mac: Make the (10.6-only) sandbox hole for the components build smaller

content/common/sandbox_mac.mm

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_mac.h"
 
 #import <Cocoa/Cocoa.h>
 
 extern "C" {
 #include <sandbox.h>
 }
 #include <signal.h>
 #include <sys/param.h>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/file_util.h"
+#include "base/mac/bundle_locations.h"
 #include "base/mac/mac_util.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/mac/scoped_nsautorelease_pool.h"
 #include "base/memory/scoped_nsobject.h"
 #include "base/rand_util.h"
 #include "base/string16.h"
 #include "base/string_piece.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/sys_info.h"
@@ skipping 69 matching lines @@
   // Copy bad string to the stack so it's recorded in the crash dump.
   char bad_string[256] = {0};
   base::strlcpy(bad_string, str.c_str(), arraysize(bad_string));
   DLOG(FATAL) << "String quoting failed " << bad_string;
 }
 
 }  // namespace
 
 namespace sandbox {
 
+// static
+NSString* Sandbox::AllowMetadataForPath(const FilePath& allowed_path) {

[Nico, 2012/06/05 17:54:21]

This was extracted almost unchanged from below. (I called out the one change.)

+  // Collect a list of all parent directories.
+  FilePath last_path = allowed_path;
+  std::vector<FilePath> subpaths;
+  for (FilePath path = allowed_path;

[Nico, 2012/06/05 17:54:21]

Note that this now starts at |allowed_path|, not at |allowed_path.DirName()|
like it did previously. Since the final component gets full read permissions at
the old calling site, giving it file-read-metadata permissions in addition isn't
any less secure.

+       path.value() != last_path.value();
+       path = path.DirName()) {
+    subpaths.push_back(path);
+    last_path = path;
+  }
+
+  // Iterate through all parents and allow stat() on them explicitly.
+  NSString* sandbox_command = @"(allow file-read-metadata ";
+  for (std::vector<FilePath>::reverse_iterator i = subpaths.rbegin();
+       i != subpaths.rend();
+       ++i) {
+    std::string subdir_escaped;
+    if (!QuotePlainString(i->value(), &subdir_escaped)) {
+      FatalStringQuoteException(i->value());
+      return nil;
+    }
+
+    NSString* subdir_escaped_ns =
+        base::SysUTF8ToNSString(subdir_escaped.c_str());
+    sandbox_command =
+        [sandbox_command stringByAppendingFormat:@"(literal \"%@\")",
+            subdir_escaped_ns];
+  }
+
+  return [sandbox_command stringByAppendingString:@")"];
+}
 
 // static
 bool Sandbox::QuotePlainString(const std::string& src_utf8, std::string* dst) {
   dst->clear();
 
   const char* src = src_utf8.c_str();
   int32_t length = src_utf8.length();
   int32_t position = 0;
   while (position < length) {
     UChar32 c;
@@ skipping 169 matching lines @@
   // The extension code in Chrome calls realpath() which fails if it can't call
   // stat() on one of the parent directories in the path.
   // The solution to this is to allow statting the parent directories themselves
   // but not their contents.  We need to add a separate rule for each parent
   // directory.
 
   // The sandbox only understands "real" paths.  This resolving step is
   // needed so the caller doesn't need to worry about things like /var
   // being a link to /private/var (like in the paths CreateNewTempDirectory()
   // returns).
-  FilePath allowed_dir_canonical(allowed_dir);
-  GetCanonicalSandboxPath(&allowed_dir_canonical);
+  FilePath allowed_dir_canonical = GetCanonicalSandboxPath(allowed_dir);
 
-  // Collect a list of all parent directories.
-  FilePath last_path = allowed_dir_canonical;
-  std::vector<FilePath> subpaths;
-  for (FilePath path = allowed_dir_canonical.DirName();
-       path.value() != last_path.value();
-       path = path.DirName()) {
-    subpaths.push_back(path);
-    last_path = path;
-  }
-
-  // Iterate through all parents and allow stat() on them explicitly.
-  NSString* sandbox_command = @"(allow file-read-metadata ";
-  for (std::vector<FilePath>::reverse_iterator i = subpaths.rbegin();
-       i != subpaths.rend();
-       ++i) {
-    std::string subdir_escaped;
-    if (!QuotePlainString(i->value(), &subdir_escaped)) {
-      FatalStringQuoteException(i->value());
-      return nil;
-    }
-
-    NSString* subdir_escaped_ns =
-        base::SysUTF8ToNSString(subdir_escaped.c_str());
-    sandbox_command =
-        [sandbox_command stringByAppendingFormat:@"(literal \"%@\")",
-            subdir_escaped_ns];
-  }
+  NSString* sandbox_command = AllowMetadataForPath(allowed_dir_canonical);
+  sandbox_command = [sandbox_command
+      substringToIndex:[sandbox_command length] - 1];  // strip trailing ')'
 
   // Finally append the leaf directory.  Unlike its parents (for which only
   // stat() should be allowed), the leaf directory needs full access.
   (*substitutions)["ALLOWED_DIR"] =
       SandboxSubstring(allowed_dir_canonical.value(),
                        SandboxSubstring::REGEX);
   sandbox_command =
       [sandbox_command
           stringByAppendingString:@") (allow file-read* file-write*"
                                    " (regex #\"@ALLOWED_DIR@\") )"];
@@ skipping 180 matching lines @@
     substitutions["DISABLE_SANDBOX_DENIAL_LOGGING"] =
         SandboxSubstring("(with no-log)");
   } else {
     substitutions["DISABLE_SANDBOX_DENIAL_LOGGING"] = SandboxSubstring("");
   }
 
   // Splice the path of the user's home directory into the sandbox profile
   // (see renderer.sb for details).
   std::string home_dir = [NSHomeDirectory() fileSystemRepresentation];
 
-  FilePath home_dir_canonical(home_dir);
-  GetCanonicalSandboxPath(&home_dir_canonical);
+  FilePath home_dir_canonical = GetCanonicalSandboxPath(FilePath(home_dir));
 
   substitutions["USER_HOMEDIR_AS_LITERAL"] =
       SandboxSubstring(home_dir_canonical.value(),
           SandboxSubstring::LITERAL);
 
   if (lion_or_later) {
     // >=10.7 Sandbox rules.
     [tokens_to_remove addObject:@";10.7_OR_ABOVE"];
   }
 
   if (snow_leopard_or_later) {
     // >=10.6 Sandbox rules.
     [tokens_to_remove addObject:@";10.6_OR_ABOVE"];
   } else {
     // Sandbox rules only for versions before 10.6.
     [tokens_to_remove addObject:@";BEFORE_10.6"];
   }
 
   substitutions["COMPONENT_BUILD_WORKAROUND"] = SandboxSubstring("");
 #if defined(COMPONENT_BUILD)
   // dlopen() fails without file-read-metadata access if the executable image
   // contains LC_RPATH load commands. The components build uses those.
   // See http://crbug.com/127465
   if (base::mac::IsOSSnowLeopardOrEarlier()) {
+    FilePath bundle_executable = base::mac::NSStringToFilePath(
+        [base::mac::MainBundle() executablePath]);
+    NSString* sandbox_command = AllowMetadataForPath(
+        GetCanonicalSandboxPath(bundle_executable));
     substitutions["COMPONENT_BUILD_WORKAROUND"] =
-        SandboxSubstring("(allow file-read-metadata)");
+        SandboxSubstring(base::SysNSStringToUTF8(sandbox_command));
   }
 #endif
 
   // All information needed to assemble the final profile has been collected.
   // Merge it all together.
   std::string final_sandbox_profile_str;
   if (!PostProcessSandboxProfile(sandbox_data, tokens_to_remove, substitutions,
                                  &final_sandbox_profile_str)) {
     return false;
   }
 
   // Initialize sandbox.
   char* error_buff = NULL;
   int error = sandbox_init(final_sandbox_profile_str.c_str(), 0, &error_buff);
   bool success = (error == 0 && error_buff == NULL);
   DLOG_IF(FATAL, !success) << "Failed to initialize sandbox: "
                            << error
                            << " "
                            << error_buff;
   sandbox_free_error(error_buff);
   return success;
 }
 
 // static
-void Sandbox::GetCanonicalSandboxPath(FilePath* path) {
-  int fd = HANDLE_EINTR(open(path->value().c_str(), O_RDONLY));
+FilePath Sandbox::GetCanonicalSandboxPath(const FilePath& path) {
+  int fd = HANDLE_EINTR(open(path.value().c_str(), O_RDONLY));
   if (fd < 0) {
     DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "
-                 << path->value();
-    return;
+                 << path.value();
+    return path;
   }
   file_util::ScopedFD file_closer(&fd);
 
   FilePath::CharType canonical_path[MAXPATHLEN];
   if (HANDLE_EINTR(fcntl(fd, F_GETPATH, canonical_path)) != 0) {
     DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "
-                 << path->value();
-    return;
+                 << path.value();
+    return path;
   }
 
-  *path = FilePath(canonical_path);
+  return FilePath(canonical_path);
 }
 
 }  // namespace sandbox