1// Copyright (c) 2011 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "content/public/common/sandbox_init.h" 6 7#include "base/command_line.h" 8#include "base/files/file_path.h" 9#include "base/logging.h" 10#include "content/common/sandbox_mac.h" 11#include "content/public/common/content_switches.h" 12 13namespace content { 14 15bool InitializeSandbox(int sandbox_type, const base::FilePath& allowed_dir) { 16 // Warm up APIs before turning on the sandbox. 17 Sandbox::SandboxWarmup(sandbox_type); 18 19 // Actually sandbox the process. 20 return Sandbox::EnableSandbox(sandbox_type, allowed_dir); 21} 22 23// Fill in |sandbox_type| and |allowed_dir| based on the command line, returns 24// false if the current process type doesn't need to be sandboxed or if the 25// sandbox was disabled from the command line. 26bool GetSandboxTypeFromCommandLine(int* sandbox_type, 27 base::FilePath* allowed_dir) { 28 DCHECK(sandbox_type); 29 DCHECK(allowed_dir); 30 31 *sandbox_type = -1; 32 *allowed_dir = base::FilePath(); // Empty by default. 33 34 const base::CommandLine& command_line = 35 *base::CommandLine::ForCurrentProcess(); 36 if (command_line.HasSwitch(switches::kNoSandbox)) 37 return false; 38 39 std::string process_type = 40 command_line.GetSwitchValueASCII(switches::kProcessType); 41 if (process_type.empty()) { 42 // Browser process isn't sandboxed. 43 return false; 44 } else if (process_type == switches::kRendererProcess) { 45 *sandbox_type = SANDBOX_TYPE_RENDERER; 46 } else if (process_type == switches::kUtilityProcess) { 47 // Utility process sandbox. 48 *sandbox_type = SANDBOX_TYPE_UTILITY; 49 *allowed_dir = 50 command_line.GetSwitchValuePath(switches::kUtilityProcessAllowedDir); 51 } else if (process_type == switches::kGpuProcess) { 52 if (command_line.HasSwitch(switches::kDisableGpuSandbox)) 53 return false; 54 *sandbox_type = SANDBOX_TYPE_GPU; 55 } else if ((process_type == switches::kPluginProcess) || 56 (process_type == switches::kPpapiBrokerProcess)) { 57 return false; 58 } else if (process_type == switches::kPpapiPluginProcess) { 59 *sandbox_type = SANDBOX_TYPE_PPAPI; 60 } else { 61 // This is a process which we don't know about, i.e. an embedder-defined 62 // process. If the embedder wants it sandboxed, they have a chance to return 63 // the sandbox profile in ContentClient::GetSandboxProfileForSandboxType. 64 return false; 65 } 66 return true; 67} 68 69bool InitializeSandbox() { 70 int sandbox_type = 0; 71 base::FilePath allowed_dir; 72 if (!GetSandboxTypeFromCommandLine(&sandbox_type, &allowed_dir)) 73 return true; 74 return InitializeSandbox(sandbox_type, allowed_dir); 75} 76 77extern const char kBootstrapPortNameForNPAPIPlugins[] = 78 "org.chromium.sandbox.real_bootstrap_server"; 79 80} // namespace content 81