFrameworks")
-    (subpath "/System/Library/CoreServices"))
+  (subpath "/System/Library/Frameworks")
+  (subpath "/System/Library/Preferences/Logging")
+  (subpath "/System/Library/PrivateFrameworks")
+  (subpath "/usr/lib"))
+
+; Reads from /etc.
+; This is read by CFPrefs calling getpwuid in a loop. libinfo then fails to
+; contact any of the opendirectoryd mach services, and falls back to
+; the /etc/passwd file for the user info. The access is OK because
+; no actual password hashes are in /etc/passwd anymore.
+(allow file-read-data (path "/private/etc/passwd"))
+
+; Access to /dev.
+(allow file-ioctl file-read-data file-write-data
+  (require-all
+    (path "/dev/dtracehelper")
+    (vnode-type CHARACTER-DEVICE)))
+
+(allow file-read-data
+  (path "/dev/null")
+  (path "/dev/random")
+  (path "/dev/urandom"))
+
+(if (>= os-version 1013)
+  (begin (allow file-read* (subpath "/private/var/db/timezone"))
+         (allow file-read-data (subpath "/usr/share/zoneinfo.default"))))
+
+(if (< os-version 1013)
+  (allow file-read-data (subpath "/usr/share/zoneinfo")))
+
+; Reads from /Library.
+(allow file-read-data
+  (path "/Library/Preferences/.GlobalPreferences.plist"))
+
+; Reads from /System.
+(allow file-read-data
+  (path "/System/Library/CoreServices/checkfixlist")
+  (path "/System/Library/CoreServices/SystemVersion.plist"))
+
+; Reads from /usr.
+(allow file-read-data
+  (subpath "/usr/share/icu"))
+
+; Access to the home directory.
+(allow file-read-data
+  (path (user-homedir-path "/Library/Preferences/.GlobalPreferences.plist"))
+  (regex (user-homedir-path #"/Library/Preferences/ByHost/.GlobalPreferences.*")))
 
-(allow ipc-posix-shm)
+; Mach IPC needed by all Chromium Helper instances.
+(allow mach-lookup
+  ; crbug.com/792229
+  (global-name "com.apple.logd")
+  (global-name "com.apple.system.logger")
+  ; crbug.com/792228
+  (global-name "com.apple.system.opendirectoryd.libinfo"))
 
-; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow
-; third party code (eg: bits of Adobe Flash and NSS) to function properly.
-(allow file-read-data file-read-metadata (literal "/dev/urandom"))
+; sysctls permitted.
+(allow sysctl-read
+  (sysctl-name "hw.activecpu")
+  (sysctl-name "hw.busfrequency_compat")
+  (sysctl-name "hw.byteorder")
+  (sysctl-name "hw.cachelinesize_compat")
+  (sysctl-name "hw.cpufrequency_compat")
+  (sysctl-name "hw.cputype")
+  (sysctl-name "hw.machine")
+  (sysctl-name "hw.ncpu")
+  (sysctl-name "hw.pagesize_compat")
+  (sysctl-name "hw.physicalcpu_max")
+  (sysctl-name "hw.tbfrequency_compat")
+  (sysctl-name "hw.vectorunit")
+  (sysctl-name "kern.hostname")
+  (sysctl-name "kern.maxfilesperproc")
+  (sysctl-name "kern.osrelease")
+  (sysctl-name "kern.ostype")
+  (sysctl-name "kern.osversion")
+  (sysctl-name (string-append "kern.proc.pid." (param current-pid)))
+  (sysctl-name "kern.usrstack64")
+  (sysctl-name "kern.version")
+  (sysctl-name "sysctl.proc_cputype"))