1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #ifndef __IPC_GLUE_GECKOCHILDPROCESSHOST_H__ 8 #define __IPC_GLUE_GECKOCHILDPROCESSHOST_H__ 9 10 #include "base/file_path.h" 11 #include "base/process_util.h" 12 #include "base/waitable_event.h" 13 #include "chrome/common/child_process_host.h" 14 #include "chrome/common/ipc_message.h" 15 #include "mojo/core/ports/port_ref.h" 16 17 #include "mozilla/ipc/FileDescriptor.h" 18 #include "mozilla/ipc/ScopedPort.h" 19 #include "mozilla/Atomics.h" 20 #include "mozilla/Buffer.h" 21 #include "mozilla/LinkedList.h" 22 #include "mozilla/Monitor.h" 23 #include "mozilla/MozPromise.h" 24 #include "mozilla/StaticMutex.h" 25 #include "mozilla/StaticPtr.h" 26 #include "mozilla/UniquePtr.h" 27 28 #include "nsCOMPtr.h" 29 #include "nsExceptionHandler.h" 30 #include "nsXULAppAPI.h" // for GeckoProcessType 31 #include "nsString.h" 32 33 #if defined(XP_WIN) && defined(MOZ_SANDBOX) 34 # include "sandboxBroker.h" 35 #endif 36 37 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX) 38 # include "mozilla/Sandbox.h" 39 #endif 40 41 struct _MacSandboxInfo; 42 typedef _MacSandboxInfo MacSandboxInfo; 43 44 namespace mozilla { 45 namespace ipc { 46 47 struct LaunchError {}; 48 typedef mozilla::MozPromise<base::ProcessHandle, LaunchError, false> 49 ProcessHandlePromise; 50 51 struct LaunchResults { 52 base::ProcessHandle mHandle = 0; 53 #ifdef XP_MACOSX 54 task_t mChildTask = MACH_PORT_NULL; 55 #endif 56 #if defined(XP_WIN) && defined(MOZ_SANDBOX) 57 RefPtr<AbstractSandboxBroker> mSandboxBroker; 58 #endif 59 }; 60 typedef mozilla::MozPromise<LaunchResults, LaunchError, false> 61 ProcessLaunchPromise; 62 63 class GeckoChildProcessHost : public ChildProcessHost, 64 public LinkedListElement<GeckoChildProcessHost> { 65 protected: 66 typedef mozilla::Monitor Monitor; 67 typedef std::vector<std::string> StringVector; 68 69 public: 70 typedef base::ProcessHandle ProcessHandle; 71 72 explicit GeckoChildProcessHost(GeckoProcessType aProcessType, 73 bool aIsFileContent = false); 74 75 // Causes the object to be deleted, on the I/O thread, after any 76 // pending asynchronous work (like launching) is complete. This 77 // method can be called from any thread. If called from the I/O 78 // thread itself, deletion won't happen until the event loop spins; 79 // otherwise, it could happen immediately. 80 // 81 // GeckoChildProcessHost instances must not be deleted except 82 // through this method. 83 void Destroy(); 84 85 static uint32_t GetUniqueID(); 86 87 // Call this before launching to set an environment variable for the 88 // child process. The arguments must be UTF-8. 89 void SetEnv(const char* aKey, const char* aValue); 90 91 // Does not block. The IPC channel may not be initialized yet, and 92 // the child process may or may not have been created when this 93 // method returns. 94 bool AsyncLaunch(StringVector aExtraOpts = StringVector()); 95 96 virtual bool WaitUntilConnected(int32_t aTimeoutMs = 0); 97 98 // Block until the IPC channel for our subprocess is initialized and 99 // the OS process is created. The subprocess may or may not have 100 // connected back to us when this method returns. 101 // 102 // NB: on POSIX, this method is relatively cheap, and doesn't 103 // require disk IO. On win32 however, it requires at least the 104 // analogue of stat(). This difference induces a semantic 105 // difference in this method: on POSIX, when we return, we know the 106 // subprocess has been created, but we don't know whether its 107 // executable image can be loaded. On win32, we do know that when 108 // we return. But we don't know if dynamic linking succeeded on 109 // either platform. 110 bool LaunchAndWaitForProcessHandle(StringVector aExtraOpts = StringVector()); 111 bool WaitForProcessHandle(); 112 113 // Block until the child process has been created and it connects to 114 // the IPC channel, meaning it's fully initialized. (Or until an 115 // error occurs.) 116 bool SyncLaunch(StringVector aExtraOpts = StringVector(), 117 int32_t timeoutMs = 0); 118 119 virtual void OnChannelConnected(int32_t peer_pid) override; 120 virtual void OnMessageReceived(IPC::Message&& aMsg) override; 121 virtual void OnChannelError() override; 122 virtual void GetQueuedMessages(std::queue<IPC::Message>& queue) override; 123 124 // Resolves to the process handle when it's available (see 125 // LaunchAndWaitForProcessHandle); use with AsyncLaunch. 126 RefPtr<ProcessHandlePromise> WhenProcessHandleReady(); 127 128 void InitializeChannel( 129 const std::function<void(IPC::Channel*)>& aChannelReady); 130 CanShutdown()131 virtual bool CanShutdown() override { return true; } 132 GetChannel()133 IPC::Channel* GetChannel() { return channelp(); } GetChannelId()134 ChannelId GetChannelId() { return channel_id(); } 135 TakeInitialPort()136 ScopedPort TakeInitialPort() { return std::move(mInitialPort); } 137 138 // Returns a "borrowed" handle to the child process - the handle returned 139 // by this function must not be closed by the caller. GetChildProcessHandle()140 ProcessHandle GetChildProcessHandle() { return mChildProcessHandle; } 141 GetProcessType()142 GeckoProcessType GetProcessType() { return mProcessType; } 143 144 #ifdef XP_MACOSX GetChildTask()145 task_t GetChildTask() { return mChildTask; } 146 #endif 147 148 #ifdef XP_WIN 149 AddHandleToShare(HANDLE aHandle)150 void AddHandleToShare(HANDLE aHandle) { 151 mLaunchOptions->handles_to_inherit.push_back(aHandle); 152 } 153 #else AddFdToRemap(int aSrcFd,int aDstFd)154 void AddFdToRemap(int aSrcFd, int aDstFd) { 155 mLaunchOptions->fds_to_remap.push_back(std::make_pair(aSrcFd, aDstFd)); 156 } 157 #endif 158 159 /** 160 * Must run on the IO thread. Cause the OS process to exit and 161 * ensure its OS resources are cleaned up. 162 */ 163 void Join(); 164 165 // For bug 943174: Skip the EnsureProcessTerminated call in the destructor. 166 void SetAlreadyDead(); 167 168 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX) 169 // Start the sandbox from the child process. 170 static bool StartMacSandbox(int aArgc, char** aArgv, 171 std::string& aErrorMessage); 172 173 // The sandbox type that will be use when sandboxing is 174 // enabled in the derived class and FillMacSandboxInfo 175 // has not been overridden. GetDefaultMacSandboxType()176 static MacSandboxType GetDefaultMacSandboxType() { 177 return MacSandboxType_Utility; 178 }; 179 180 // Must be called before the process is launched. Determines if 181 // child processes will be launched with OS_ACTIVITY_MODE set to 182 // "disabled" or not. When |mDisableOSActivityMode| is set to true, 183 // child processes will be launched with OS_ACTIVITY_MODE 184 // disabled to avoid connection attempts to diagnosticd(8) which are 185 // blocked in child processes due to sandboxing. 186 void DisableOSActivityMode(); 187 #endif 188 typedef std::function<void(GeckoChildProcessHost*)> GeckoProcessCallback; 189 190 // Iterates over all instances and calls aCallback with each one of them. 191 // This method will lock any addition/removal of new processes 192 // so you need to make sure the callback is as fast as possible. 193 // 194 // To reiterate: the callbacks are executed synchronously. 195 static void GetAll(const GeckoProcessCallback& aCallback); 196 197 friend class BaseProcessLauncher; 198 friend class PosixProcessLauncher; 199 friend class WindowsProcessLauncher; 200 201 protected: 202 ~GeckoChildProcessHost(); 203 GeckoProcessType mProcessType; 204 bool mIsFileContent; 205 Monitor mMonitor; 206 FilePath mProcessPath; 207 // GeckoChildProcessHost holds the launch options so they can be set 208 // up on the main thread using main-thread-only APIs like prefs, and 209 // then used for the actual launch on another thread. This pointer 210 // is set to null to free the options after the child is launched. 211 UniquePtr<base::LaunchOptions> mLaunchOptions; 212 ScopedPort mInitialPort; 213 214 // This value must be accessed while holding mMonitor. 215 enum { 216 // This object has been constructed, but the OS process has not 217 // yet. 218 CREATING_CHANNEL = 0, 219 // The IPC channel for our subprocess has been created, but the OS 220 // process has still not been created. 221 CHANNEL_INITIALIZED, 222 // The OS process has been created, but it hasn't yet connected to 223 // our IPC channel. 224 PROCESS_CREATED, 225 // The process is launched and connected to our IPC channel. All 226 // is well. 227 PROCESS_CONNECTED, 228 PROCESS_ERROR 229 } mProcessState; 230 231 void PrepareLaunch(); 232 233 #ifdef XP_WIN 234 void InitWindowsGroupID(); 235 nsString mGroupId; 236 CrashReporter::WindowsErrorReportingData mWerData; 237 # ifdef MOZ_SANDBOX 238 RefPtr<AbstractSandboxBroker> mSandboxBroker; 239 std::vector<std::wstring> mAllowedFilesRead; 240 bool mEnableSandboxLogging; 241 int32_t mSandboxLevel; 242 # endif 243 #endif // XP_WIN 244 245 ProcessHandle mChildProcessHandle; 246 #if defined(OS_MACOSX) 247 task_t mChildTask; 248 #endif 249 RefPtr<ProcessHandlePromise> mHandlePromise; 250 251 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX) 252 bool mDisableOSActivityMode; 253 #endif 254 255 bool OpenPrivilegedHandle(base::ProcessId aPid); 256 257 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX) 258 // Override this method to return true to launch the child process 259 // using the Mac utility (by default) sandbox. Override 260 // FillMacSandboxInfo() to change the sandbox type and settings. IsMacSandboxLaunchEnabled()261 virtual bool IsMacSandboxLaunchEnabled() { return false; } 262 263 // Fill a MacSandboxInfo to configure the sandbox 264 virtual bool FillMacSandboxInfo(MacSandboxInfo& aInfo); 265 266 // Adds the command line arguments needed to enable 267 // sandboxing of the child process at startup before 268 // the child event loop is up. 269 virtual bool AppendMacSandboxParams(StringVector& aArgs); 270 #endif 271 272 private: 273 DISALLOW_EVIL_CONSTRUCTORS(GeckoChildProcessHost); 274 275 // Removes the instance from sGeckoChildProcessHosts 276 void RemoveFromProcessList(); 277 278 // In between launching the subprocess and handing off its IPC 279 // channel, there's a small window of time in which *we* might still 280 // be the channel listener, and receive messages. That's bad 281 // because we have no idea what to do with those messages. So queue 282 // them here until we hand off the eventual listener. 283 // 284 // FIXME/cjones: this strongly indicates bad design. Shame on us. 285 std::queue<IPC::Message> mQueue; 286 287 // Linux-Only. Set this up before we're called from a different thread. 288 nsCString mTmpDirName; 289 // Mac and Windows. Set this up before we're called from a different thread. 290 nsCOMPtr<nsIFile> mProfileDir; 291 292 mozilla::Atomic<bool> mDestroying; 293 294 static uint32_t sNextUniqueID; 295 static StaticAutoPtr<LinkedList<GeckoChildProcessHost>> 296 sGeckoChildProcessHosts; 297 static StaticMutex sMutex; 298 }; 299 300 nsCOMPtr<nsIEventTarget> GetIPCLauncher(); 301 302 } /* namespace ipc */ 303 } /* namespace mozilla */ 304 305 #endif /* __IPC_GLUE_GECKOCHILDPROCESSHOST_H__ */ 306