2018-12-06 01:42:12 +00:00
|
|
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Jeremy Apthorp <nornagon@nornagon.net>
|
|
|
|
Date: Wed, 28 Nov 2018 13:20:27 -0800
|
2019-08-24 01:14:23 +00:00
|
|
|
Subject: support_mixed_sandbox_with_zygote.patch
|
2018-12-06 01:42:12 +00:00
|
|
|
|
|
|
|
On Linux, Chromium launches all new renderer processes via a "zygote"
|
|
|
|
process which has the sandbox pre-initialized (see
|
|
|
|
//docs/linux_zygote.md). In order to support mixed-sandbox mode, in
|
|
|
|
which some renderers are launched with the sandbox engaged and others
|
|
|
|
without it, we need the option to launch non-sandboxed renderers without
|
|
|
|
going through the zygote.
|
|
|
|
|
|
|
|
Chromium already supports a `--no-zygote` flag, but it turns off the
|
|
|
|
zygote completely, and thus also disables sandboxing. This patch allows
|
|
|
|
the `--no-zygote` flag to affect renderer processes on a case-by-case
|
|
|
|
basis, checking immediately prior to launch whether to go through the
|
|
|
|
zygote or not based on the command-line of the to-be-launched renderer.
|
|
|
|
|
|
|
|
This patch could conceivably be upstreamed, as it does not affect
|
|
|
|
production Chromium (which does not use the `--no-zygote` flag).
|
|
|
|
However, the patch would need to be reviewed by the security team, as it
|
|
|
|
does touch a security-sensitive class.
|
|
|
|
|
|
|
|
diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
|
2024-07-29 13:37:35 +00:00
|
|
|
index 3711868d3e39ff1a4541cea72e7e627d50405417..ff475a6538baa1a997eca6617d24213300522ffd 100644
|
2018-12-06 01:42:12 +00:00
|
|
|
--- a/content/browser/renderer_host/render_process_host_impl.cc
|
|
|
|
+++ b/content/browser/renderer_host/render_process_host_impl.cc
|
2024-07-29 13:37:35 +00:00
|
|
|
@@ -1612,9 +1612,15 @@ bool RenderProcessHostImpl::Init() {
|
2021-11-24 08:45:59 +00:00
|
|
|
std::unique_ptr<SandboxedProcessLauncherDelegate> sandbox_delegate =
|
|
|
|
std::make_unique<RendererSandboxedProcessLauncherDelegateWin>(
|
2024-02-29 09:31:13 +00:00
|
|
|
*cmd_line, IsPdf(), /*is_jit_disabled=*/IsPdf());
|
2021-11-24 08:45:59 +00:00
|
|
|
+#else
|
2023-02-03 11:43:42 +00:00
|
|
|
+#if BUILDFLAG(USE_ZYGOTE)
|
2021-11-24 08:45:59 +00:00
|
|
|
+ bool use_zygote = !cmd_line->HasSwitch(switches::kNoZygote);
|
|
|
|
+ std::unique_ptr<SandboxedProcessLauncherDelegate> sandbox_delegate =
|
|
|
|
+ std::make_unique<RendererSandboxedProcessLauncherDelegate>(use_zygote);
|
|
|
|
#else
|
|
|
|
std::unique_ptr<SandboxedProcessLauncherDelegate> sandbox_delegate =
|
|
|
|
std::make_unique<RendererSandboxedProcessLauncherDelegate>();
|
|
|
|
+#endif
|
|
|
|
#endif
|
2022-06-01 06:12:47 +00:00
|
|
|
|
2024-07-03 15:15:35 +00:00
|
|
|
auto tracing_config_memory_region =
|
2021-11-24 08:45:59 +00:00
|
|
|
diff --git a/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.cc b/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.cc
|
chore: bump chromium to 128.0.6611.0 (main) (#42779)
* chore: bump chromium in DEPS to 128.0.6577.0
* chore: bump chromium in DEPS to 128.0.6579.0
* 5675706: Reland "Reland "Reland "Reland "Add toolchains without PartitionAlloc-Everywhere for dump_syms et al""""
https://chromium-review.googlesource.com/c/chromium/src/+/5675706
* 5668597: [PDF Ink Signatures] Prompt download menu on save when there are edits
https://chromium-review.googlesource.com/c/chromium/src/+/5668597
* 5677014: Reland "Pull data_sharing_sdk from CIPD"
https://chromium-review.googlesource.com/c/chromium/src/+/5677014
* chore: fixup patch indices
* chore: bump chromium in DEPS to 128.0.6581.0
* chore: bump chromium in DEPS to 128.0.6583.0
* update patches
* 5455480: [Extensions] Allow service worker requests to continue without a cert
https://chromium-review.googlesource.com/c/chromium/src/+/5455480
* try to get some debugging output from script/push-patch.js
* chore: bump chromium in DEPS to 128.0.6585.0
* chore: bump chromium in DEPS to 128.0.6587.0
* update patches
* chore: bump chromium in DEPS to 128.0.6589.0
* more patch work
* maybe over here?
* chore: update patches
* 5673207: [HTTPS Upgrades] Disable in captive portal login webview
https://chromium-review.googlesource.com/c/chromium/src/+/5673207
* 5636785: Extensions: WAR: manifest.json's use_dynamic_url requires a dynamic url
https://chromium-review.googlesource.com/c/chromium/src/+/5636785
* chore: bump chromium in DEPS to 128.0.6591.0
* 5665458: Trigger WN2 page when feature is enabled
https://chromium-review.googlesource.com/c/chromium/src/+/5665458
* update patches
* chore: bump chromium in DEPS to 128.0.6593.0
* chore: bump chromium in DEPS to 128.0.6595.0
* chore: bump chromium in DEPS to 128.0.6597.0
* (patch update) 5694586: [compile hints] Remove the usage of v8::Isolate::SetJavaScriptCompileHintsMagicEnabledCallback API
https://chromium-review.googlesource.com/c/chromium/src/+/5694586
* update patches
* 5691287: Reland "Change blink::WebKeyboardEvent to use std::array in is members"
https://chromium-review.googlesource.com/c/chromium/src/+/5691287
The code changed here is modeled after code in `content/renderer/pepper/event_conversion.cc` that was also modified in this CL, so I took the same approach.
* 5529018: Cleanup EnableWebHidOnExtensionServiceWorker flag
https://chromium-review.googlesource.com/c/chromium/src/+/5529018
* 5526324: [Code Health] Add deprecation comment for base::SupportsWeakPtr.
https://chromium-review.googlesource.com/c/chromium/src/+/5526324
Note that this CL actually does make `SupportsWeakPtr` strictly restricted to existing implementations, no new ones. We could add a patch to add ourselves to this list, but it looks like we'll have to refactor this anyways in the near future. Since the refactor seems straightforward, let's try that first.
* chore: bump chromium in DEPS to 128.0.6598.0
* chore: update patches
* 5704737: Rename ExclusiveAccessContext::GetActiveWebContents to avoid conflict
https://chromium-review.googlesource.com/c/chromium/src/+/5704737
* chore: bump chromium in DEPS to 128.0.6601.0
* chore: update patches
* Add `base::StringPiece` header includes
Chromium is working on replacing `base::StringPiece` with `std::string_view`. (See the Chromium Bug below.) They're currently running mass codemods (across many multiple changes) to replace uses of `StringPiece` with `string_view`, including removing the header include for `StringPiece` in those files. This cascades down to our files that were implicitly depending on those includes through some other include.
They're on track to eventually deprecate and remove `StringPiece` so our code should be converted, but that can be done as an upgrade follow-up task. For now, adding the header back to files that need it should suffice for minimal upgrade changes.
Chromium Bug: https://issues.chromium.org/issues/40506050
* 5702737: GlobalRequestID: Avoid unwanted inlining and narrowing int conversions
https://chromium-review.googlesource.com/c/chromium/src/+/5702737
contender for smallest commit 2024
* 5706534: Rename GlobalFeatures to GlobalDesktopFeatures.
https://chromium-review.googlesource.com/c/chromium/src/+/5706534
* 5691321: ui: remove params variants of SelectFile listener functions
https://chromium-review.googlesource.com/c/chromium/src/+/5691321
* 5714949: [Extensions] Display re-enable dialog for MV2 disabled stage
https://chromium-review.googlesource.com/c/chromium/src/+/5714949
* chore: update libc++ filenames
* patch: disable scope reuse & associated dchecks in v8 (hopefully temp, upgrade follow-up)
* fixup! Add `base::StringPiece` header includes
* update MAS patch
5710330: Add crash keys to debug NativeWidgetMacNSWindowBorderlessFrame exception
https://chromium-review.googlesource.com/c/chromium/src/+/5710330
* chore: bump chromium in DEPS to 128.0.6603.0
* chore: update patches
* 5713258: Reland "Preparation for decoupling creation/initialization of context"
https://chromium-review.googlesource.com/c/chromium/src/+/5713258
When destroying a context, it must already be shutdown, and this change enforces it with a new CHECK.
We were overriding `BrowserContextKeyedServiceFactory::BrowserContextShutdown` with an empty implementation, which differed from the default implementation that notifies the `KeyedServiceFactory` that the context has shutdown. Since we were missing this notification, the CHECK would later trip when the service was being destoryed because it was not registered as shutdown when it was shutdown.
* chore: bump chromium in DEPS to 128.0.6605.2
* chore: update patches
* refactor: linux open/save dialog patch
Our existing implementation was relying on an opaque `void* params` parameter that was passed through `ui::SelectFileDialog`.
Recently, that parameter has been getting removed:
- 5691321: ui: remove params variants of SelectFile listener functions | https://chromium-review.googlesource.com/c/chromium/src/+/5691321
- 5709097: ui: remove SelectFileDialog impl params | https://chromium-review.googlesource.com/c/chromium/src/+/5709097
- https://issues.chromium.org/issues/340178601 "reconsider SelectFileDialog"
This restructures the patch to work with mostly the same mechanics, but directly on the `ui::SelectFileDialog` object. This nets us some wins in terms of a smaller patch.
* 5713262: DevTools UI binding AIDA client event returns response
https://chromium-review.googlesource.com/c/chromium/src/+/5713262
* fixup! refactor: linux open/save dialog patch
* chore: bump chromium in DEPS to 128.0.6606.0
* chore: update patches
* fixup! refactor: linux open/save dialog patch
* chore: bump chromium in DEPS to 128.0.6607.0
* chore: update printing.patch
Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5722937
* fix: pwd error in electron-test, nan-test
fix: unshallow depot_tools before 3-way apply
* chore: e patches all
* fixup! fix: pwd error in electron-test, nan-test
* chore: bump chromium in DEPS to 128.0.6609.0
* chore: bump chromium in DEPS to 128.0.6611.0
* chore: update patches
* chore: update libcxx filenames
---------
Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
Co-authored-by: Jeremy Rose <nornagon@nornagon.net>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Co-authored-by: clavin <clavin@electronjs.org>
Co-authored-by: Charles Kerr <charles@charleskerr.com>
Co-authored-by: Alice Zhao <alice@makenotion.com>
2024-07-23 15:59:44 +00:00
|
|
|
index 2c724b73a55fa21154ff8cedd41d3ca5738dfa76..b3f5973a4b686542d46d8338722f5fe42c86c529 100644
|
2021-11-24 08:45:59 +00:00
|
|
|
--- a/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.cc
|
|
|
|
+++ b/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.cc
|
2024-04-15 22:10:32 +00:00
|
|
|
@@ -35,6 +35,9 @@ namespace content {
|
2021-11-24 08:45:59 +00:00
|
|
|
|
2023-02-03 11:43:42 +00:00
|
|
|
#if BUILDFLAG(USE_ZYGOTE)
|
|
|
|
ZygoteCommunication* RendererSandboxedProcessLauncherDelegate::GetZygote() {
|
2021-11-24 08:45:59 +00:00
|
|
|
+ if (!use_zygote_) {
|
|
|
|
+ return nullptr;
|
|
|
|
+ }
|
|
|
|
const base::CommandLine& browser_command_line =
|
|
|
|
*base::CommandLine::ForCurrentProcess();
|
|
|
|
base::CommandLine::StringType renderer_prefix =
|
chore: bump chromium to 128.0.6611.0 (main) (#42779)
* chore: bump chromium in DEPS to 128.0.6577.0
* chore: bump chromium in DEPS to 128.0.6579.0
* 5675706: Reland "Reland "Reland "Reland "Add toolchains without PartitionAlloc-Everywhere for dump_syms et al""""
https://chromium-review.googlesource.com/c/chromium/src/+/5675706
* 5668597: [PDF Ink Signatures] Prompt download menu on save when there are edits
https://chromium-review.googlesource.com/c/chromium/src/+/5668597
* 5677014: Reland "Pull data_sharing_sdk from CIPD"
https://chromium-review.googlesource.com/c/chromium/src/+/5677014
* chore: fixup patch indices
* chore: bump chromium in DEPS to 128.0.6581.0
* chore: bump chromium in DEPS to 128.0.6583.0
* update patches
* 5455480: [Extensions] Allow service worker requests to continue without a cert
https://chromium-review.googlesource.com/c/chromium/src/+/5455480
* try to get some debugging output from script/push-patch.js
* chore: bump chromium in DEPS to 128.0.6585.0
* chore: bump chromium in DEPS to 128.0.6587.0
* update patches
* chore: bump chromium in DEPS to 128.0.6589.0
* more patch work
* maybe over here?
* chore: update patches
* 5673207: [HTTPS Upgrades] Disable in captive portal login webview
https://chromium-review.googlesource.com/c/chromium/src/+/5673207
* 5636785: Extensions: WAR: manifest.json's use_dynamic_url requires a dynamic url
https://chromium-review.googlesource.com/c/chromium/src/+/5636785
* chore: bump chromium in DEPS to 128.0.6591.0
* 5665458: Trigger WN2 page when feature is enabled
https://chromium-review.googlesource.com/c/chromium/src/+/5665458
* update patches
* chore: bump chromium in DEPS to 128.0.6593.0
* chore: bump chromium in DEPS to 128.0.6595.0
* chore: bump chromium in DEPS to 128.0.6597.0
* (patch update) 5694586: [compile hints] Remove the usage of v8::Isolate::SetJavaScriptCompileHintsMagicEnabledCallback API
https://chromium-review.googlesource.com/c/chromium/src/+/5694586
* update patches
* 5691287: Reland "Change blink::WebKeyboardEvent to use std::array in is members"
https://chromium-review.googlesource.com/c/chromium/src/+/5691287
The code changed here is modeled after code in `content/renderer/pepper/event_conversion.cc` that was also modified in this CL, so I took the same approach.
* 5529018: Cleanup EnableWebHidOnExtensionServiceWorker flag
https://chromium-review.googlesource.com/c/chromium/src/+/5529018
* 5526324: [Code Health] Add deprecation comment for base::SupportsWeakPtr.
https://chromium-review.googlesource.com/c/chromium/src/+/5526324
Note that this CL actually does make `SupportsWeakPtr` strictly restricted to existing implementations, no new ones. We could add a patch to add ourselves to this list, but it looks like we'll have to refactor this anyways in the near future. Since the refactor seems straightforward, let's try that first.
* chore: bump chromium in DEPS to 128.0.6598.0
* chore: update patches
* 5704737: Rename ExclusiveAccessContext::GetActiveWebContents to avoid conflict
https://chromium-review.googlesource.com/c/chromium/src/+/5704737
* chore: bump chromium in DEPS to 128.0.6601.0
* chore: update patches
* Add `base::StringPiece` header includes
Chromium is working on replacing `base::StringPiece` with `std::string_view`. (See the Chromium Bug below.) They're currently running mass codemods (across many multiple changes) to replace uses of `StringPiece` with `string_view`, including removing the header include for `StringPiece` in those files. This cascades down to our files that were implicitly depending on those includes through some other include.
They're on track to eventually deprecate and remove `StringPiece` so our code should be converted, but that can be done as an upgrade follow-up task. For now, adding the header back to files that need it should suffice for minimal upgrade changes.
Chromium Bug: https://issues.chromium.org/issues/40506050
* 5702737: GlobalRequestID: Avoid unwanted inlining and narrowing int conversions
https://chromium-review.googlesource.com/c/chromium/src/+/5702737
contender for smallest commit 2024
* 5706534: Rename GlobalFeatures to GlobalDesktopFeatures.
https://chromium-review.googlesource.com/c/chromium/src/+/5706534
* 5691321: ui: remove params variants of SelectFile listener functions
https://chromium-review.googlesource.com/c/chromium/src/+/5691321
* 5714949: [Extensions] Display re-enable dialog for MV2 disabled stage
https://chromium-review.googlesource.com/c/chromium/src/+/5714949
* chore: update libc++ filenames
* patch: disable scope reuse & associated dchecks in v8 (hopefully temp, upgrade follow-up)
* fixup! Add `base::StringPiece` header includes
* update MAS patch
5710330: Add crash keys to debug NativeWidgetMacNSWindowBorderlessFrame exception
https://chromium-review.googlesource.com/c/chromium/src/+/5710330
* chore: bump chromium in DEPS to 128.0.6603.0
* chore: update patches
* 5713258: Reland "Preparation for decoupling creation/initialization of context"
https://chromium-review.googlesource.com/c/chromium/src/+/5713258
When destroying a context, it must already be shutdown, and this change enforces it with a new CHECK.
We were overriding `BrowserContextKeyedServiceFactory::BrowserContextShutdown` with an empty implementation, which differed from the default implementation that notifies the `KeyedServiceFactory` that the context has shutdown. Since we were missing this notification, the CHECK would later trip when the service was being destoryed because it was not registered as shutdown when it was shutdown.
* chore: bump chromium in DEPS to 128.0.6605.2
* chore: update patches
* refactor: linux open/save dialog patch
Our existing implementation was relying on an opaque `void* params` parameter that was passed through `ui::SelectFileDialog`.
Recently, that parameter has been getting removed:
- 5691321: ui: remove params variants of SelectFile listener functions | https://chromium-review.googlesource.com/c/chromium/src/+/5691321
- 5709097: ui: remove SelectFileDialog impl params | https://chromium-review.googlesource.com/c/chromium/src/+/5709097
- https://issues.chromium.org/issues/340178601 "reconsider SelectFileDialog"
This restructures the patch to work with mostly the same mechanics, but directly on the `ui::SelectFileDialog` object. This nets us some wins in terms of a smaller patch.
* 5713262: DevTools UI binding AIDA client event returns response
https://chromium-review.googlesource.com/c/chromium/src/+/5713262
* fixup! refactor: linux open/save dialog patch
* chore: bump chromium in DEPS to 128.0.6606.0
* chore: update patches
* fixup! refactor: linux open/save dialog patch
* chore: bump chromium in DEPS to 128.0.6607.0
* chore: update printing.patch
Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5722937
* fix: pwd error in electron-test, nan-test
fix: unshallow depot_tools before 3-way apply
* chore: e patches all
* fixup! fix: pwd error in electron-test, nan-test
* chore: bump chromium in DEPS to 128.0.6609.0
* chore: bump chromium in DEPS to 128.0.6611.0
* chore: update patches
* chore: update libcxx filenames
---------
Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
Co-authored-by: Jeremy Rose <nornagon@nornagon.net>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Co-authored-by: clavin <clavin@electronjs.org>
Co-authored-by: Charles Kerr <charles@charleskerr.com>
Co-authored-by: Alice Zhao <alice@makenotion.com>
2024-07-23 15:59:44 +00:00
|
|
|
@@ -70,6 +73,9 @@ RendererSandboxedProcessLauncherDelegateWin::
|
2023-03-23 21:15:56 +00:00
|
|
|
is_pdf_renderer_(is_pdf_renderer) {
|
|
|
|
// PDF renderers must be jitless.
|
|
|
|
CHECK(!is_pdf_renderer || is_jit_disabled);
|
2023-02-03 11:43:42 +00:00
|
|
|
+#if BUILDFLAG(USE_ZYGOTE)
|
2021-11-24 08:45:59 +00:00
|
|
|
+ use_zygote_ = !cmd_line->HasSwitch(switches::kNoZygote);
|
|
|
|
+#endif
|
|
|
|
if (is_jit_disabled) {
|
|
|
|
dynamic_code_can_be_disabled_ = true;
|
|
|
|
return;
|
|
|
|
diff --git a/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.h b/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.h
|
2023-03-23 21:15:56 +00:00
|
|
|
index 00038da2c15696b361aea1469ccf73307e44963e..7ccfbf11ecfd56fd165915baa85919eaf2e923b9 100644
|
2021-11-24 08:45:59 +00:00
|
|
|
--- a/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.h
|
|
|
|
+++ b/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.h
|
2022-01-10 22:31:39 +00:00
|
|
|
@@ -18,6 +18,11 @@ class CONTENT_EXPORT RendererSandboxedProcessLauncherDelegate
|
2021-03-15 18:32:18 +00:00
|
|
|
public:
|
|
|
|
RendererSandboxedProcessLauncherDelegate() = default;
|
2019-09-18 19:58:00 +00:00
|
|
|
|
2023-02-03 11:43:42 +00:00
|
|
|
+#if BUILDFLAG(USE_ZYGOTE)
|
2018-12-06 01:42:12 +00:00
|
|
|
+ RendererSandboxedProcessLauncherDelegate(bool use_zygote):
|
|
|
|
+ use_zygote_(use_zygote) {}
|
|
|
|
+#endif
|
2019-09-18 19:58:00 +00:00
|
|
|
+
|
2021-01-12 23:31:23 +00:00
|
|
|
~RendererSandboxedProcessLauncherDelegate() override = default;
|
2018-12-06 01:42:12 +00:00
|
|
|
|
2023-02-03 11:43:42 +00:00
|
|
|
#if BUILDFLAG(USE_ZYGOTE)
|
2023-03-10 16:07:42 +00:00
|
|
|
@@ -30,6 +35,11 @@ class CONTENT_EXPORT RendererSandboxedProcessLauncherDelegate
|
2021-11-24 08:45:59 +00:00
|
|
|
|
2023-03-10 16:07:42 +00:00
|
|
|
// sandbox::policy::SandboxDelegate:
|
2021-11-24 08:45:59 +00:00
|
|
|
sandbox::mojom::Sandbox GetSandboxType() override;
|
2021-03-15 18:32:18 +00:00
|
|
|
+
|
|
|
|
+ private:
|
2023-02-03 11:43:42 +00:00
|
|
|
+#if BUILDFLAG(USE_ZYGOTE)
|
2018-12-06 01:42:12 +00:00
|
|
|
+ bool use_zygote_ = true;
|
|
|
|
+#endif
|
|
|
|
};
|
|
|
|
|
2022-02-10 02:58:52 +00:00
|
|
|
#if BUILDFLAG(IS_WIN)
|