content/public/common/sandbox_init.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CONTENT_PUBLIC_COMMON_SANDBOX_INIT_H_
   6 #define CONTENT_PUBLIC_COMMON_SANDBOX_INIT_H_
   7
   8 #include "base/files/scoped_file.h"
   9 #include "base/memory/scoped_ptr.h"
  10 #include "base/memory/shared_memory.h"
  11 #include "base/process/process.h"
  12 #include "base/process/process_handle.h"
  13 #include "build/build_config.h"
  14 #include "content/common/content_export.h"
  15
  16 namespace base {
  17 class CommandLine;
  18 class FilePath;
  19 }
  20
  21 namespace sandbox {
  22 namespace bpf_dsl {
  23 class Policy;
  24 }
  25 struct SandboxInterfaceInfo;
  26 }
  27
  28 namespace content {
  29 class SandboxedProcessLauncherDelegate;
  30
  31 #if defined(OS_WIN) || defined(OS_MACOSX)
  32 // This function allows a sandboxed process to duplicate a SharedMemoryHandle
  33 // to itself or to another process. The duplicated SharedMemoryHandle has the
  34 // same access rights as the original. Returns true on success, false
  35 // otherwise.
  36 CONTENT_EXPORT bool BrokerDuplicateSharedMemoryHandle(
  37     const base::SharedMemoryHandle& source_handle,
  38     base::ProcessId target_process_id,
  39     base::SharedMemoryHandle* target_handle);
  40 #endif  // defined(OS_WIN) || defined(OS_MACOSX)
  41
  42 #if defined(OS_WIN)
  43
  44 // Initialize the sandbox for renderer, gpu, utility, worker, nacl, and plugin
  45 // processes, depending on the command line flags. Although The browser process
  46 // is not sandboxed, this also needs to be called because it will initialize
  47 // the broker code.
  48 // Returns true if the sandbox was initialized succesfully, false if an error
  49 // occurred.  If process_type isn't one that needs sandboxing true is always
  50 // returned.
  51 CONTENT_EXPORT bool InitializeSandbox(
  52     sandbox::SandboxInterfaceInfo* sandbox_info);
  53
  54 // This is a restricted version of Windows' DuplicateHandle() function
  55 // that works inside the sandbox and can send handles but not retrieve
  56 // them.  Unlike DuplicateHandle(), it takes a process ID rather than
  57 // a process handle.  It returns true on success, false otherwise.
  58 CONTENT_EXPORT bool BrokerDuplicateHandle(HANDLE source_handle,
  59                                           DWORD target_process_id,
  60                                           HANDLE* target_handle,
  61                                           DWORD desired_access,
  62                                           DWORD options);
  63
  64 // Inform the current process's sandbox broker (e.g. the broker for
  65 // 32-bit processes) about a process created under a different sandbox
  66 // broker (e.g. the broker for 64-bit processes).  This allows
  67 // BrokerDuplicateHandle() to send handles to a process managed by
  68 // another broker.  For example, it allows the 32-bit renderer to send
  69 // handles to 64-bit NaCl processes.  This returns true on success,
  70 // false otherwise.
  71 CONTENT_EXPORT bool BrokerAddTargetPeer(HANDLE peer_process);
  72
  73 // Launch a sandboxed process. |delegate| may be NULL. If |delegate| is non-NULL
  74 // then it just has to outlive this method call.
  75 CONTENT_EXPORT base::Process StartSandboxedProcess(
  76     SandboxedProcessLauncherDelegate* delegate,
  77     base::CommandLine* cmd_line);
  78
  79 #elif defined(OS_MACOSX)
  80
  81 // Initialize the sandbox of the given |sandbox_type|, optionally specifying a
  82 // directory to allow access to. Note specifying a directory needs to be
  83 // supported by the sandbox profile associated with the given |sandbox_type|.
  84 // Valid values for |sandbox_type| are defined either by the enum SandboxType,
  85 // or by ContentClient::GetSandboxProfileForSandboxType().
  86 //
  87 // If the |sandbox_type| isn't one of the ones defined by content then the
  88 // embedder is queried using ContentClient::GetSandboxPolicyForSandboxType().
  89 // The embedder can use values for |sandbox_type| starting from
  90 // sandbox::SANDBOX_PROCESS_TYPE_AFTER_LAST_TYPE.
  91 //
  92 // Returns true if the sandbox was initialized succesfully, false if an error
  93 // occurred.  If process_type isn't one that needs sandboxing, no action is
  94 // taken and true is always returned.
  95 CONTENT_EXPORT bool InitializeSandbox(int sandbox_type,
  96                                       const base::FilePath& allowed_path);
  97
  98 #elif defined(OS_LINUX) || defined(OS_NACL_NONSFI)
  99
 100 class SandboxInitializerDelegate;
 101
 102 // Initialize a seccomp-bpf sandbox. |policy| may not be NULL.
 103 // If an existing layer of sandboxing is present that would prevent access to
 104 // /proc, |proc_fd| must be a valid file descriptor to /proc/.
 105 // Returns true if the sandbox has been properly engaged.
 106 CONTENT_EXPORT bool InitializeSandbox(
 107     scoped_ptr<sandbox::bpf_dsl::Policy> policy,
 108     base::ScopedFD proc_fd);
 109
 110 // Return a "baseline" policy. This is used by a SandboxInitializerDelegate to
 111 // implement a policy that is derived from the baseline.
 112 CONTENT_EXPORT scoped_ptr<sandbox::bpf_dsl::Policy>
 113 GetBPFSandboxBaselinePolicy();
 114 #endif  // defined(OS_LINUX) || defined(OS_NACL_NONSFI)
 115
 116 }  // namespace content
 117
 118 #endif  // CONTENT_PUBLIC_COMMON_SANDBOX_INIT_H_