search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Use multiline attribute to check for IA2_STATE_MULTILINE.
[chromium-blink-merge.git] / content / browser / renderer_host / sandbox_ipc_linux.cc
blobbc24bca724955927cb79c4cc8dcba665281e9108
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/browser/renderer_host/sandbox_ipc_linux.h"
6
7 #include <fcntl.h>
8 #include <sys/poll.h>
9 #include <sys/socket.h>
10 #include <sys/stat.h>
11
12 #include "base/basictypes.h"
13 #include "base/command_line.h"
14 #include "base/files/scoped_file.h"
15 #include "base/linux_util.h"
16 #include "base/macros.h"
17 #include "base/memory/scoped_vector.h"
18 #include "base/memory/shared_memory.h"
19 #include "base/posix/eintr_wrapper.h"
20 #include "base/posix/unix_domain_socket_linux.h"
21 #include "base/process/launch.h"
22 #include "base/strings/string_number_conversions.h"
23 #include "content/browser/renderer_host/font_utils_linux.h"
24 #include "content/common/font_config_ipc_linux.h"
25 #include "content/common/sandbox_linux/sandbox_linux.h"
26 #include "content/common/set_process_title.h"
27 #include "content/public/common/content_switches.h"
28 #include "ppapi/c/trusted/ppb_browser_font_trusted.h"
29 #include "third_party/WebKit/public/platform/linux/WebFontInfo.h"
30 #include "third_party/WebKit/public/web/WebKit.h"
31 #include "third_party/npapi/bindings/npapi_extensions.h"
32 #include "third_party/skia/include/ports/SkFontConfigInterface.h"
33 #include "ui/gfx/font.h"
34 #include "ui/gfx/font_render_params.h"
35
36 using blink::WebCString;
37 using blink::WebFontInfo;
38 using blink::WebUChar;
39 using blink::WebUChar32;
40
41 namespace content {
42
43 namespace {
44
45 // Converts gfx::FontRenderParams::Hinting to WebFontRenderStyle::hintStyle.
46 // Returns an int for serialization, but the underlying Blink type is a char.
47 int ConvertHinting(gfx::FontRenderParams::Hinting hinting) {
48 switch (hinting) {
49 case gfx::FontRenderParams::HINTING_NONE: return 0;
50 case gfx::FontRenderParams::HINTING_SLIGHT: return 1;
51 case gfx::FontRenderParams::HINTING_MEDIUM: return 2;
52 case gfx::FontRenderParams::HINTING_FULL: return 3;
53 }
54 NOTREACHED() << "Unexpected hinting value " << hinting;
55 return 0;
56 }
57
58 // Converts gfx::FontRenderParams::SubpixelRendering to
59 // WebFontRenderStyle::useSubpixelRendering. Returns an int for serialization,
60 // but the underlying Blink type is a char.
61 int ConvertSubpixelRendering(
62 gfx::FontRenderParams::SubpixelRendering rendering) {
63 switch (rendering) {
64 case gfx::FontRenderParams::SUBPIXEL_RENDERING_NONE: return 0;
65 case gfx::FontRenderParams::SUBPIXEL_RENDERING_RGB: return 1;
66 case gfx::FontRenderParams::SUBPIXEL_RENDERING_BGR: return 1;
67 case gfx::FontRenderParams::SUBPIXEL_RENDERING_VRGB: return 1;
68 case gfx::FontRenderParams::SUBPIXEL_RENDERING_VBGR: return 1;
69 }
70 NOTREACHED() << "Unexpected subpixel rendering value " << rendering;
71 return 0;
72 }
73
74 } // namespace
75
76 SandboxIPCHandler::SandboxIPCHandler(int lifeline_fd, int browser_socket)
77 : lifeline_fd_(lifeline_fd),
78 browser_socket_(browser_socket) {
79 }
80
81 void SandboxIPCHandler::Run() {
82 struct pollfd pfds[2];
83 pfds[0].fd = lifeline_fd_;
84 pfds[0].events = POLLIN;
85 pfds[1].fd = browser_socket_;
86 pfds[1].events = POLLIN;
87
88 int failed_polls = 0;
89 for (;;) {
90 const int r =
91 HANDLE_EINTR(poll(pfds, arraysize(pfds), -1 /* no timeout */));
92 // '0' is not a possible return value with no timeout.
93 DCHECK_NE(0, r);
94 if (r < 0) {
95 PLOG(WARNING) << "poll";
96 if (failed_polls++ == 3) {
97 LOG(FATAL) << "poll(2) failing. SandboxIPCHandler aborting.";
98 return;
99 }
100 continue;
101 }
102
103 failed_polls = 0;
104
105 // The browser process will close the other end of this pipe on shutdown,
106 // so we should exit.
107 if (pfds[0].revents) {
108 break;
109 }
110
111 // If poll(2) reports an error condition in this fd,
112 // we assume the zygote is gone and we exit the loop.
113 if (pfds[1].revents & (POLLERR | POLLHUP)) {
114 break;
115 }
116
117 if (pfds[1].revents & POLLIN) {
118 HandleRequestFromRenderer(browser_socket_);
119 }
120 }
121
122 VLOG(1) << "SandboxIPCHandler stopping.";
123 }
124
125 void SandboxIPCHandler::HandleRequestFromRenderer(int fd) {
126 ScopedVector<base::ScopedFD> fds;
127
128 // A FontConfigIPC::METHOD_MATCH message could be kMaxFontFamilyLength
129 // bytes long (this is the largest message type).
130 // 128 bytes padding are necessary so recvmsg() does not return MSG_TRUNC
131 // error for a maximum length message.
132 char buf[FontConfigIPC::kMaxFontFamilyLength + 128];
133
134 const ssize_t len = UnixDomainSocket::RecvMsg(fd, buf, sizeof(buf), &fds);
135 if (len == -1) {
136 // TODO: should send an error reply, or the sender might block forever.
137 NOTREACHED() << "Sandbox host message is larger than kMaxFontFamilyLength";
138 return;
139 }
140 if (fds.empty())
141 return;
142
143 Pickle pickle(buf, len);
144 PickleIterator iter(pickle);
145
146 int kind;
147 if (!iter.ReadInt(&kind))
148 return;
149
150 if (kind == FontConfigIPC::METHOD_MATCH) {
151 HandleFontMatchRequest(fd, iter, fds.get());
152 } else if (kind == FontConfigIPC::METHOD_OPEN) {
153 HandleFontOpenRequest(fd, iter, fds.get());
154 } else if (kind == LinuxSandbox::METHOD_GET_FALLBACK_FONT_FOR_CHAR) {
155 HandleGetFallbackFontForChar(fd, iter, fds.get());
156 } else if (kind == LinuxSandbox::METHOD_LOCALTIME) {
157 HandleLocaltime(fd, iter, fds.get());
158 } else if (kind == LinuxSandbox::METHOD_GET_STYLE_FOR_STRIKE) {
159 HandleGetStyleForStrike(fd, iter, fds.get());
160 } else if (kind == LinuxSandbox::METHOD_MAKE_SHARED_MEMORY_SEGMENT) {
161 HandleMakeSharedMemorySegment(fd, iter, fds.get());
162 } else if (kind == LinuxSandbox::METHOD_MATCH_WITH_FALLBACK) {
163 HandleMatchWithFallback(fd, iter, fds.get());
164 }
165 }
166
167 int SandboxIPCHandler::FindOrAddPath(const SkString& path) {
168 int count = paths_.count();
169 for (int i = 0; i < count; ++i) {
170 if (path == *paths_[i])
171 return i;
172 }
173 *paths_.append() = new SkString(path);
174 return count;
175 }
176
177 void SandboxIPCHandler::HandleFontMatchRequest(
178 int fd,
179 PickleIterator iter,
180 const std::vector<base::ScopedFD*>& fds) {
181 uint32_t requested_style;
182 std::string family;
183 if (!iter.ReadString(&family) || !iter.ReadUInt32(&requested_style))
184 return;
185
186 SkFontConfigInterface::FontIdentity result_identity;
187 SkString result_family;
188 SkTypeface::Style result_style;
189 SkFontConfigInterface* fc =
190 SkFontConfigInterface::GetSingletonDirectInterface();
191 const bool r =
192 fc->matchFamilyName(family.c_str(),
193 static_cast<SkTypeface::Style>(requested_style),
194 &result_identity,
195 &result_family,
196 &result_style);
197
198 Pickle reply;
199 if (!r) {
200 reply.WriteBool(false);
201 } else {
202 // Stash away the returned path, so we can give it an ID (index)
203 // which will later be given to us in a request to open the file.
204 int index = FindOrAddPath(result_identity.fString);
205 result_identity.fID = static_cast<uint32_t>(index);
206
207 reply.WriteBool(true);
208 skia::WriteSkString(&reply, result_family);
209 skia::WriteSkFontIdentity(&reply, result_identity);
210 reply.WriteUInt32(result_style);
211 }
212 SendRendererReply(fds, reply, -1);
213 }
214
215 void SandboxIPCHandler::HandleFontOpenRequest(
216 int fd,
217 PickleIterator iter,
218 const std::vector<base::ScopedFD*>& fds) {
219 uint32_t index;
220 if (!iter.ReadUInt32(&index))
221 return;
222 if (index >= static_cast<uint32_t>(paths_.count()))
223 return;
224 const int result_fd = open(paths_[index]->c_str(), O_RDONLY);
225
226 Pickle reply;
227 if (result_fd == -1) {
228 reply.WriteBool(false);
229 } else {
230 reply.WriteBool(true);
231 }
232
233 // The receiver will have its own access to the file, so we will close it
234 // after this send.
235 SendRendererReply(fds, reply, result_fd);
236
237 if (result_fd >= 0) {
238 int err = IGNORE_EINTR(close(result_fd));
239 DCHECK(!err);
240 }
241 }
242
243 void SandboxIPCHandler::HandleGetFallbackFontForChar(
244 int fd,
245 PickleIterator iter,
246 const std::vector<base::ScopedFD*>& fds) {
247 // The other side of this call is
248 // content/common/child_process_sandbox_support_impl_linux.cc
249
250 EnsureWebKitInitialized();
251 WebUChar32 c;
252 if (!iter.ReadInt(&c))
253 return;
254
255 std::string preferred_locale;
256 if (!iter.ReadString(&preferred_locale))
257 return;
258
259 blink::WebFallbackFont fallbackFont;
260 WebFontInfo::fallbackFontForChar(c, preferred_locale.c_str(), &fallbackFont);
261
262 int pathIndex = FindOrAddPath(SkString(fallbackFont.filename.data()));
263 fallbackFont.fontconfigInterfaceId = pathIndex;
264
265 Pickle reply;
266 if (fallbackFont.name.data()) {
267 reply.WriteString(fallbackFont.name.data());
268 } else {
269 reply.WriteString(std::string());
270 }
271 if (fallbackFont.filename.data()) {
272 reply.WriteString(fallbackFont.filename.data());
273 } else {
274 reply.WriteString(std::string());
275 }
276 reply.WriteInt(fallbackFont.fontconfigInterfaceId);
277 reply.WriteInt(fallbackFont.ttcIndex);
278 reply.WriteBool(fallbackFont.isBold);
279 reply.WriteBool(fallbackFont.isItalic);
280 SendRendererReply(fds, reply, -1);
281 }
282
283 void SandboxIPCHandler::HandleGetStyleForStrike(
284 int fd,
285 PickleIterator iter,
286 const std::vector<base::ScopedFD*>& fds) {
287 std::string family;
288 bool bold, italic;
289 uint16 pixel_size;
290
291 if (!iter.ReadString(&family) ||
292 !iter.ReadBool(&bold) ||
293 !iter.ReadBool(&italic) ||
294 !iter.ReadUInt16(&pixel_size)) {
295 return;
296 }
297
298 EnsureWebKitInitialized();
299
300 gfx::FontRenderParamsQuery query;
301 query.families.push_back(family);
302 query.pixel_size = pixel_size;
303 query.style = gfx::Font::NORMAL |
304 (bold ? gfx::Font::BOLD : 0) | (italic ? gfx::Font::ITALIC : 0);
305 const gfx::FontRenderParams params = gfx::GetFontRenderParams(query, NULL);
306
307 // These are passed as ints since they're interpreted as tri-state chars in
308 // Blink.
309 Pickle reply;
310 reply.WriteInt(params.use_bitmaps);
311 reply.WriteInt(params.autohinter);
312 reply.WriteInt(params.hinting != gfx::FontRenderParams::HINTING_NONE);
313 reply.WriteInt(ConvertHinting(params.hinting));
314 reply.WriteInt(params.antialiasing);
315 reply.WriteInt(ConvertSubpixelRendering(params.subpixel_rendering));
316 reply.WriteInt(params.subpixel_positioning);
317
318 SendRendererReply(fds, reply, -1);
319 }
320
321 void SandboxIPCHandler::HandleLocaltime(
322 int fd,
323 PickleIterator iter,
324 const std::vector<base::ScopedFD*>& fds) {
325 // The other side of this call is in zygote_main_linux.cc
326
327 std::string time_string;
328 if (!iter.ReadString(&time_string) || time_string.size() != sizeof(time_t))
329 return;
330
331 time_t time;
332 memcpy(&time, time_string.data(), sizeof(time));
333 // We use localtime here because we need the tm_zone field to be filled
334 // out. Since we are a single-threaded process, this is safe.
335 const struct tm* expanded_time = localtime(&time);
336
337 std::string result_string;
338 const char* time_zone_string = "";
339 if (expanded_time != NULL) {
340 result_string = std::string(reinterpret_cast<const char*>(expanded_time),
341 sizeof(struct tm));
342 time_zone_string = expanded_time->tm_zone;
343 }
344
345 Pickle reply;
346 reply.WriteString(result_string);
347 reply.WriteString(time_zone_string);
348 SendRendererReply(fds, reply, -1);
349 }
350
351 void SandboxIPCHandler::HandleMakeSharedMemorySegment(
352 int fd,
353 PickleIterator iter,
354 const std::vector<base::ScopedFD*>& fds) {
355 base::SharedMemoryCreateOptions options;
356 uint32_t size;
357 if (!iter.ReadUInt32(&size))
358 return;
359 options.size = size;
360 if (!iter.ReadBool(&options.executable))
361 return;
362 int shm_fd = -1;
363 base::SharedMemory shm;
364 if (shm.Create(options))
365 shm_fd = shm.handle().fd;
366 Pickle reply;
367 SendRendererReply(fds, reply, shm_fd);
368 }
369
370 void SandboxIPCHandler::HandleMatchWithFallback(
371 int fd,
372 PickleIterator iter,
373 const std::vector<base::ScopedFD*>& fds) {
374 std::string face;
375 bool is_bold, is_italic;
376 uint32 charset, fallback_family;
377
378 if (!iter.ReadString(&face) || face.empty() ||
379 !iter.ReadBool(&is_bold) ||
380 !iter.ReadBool(&is_italic) ||
381 !iter.ReadUInt32(&charset) ||
382 !iter.ReadUInt32(&fallback_family)) {
383 return;
384 }
385
386 int font_fd = MatchFontFaceWithFallback(
387 face, is_bold, is_italic, charset, fallback_family);
388
389 Pickle reply;
390 SendRendererReply(fds, reply, font_fd);
391
392 if (font_fd >= 0) {
393 if (IGNORE_EINTR(close(font_fd)) < 0)
394 PLOG(ERROR) << "close";
395 }
396 }
397
398 void SandboxIPCHandler::SendRendererReply(
399 const std::vector<base::ScopedFD*>& fds,
400 const Pickle& reply,
401 int reply_fd) {
402 struct msghdr msg;
403 memset(&msg, 0, sizeof(msg));
404 struct iovec iov = {const_cast<void*>(reply.data()), reply.size()};
405 msg.msg_iov = &iov;
406 msg.msg_iovlen = 1;
407
408 char control_buffer[CMSG_SPACE(sizeof(int))];
409
410 if (reply_fd != -1) {
411 struct stat st;
412 if (fstat(reply_fd, &st) == 0 && S_ISDIR(st.st_mode)) {
413 LOG(FATAL) << "Tried to send a directory descriptor over sandbox IPC";
414 // We must never send directory descriptors to a sandboxed process
415 // because they can use openat with ".." elements in the path in order
416 // to escape the sandbox and reach the real filesystem.
417 }
418
419 struct cmsghdr* cmsg;
420 msg.msg_control = control_buffer;
421 msg.msg_controllen = sizeof(control_buffer);
422 cmsg = CMSG_FIRSTHDR(&msg);
423 cmsg->cmsg_level = SOL_SOCKET;
424 cmsg->cmsg_type = SCM_RIGHTS;
425 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
426 memcpy(CMSG_DATA(cmsg), &reply_fd, sizeof(reply_fd));
427 msg.msg_controllen = cmsg->cmsg_len;
428 }
429
430 if (HANDLE_EINTR(sendmsg(fds[0]->get(), &msg, MSG_DONTWAIT)) < 0)
431 PLOG(ERROR) << "sendmsg";
432 }
433
434 SandboxIPCHandler::~SandboxIPCHandler() {
435 paths_.deleteAll();
436 if (blink_platform_impl_)
437 blink::shutdownWithoutV8();
438
439 if (IGNORE_EINTR(close(lifeline_fd_)) < 0)
440 PLOG(ERROR) << "close";
441 if (IGNORE_EINTR(close(browser_socket_)) < 0)
442 PLOG(ERROR) << "close";
443 }
444
445 void SandboxIPCHandler::EnsureWebKitInitialized() {
446 if (blink_platform_impl_)
447 return;
448 blink_platform_impl_.reset(new BlinkPlatformImpl);
449 blink::initializeWithoutV8(blink_platform_impl_.get());
450 }
451
452 } // namespace content