[go: nahoru, domu]
Google Git
Sign in
chromium / chromium / src / 37459e262c73633854fcb0e72b8b6b0c731353a2 / . / content / utility / utility_main.cc
blob: 39f98f4ce285cb6e0c69d3b96885bb1ccf6914b7 [file] [log] [blame]
// Copyright 2011 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <optional>
#include "base/allocator/partition_alloc_support.h"
#include "base/command_line.h"
#include "base/debug/leak_annotations.h"
#include "base/functional/bind.h"
#include "base/message_loop/message_pump_type.h"
#include "base/metrics/histogram_functions.h"
#include "base/power_monitor/power_monitor.h"
#include "base/run_loop.h"
#include "base/task/single_thread_task_executor.h"
#include "base/threading/hang_watcher.h"
#include "base/threading/platform_thread.h"
#include "base/time/time.h"
#include "base/timer/hi_res_timer_manager.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
#include "components/services/screen_ai/buildflags/buildflags.h"
#include "content/child/child_process.h"
#include "content/common/content_switches_internal.h"
#include "content/common/features.h"
#include "content/public/common/content_client.h"
#include "content/public/common/content_switches.h"
#include "content/public/common/main_function_params.h"
#include "content/public/utility/content_utility_client.h"
#include "content/utility/utility_thread_impl.h"
#include "printing/buildflags/buildflags.h"
#include "sandbox/policy/mojom/sandbox.mojom.h"
#include "sandbox/policy/sandbox.h"
#include "sandbox/policy/sandbox_type.h"
#include "services/on_device_model/on_device_model_service.h"
#include "services/tracing/public/cpp/trace_startup.h"
#include "third_party/icu/source/common/unicode/unistr.h"
#include "third_party/icu/source/i18n/unicode/timezone.h"
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
#include "base/file_descriptor_store.h"
#include "base/files/file_util.h"
#include "base/pickle.h"
#include "content/child/sandboxed_process_thread_type_handler.h"
#include "content/common/gpu_pre_sandbox_hook_linux.h"
#include "content/public/common/content_descriptor_keys.h"
#include "content/utility/speech/speech_recognition_sandbox_hook_linux.h"
#include "gpu/config/gpu_info_collector.h"
#include "media/gpu/sandbox/hardware_video_encoding_sandbox_hook_linux.h"
#include "sandbox/policy/linux/sandbox_linux.h"
#include "services/audio/audio_sandbox_hook_linux.h"
#include "services/network/network_sandbox_hook_linux.h"
// gn check is not smart enough to realize that this include only applies to
// Linux/ChromeOS and the BUILD.gn dependencies correctly account for that.
#include "third_party/angle/src/gpu_info_util/SystemInfo.h" //nogncheck
#if BUILDFLAG(ENABLE_PRINTING)
#include "printing/sandbox/print_backend_sandbox_hook_linux.h"
#endif
#endif
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
#include "media/gpu/sandbox/hardware_video_decoding_sandbox_hook_linux.h"
#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
#if BUILDFLAG(IS_CHROMEOS_ASH)
#include "chromeos/ash/components/assistant/buildflags.h"
#include "chromeos/ash/services/ime/ime_sandbox_hook.h"
#include "chromeos/services/tts/tts_sandbox_hook.h"
#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
#include "chromeos/ash/services/libassistant/libassistant_sandbox_hook.h" // nogncheck
#endif // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
#if (BUILDFLAG(ENABLE_SCREEN_AI_SERVICE) && \
(BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)))
#include "components/services/screen_ai/sandbox/screen_ai_sandbox_hook_linux.h" // nogncheck
#endif
#if BUILDFLAG(IS_MAC)
#include "base/message_loop/message_pump_apple.h"
#endif
#if BUILDFLAG(IS_WIN)
#include "base/native_library.h"
#include "base/rand_util.h"
#include "base/win/win_util.h"
#include "base/win/windows_version.h"
#include "content/utility/sandbox_delegate_data.mojom.h"
#include "sandbox/policy/win/sandbox_warmup.h"
#include "sandbox/win/src/sandbox.h"
#endif // BUILDFLAG(IS_WIN)
#if BUILDFLAG(IS_WIN)
sandbox::TargetServices* g_utility_target_services = nullptr;
#endif // BUILDFLAG(IS_WIN)
namespace content {
namespace {
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
std::vector<std::string> GetNetworkContextsParentDirectories() {
base::MemoryMappedFile::Region region;
base::ScopedFD read_pipe_fd = base::FileDescriptorStore::GetInstance().TakeFD(
kNetworkContextParentDirsDescriptor, &region);
DCHECK(region == base::MemoryMappedFile::Region::kWholeFile);
std::string dirs_str;
if (!base::ReadStreamToString(fdopen(read_pipe_fd.get(), "r"), &dirs_str)) {
LOG(FATAL) << "Failed to read network context parents dirs from pipe.";
}
base::Pickle dirs_pickle(dirs_str.data(), dirs_str.length());
base::PickleIterator dirs_pickle_iter(dirs_pickle);
std::vector<std::string> dirs;
std::string dir;
while (dirs_pickle_iter.ReadString(&dir)) {
dirs.push_back(dir);
}
CHECK(dirs_pickle_iter.ReachedEnd());
return dirs;
}
bool ShouldUseAmdGpuPolicy(sandbox::mojom::Sandbox sandbox_type) {
const bool obtain_gpu_info =
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
sandbox_type == sandbox::mojom::Sandbox::kHardwareVideoDecoding ||
#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
sandbox_type == sandbox::mojom::Sandbox::kHardwareVideoEncoding;
if (obtain_gpu_info) {
// The kHardwareVideoDecoding and kHardwareVideoEncoding sandboxes need to
// know the GPU type in order to select the right policy.
gpu::GPUInfo gpu_info{};
gpu::CollectBasicGraphicsInfo(&gpu_info);
return angle::IsAMD(gpu_info.active_gpu().vendor_id);
}
return false;
}
#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
#if BUILDFLAG(IS_WIN)
// Handle pre-lockdown sandbox hooks
bool PreLockdownSandboxHook(base::span<const uint8_t> delegate_blob) {
// TODO(1435571) Migrate other settable things to delegate_data.
CHECK(!delegate_blob.empty());
content::mojom::sandbox::UtilityConfigPtr sandbox_config;
if (!content::mojom::sandbox::UtilityConfig::Deserialize(
delegate_blob.data(), delegate_blob.size(), &sandbox_config)) {
NOTREACHED_NORETURN();
}
if (!sandbox_config->preload_libraries.empty()) {
for (const auto& library_path : sandbox_config->preload_libraries) {
CHECK(library_path.IsAbsolute());
base::NativeLibraryLoadError lib_error;
HMODULE h_mod = base::LoadNativeLibrary(library_path, &lib_error);
// We deliberately "leak" `h_mod` so that the module stays loaded.
if (!h_mod) {
base::UmaHistogramSparse(
"Process.Sandbox.PreloadLibraryFailed.ErrorCode", lib_error.code);
// The browser should not request libraries that do not exist, so crash
// on failure.
wchar_t dll_name[MAX_PATH];
base::wcslcpy(dll_name, library_path.value().c_str(), MAX_PATH);
base::debug::Alias(dll_name);
base::debug::Alias(&lib_error);
NOTREACHED_NORETURN();
}
}
}
if (sandbox_config->pin_user32) {
base::win::PinUser32();
}
return true;
}
#endif // BUILDFLAG(IS_WIN)
void SetUtilityThreadName(const std::string utility_sub_type) {
// Typical utility sub-types are audio.mojom.AudioService or
// proxy_resolver.mojom.ProxyResolverFactory. Using the full sub-type as part
// of the thread name is too verbose so we take the text in front of the first
// period and use that as a prefix. This give us thread names like
// audio.CrUtilityMain and proxy_resolver.CrUtilityMain. If there is no period
// then the entire utility_sub_type string will be put in front.
auto first_period = utility_sub_type.find('.');
base::PlatformThread::SetName(
(utility_sub_type.substr(0, first_period) + ".CrUtilityMain").c_str());
}
} // namespace
// Mainline routine for running as the utility process.
int UtilityMain(MainFunctionParams parameters) {
base::MessagePumpType message_pump_type =
parameters.command_line->HasSwitch(switches::kMessageLoopTypeUi)
? base::MessagePumpType::UI
: base::MessagePumpType::DEFAULT;
if (parameters.command_line->GetSwitchValueASCII(switches::kUtilitySubType) ==
on_device_model::mojom::OnDeviceModelService::Name_) {
CHECK(on_device_model::OnDeviceModelService::PreSandboxInit());
}
#if BUILDFLAG(IS_MAC)
auto sandbox_type =
sandbox::policy::SandboxTypeFromCommandLine(*parameters.command_line);
if (sandbox_type != sandbox::mojom::Sandbox::kNoSandbox) {
// On Mac, the TYPE_UI pump for the main thread is an NSApplication loop.
// In a sandboxed utility process, NSApp attempts to acquire more Mach
// resources than a restrictive sandbox policy should allow. Services that
// require a TYPE_UI pump generally just need a NS/CFRunLoop to pump system
// work sources, so choose that pump type instead. A NSRunLoop MessagePump
// is used for TYPE_UI MessageLoops on non-main threads.
base::MessagePump::OverrideMessagePumpForUIFactory(
[]() -> std::unique_ptr<base::MessagePump> {
return std::make_unique<base::MessagePumpNSRunLoop>();
});
}
#endif
#if BUILDFLAG(IS_FUCHSIA)
// On Fuchsia always use IO threads to allow FIDL calls.
if (message_pump_type == base::MessagePumpType::DEFAULT)
message_pump_type = base::MessagePumpType::IO;
#endif // BUILDFLAG(IS_FUCHSIA)
if (parameters.command_line->HasSwitch(switches::kTimeZoneForTesting)) {
std::string time_zone = parameters.command_line->GetSwitchValueASCII(
switches::kTimeZoneForTesting);
icu::TimeZone::adoptDefault(
icu::TimeZone::createTimeZone(icu::UnicodeString(time_zone.c_str())));
}
// The main task executor of the utility process.
base::SingleThreadTaskExecutor main_thread_task_executor(message_pump_type);
const std::string utility_sub_type =
parameters.command_line->GetSwitchValueASCII(switches::kUtilitySubType);
SetUtilityThreadName(utility_sub_type);
if (parameters.command_line->HasSwitch(switches::kUtilityStartupDialog)) {
auto dialog_match = parameters.command_line->GetSwitchValueASCII(
switches::kUtilityStartupDialog);
if (dialog_match.empty() || dialog_match == utility_sub_type) {
WaitForDebugger(utility_sub_type.empty() ? "Utility" : utility_sub_type);
}
}
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
// Thread type delegate of the process should be registered before
// first thread type change in ChildProcess constructor.
// It also needs to be registered before the process has multiple threads,
// which may race with application of the sandbox.
if (base::FeatureList::IsEnabled(
features::kHandleChildThreadTypeChangesInBrowser)) {
SandboxedProcessThreadTypeHandler::Create();
}
#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
// Initializes the sandbox before any threads are created.
// TODO(jorgelo): move this after GTK initialization when we enable a strict
// Seccomp-BPF policy.
auto sandbox_type =
sandbox::policy::SandboxTypeFromCommandLine(*parameters.command_line);
sandbox::policy::SandboxLinux::Options sandbox_options;
sandbox::policy::SandboxLinux::PreSandboxHook pre_sandbox_hook;
switch (sandbox_type) {
case sandbox::mojom::Sandbox::kNetwork:
pre_sandbox_hook = base::BindOnce(&network::NetworkPreSandboxHook,
GetNetworkContextsParentDirectories());
break;
#if BUILDFLAG(ENABLE_OOP_PRINTING)
case sandbox::mojom::Sandbox::kPrintBackend:
pre_sandbox_hook = base::BindOnce(&printing::PrintBackendPreSandboxHook);
break;
#endif // BUILDFLAG(ENABLE_OOP_PRINTING)
case sandbox::mojom::Sandbox::kAudio:
pre_sandbox_hook = base::BindOnce(&audio::AudioPreSandboxHook);
break;
case sandbox::mojom::Sandbox::kOnDeviceModelExecution:
on_device_model::OnDeviceModelService::AddSandboxLinuxOptions(
sandbox_options);
pre_sandbox_hook = base::BindOnce(&GpuPreSandboxHook);
break;
case sandbox::mojom::Sandbox::kSpeechRecognition:
pre_sandbox_hook =
base::BindOnce(&speech::SpeechRecognitionPreSandboxHook);
break;
#if BUILDFLAG(ENABLE_SCREEN_AI_SERVICE)
case sandbox::mojom::Sandbox::kScreenAI:
pre_sandbox_hook = base::BindOnce(&screen_ai::ScreenAIPreSandboxHook);
break;
#endif
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
case sandbox::mojom::Sandbox::kHardwareVideoDecoding:
pre_sandbox_hook =
base::BindOnce(&media::HardwareVideoDecodingPreSandboxHook);
break;
#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
case sandbox::mojom::Sandbox::kHardwareVideoEncoding:
pre_sandbox_hook =
base::BindOnce(&media::HardwareVideoEncodingPreSandboxHook);
break;
#if BUILDFLAG(IS_CHROMEOS_ASH)
case sandbox::mojom::Sandbox::kIme:
pre_sandbox_hook = base::BindOnce(&ash::ime::ImePreSandboxHook);
break;
case sandbox::mojom::Sandbox::kTts:
pre_sandbox_hook = base::BindOnce(&chromeos::tts::TtsPreSandboxHook);
break;
#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
case sandbox::mojom::Sandbox::kLibassistant:
pre_sandbox_hook =
base::BindOnce(&ash::libassistant::LibassistantPreSandboxHook);
break;
#endif // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
default:
break;
}
if (!sandbox::policy::IsUnsandboxedSandboxType(sandbox_type) &&
(parameters.zygote_child || !pre_sandbox_hook.is_null())) {
sandbox_options.use_amd_specific_policies =
ShouldUseAmdGpuPolicy(sandbox_type);
sandbox::policy::Sandbox::Initialize(
sandbox_type, std::move(pre_sandbox_hook), sandbox_options);
}
// Start the HangWatcher now that the sandbox is engaged, if it hasn't
// already been started.
if (base::HangWatcher::IsEnabled() &&
!base::HangWatcher::GetInstance()->IsStarted()) {
DCHECK(parameters.hang_watcher_not_started_time.has_value());
base::TimeDelta uncovered_hang_watcher_time =
base::TimeTicks::Now() -
parameters.hang_watcher_not_started_time.value();
base::UmaHistogramTimes("HangWatcher.UtilityProcess.UncoveredStartupTime",
uncovered_hang_watcher_time);
base::HangWatcher::GetInstance()->Start();
}
#elif BUILDFLAG(IS_WIN)
g_utility_target_services = parameters.sandbox_info->target_services;
// Call hooks with data provided by UtilitySandboxedProcessLauncherDelegate.
// Must happen before IO thread to preempt any mojo services starting.
if (g_utility_target_services) {
auto delegate_data = g_utility_target_services->GetDelegateData();
if (delegate_data.has_value() && !delegate_data->empty()) {
PreLockdownSandboxHook(delegate_data.value());
}
}
#endif
ChildProcess utility_process(base::ThreadType::kDefault);
GetContentClient()->utility()->PostIOThreadCreated(
utility_process.io_task_runner());
base::RunLoop run_loop;
utility_process.set_main_thread(
new UtilityThreadImpl(run_loop.QuitClosure()));
// Mojo IPC support is brought up by UtilityThreadImpl, so startup tracing
// is enabled here if it needs to start after mojo init (normally so the mojo
// broker can bypass the sandbox to allocate startup tracing's SMB).
if (parameters.needs_startup_tracing_after_mojo_init) {
tracing::EnableStartupTracingIfNeeded();
}
// Both utility process and service utility process would come
// here, but the later is launched without connection to service manager, so
// there has no base::PowerMonitor be created(See ChildThreadImpl::Init()).
// As base::PowerMonitor is necessary to base::HighResolutionTimerManager, for
// such case we just disable base::HighResolutionTimerManager for now.
// Note that disabling base::HighResolutionTimerManager means high resolution
// timer is always disabled no matter on battery or not, but it should have
// no any bad influence because currently service utility process is not using
// any high resolution timer.
// TODO(leonhsl): Once http://crbug.com/646833 got resolved, re-enable
// base::HighResolutionTimerManager here for future possible usage of high
// resolution timer in service utility process.
std::optional<base::HighResolutionTimerManager> hi_res_timer_manager;
if (base::PowerMonitor::IsInitialized()) {
hi_res_timer_manager.emplace();
}
#if BUILDFLAG(IS_WIN)
auto sandbox_type =
sandbox::policy::SandboxTypeFromCommandLine(*parameters.command_line);
DVLOG(1) << "Sandbox type: " << static_cast<int>(sandbox_type);
// https://crbug.com/1076771 https://crbug.com/1075487 Premature unload of
// shell32 caused process to crash during process shutdown. See also a
// separate fix for https://crbug.com/1139752. Fixed in Windows 11.
if (base::win::GetVersion() < base::win::Version::WIN11) {
HMODULE shell32_pin = ::LoadLibrary(L"shell32.dll");
UNREFERENCED_PARAMETER(shell32_pin);
}
// Not all utility processes require DPI awareness as this context only
// pertains to certain workloads & impacted system API calls (e.g. UX
// scaling or per-monitor windowing). We do not blanket apply DPI awareness
// as utility processes running within a kService sandbox with the Win32K
// Lockdown policy applied may crash when calling EnableHighDPISupport. See
// crbug.com/978133.
if (sandbox_type == sandbox::mojom::Sandbox::kMediaFoundationCdm) {
// The Media Foundation Utility Process needs to be marked as DPI aware so
// the Media Engine & CDM can correctly identify the target monitor for
// video output. This is required to ensure that the proper monitor is
// queried for hardware capabilities & any settings are applied to the
// correct monitor.
base::win::EnableHighDPISupport();
}
if (!sandbox::policy::IsUnsandboxedSandboxType(sandbox_type) &&
sandbox_type != sandbox::mojom::Sandbox::kCdm &&
sandbox_type != sandbox::mojom::Sandbox::kMediaFoundationCdm) {
if (!g_utility_target_services)
return false;
sandbox::policy::WarmupRandomnessInfrastructure();
g_utility_target_services->LowerToken();
}
#endif
base::allocator::PartitionAllocSupport::Get()->ReconfigureAfterTaskRunnerInit(
switches::kUtilityProcess);
run_loop.Run();
#if defined(LEAK_SANITIZER)
// Invoke LeakSanitizer before shutting down the utility thread, to avoid
// reporting shutdown-only leaks.
__lsan_do_leak_check();
#endif
return 0;
}
} // namespace content