/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include"GeckoChildProcessHost.h"
#include"base/command_line.h" #include"base/process.h" #include"base/process_util.h" #include"base/string_util.h" #include"base/task.h" #include"chrome/common/chrome_switches.h" #include"chrome/common/process_watcher.h" #ifdef XP_DARWIN # include <mach/mach_traps.h> # include "SharedMemory.h" # include "base/rand_util.h" # include "chrome/common/mach_ipc_mac.h" # include "mozilla/StaticPrefs_media.h" #endif #ifdef MOZ_WIDGET_COCOA # include <bsm/libbsm.h> # include <servers/bootstrap.h> # include "nsILocalFileMac.h" #endif
#include"nsClassHashtable.h" #include"nsHashKeys.h" #include"nsNativeCharsetUtils.h" #include"nsTArray.h" #include"nscore.h"// for NS_FREE_PERMANENT_DATA #include"nsIThread.h"
using mozilla::MonitorAutoLock; using mozilla::Preferences; using mozilla::StaticMutexAutoLock;
#ifdef MOZ_WIDGET_ANDROID # include "AndroidBridge.h" # include "mozilla/java/GeckoProcessManagerWrappers.h" # include "mozilla/java/GeckoProcessTypeWrappers.h" # include "mozilla/java/GeckoResultWrappers.h" # include "mozilla/jni/Refs.h" # include "mozilla/jni/Utils.h" #endif
#ifdef MOZ_ENABLE_FORKSERVER # include "mozilla/ipc/ForkServiceChild.h" #endif
// Monotonic counter used to generate a unique ChildID for each process as it is // created. The parent process is given the ChildID of `0`, and each child // process is given a non-zero ID. static Atomic<int32_t> gChildCounter;
// Compute the serial event target we'll use for launching.
nsCOMPtr<nsIEventTarget> threadOrPool = GetIPCLauncher();
mLaunchThread =
TaskQueue::Create(threadOrPool.forget(), "BaseProcessLauncher");
if (ShouldHaveDirectoryService()) { // "Current process directory" means the app dir, not the current // working dir or similar.
mozilla::Unused
<< nsDirectoryService::gService->GetCurrentProcessDirectory(
getter_AddRefs(mAppDir));
}
}
// Overrideable hooks. If superclass behavior is invoked, it's always at the // top of the override. virtual Result<Ok, LaunchError> DoSetup(); virtual RefPtr<ProcessHandlePromise> DoLaunch() = 0; virtual Result<Ok, LaunchError> DoFinishLaunch();
# ifdefined(XP_MACOSX) class MacProcessLauncher : public PosixProcessLauncher { public:
MacProcessLauncher(GeckoChildProcessHost* aHost,
geckoargs::ChildProcessArgs&& aExtraOpts)
: PosixProcessLauncher(aHost, std::move(aExtraOpts)), // Put a random number into the channel name, so that // a compromised renderer can't pretend being the child // that's forked off.
mMachConnectionName(
StringPrintf("org.mozilla.machname.%d",
base::RandInt(0, std::numeric_limits<int>::max()))) {
MOZ_ASSERT(mMachConnectionName.size() < BOOTSTRAP_MAX_NAME_LEN);
}
std::string mMachConnectionName; // We add a mach port to the command line so the child can communicate its // 'task_t' back to the parent.
mozilla::UniqueMachReceiveRight mParentRecvPort;
protected: virtual RefPtr<ProcessHandlePromise> DoLaunch() override;
RefPtr<ProcessHandlePromise> LaunchAndroidService( const GeckoProcessType aType, const geckoargs::ChildProcessArgs& args);
}; typedef AndroidProcessLauncher ProcessLauncher; // NB: Technically Android is linux (i.e. XP_LINUX is defined), but we want // orthogonal IPC machinery there. Conversely, there are tier-3 non-Linux // platforms (BSD and Solaris) where we want the "linux" IPC machinery. So // we use MOZ_WIDGET_* to choose the platform backend. # elif defined(MOZ_WIDGET_GTK) class LinuxProcessLauncher : public PosixProcessLauncher { public:
LinuxProcessLauncher(GeckoChildProcessHost* aHost,
geckoargs::ChildProcessArgs&& aExtraOpts)
: PosixProcessLauncher(aHost, std::move(aExtraOpts)) {}
GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType, bool aIsFileContent)
: mProcessType(aProcessType),
mChildID(++gChildCounter),
mIsFileContent(aIsFileContent),
mMonitor("mozilla.ipc.GeckoChildProcessHost.mMonitor"),
mLaunchOptions(MakeUnique<base::LaunchOptions>()),
mInitialChannelId(nsID::GenerateUUID()),
mProcessState(CREATING_CHANNEL), #ifdef XP_WIN
mGroupId(u"-"), #endif #ifdefined(MOZ_SANDBOX) && defined(XP_WIN)
mEnableSandboxLogging(false),
mSandboxLevel(0), #endif
mHandleLock("mozilla.ipc.GeckoChildProcessHost.mHandleLock"),
mChildProcessHandle(0), #ifdefined(XP_DARWIN)
mChildTask(MACH_PORT_NULL), #endif #ifdefined(MOZ_SANDBOX) && defined(XP_MACOSX)
mDisableOSActivityMode(false), #endif
mDestroying(false) {
MOZ_COUNT_CTOR(GeckoChildProcessHost);
MOZ_RELEASE_ASSERT(mChildID > 0, "gChildCounter overflowed");
StaticMutexAutoLock lock(sMutex); if (!sGeckoChildProcessHosts) {
sGeckoChildProcessHosts = new mozilla::LinkedList<GeckoChildProcessHost>();
}
sGeckoChildProcessHosts->insertBack(this); #ifdefined(MOZ_SANDBOX) && defined(XP_LINUX) if (aProcessType == GeckoProcessType_RDD) { // The RDD process makes limited use of EGL. If Mesa's shader // cache is enabled and the directory isn't explicitly set, then // it will try to getpwuid() the user which can cause problems // with sandboxing. Because we shouldn't need shader caching in // this process, we just disable the cache to prevent that.
mLaunchOptions->env_map["MESA_GLSL_CACHE_DISABLE"] = "true";
mLaunchOptions->env_map["MESA_SHADER_CACHE_DISABLE"] = "true"; // In case the nvidia driver is also loaded:
mLaunchOptions->env_map["__GL_SHADER_DISK_CACHE"] = "0";
} #endif
}
void GeckoChildProcessHost::Destroy() {
MOZ_RELEASE_ASSERT(!mDestroying); // We can remove from the list before it's really destroyed
RemoveFromProcessList();
RefPtr<ProcessHandlePromise> whenReady = mHandlePromise;
if (!whenReady) { // AsyncLaunch not called yet, so dispatch immediately.
whenReady = ProcessHandlePromise::CreateAndReject(
LaunchError("DestroyEarly"), __func__);
}
using Value = ProcessHandlePromise::ResolveOrRejectValue;
mDestroying = true;
whenReady->Then(XRE_GetAsyncIOEventTarget(), __func__,
[this](const Value&) { deletethis; });
}
#ifdef MOZ_WIDGET_COCOA // The GMP child process runs via the Media Plugin Helper executable // which is a clone of plugin-container allowing for GMP-specific // codesigning entitlements.
nsCString bundleName;
std::string executableLeafName; if (processType == GeckoProcessType_GMPlugin &&
mozilla::StaticPrefs::media_plugin_helper_process_enabled()) {
bundleName = MOZ_EME_PROCESS_BUNDLENAME;
executableLeafName = MOZ_EME_PROCESS_NAME_BRANDED;
} else {
bundleName = MOZ_CHILD_PROCESS_BUNDLENAME;
executableLeafName = MOZ_CHILD_PROCESS_NAME;
} #endif
if (ShouldHaveDirectoryService()) {
MOZ_ASSERT(gGREBinPath); #ifdef XP_WIN
exePath = FilePath(char16ptr_t(gGREBinPath)); #elif MOZ_WIDGET_COCOA
nsCOMPtr<nsIFile> childProcPath; if (NS_SUCCEEDED(NS_NewLocalFile(nsDependentString(gGREBinPath),
getter_AddRefs(childProcPath)))) { // We need to use an App Bundle on OS X so that we can hide // the dock icon. See Bug 557225. if (NS_SUCCEEDED(childProcPath->AppendNative(bundleName)) &&
NS_SUCCEEDED(childProcPath->AppendNative("Contents"_ns)) &&
NS_SUCCEEDED(childProcPath->AppendNative("MacOS"_ns))) {
nsCString tempCPath; if (NS_SUCCEEDED(childProcPath->GetNativePath(tempCPath))) {
exePath = FilePath(tempCPath.get());
}
}
} #else
nsCString path; if (NS_SUCCEEDED(
NS_CopyUnicodeToNative(nsDependentString(gGREBinPath), path))) {
exePath = FilePath(path.get());
} #endif
}
// We start the unique IDs at 1 so that 0 can be used to mean that // a component has no unique ID assigned to it.
uint32_t GeckoChildProcessHost::sNextUniqueID = 1;
# ifdefined(MOZ_SANDBOX) // We need to get the pref here as the process is launched off main thread. if (mProcessType == GeckoProcessType_Content) { // Win32k Lockdown state must be initialized on the main thread. // This is our last chance to do it before it is read on the IPC Launch // thread
GetWin32kLockdownState();
mSandboxLevel = GetEffectiveContentSandboxLevel();
mEnableSandboxLogging =
Preferences::GetBool("security.sandbox.logging.enabled");
// We currently have to whitelist certain paths for tests to work in some // development configurations.
nsAutoString readPaths;
nsresult rv = Preferences::GetString( "security.sandbox.content.read_path_whitelist", readPaths); if (NS_SUCCEEDED(rv)) { for (const nsAString& readPath : readPaths.Split(',')) {
nsString trimmedPath(readPath);
trimmedPath.Trim(" ", true, true);
std::wstring resolvedPath(trimmedPath.Data()); // Check if path ends with '\' as this indicates we want to give read // access to a directory and so it needs a wildcard. if (resolvedPath.back() == L'\\') {
resolvedPath.append(L"*");
}
mAllowedFilesRead.push_back(resolvedPath);
}
}
} # endif
# ifdefined(MOZ_SANDBOX) // For other process types we can't rely on them being launched on main // thread and they may not have access to prefs in the child process, so allow // them to turn on logging via an environment variable.
mEnableSandboxLogging =
mEnableSandboxLogging || !!PR_GetEnv("MOZ_SANDBOX_LOGGING");
#ifdef XP_WIN void GeckoChildProcessHost::InitWindowsGroupID() { // On Win7+, pass the application user model to the child, so it can // register with it. This insures windows created by the container // properly group with the parent app on the Win7 taskbar.
nsCOMPtr<nsIWinTaskbar> taskbarInfo = do_GetService(NS_TASKBAR_CONTRACTID); if (taskbarInfo) { bool isSupported = false;
taskbarInfo->GetAvailable(&isSupported);
nsAutoString appId; if (isSupported && NS_SUCCEEDED(taskbarInfo->GetDefaultGroupId(appId))) {
MOZ_ASSERT(mGroupId.EqualsLiteral("-"));
mGroupId.Assign(appId);
}
}
} #endif
bool GeckoChildProcessHost::SyncLaunch(geckoargs::ChildProcessArgs aExtraOpts, int aTimeoutMs) { if (!AsyncLaunch(std::move(aExtraOpts))) { returnfalse;
} return WaitUntilConnected(aTimeoutMs);
}
// Note: for most process types, we currently call AsyncLaunch, and therefore // the *ProcessLauncher constructor, on the main thread, while the // ProcessLauncher methods to actually execute the launch are called on the IO // or IPC launcher thread. GMP processes are an exception - the GMP code // invokes GeckoChildProcessHost from non-main-threads, and therefore we cannot // rely on having access to mainthread-only services (like the directory // service) from this code if we're launching that type of process. bool GeckoChildProcessHost::AsyncLaunch(
geckoargs::ChildProcessArgs aExtraOpts) { if (!PrepareLaunch(aExtraOpts)) { returnfalse;
}
RefPtr<BaseProcessLauncher> launcher = new ProcessLauncher(this, std::move(aExtraOpts)); #ifdef ALLOW_GECKO_CHILD_PROCESS_ARCH
launcher->SetLaunchArchitecture(mLaunchArch); #endif
// Note: Destroy() waits on mHandlePromise to delete |this|. As such, we want // to be sure that all of our post-launch processing on |this| happens before // mHandlePromise notifies.
MOZ_ASSERT(mHandlePromise == nullptr);
mHandlePromise =
mozilla::InvokeAsync<GeckoChildProcessHost*>(
XRE_GetAsyncIOEventTarget(), launcher.get(), __func__,
&BaseProcessLauncher::Launch, this)
->Then(
XRE_GetAsyncIOEventTarget(), __func__,
[this](LaunchResults&& aResults) {
{
{
mozilla::AutoWriteLock handleLock(mHandleLock); if (!OpenPrivilegedHandle(base::GetProcId(aResults.mHandle)) #ifdef XP_WIN // If we failed in opening the process handle, try // harder by duplicating one.
&& !::DuplicateHandle(
::GetCurrentProcess(), aResults.mHandle,
::GetCurrentProcess(), &mChildProcessHandle,
PROCESS_DUP_HANDLE | PROCESS_TERMINATE |
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
SYNCHRONIZE, FALSE, 0) #endif// XP_WIN
) {
MOZ_CRASH("cannot open handle to child process");
} // The original handle is no longer needed; it must // be closed to prevent a resource leak.
base::CloseProcessHandle(aResults.mHandle); // FIXME (bug 1720523): define a cross-platform // "safe" invalid value to use in places like this.
aResults.mHandle = 0;
// NB: this uses a different mechanism than the chromium parent // class.
TimeDuration timeout = (aTimeoutMs > 0)
? TimeDuration::FromMilliseconds(aTimeoutMs)
: TimeDuration::Forever();
// We'll receive several notifications, we need to exit when we // have either successfully launched or have timed out. while (mProcessState != PROCESS_CONNECTED) { // If there was an error then return it, don't wait out the timeout. if (mProcessState == PROCESS_ERROR) { break;
}
CVStatus status = lock.Wait(timeout); if (status == CVStatus::Timeout) { break;
}
if (timeout != TimeDuration::Forever()) {
current = TimeStamp::Now();
timeout -= current - waitStart;
waitStart = current;
}
}
void GeckoChildProcessHost::InitializeChannel(
IPC::Channel::ChannelHandle&& aServerHandle) { // Create the IPC channel which will be used for communication with this // process.
mozilla::UniquePtr<IPC::Channel> channel = MakeUnique<IPC::Channel>(
std::move(aServerHandle), IPC::Channel::MODE_SERVER,
base::kInvalidProcessId); #ifdefined(XP_WIN)
channel->StartAcceptingHandles(IPC::Channel::MODE_SERVER); #elifdefined(XP_DARWIN)
channel->StartAcceptingMachPorts(IPC::Channel::MODE_SERVER); #endif
void BaseProcessLauncher::GetChildLogName(constchar* origLogName,
nsACString& buffer) { #ifdef XP_WIN // On Windows we must expand relative paths because sandboxing rules // bound only to full paths. fopen fowards to NtCreateFile which checks // the path against the sanboxing rules as passed to fopen (left relative). char absPath[MAX_PATH + 2]; if (_fullpath(absPath, origLogName, sizeof(absPath))) {
buffer.Append(absPath);
} else #endif
{
buffer.Append(origLogName);
}
// Remove .moz_log extension to avoid its duplication, it will be added // automatically by the logging backend static constexpr auto kMozLogExt = nsLiteralCString{MOZ_LOG_FILE_EXTENSION}; if (StringEndsWith(buffer, kMozLogExt)) {
buffer.Truncate(buffer.Length() - kMozLogExt.Length());
}
// Append child-specific postfix to name
buffer.AppendLiteral(".child-");
buffer.AppendASCII(mChildIDString);
}
// Windows needs a single dedicated thread for process launching, // because of thread-safety restrictions/assertions in the sandbox // code. // // Android also needs a single dedicated thread to simplify thread // safety in java. // // Fork server needs a dedicated thread for accessing // |ForkServiceChild|. #ifdefined(XP_WIN) || defined(MOZ_WIDGET_ANDROID) || \ defined(MOZ_ENABLE_FORKSERVER)
void #ifdefined(XP_WIN)
AddAppDirToCommandLine(CommandLine& aCmdLine, nsIFile* aAppDir) #else
AddAppDirToCommandLine(geckoargs::ChildProcessArgs& aCmdLine,
nsIFile* aAppDir, nsIFile* aProfileDir) #endif
{ // Content processes need access to application resources, so pass // the full application directory path to the child process. if (aAppDir) { #ifdefined(XP_WIN)
nsString path;
MOZ_ALWAYS_SUCCEEDS(aAppDir->GetPath(path));
aCmdLine.AppendLooseValue(UTF8ToWide(geckoargs::sAppDir.Name()));
std::wstring wpath(path.get());
aCmdLine.AppendLooseValue(wpath); #else
nsAutoCString path;
MOZ_ALWAYS_SUCCEEDS(aAppDir->GetNativePath(path));
geckoargs::sAppDir.Put(path.get(), aCmdLine); #endif
#ifdefined(XP_MACOSX) && defined(MOZ_SANDBOX) // Full path to the profile dir if (aProfileDir) { // If the profile doesn't exist, normalization will // fail. But we don't return an error here because some // tests require startup with a missing profile dir. // For users, almost universally, the profile will be in // the home directory and normalization isn't required.
mozilla::Unused << aProfileDir->Normalize();
nsAutoCString path;
MOZ_ALWAYS_SUCCEEDS(aProfileDir->GetNativePath(path));
geckoargs::sProfile.Put(path.get(), aCmdLine);
} #endif
}
}
// `RUST_LOG_CHILD` is meant for logging child processes only.
nsAutoCString childRustLog(PR_GetEnv("RUST_LOG_CHILD")); if (!childRustLog.IsEmpty()) {
mLaunchOptions->env_map[ENVIRONMENT_LITERAL("RUST_LOG")] =
ENVIRONMENT_STRING(childRustLog.get());
}
}
Result<Ok, LaunchError> BaseProcessLauncher::DoFinishLaunch() { // We're in the parent and the child was launched. Clean up any FDs which were // transferred to the child in the parent as soon as possible, which will // allow the parent to detect when the child closes its handle (either due to // normal exit or due to crash).
mChildArgs.mFiles.clear();
if (mProcessType == GeckoProcessType_Content) { // disable IM module to avoid sandbox violation
mLaunchOptions->env_map["GTK_IM_MODULE"] = "gtk-im-context-simple";
// Disable ATK accessibility code in content processes because it conflicts // with the sandbox, and we proxy that information through the main process // anyway.
mLaunchOptions->env_map["NO_AT_BRIDGE"] = "1";
}
// XPCOM may not be initialized in some subprocesses. We don't want // to initialize XPCOM just for the directory service, especially // since LD_LIBRARY_PATH is already set correctly in subprocesses // (meaning that we don't need to set that up in the environment). if (ShouldHaveDirectoryService()) {
MOZ_ASSERT(gGREBinPath);
nsCString path;
NS_CopyUnicodeToNative(nsDependentString(gGREBinPath), path); # ifdefined(XP_LINUX) || defined(__DragonFly__) || defined(XP_FREEBSD) || \ defined(XP_NETBSD) || defined(XP_OPENBSD) constchar* ld_library_path = PR_GetEnv("LD_LIBRARY_PATH");
nsCString new_ld_lib_path(path.get());
# elif XP_MACOSX // With signed production Mac builds, the dynamic linker (dyld) will // ignore dyld environment variables preventing the use of variables // such as DYLD_LIBRARY_PATH and DYLD_INSERT_LIBRARIES.
// If we're running with gtests, add the gtest XUL ahead of normal XUL on // the DYLD_LIBRARY_PATH so that plugin-container.app loads it instead.
nsCString new_dyld_lib_path(path.get()); if (PR_GetEnv("MOZ_RUN_GTEST")) {
new_dyld_lib_path = path + "/gtest:"_ns + new_dyld_lib_path;
mLaunchOptions->env_map["DYLD_LIBRARY_PATH"] = new_dyld_lib_path.get();
}
// DYLD_INSERT_LIBRARIES is currently unused by default but we allow // it to be set by the external environment. constchar* interpose = PR_GetEnv("DYLD_INSERT_LIBRARIES"); if (interpose && strlen(interpose) > 0) {
mLaunchOptions->env_map["DYLD_INSERT_LIBRARIES"] = interpose;
}
// Prevent connection attempts to diagnosticd(8) to save cycles. Log // messages can trigger these connection attempts, but access to // diagnosticd is blocked in sandboxed child processes. # ifdefined(MOZ_SANDBOX) && defined(XP_MACOSX) if (mDisableOSActivityMode) {
mLaunchOptions->env_map["OS_ACTIVITY_MODE"] = "disable";
} # endif // defined(MOZ_SANDBOX) # endif
}
// Make sure the executable path is present at the start of our argument list. // If we're using BinPathType::Self, also add the `-contentproc` argument. if (pathType == BinPathType::Self) {
std::string args[]{exePath.value(), "-contentproc"};
mChildArgs.mArgs.insert(mChildArgs.mArgs.begin(), std::begin(args),
std::end(args));
} else {
mChildArgs.mArgs.insert(mChildArgs.mArgs.begin(), exePath.value());
}
if ((mProcessType == GeckoProcessType_Content ||
mProcessType == GeckoProcessType_ForkServer) &&
Omnijar::IsInitialized()) { // Make sure that child processes can find the omnijar, if they // use full XPCOM. See Omnijar::ChildProcessInit and its callers.
nsAutoCString path;
nsCOMPtr<nsIFile> greFile = Omnijar::GetPath(Omnijar::GRE); if (greFile && NS_SUCCEEDED(greFile->GetNativePath(path))) {
geckoargs::sGREOmni.Put(path.get(), mChildArgs);
}
nsCOMPtr<nsIFile> appFile = Omnijar::GetPath(Omnijar::APP); if (appFile && NS_SUCCEEDED(appFile->GetNativePath(path))) {
geckoargs::sAppOmni.Put(path.get(), mChildArgs);
}
}
// XXX Command line params past this point are expected to be at // the end of the command line string, and in a specific order. // See XRE_InitChildProcess in nsEmbedFunction.
# if !defined(MOZ_WIDGET_ANDROID) // Add any files which need to be transferred to fds_to_remap. // NOTE: This doesn't transfer ownership of the files out of `mChildArgs`.
geckoargs::AddToFdsToRemap(mChildArgs, mLaunchOptions->fds_to_remap); # endif
auto process = result.unwrap();
self->mResults.mForegroundCapabilityGrant =
process.GrantForegroundCapability();
self->mResults.mXPCConnection = process.MakeLibXPCConnection();
self->mResults.mExtensionKitProcess = Some(std::move(process));
// We don't actually use the event handler for anything other than // watching for errors. Once the promise is resolved, this becomes a // no-op.
xpc_connection_set_event_handler(self->mResults.mXPCConnection.get(), ^(
xpc_object_t event) { if (!event || xpc_get_type(event) == XPC_TYPE_ERROR) {
CHROMIUM_LOG(WARNING) << "XPC connection received encountered an error";
promise->Reject(LaunchError("xpc_connection_event_handler"), __func__);
}
});
xpc_connection_resume(self->mResults.mXPCConnection.get());
// Send our bootstrap message to the content and wait for it to reply with // the task port before resolving. // FIXME: Should we have a time-out for if the child process doesn't respond // in time? The main thread may be blocked while we're starting this // process.
xpc_connection_send_message_with_reply(
self->mResults.mXPCConnection.get(), bootstrapMessage.get(), nullptr,
^(xpc_object_t reply) { if (xpc_get_type(reply) == XPC_TYPE_ERROR) {
CHROMIUM_LOG(ERROR)
<< "Got error sending XPC bootstrap message to child";
promise->Reject(
LaunchError("xpc_connection_send_message_with_reply error"),
__func__); return;
}
if (xpc_get_type(reply) != XPC_TYPE_DICTIONARY) {
CHROMIUM_LOG(ERROR)
<< "Unexpected reply type for bootstrap message from child";
promise->Reject(
LaunchError( "xpc_connection_send_message_with_reply non-dictionary"),
__func__); return;
}
// FIXME: We have to trust the child to tell us its pid & mach task. // WebKit uses `xpc_connection_get_pid` to get the pid, however this // is marked as unavailable on iOS. // // Given how the process is started, however, validating this // information it sends us this early during startup may be // unnecessary.
self->mResults.mChildTask =
xpc_dictionary_copy_mach_send(reply, "task");
pid_t pid = static_cast<pid_t>(xpc_dictionary_get_int64(reply, "pid"));
CHROMIUM_LOG(INFO) << "ExtensionKit process started, task: "
<< self->mResults.mChildTask << ", pid: " << pid;
MOZ_ASSERT(mParentRecvPort, "should have been configured during DoSetup()");
// Wait for the child process to send us its 'task_t' data, then send it the // mach send/receive rights which are being passed on the commandline. constint kTimeoutMs = 10000;
MOZ_TRY(MachHandleProcessCheckIn(
mParentRecvPort.get(), base::GetProcId(mResults.mHandle), kTimeoutMs,
mChildArgs.mSendRights, &mResults.mChildTask));
// XXX: Bug 1124167: We should get rid of the process specific logic for // sandboxing in this class at some point. Unfortunately it will take a bit // of reorganizing so I don't think this patch is the right time. switch (mProcessType) { case GeckoProcessType_Content: if (mSandboxLevel > 0) { // For now we treat every failure as fatal in // SetSecurityLevelForContentProcess and just crash there right away. // Should this change in the future then we should also handle the error // here.
mResults.mSandboxBroker->SetSecurityLevelForContentProcess(
mSandboxLevel, mIsFileContent);
mUseSandbox = true;
} break; case GeckoProcessType_IPDLUnitTest: // XXX: We don't sandbox this process type yet break; case GeckoProcessType_GMPlugin: if (!PR_GetEnv("MOZ_DISABLE_GMP_SANDBOX")) { // The Widevine CDM on Windows can only load at USER_RESTRICTED, // not at USER_LOCKDOWN. So look in the command line arguments // to see if we're loading the path to the Widevine CDM, and if // so use sandbox level USER_RESTRICTED instead of USER_LOCKDOWN. auto level =
isWidevine ? SandboxBroker::Restricted : SandboxBroker::LockDown; if (NS_WARN_IF(
!mResults.mSandboxBroker->SetSecurityLevelForGMPlugin(level))) { return Err(LaunchError("SetSecurityLevelForGMPlugin"));
}
mUseSandbox = true;
} break; case GeckoProcessType_GPU: if (mSandboxLevel > 0 && !PR_GetEnv("MOZ_DISABLE_GPU_SANDBOX")) { // For now we treat every failure as fatal in // SetSecurityLevelForGPUProcess and just crash there right away. Should // this change in the future then we should also handle the error here.
mResults.mSandboxBroker->SetSecurityLevelForGPUProcess(mSandboxLevel);
mUseSandbox = true;
} break; case GeckoProcessType_VR: if (mSandboxLevel > 0 && !PR_GetEnv("MOZ_DISABLE_VR_SANDBOX")) { // TODO: Implement sandbox for VR process, Bug 1430043.
} break; case GeckoProcessType_RDD: if (!PR_GetEnv("MOZ_DISABLE_RDD_SANDBOX")) { if (NS_WARN_IF(
!mResults.mSandboxBroker->SetSecurityLevelForRDDProcess())) { return Err(LaunchError("SetSecurityLevelForRDDProcess"));
}
mUseSandbox = true;
} break; case GeckoProcessType_Socket: if (!PR_GetEnv("MOZ_DISABLE_SOCKET_PROCESS_SANDBOX")) { if (NS_WARN_IF(
!mResults.mSandboxBroker->SetSecurityLevelForSocketProcess())) { return Err(LaunchError("SetSecurityLevelForSocketProcess"));
}
mUseSandbox = true;
} break; case GeckoProcessType_Utility: if (IsUtilitySandboxEnabled(mSandbox)) { if (!mResults.mSandboxBroker->SetSecurityLevelForUtilityProcess(
mSandbox)) { return Err(LaunchError("SetSecurityLevelForUtilityProcess"));
}
mUseSandbox = true;
} break; case GeckoProcessType_Default: default:
MOZ_CRASH("Bad process type in GeckoChildProcessHost"); break;
};
if (mUseSandbox) { for (auto it = mAllowedFilesRead.begin(); it != mAllowedFilesRead.end();
++it) {
mResults.mSandboxBroker->AllowReadFile(it->c_str());
}
// Add the application directory path (-appdir path)
AddAppDirToCommandLine(mCmdLine.ref(), mAppDir);
// XXX Command line params past this point are expected to be at // the end of the command line string, and in a specific order. // See XRE_InitChildProcess in nsEmbedFunction.
// Win app model id
mCmdLine->AppendLooseValue(mGroupId.get());
// Gecko child id
mCmdLine->AppendLooseValue(UTF8ToWide(mChildIDString));
// Process type
mCmdLine->AppendLooseValue(UTF8ToWide(ChildProcessType()));
// Add any files which need to be transferred to handles_to_inherit. for (auto& file : mChildArgs.mFiles) {
mLaunchOptions->handles_to_inherit.push_back(file.get());
}
# ifdef MOZ_SANDBOX if (mUseSandbox) { // Mark the handles to inherit as inheritable. for (HANDLE h : mLaunchOptions->handles_to_inherit) {
mResults.mSandboxBroker->AddHandleToShare(h);
}
} # endif // MOZ_SANDBOX
const size_t argvSize = args.mArgs.size();
jni::ObjectArray::LocalRef jargs =
jni::ObjectArray::New<jni::String>(argvSize); for (size_t ix = 0; ix < argvSize; ix++) {
jargs->SetElement(ix, jni::StringParam(args.mArgs[ix].c_str(), env));
}
std::vector<int> fds(args.mFiles.size()); for (size_t ix = 0; ix < fds.size(); ix++) {
fds[ix] = args.mFiles[ix].get();
}
jni::IntArray::LocalRef jfds = jni::IntArray::New(fds.data(), fds.size());
auto type = java::GeckoProcessType::FromInt(aType); auto genericResult = java::GeckoProcessManager::Start(type, jargs, jfds); auto typedResult = java::GeckoResult::LocalRef(std::move(genericResult)); return ProcessHandlePromise::FromGeckoResult(typedResult);
} #endif
// Fill |aInfo| with the flags needed to launch the utility sandbox bool GeckoChildProcessHost::FillMacSandboxInfo(MacSandboxInfo& aInfo) {
aInfo.type = GetDefaultMacSandboxType();
aInfo.shouldLog = Preferences::GetBool("security.sandbox.logging.enabled") ||
PR_GetEnv("MOZ_SANDBOX_LOGGING");
nsAutoCString appPath; if (!nsMacUtilsImpl::GetAppPath(appPath)) {
MOZ_CRASH("Failed to get app path");
}
aInfo.appPath.assign(appPath.get()); returntrue;
}
// // If early sandbox startup is enabled for this process type, map the // process type to the sandbox type and enable the sandbox. Returns true // if no errors were encountered or if early sandbox startup is not // enabled for this process. Returns false if an error was encountered. // /* static */ bool GeckoChildProcessHost::StartMacSandbox(int aArgc, char** aArgv,
std::string& aErrorMessage) {
MacSandboxType sandboxType = MacSandboxType_Invalid; switch (XRE_GetProcessType()) { // For now, only support early sandbox startup for content, // RDD, and GMP processes. Add case statements for the additional // process types once early sandbox startup is implemented for them. case GeckoProcessType_Content: // Content processes don't use GeckoChildProcessHost // to configure sandboxing so hard code the sandbox type.
sandboxType = MacSandboxType_Content; break; case GeckoProcessType_RDD:
sandboxType = RDDProcessHost::GetMacSandboxType(); break; case GeckoProcessType_Socket:
sandboxType = net::SocketProcessHost::GetMacSandboxType(); break; case GeckoProcessType_GMPlugin:
sandboxType = gmp::GMPProcessParent::GetMacSandboxType(); break; case GeckoProcessType_Utility:
sandboxType = ipc::UtilityProcessHost::GetMacSandboxType(); break; default: returntrue;
}
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
