search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert 268405 "Make sure that ScratchBuffer::Allocate() always r..."
[chromium-blink-merge.git] / content / browser / renderer_host / sandbox_ipc_linux.cc
blobf988ae942dc0b16cfdff1a6ad85a22f33750ce7f
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/browser/renderer_host/sandbox_ipc_linux.h"
6
7 #include <fcntl.h>
8 #include <fontconfig/fontconfig.h>
9 #include <sys/poll.h>
10 #include <sys/socket.h>
11 #include <sys/stat.h>
12
13 #include "base/command_line.h"
14 #include "base/files/scoped_file.h"
15 #include "base/linux_util.h"
16 #include "base/memory/scoped_vector.h"
17 #include "base/memory/shared_memory.h"
18 #include "base/posix/eintr_wrapper.h"
19 #include "base/posix/unix_domain_socket_linux.h"
20 #include "base/process/launch.h"
21 #include "base/strings/string_number_conversions.h"
22 #include "content/common/font_config_ipc_linux.h"
23 #include "content/common/sandbox_linux/sandbox_linux.h"
24 #include "content/common/set_process_title.h"
25 #include "content/public/common/content_switches.h"
26 #include "ppapi/c/trusted/ppb_browser_font_trusted.h"
27 #include "third_party/WebKit/public/platform/linux/WebFontInfo.h"
28 #include "third_party/WebKit/public/web/WebKit.h"
29 #include "third_party/npapi/bindings/npapi_extensions.h"
30 #include "third_party/skia/include/ports/SkFontConfigInterface.h"
31 #include "ui/gfx/font_render_params_linux.h"
32
33 using blink::WebCString;
34 using blink::WebFontInfo;
35 using blink::WebUChar;
36 using blink::WebUChar32;
37
38 namespace {
39
40 // MSCharSetToFontconfig translates a Microsoft charset identifier to a
41 // fontconfig language set by appending to |langset|.
42 static void MSCharSetToFontconfig(FcLangSet* langset, unsigned fdwCharSet) {
43 // We have need to translate raw fdwCharSet values into terms that
44 // fontconfig can understand. (See the description of fdwCharSet in the MSDN
45 // documentation for CreateFont:
46 // http://msdn.microsoft.com/en-us/library/dd183499(VS.85).aspx )
47 //
48 // Although the argument is /called/ 'charset', the actual values conflate
49 // character sets (which are sets of Unicode code points) and character
50 // encodings (which are algorithms for turning a series of bits into a
51 // series of code points.) Sometimes the values will name a language,
52 // sometimes they'll name an encoding. In the latter case I'm assuming that
53 // they mean the set of code points in the domain of that encoding.
54 //
55 // fontconfig deals with ISO 639-1 language codes:
56 // http://en.wikipedia.org/wiki/List_of_ISO_639-1_codes
57 //
58 // So, for each of the documented fdwCharSet values I've had to take a
59 // guess at the set of ISO 639-1 languages intended.
60
61 switch (fdwCharSet) {
62 case NPCharsetAnsi:
63 // These values I don't really know what to do with, so I'm going to map
64 // them to English also.
65 case NPCharsetDefault:
66 case NPCharsetMac:
67 case NPCharsetOEM:
68 case NPCharsetSymbol:
69 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("en"));
70 break;
71 case NPCharsetBaltic:
72 // The three baltic languages.
73 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("et"));
74 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("lv"));
75 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("lt"));
76 break;
77 // TODO(jungshik): Would we be better off mapping Big5 to zh-tw
78 // and GB2312 to zh-cn? Fontconfig has 4 separate orthography
79 // files (zh-{cn,tw,hk,mo}.
80 case NPCharsetChineseBIG5:
81 case NPCharsetGB2312:
82 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("zh"));
83 break;
84 case NPCharsetEastEurope:
85 // A scattering of eastern European languages.
86 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("pl"));
87 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("cs"));
88 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("sk"));
89 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("hu"));
90 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("hr"));
91 break;
92 case NPCharsetGreek:
93 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("el"));
94 break;
95 case NPCharsetHangul:
96 case NPCharsetJohab:
97 // Korean
98 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("ko"));
99 break;
100 case NPCharsetRussian:
101 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("ru"));
102 break;
103 case NPCharsetShiftJIS:
104 // Japanese
105 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("ja"));
106 break;
107 case NPCharsetTurkish:
108 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("tr"));
109 break;
110 case NPCharsetVietnamese:
111 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("vi"));
112 break;
113 case NPCharsetArabic:
114 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("ar"));
115 break;
116 case NPCharsetHebrew:
117 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("he"));
118 break;
119 case NPCharsetThai:
120 FcLangSetAdd(langset, reinterpret_cast<const FcChar8*>("th"));
121 break;
122 // default:
123 // Don't add any languages in that case that we don't recognise the
124 // constant.
125 }
126 }
127
128 } // namespace
129
130 namespace content {
131
132 SandboxIPCProcess::SandboxIPCProcess(int lifeline_fd,
133 int browser_socket,
134 std::string sandbox_cmd)
135 : lifeline_fd_(lifeline_fd), browser_socket_(browser_socket) {
136 if (!sandbox_cmd.empty()) {
137 sandbox_cmd_.push_back(sandbox_cmd);
138 sandbox_cmd_.push_back(base::kFindInodeSwitch);
139 }
140
141 // FontConfig doesn't provide a standard property to control subpixel
142 // positioning, so we pass the current setting through to WebKit.
143 WebFontInfo::setSubpixelPositioning(
144 gfx::GetDefaultWebkitSubpixelPositioning());
145
146 CommandLine& command_line = *CommandLine::ForCurrentProcess();
147 command_line.AppendSwitchASCII(switches::kProcessType,
148 switches::kSandboxIPCProcess);
149
150 // Update the process title. The argv was already cached by the call to
151 // SetProcessTitleFromCommandLine in content_main_runner.cc, so we can pass
152 // NULL here (we don't have the original argv at this point).
153 SetProcessTitleFromCommandLine(NULL);
154 }
155
156 void SandboxIPCProcess::Run() {
157 struct pollfd pfds[2];
158 pfds[0].fd = lifeline_fd_;
159 pfds[0].events = POLLIN;
160 pfds[1].fd = browser_socket_;
161 pfds[1].events = POLLIN;
162
163 int failed_polls = 0;
164 for (;;) {
165 const int r = HANDLE_EINTR(poll(pfds, 2, -1 /* no timeout */));
166 // '0' is not a possible return value with no timeout.
167 DCHECK_NE(0, r);
168 if (r < 0) {
169 PLOG(WARNING) << "poll";
170 if (failed_polls++ == 3) {
171 LOG(FATAL) << "poll(2) failing. RenderSandboxHostLinux aborting.";
172 return;
173 }
174 continue;
175 }
176
177 failed_polls = 0;
178
179 if (pfds[0].revents) {
180 // our parent died so we should too.
181 _exit(0);
182 }
183
184 if (pfds[1].revents) {
185 HandleRequestFromRenderer(browser_socket_);
186 }
187 }
188 }
189
190 void SandboxIPCProcess::HandleRequestFromRenderer(int fd) {
191 ScopedVector<base::ScopedFD> fds;
192
193 // A FontConfigIPC::METHOD_MATCH message could be kMaxFontFamilyLength
194 // bytes long (this is the largest message type).
195 // 128 bytes padding are necessary so recvmsg() does not return MSG_TRUNC
196 // error for a maximum length message.
197 char buf[FontConfigIPC::kMaxFontFamilyLength + 128];
198
199 const ssize_t len = UnixDomainSocket::RecvMsg(fd, buf, sizeof(buf), &fds);
200 if (len == -1) {
201 // TODO: should send an error reply, or the sender might block forever.
202 NOTREACHED() << "Sandbox host message is larger than kMaxFontFamilyLength";
203 return;
204 }
205 if (fds.empty())
206 return;
207
208 Pickle pickle(buf, len);
209 PickleIterator iter(pickle);
210
211 int kind;
212 if (!pickle.ReadInt(&iter, &kind))
213 return;
214
215 if (kind == FontConfigIPC::METHOD_MATCH) {
216 HandleFontMatchRequest(fd, pickle, iter, fds.get());
217 } else if (kind == FontConfigIPC::METHOD_OPEN) {
218 HandleFontOpenRequest(fd, pickle, iter, fds.get());
219 } else if (kind == LinuxSandbox::METHOD_GET_FONT_FAMILY_FOR_CHAR) {
220 HandleGetFontFamilyForChar(fd, pickle, iter, fds.get());
221 } else if (kind == LinuxSandbox::METHOD_LOCALTIME) {
222 HandleLocaltime(fd, pickle, iter, fds.get());
223 } else if (kind == LinuxSandbox::METHOD_GET_CHILD_WITH_INODE) {
224 HandleGetChildWithInode(fd, pickle, iter, fds.get());
225 } else if (kind == LinuxSandbox::METHOD_GET_STYLE_FOR_STRIKE) {
226 HandleGetStyleForStrike(fd, pickle, iter, fds.get());
227 } else if (kind == LinuxSandbox::METHOD_MAKE_SHARED_MEMORY_SEGMENT) {
228 HandleMakeSharedMemorySegment(fd, pickle, iter, fds.get());
229 } else if (kind == LinuxSandbox::METHOD_MATCH_WITH_FALLBACK) {
230 HandleMatchWithFallback(fd, pickle, iter, fds.get());
231 }
232 }
233
234 int SandboxIPCProcess::FindOrAddPath(const SkString& path) {
235 int count = paths_.count();
236 for (int i = 0; i < count; ++i) {
237 if (path == *paths_[i])
238 return i;
239 }
240 *paths_.append() = new SkString(path);
241 return count;
242 }
243
244 void SandboxIPCProcess::HandleFontMatchRequest(
245 int fd,
246 const Pickle& pickle,
247 PickleIterator iter,
248 const std::vector<base::ScopedFD*>& fds) {
249 uint32_t requested_style;
250 std::string family;
251 if (!pickle.ReadString(&iter, &family) ||
252 !pickle.ReadUInt32(&iter, &requested_style))
253 return;
254
255 SkFontConfigInterface::FontIdentity result_identity;
256 SkString result_family;
257 SkTypeface::Style result_style;
258 SkFontConfigInterface* fc =
259 SkFontConfigInterface::GetSingletonDirectInterface();
260 const bool r =
261 fc->matchFamilyName(family.c_str(),
262 static_cast<SkTypeface::Style>(requested_style),
263 &result_identity,
264 &result_family,
265 &result_style);
266
267 Pickle reply;
268 if (!r) {
269 reply.WriteBool(false);
270 } else {
271 // Stash away the returned path, so we can give it an ID (index)
272 // which will later be given to us in a request to open the file.
273 int index = FindOrAddPath(result_identity.fString);
274 result_identity.fID = static_cast<uint32_t>(index);
275
276 reply.WriteBool(true);
277 skia::WriteSkString(&reply, result_family);
278 skia::WriteSkFontIdentity(&reply, result_identity);
279 reply.WriteUInt32(result_style);
280 }
281 SendRendererReply(fds, reply, -1);
282 }
283
284 void SandboxIPCProcess::HandleFontOpenRequest(
285 int fd,
286 const Pickle& pickle,
287 PickleIterator iter,
288 const std::vector<base::ScopedFD*>& fds) {
289 uint32_t index;
290 if (!pickle.ReadUInt32(&iter, &index))
291 return;
292 if (index >= static_cast<uint32_t>(paths_.count()))
293 return;
294 const int result_fd = open(paths_[index]->c_str(), O_RDONLY);
295
296 Pickle reply;
297 if (result_fd == -1) {
298 reply.WriteBool(false);
299 } else {
300 reply.WriteBool(true);
301 }
302
303 // The receiver will have its own access to the file, so we will close it
304 // after this send.
305 SendRendererReply(fds, reply, result_fd);
306
307 if (result_fd >= 0) {
308 int err = IGNORE_EINTR(close(result_fd));
309 DCHECK(!err);
310 }
311 }
312
313 void SandboxIPCProcess::HandleGetFontFamilyForChar(
314 int fd,
315 const Pickle& pickle,
316 PickleIterator iter,
317 const std::vector<base::ScopedFD*>& fds) {
318 // The other side of this call is
319 // chrome/renderer/renderer_sandbox_support_linux.cc
320
321 EnsureWebKitInitialized();
322 WebUChar32 c;
323 if (!pickle.ReadInt(&iter, &c))
324 return;
325
326 std::string preferred_locale;
327 if (!pickle.ReadString(&iter, &preferred_locale))
328 return;
329
330 blink::WebFontFamily family;
331 WebFontInfo::familyForChar(c, preferred_locale.c_str(), &family);
332
333 Pickle reply;
334 if (family.name.data()) {
335 reply.WriteString(family.name.data());
336 } else {
337 reply.WriteString(std::string());
338 }
339 reply.WriteBool(family.isBold);
340 reply.WriteBool(family.isItalic);
341 SendRendererReply(fds, reply, -1);
342 }
343
344 void SandboxIPCProcess::HandleGetStyleForStrike(
345 int fd,
346 const Pickle& pickle,
347 PickleIterator iter,
348 const std::vector<base::ScopedFD*>& fds) {
349 std::string family;
350 int sizeAndStyle;
351
352 if (!pickle.ReadString(&iter, &family) ||
353 !pickle.ReadInt(&iter, &sizeAndStyle)) {
354 return;
355 }
356
357 EnsureWebKitInitialized();
358 blink::WebFontRenderStyle style;
359 WebFontInfo::renderStyleForStrike(family.c_str(), sizeAndStyle, &style);
360
361 Pickle reply;
362 reply.WriteInt(style.useBitmaps);
363 reply.WriteInt(style.useAutoHint);
364 reply.WriteInt(style.useHinting);
365 reply.WriteInt(style.hintStyle);
366 reply.WriteInt(style.useAntiAlias);
367 reply.WriteInt(style.useSubpixelRendering);
368 reply.WriteInt(style.useSubpixelPositioning);
369
370 SendRendererReply(fds, reply, -1);
371 }
372
373 void SandboxIPCProcess::HandleLocaltime(
374 int fd,
375 const Pickle& pickle,
376 PickleIterator iter,
377 const std::vector<base::ScopedFD*>& fds) {
378 // The other side of this call is in zygote_main_linux.cc
379
380 std::string time_string;
381 if (!pickle.ReadString(&iter, &time_string) ||
382 time_string.size() != sizeof(time_t)) {
383 return;
384 }
385
386 time_t time;
387 memcpy(&time, time_string.data(), sizeof(time));
388 // We use localtime here because we need the tm_zone field to be filled
389 // out. Since we are a single-threaded process, this is safe.
390 const struct tm* expanded_time = localtime(&time);
391
392 std::string result_string;
393 const char* time_zone_string = "";
394 if (expanded_time != NULL) {
395 result_string = std::string(reinterpret_cast<const char*>(expanded_time),
396 sizeof(struct tm));
397 time_zone_string = expanded_time->tm_zone;
398 }
399
400 Pickle reply;
401 reply.WriteString(result_string);
402 reply.WriteString(time_zone_string);
403 SendRendererReply(fds, reply, -1);
404 }
405
406 void SandboxIPCProcess::HandleGetChildWithInode(
407 int fd,
408 const Pickle& pickle,
409 PickleIterator iter,
410 const std::vector<base::ScopedFD*>& fds) {
411 // The other side of this call is in zygote_main_linux.cc
412 if (sandbox_cmd_.empty()) {
413 LOG(ERROR) << "Not in the sandbox, this should not be called";
414 return;
415 }
416
417 uint64_t inode;
418 if (!pickle.ReadUInt64(&iter, &inode))
419 return;
420
421 base::ProcessId pid = 0;
422 std::string inode_output;
423
424 std::vector<std::string> sandbox_cmd = sandbox_cmd_;
425 sandbox_cmd.push_back(base::Int64ToString(inode));
426 CommandLine get_inode_cmd(sandbox_cmd);
427 if (base::GetAppOutput(get_inode_cmd, &inode_output))
428 base::StringToInt(inode_output, &pid);
429
430 if (!pid) {
431 // Even though the pid is invalid, we still need to reply to the zygote
432 // and not just return here.
433 LOG(ERROR) << "Could not get pid";
434 }
435
436 Pickle reply;
437 reply.WriteInt(pid);
438 SendRendererReply(fds, reply, -1);
439 }
440
441 void SandboxIPCProcess::HandleMakeSharedMemorySegment(
442 int fd,
443 const Pickle& pickle,
444 PickleIterator iter,
445 const std::vector<base::ScopedFD*>& fds) {
446 base::SharedMemoryCreateOptions options;
447 uint32_t size;
448 if (!pickle.ReadUInt32(&iter, &size))
449 return;
450 options.size = size;
451 if (!pickle.ReadBool(&iter, &options.executable))
452 return;
453 int shm_fd = -1;
454 base::SharedMemory shm;
455 if (shm.Create(options))
456 shm_fd = shm.handle().fd;
457 Pickle reply;
458 SendRendererReply(fds, reply, shm_fd);
459 }
460
461 void SandboxIPCProcess::HandleMatchWithFallback(
462 int fd,
463 const Pickle& pickle,
464 PickleIterator iter,
465 const std::vector<base::ScopedFD*>& fds) {
466 // Unlike the other calls, for which we are an indirection in front of
467 // WebKit or Skia, this call is always made via this sandbox helper
468 // process. Therefore the fontconfig code goes in here directly.
469
470 std::string face;
471 bool is_bold, is_italic;
472 uint32 charset, fallback_family;
473
474 if (!pickle.ReadString(&iter, &face) || face.empty() ||
475 !pickle.ReadBool(&iter, &is_bold) ||
476 !pickle.ReadBool(&iter, &is_italic) ||
477 !pickle.ReadUInt32(&iter, &charset) ||
478 !pickle.ReadUInt32(&iter, &fallback_family)) {
479 return;
480 }
481
482 FcLangSet* langset = FcLangSetCreate();
483 MSCharSetToFontconfig(langset, charset);
484
485 FcPattern* pattern = FcPatternCreate();
486 // TODO(agl): FC_FAMILy needs to change
487 FcPatternAddString(
488 pattern, FC_FAMILY, reinterpret_cast<const FcChar8*>(face.c_str()));
489
490 std::string generic_font_name;
491 switch (fallback_family) {
492 case PP_BROWSERFONT_TRUSTED_FAMILY_SERIF:
493 generic_font_name = "Times New Roman";
494 break;
495 case PP_BROWSERFONT_TRUSTED_FAMILY_SANSSERIF:
496 generic_font_name = "Arial";
497 break;
498 case PP_BROWSERFONT_TRUSTED_FAMILY_MONOSPACE:
499 generic_font_name = "Courier New";
500 break;
501 }
502 if (!generic_font_name.empty()) {
503 const FcChar8* fc_generic_font_name =
504 reinterpret_cast<const FcChar8*>(generic_font_name.c_str());
505 FcPatternAddString(pattern, FC_FAMILY, fc_generic_font_name);
506 }
507
508 if (is_bold)
509 FcPatternAddInteger(pattern, FC_WEIGHT, FC_WEIGHT_BOLD);
510 if (is_italic)
511 FcPatternAddInteger(pattern, FC_SLANT, FC_SLANT_ITALIC);
512 FcPatternAddLangSet(pattern, FC_LANG, langset);
513 FcPatternAddBool(pattern, FC_SCALABLE, FcTrue);
514 FcConfigSubstitute(NULL, pattern, FcMatchPattern);
515 FcDefaultSubstitute(pattern);
516
517 FcResult result;
518 FcFontSet* font_set = FcFontSort(0, pattern, 0, 0, &result);
519 int font_fd = -1;
520 int good_enough_index = -1;
521 bool good_enough_index_set = false;
522
523 if (font_set) {
524 for (int i = 0; i < font_set->nfont; ++i) {
525 FcPattern* current = font_set->fonts[i];
526
527 // Older versions of fontconfig have a bug where they cannot select
528 // only scalable fonts so we have to manually filter the results.
529 FcBool is_scalable;
530 if (FcPatternGetBool(current, FC_SCALABLE, 0, &is_scalable) !=
531 FcResultMatch ||
532 !is_scalable) {
533 continue;
534 }
535
536 FcChar8* c_filename;
537 if (FcPatternGetString(current, FC_FILE, 0, &c_filename) !=
538 FcResultMatch) {
539 continue;
540 }
541
542 // We only want to return sfnt (TrueType) based fonts. We don't have a
543 // very good way of detecting this so we'll filter based on the
544 // filename.
545 bool is_sfnt = false;
546 static const char kSFNTExtensions[][5] = {".ttf", ".otc", ".TTF", ".ttc",
547 ""};
548 const size_t filename_len = strlen(reinterpret_cast<char*>(c_filename));
549 for (unsigned j = 0;; j++) {
550 if (kSFNTExtensions[j][0] == 0) {
551 // None of the extensions matched.
552 break;
553 }
554 const size_t ext_len = strlen(kSFNTExtensions[j]);
555 if (filename_len > ext_len &&
556 memcmp(c_filename + filename_len - ext_len,
557 kSFNTExtensions[j],
558 ext_len) == 0) {
559 is_sfnt = true;
560 break;
561 }
562 }
563
564 if (!is_sfnt)
565 continue;
566
567 // This font is good enough to pass muster, but we might be able to do
568 // better with subsequent ones.
569 if (!good_enough_index_set) {
570 good_enough_index = i;
571 good_enough_index_set = true;
572 }
573
574 FcValue matrix;
575 bool have_matrix = FcPatternGet(current, FC_MATRIX, 0, &matrix) == 0;
576
577 if (is_italic && have_matrix) {
578 // we asked for an italic font, but fontconfig is giving us a
579 // non-italic font with a transformation matrix.
580 continue;
581 }
582
583 FcValue embolden;
584 const bool have_embolden =
585 FcPatternGet(current, FC_EMBOLDEN, 0, &embolden) == 0;
586
587 if (is_bold && have_embolden) {
588 // we asked for a bold font, but fontconfig gave us a non-bold font
589 // and asked us to apply fake bolding.
590 continue;
591 }
592
593 font_fd = open(reinterpret_cast<char*>(c_filename), O_RDONLY);
594 if (font_fd >= 0)
595 break;
596 }
597 }
598
599 if (font_fd == -1 && good_enough_index_set) {
600 // We didn't find a font that we liked, so we fallback to something
601 // acceptable.
602 FcPattern* current = font_set->fonts[good_enough_index];
603 FcChar8* c_filename;
604 FcPatternGetString(current, FC_FILE, 0, &c_filename);
605 font_fd = open(reinterpret_cast<char*>(c_filename), O_RDONLY);
606 }
607
608 if (font_set)
609 FcFontSetDestroy(font_set);
610 FcPatternDestroy(pattern);
611
612 Pickle reply;
613 SendRendererReply(fds, reply, font_fd);
614
615 if (font_fd >= 0) {
616 if (IGNORE_EINTR(close(font_fd)) < 0)
617 PLOG(ERROR) << "close";
618 }
619 }
620
621 void SandboxIPCProcess::SendRendererReply(
622 const std::vector<base::ScopedFD*>& fds,
623 const Pickle& reply,
624 int reply_fd) {
625 struct msghdr msg;
626 memset(&msg, 0, sizeof(msg));
627 struct iovec iov = {const_cast<void*>(reply.data()), reply.size()};
628 msg.msg_iov = &iov;
629 msg.msg_iovlen = 1;
630
631 char control_buffer[CMSG_SPACE(sizeof(int))];
632
633 if (reply_fd != -1) {
634 struct stat st;
635 if (fstat(reply_fd, &st) == 0 && S_ISDIR(st.st_mode)) {
636 LOG(FATAL) << "Tried to send a directory descriptor over sandbox IPC";
637 // We must never send directory descriptors to a sandboxed process
638 // because they can use openat with ".." elements in the path in order
639 // to escape the sandbox and reach the real filesystem.
640 }
641
642 struct cmsghdr* cmsg;
643 msg.msg_control = control_buffer;
644 msg.msg_controllen = sizeof(control_buffer);
645 cmsg = CMSG_FIRSTHDR(&msg);
646 cmsg->cmsg_level = SOL_SOCKET;
647 cmsg->cmsg_type = SCM_RIGHTS;
648 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
649 memcpy(CMSG_DATA(cmsg), &reply_fd, sizeof(reply_fd));
650 msg.msg_controllen = cmsg->cmsg_len;
651 }
652
653 if (HANDLE_EINTR(sendmsg(fds[0]->get(), &msg, MSG_DONTWAIT)) < 0)
654 PLOG(ERROR) << "sendmsg";
655 }
656
657 SandboxIPCProcess::~SandboxIPCProcess() {
658 paths_.deleteAll();
659 if (webkit_platform_support_)
660 blink::shutdownWithoutV8();
661 }
662
663 void SandboxIPCProcess::EnsureWebKitInitialized() {
664 if (webkit_platform_support_)
665 return;
666 webkit_platform_support_.reset(new BlinkPlatformImpl);
667 blink::initializeWithoutV8(webkit_platform_support_.get());
668 }
669
670 } // namespace content