services/service_manager/sandbox/sandbox.cc - chromium/src - Git at Google

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "services/service_manager/sandbox/sandbox.h"

 #include "base/command_line.h"
 #include "build/build_config.h"
 #include "services/service_manager/sandbox/switches.h"

 #if defined(OS_ANDROID)
 #include "base/android/jni_android.h"
 #endif  // defined(OS_ANDROID)

 #if defined(OS_LINUX)
 #include "services/service_manager/sandbox/linux/sandbox_linux.h"
 #endif  // defined(OS_LINUX)

 #if defined(OS_MACOSX)
 #include "sandbox/mac/seatbelt.h"
 #include "services/service_manager/sandbox/mac/sandbox_mac.h"
 #endif  // defined(OS_MACOSX)

 #if defined(OS_WIN)
 #include "base/process/process_info.h"
 #include "sandbox/win/src/sandbox.h"
 #include "services/service_manager/sandbox/win/sandbox_win.h"
 #endif  // defined(OS_WIN)

 namespace service_manager {

 #if defined(OS_LINUX)
 bool Sandbox::Initialize(SandboxType sandbox_type,
                          SandboxLinux::PreSandboxHook hook,
                          const SandboxLinux::Options& options) {
   return SandboxLinux::GetInstance()->InitializeSandbox(
       sandbox_type, std::move(hook), options);
 }
 #endif  // defined(OS_LINUX)

 #if defined(OS_MACOSX)
 bool Sandbox::Initialize(SandboxType sandbox_type, base::OnceClosure hook) {
   // Warm up APIs before turning on the sandbox.
   SandboxMac::Warmup(sandbox_type);

   // Execute the post warmup callback.
   if (!hook.is_null())
     std::move(hook).Run();

   // Actually sandbox the process.
   return SandboxMac::Enable(sandbox_type);
 }
 #endif  // defined(OS_MACOSX)

 #if defined(OS_WIN)
 bool Sandbox::Initialize(SandboxType sandbox_type,
                          sandbox::SandboxInterfaceInfo* sandbox_info) {
   sandbox::BrokerServices* broker_services = sandbox_info->broker_services;
   if (broker_services) {
     if (!SandboxWin::InitBrokerServices(broker_services))
       return false;

     // IMPORTANT: This piece of code needs to run as early as possible in the
     // process because it will initialize the sandbox broker, which requires the
     // process to swap its window station. During this time all the UI will be
     // broken. This has to run before threads and windows are created.
     if (!IsUnsandboxedSandboxType(sandbox_type)) {
       // Precreate the desktop and window station used by the renderers.
       scoped_refptr<sandbox::TargetPolicy> policy =
           broker_services->CreatePolicy();
       sandbox::ResultCode result = policy->CreateAlternateDesktop(true);
       CHECK(sandbox::SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION != result);
     }
     return true;
   }
   return IsUnsandboxedSandboxType(sandbox_type) ||
          SandboxWin::InitTargetServices(sandbox_info->target_services);
 }
 #endif  // defined(OS_WIN)

 // static
 bool Sandbox::IsProcessSandboxed() {
   auto* command_line = base::CommandLine::ForCurrentProcess();
   bool is_browser = !command_line->HasSwitch(switches::kProcessType);

   if (!is_browser &&
       base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kNoSandbox)) {
     // When running with --no-sandbox, unconditionally report the process as
     // sandboxed. This lets code write |DCHECK(IsProcessSandboxed())| and not
     // break when testing with the --no-sandbox switch.
     return true;
   }

 #if defined(OS_ANDROID)
   // Note that this does not check the status of the Seccomp sandbox. Call
   // https://developer.android.com/reference/android/os/Process#isIsolated().
   JNIEnv* env = base::android::AttachCurrentThread();
   base::android::ScopedJavaLocalRef<jclass> process_class =
       base::android::GetClass(env, "android/os/Process");
   jmethodID is_isolated =
       base::android::MethodID::Get<base::android::MethodID::TYPE_STATIC>(
           env, process_class.obj(), "isIsolated", "()Z");
   return env->CallStaticBooleanMethod(process_class.obj(), is_isolated);
 #elif defined(OS_FUCHSIA)
   // TODO(https://crbug.com/1071420): Figure out what to do here. Process
   // launching controls the sandbox and there are no ambient capabilities, so
   // basically everything but the browser is considered sandboxed.
   return !is_browser;
 #elif defined(OS_LINUX)
   int status = SandboxLinux::GetInstance()->GetStatus();
   constexpr int kLayer1Flags = SandboxLinux::Status::kSUID |
                                SandboxLinux::Status::kPIDNS |
                                SandboxLinux::Status::kUserNS;
   constexpr int kLayer2Flags =
       SandboxLinux::Status::kSeccompBPF | SandboxLinux::Status::kSeccompTSYNC;
   return (status & kLayer1Flags) != 0 && (status & kLayer2Flags) != 0;
 #elif defined(OS_MACOSX)
   return sandbox::Seatbelt::IsSandboxed();
 #elif defined(OS_WIN)
   return base::GetCurrentProcessIntegrityLevel() < base::MEDIUM_INTEGRITY;
 #else
   return false;
 #endif
 }

 }  // namespace service_manager
	// Copyright 2017 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "services/service_manager/sandbox/sandbox.h"

	#include "base/command_line.h"
	#include "build/build_config.h"
	#include "services/service_manager/sandbox/switches.h"

	#if defined(OS_ANDROID)
	#include "base/android/jni_android.h"
	#endif // defined(OS_ANDROID)

	#if defined(OS_LINUX)
	#include "services/service_manager/sandbox/linux/sandbox_linux.h"
	#endif // defined(OS_LINUX)

	#if defined(OS_MACOSX)
	#include "sandbox/mac/seatbelt.h"
	#include "services/service_manager/sandbox/mac/sandbox_mac.h"
	#endif // defined(OS_MACOSX)

	#if defined(OS_WIN)
	#include "base/process/process_info.h"
	#include "sandbox/win/src/sandbox.h"
	#include "services/service_manager/sandbox/win/sandbox_win.h"
	#endif // defined(OS_WIN)

	namespace service_manager {

	#if defined(OS_LINUX)
	bool Sandbox::Initialize(SandboxType sandbox_type,
	SandboxLinux::PreSandboxHook hook,
	const SandboxLinux::Options& options) {
	return SandboxLinux::GetInstance()->InitializeSandbox(
	sandbox_type, std::move(hook), options);
	}
	#endif // defined(OS_LINUX)

	#if defined(OS_MACOSX)
	bool Sandbox::Initialize(SandboxType sandbox_type, base::OnceClosure hook) {
	// Warm up APIs before turning on the sandbox.
	SandboxMac::Warmup(sandbox_type);

	// Execute the post warmup callback.
	if (!hook.is_null())
	std::move(hook).Run();

	// Actually sandbox the process.
	return SandboxMac::Enable(sandbox_type);
	}
	#endif // defined(OS_MACOSX)

	#if defined(OS_WIN)
	bool Sandbox::Initialize(SandboxType sandbox_type,
	sandbox::SandboxInterfaceInfo* sandbox_info) {
	sandbox::BrokerServices* broker_services = sandbox_info->broker_services;
	if (broker_services) {
	if (!SandboxWin::InitBrokerServices(broker_services))
	return false;

	// IMPORTANT: This piece of code needs to run as early as possible in the
	// process because it will initialize the sandbox broker, which requires the
	// process to swap its window station. During this time all the UI will be
	// broken. This has to run before threads and windows are created.
	if (!IsUnsandboxedSandboxType(sandbox_type)) {
	// Precreate the desktop and window station used by the renderers.
	scoped_refptr<sandbox::TargetPolicy> policy =
	broker_services->CreatePolicy();
	sandbox::ResultCode result = policy->CreateAlternateDesktop(true);
	CHECK(sandbox::SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION != result);
	}
	return true;
	}
	return IsUnsandboxedSandboxType(sandbox_type) \|\|
	SandboxWin::InitTargetServices(sandbox_info->target_services);
	}
	#endif // defined(OS_WIN)

	// static
	bool Sandbox::IsProcessSandboxed() {
	auto* command_line = base::CommandLine::ForCurrentProcess();
	bool is_browser = !command_line->HasSwitch(switches::kProcessType);

	if (!is_browser &&
	base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kNoSandbox)) {
	// When running with --no-sandbox, unconditionally report the process as
	// sandboxed. This lets code write \|DCHECK(IsProcessSandboxed())\| and not
	// break when testing with the --no-sandbox switch.
	return true;
	}

	#if defined(OS_ANDROID)
	// Note that this does not check the status of the Seccomp sandbox. Call
	// https://developer.android.com/reference/android/os/Process#isIsolated().
	JNIEnv* env = base::android::AttachCurrentThread();
	base::android::ScopedJavaLocalRef<jclass> process_class =
	base::android::GetClass(env, "android/os/Process");
	jmethodID is_isolated =
	base::android::MethodID::Get<base::android::MethodID::TYPE_STATIC>(
	env, process_class.obj(), "isIsolated", "()Z");
	return env->CallStaticBooleanMethod(process_class.obj(), is_isolated);
	#elif defined(OS_FUCHSIA)
	// TODO(https://crbug.com/1071420): Figure out what to do here. Process
	// launching controls the sandbox and there are no ambient capabilities, so
	// basically everything but the browser is considered sandboxed.
	return !is_browser;
	#elif defined(OS_LINUX)
	int status = SandboxLinux::GetInstance()->GetStatus();
	constexpr int kLayer1Flags = SandboxLinux::Status::kSUID \|
	SandboxLinux::Status::kPIDNS \|
	SandboxLinux::Status::kUserNS;
	constexpr int kLayer2Flags =
	SandboxLinux::Status::kSeccompBPF \| SandboxLinux::Status::kSeccompTSYNC;
	return (status & kLayer1Flags) != 0 && (status & kLayer2Flags) != 0;
	#elif defined(OS_MACOSX)
	return sandbox::Seatbelt::IsSandboxed();
	#elif defined(OS_WIN)
	return base::GetCurrentProcessIntegrityLevel() < base::MEDIUM_INTEGRITY;
	#else
	return false;
	#endif
	}

	} // namespace service_manager