1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "content/browser/plugin_process_host.h"
6
7#if defined(OS_WIN)
8#include <windows.h>
9#elif defined(OS_POSIX)
10#include <utility>  // for pair<>
11#endif
12
13#include <vector>
14
15#include "base/base_switches.h"
16#include "base/bind.h"
17#include "base/command_line.h"
18#include "base/files/file_path.h"
19#include "base/lazy_instance.h"
20#include "base/logging.h"
21#include "base/metrics/histogram.h"
22#include "base/path_service.h"
23#include "base/strings/string_number_conversions.h"
24#include "base/strings/string_util.h"
25#include "base/strings/utf_string_conversions.h"
26#include "base/synchronization/lock.h"
27#include "content/browser/browser_child_process_host_impl.h"
28#include "content/browser/loader/resource_message_filter.h"
29#include "content/browser/gpu/gpu_data_manager_impl.h"
30#include "content/browser/plugin_service_impl.h"
31#include "content/common/child_process_host_impl.h"
32#include "content/common/plugin_process_messages.h"
33#include "content/common/resource_messages.h"
34#include "content/public/browser/browser_thread.h"
35#include "content/public/browser/content_browser_client.h"
36#include "content/public/browser/notification_types.h"
37#include "content/public/browser/plugin_service.h"
38#include "content/public/browser/resource_context.h"
39#include "content/public/common/content_switches.h"
40#include "content/public/common/process_type.h"
41#include "content/public/common/sandboxed_process_launcher_delegate.h"
42#include "ipc/ipc_switches.h"
43#include "net/url_request/url_request_context_getter.h"
44#include "ui/base/ui_base_switches.h"
45#include "ui/gfx/native_widget_types.h"
46#include "ui/gfx/switches.h"
47#include "ui/gl/gl_switches.h"
48
49#if defined(OS_MACOSX)
50#include "base/mac/mac_util.h"
51#include "ui/gfx/rect.h"
52#endif
53
54#if defined(OS_WIN)
55#include "base/win/windows_version.h"
56#include "content/common/plugin_constants_win.h"
57#endif
58
59namespace content {
60
61namespace {
62
63base::LazyInstance<std::map<base::ProcessId, WebPluginInfo> >
64    g_process_webplugin_info = LAZY_INSTANCE_INITIALIZER;
65base::LazyInstance<base::Lock>::Leaky
66    g_process_webplugin_info_lock = LAZY_INSTANCE_INITIALIZER;
67}
68
69bool PluginProcessHost::GetWebPluginInfoFromPluginPid(base::ProcessId pid,
70                                                      WebPluginInfo* info) {
71  base::AutoLock lock(g_process_webplugin_info_lock.Get());
72  if (!g_process_webplugin_info.Get().count(pid))
73    return false;
74
75  *info = g_process_webplugin_info.Get()[pid];
76  return true;
77}
78
79#if defined(OS_WIN)
80void PluginProcessHost::OnPluginWindowDestroyed(HWND window, HWND parent) {
81  // The window is destroyed at this point, we just care about its parent, which
82  // is the intermediate window we created.
83  std::set<HWND>::iterator window_index =
84      plugin_parent_windows_set_.find(parent);
85  if (window_index == plugin_parent_windows_set_.end())
86    return;
87
88  plugin_parent_windows_set_.erase(window_index);
89  PostMessage(parent, WM_CLOSE, 0, 0);
90}
91
92void PluginProcessHost::AddWindow(HWND window) {
93  plugin_parent_windows_set_.insert(window);
94}
95#endif  // defined(OS_WIN)
96
97// NOTE: changes to this class need to be reviewed by the security team.
98class PluginSandboxedProcessLauncherDelegate
99    : public SandboxedProcessLauncherDelegate {
100 public:
101  explicit PluginSandboxedProcessLauncherDelegate(ChildProcessHost* host)
102#if defined(OS_POSIX)
103      : ipc_fd_(host->TakeClientFileDescriptor())
104#endif  // OS_POSIX
105  {}
106
107  virtual ~PluginSandboxedProcessLauncherDelegate() {}
108
109#if defined(OS_WIN)
110  virtual bool ShouldSandbox() OVERRIDE {
111    return false;
112  }
113
114#elif defined(OS_POSIX)
115  virtual int GetIpcFd() OVERRIDE {
116    return ipc_fd_;
117  }
118#endif  // OS_WIN
119
120 private:
121#if defined(OS_POSIX)
122  int ipc_fd_;
123#endif  // OS_POSIX
124
125  DISALLOW_COPY_AND_ASSIGN(PluginSandboxedProcessLauncherDelegate);
126};
127
128PluginProcessHost::PluginProcessHost()
129    : pid_(base::kNullProcessId)
130#if defined(OS_MACOSX)
131    , plugin_cursor_visible_(true)
132#endif
133{
134  process_.reset(new BrowserChildProcessHostImpl(PROCESS_TYPE_PLUGIN, this));
135}
136
137PluginProcessHost::~PluginProcessHost() {
138#if defined(OS_WIN)
139  // We erase HWNDs from the plugin_parent_windows_set_ when we receive a
140  // notification that the window is being destroyed. If we don't receive this
141  // notification and the PluginProcessHost instance is being destroyed, it
142  // means that the plugin process crashed. We paint a sad face in this case in
143  // the renderer process. To ensure that the sad face shows up, and we don't
144  // leak HWNDs, we should destroy existing plugin parent windows.
145  std::set<HWND>::iterator window_index;
146  for (window_index = plugin_parent_windows_set_.begin();
147       window_index != plugin_parent_windows_set_.end();
148       ++window_index) {
149    PostMessage(*window_index, WM_CLOSE, 0, 0);
150  }
151#elif defined(OS_MACOSX)
152  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
153  // If the plugin process crashed but had fullscreen windows open at the time,
154  // make sure that the menu bar is visible.
155  for (size_t i = 0; i < plugin_fullscreen_windows_set_.size(); ++i) {
156    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
157                            base::Bind(base::mac::ReleaseFullScreen,
158                                       base::mac::kFullScreenModeHideAll));
159  }
160  // If the plugin hid the cursor, reset that.
161  if (!plugin_cursor_visible_) {
162    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
163                            base::Bind(base::mac::SetCursorVisibility, true));
164  }
165#endif
166  // Cancel all pending and sent requests.
167  CancelRequests();
168
169  {
170    base::AutoLock lock(g_process_webplugin_info_lock.Get());
171    g_process_webplugin_info.Get()[pid_] = info_;
172  }
173}
174
175bool PluginProcessHost::Send(IPC::Message* message) {
176  return process_->Send(message);
177}
178
179bool PluginProcessHost::Init(const WebPluginInfo& info) {
180  info_ = info;
181  process_->SetName(info_.name);
182
183  std::string channel_id = process_->GetHost()->CreateChannel();
184  if (channel_id.empty())
185    return false;
186
187  // Build command line for plugin. When we have a plugin launcher, we can't
188  // allow "self" on linux and we need the real file path.
189  const base::CommandLine& browser_command_line =
190      *base::CommandLine::ForCurrentProcess();
191  base::CommandLine::StringType plugin_launcher =
192      browser_command_line.GetSwitchValueNative(switches::kPluginLauncher);
193
194#if defined(OS_MACOSX)
195  // Run the plug-in process in a mode tolerant of heap execution without
196  // explicit mprotect calls. Some plug-ins still rely on this quaint and
197  // archaic "feature." See http://crbug.com/93551.
198  int flags = ChildProcessHost::CHILD_ALLOW_HEAP_EXECUTION;
199#elif defined(OS_LINUX)
200  int flags = plugin_launcher.empty() ? ChildProcessHost::CHILD_ALLOW_SELF :
201                                        ChildProcessHost::CHILD_NORMAL;
202#else
203  int flags = ChildProcessHost::CHILD_NORMAL;
204#endif
205
206  base::FilePath exe_path = ChildProcessHost::GetChildPath(flags);
207  if (exe_path.empty())
208    return false;
209
210  base::CommandLine* cmd_line = new base::CommandLine(exe_path);
211  // Put the process type and plugin path first so they're easier to see
212  // in process listings using native process management tools.
213  cmd_line->AppendSwitchASCII(switches::kProcessType, switches::kPluginProcess);
214  cmd_line->AppendSwitchPath(switches::kPluginPath, info.path);
215
216  // Propagate the following switches to the plugin command line (along with
217  // any associated values) if present in the browser command line
218  static const char* const kSwitchNames[] = {
219    switches::kDisableBreakpad,
220    switches::kDisableDirectNPAPIRequests,
221    switches::kEnableStatsTable,
222    switches::kFullMemoryCrashReport,
223    switches::kLoggingLevel,
224    switches::kLogPluginMessages,
225    switches::kNoSandbox,
226    switches::kPluginStartupDialog,
227    switches::kTraceStartup,
228    switches::kUseGL,
229    switches::kForceDeviceScaleFactor,
230#if defined(OS_MACOSX)
231    switches::kDisableCoreAnimationPlugins,
232    switches::kEnableSandboxLogging,
233#endif
234  };
235
236  cmd_line->CopySwitchesFrom(browser_command_line, kSwitchNames,
237                             arraysize(kSwitchNames));
238
239  GpuDataManagerImpl::GetInstance()->AppendPluginCommandLine(cmd_line);
240
241  // If specified, prepend a launcher program to the command line.
242  if (!plugin_launcher.empty())
243    cmd_line->PrependWrapper(plugin_launcher);
244
245  std::string locale = GetContentClient()->browser()->GetApplicationLocale();
246  if (!locale.empty()) {
247    // Pass on the locale so the null plugin will use the right language in the
248    // prompt to install the desired plugin.
249    cmd_line->AppendSwitchASCII(switches::kLang, locale);
250  }
251
252  cmd_line->AppendSwitchASCII(switches::kProcessChannelID, channel_id);
253
254  process_->Launch(
255      new PluginSandboxedProcessLauncherDelegate(process_->GetHost()),
256      cmd_line);
257
258  // The plugin needs to be shutdown gracefully, i.e. NP_Shutdown needs to be
259  // called on the plugin. The plugin process exits when it receives the
260  // OnChannelError notification indicating that the browser plugin channel has
261  // been destroyed.
262  process_->SetTerminateChildOnShutdown(false);
263
264  ResourceMessageFilter::GetContextsCallback get_contexts_callback(
265      base::Bind(&PluginProcessHost::GetContexts,
266      base::Unretained(this)));
267
268  // TODO(jam): right now we're passing NULL for appcache, blob storage, and
269  // file system. If NPAPI plugins actually use this, we'll have to plumb them.
270  ResourceMessageFilter* resource_message_filter = new ResourceMessageFilter(
271      process_->GetData().id, PROCESS_TYPE_PLUGIN, NULL, NULL, NULL, NULL,
272      get_contexts_callback);
273  process_->AddFilter(resource_message_filter);
274  return true;
275}
276
277void PluginProcessHost::ForceShutdown() {
278  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
279  Send(new PluginProcessMsg_NotifyRenderersOfPendingShutdown());
280  process_->ForceShutdown();
281}
282
283bool PluginProcessHost::OnMessageReceived(const IPC::Message& msg) {
284  bool handled = true;
285  IPC_BEGIN_MESSAGE_MAP(PluginProcessHost, msg)
286    IPC_MESSAGE_HANDLER(PluginProcessHostMsg_ChannelCreated, OnChannelCreated)
287    IPC_MESSAGE_HANDLER(PluginProcessHostMsg_ChannelDestroyed,
288                        OnChannelDestroyed)
289#if defined(OS_WIN)
290    IPC_MESSAGE_HANDLER(PluginProcessHostMsg_PluginWindowDestroyed,
291                        OnPluginWindowDestroyed)
292#endif
293#if defined(OS_MACOSX)
294    IPC_MESSAGE_HANDLER(PluginProcessHostMsg_PluginShowWindow,
295                        OnPluginShowWindow)
296    IPC_MESSAGE_HANDLER(PluginProcessHostMsg_PluginHideWindow,
297                        OnPluginHideWindow)
298    IPC_MESSAGE_HANDLER(PluginProcessHostMsg_PluginSetCursorVisibility,
299                        OnPluginSetCursorVisibility)
300#endif
301    IPC_MESSAGE_UNHANDLED(handled = false)
302  IPC_END_MESSAGE_MAP()
303
304  return handled;
305}
306
307void PluginProcessHost::OnChannelConnected(int32 peer_pid) {
308  for (size_t i = 0; i < pending_requests_.size(); ++i) {
309    RequestPluginChannel(pending_requests_[i]);
310  }
311
312  pending_requests_.clear();
313
314  pid_ = peer_pid;
315  {
316    base::AutoLock lock(g_process_webplugin_info_lock.Get());
317    g_process_webplugin_info.Get()[pid_] = info_;
318  }
319}
320
321void PluginProcessHost::OnChannelError() {
322  CancelRequests();
323}
324
325bool PluginProcessHost::CanShutdown() {
326  return sent_requests_.empty();
327}
328
329void PluginProcessHost::OnProcessCrashed(int exit_code) {
330  PluginServiceImpl::GetInstance()->RegisterPluginCrash(info_.path);
331}
332
333void PluginProcessHost::CancelRequests() {
334  for (size_t i = 0; i < pending_requests_.size(); ++i)
335    pending_requests_[i]->OnError();
336  pending_requests_.clear();
337
338  while (!sent_requests_.empty()) {
339    Client* client = sent_requests_.front();
340    if (client)
341      client->OnError();
342    sent_requests_.pop_front();
343  }
344}
345
346void PluginProcessHost::OpenChannelToPlugin(Client* client) {
347  BrowserThread::PostTask(
348      BrowserThread::UI, FROM_HERE,
349      base::Bind(&BrowserChildProcessHostImpl::NotifyProcessInstanceCreated,
350                 process_->GetData()));
351  client->SetPluginInfo(info_);
352  if (process_->GetHost()->IsChannelOpening()) {
353    // The channel is already in the process of being opened.  Put
354    // this "open channel" request into a queue of requests that will
355    // be run once the channel is open.
356    pending_requests_.push_back(client);
357    return;
358  }
359
360  // We already have an open channel, send a request right away to plugin.
361  RequestPluginChannel(client);
362}
363
364void PluginProcessHost::CancelPendingRequest(Client* client) {
365  std::vector<Client*>::iterator it = pending_requests_.begin();
366  while (it != pending_requests_.end()) {
367    if (client == *it) {
368      pending_requests_.erase(it);
369      return;
370    }
371    ++it;
372  }
373  DCHECK(it != pending_requests_.end());
374}
375
376void PluginProcessHost::CancelSentRequest(Client* client) {
377  std::list<Client*>::iterator it = sent_requests_.begin();
378  while (it != sent_requests_.end()) {
379    if (client == *it) {
380      *it = NULL;
381      return;
382    }
383    ++it;
384  }
385  DCHECK(it != sent_requests_.end());
386}
387
388void PluginProcessHost::RequestPluginChannel(Client* client) {
389  // We can't send any sync messages from the browser because it might lead to
390  // a hang.  However this async messages must be answered right away by the
391  // plugin process (i.e. unblocks a Send() call like a sync message) otherwise
392  // a deadlock can occur if the plugin creation request from the renderer is
393  // a result of a sync message by the plugin process.
394  PluginProcessMsg_CreateChannel* msg =
395      new PluginProcessMsg_CreateChannel(
396          client->ID(),
397          client->OffTheRecord());
398  msg->set_unblock(true);
399  if (Send(msg)) {
400    sent_requests_.push_back(client);
401    client->OnSentPluginChannelRequest();
402  } else {
403    client->OnError();
404  }
405}
406
407void PluginProcessHost::OnChannelCreated(
408    const IPC::ChannelHandle& channel_handle) {
409  Client* client = sent_requests_.front();
410
411  if (client) {
412    if (!resource_context_map_.count(client->ID())) {
413      ResourceContextEntry entry;
414      entry.ref_count = 0;
415      entry.resource_context = client->GetResourceContext();
416      resource_context_map_[client->ID()] = entry;
417    }
418    resource_context_map_[client->ID()].ref_count++;
419    client->OnChannelOpened(channel_handle);
420  }
421  sent_requests_.pop_front();
422}
423
424void PluginProcessHost::OnChannelDestroyed(int renderer_id) {
425  resource_context_map_[renderer_id].ref_count--;
426  if (!resource_context_map_[renderer_id].ref_count)
427    resource_context_map_.erase(renderer_id);
428}
429
430void PluginProcessHost::GetContexts(const ResourceHostMsg_Request& request,
431                                    ResourceContext** resource_context,
432                                    net::URLRequestContext** request_context) {
433  *resource_context =
434      resource_context_map_[request.origin_pid].resource_context;
435  *request_context = (*resource_context)->GetRequestContext();
436}
437
438}  // namespace content
439