ipc/glue/GeckoChildProcessHost.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef __IPC_GLUE_GECKOCHILDPROCESSHOST_H__
   8 #define __IPC_GLUE_GECKOCHILDPROCESSHOST_H__
   9
  10 #include "base/file_path.h"
  11 #include "base/process_util.h"
  12 #include "base/waitable_event.h"
  13 #include "chrome/common/child_process_host.h"
  14
  15 #include "mozilla/ipc/FileDescriptor.h"
  16 #include "mozilla/Atomics.h"
  17 #include "mozilla/Buffer.h"
  18 #include "mozilla/LinkedList.h"
  19 #include "mozilla/Monitor.h"
  20 #include "mozilla/MozPromise.h"
  21 #include "mozilla/StaticPtr.h"
  22 #include "mozilla/UniquePtr.h"
  23
  24 #include "nsCOMPtr.h"
  25 #include "nsXULAppAPI.h"  // for GeckoProcessType
  26 #include "nsString.h"
  27
  28 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
  29 #  include "sandboxBroker.h"
  30 #endif
  31
  32 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
  33 #  include "mozilla/Sandbox.h"
  34 #endif
  35
  36 struct _MacSandboxInfo;
  37 typedef _MacSandboxInfo MacSandboxInfo;
  38
  39 namespace mozilla {
  40 namespace ipc {
  41
  42 struct LaunchError {};
  43 typedef mozilla::MozPromise<base::ProcessHandle, LaunchError, false>
  44     ProcessHandlePromise;
  45
  46 struct LaunchResults {
  47   base::ProcessHandle mHandle = 0;
  48 #ifdef XP_MACOSX
  49   task_t mChildTask = MACH_PORT_NULL;
  50 #endif
  51 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
  52   RefPtr<AbstractSandboxBroker> mSandboxBroker;
  53 #endif
  54 };
  55 typedef mozilla::MozPromise<LaunchResults, LaunchError, false>
  56     ProcessLaunchPromise;
  57
  58 class GeckoChildProcessHost : public ChildProcessHost,
  59                               public LinkedListElement<GeckoChildProcessHost> {
  60  protected:
  61   typedef mozilla::Monitor Monitor;
  62   typedef std::vector<std::string> StringVector;
  63
  64  public:
  65   typedef base::ProcessHandle ProcessHandle;
  66
  67   explicit GeckoChildProcessHost(GeckoProcessType aProcessType,
  68                                  bool aIsFileContent = false);
  69
  70   // Causes the object to be deleted, on the I/O thread, after any
  71   // pending asynchronous work (like launching) is complete.  This
  72   // method can be called from any thread.  If called from the I/O
  73   // thread itself, deletion won't happen until the event loop spins;
  74   // otherwise, it could happen immediately.
  75   //
  76   // GeckoChildProcessHost instances must not be deleted except
  77   // through this method.
  78   void Destroy();
  79
  80   static uint32_t GetUniqueID();
  81
  82   // Does not block.  The IPC channel may not be initialized yet, and
  83   // the child process may or may not have been created when this
  84   // method returns.
  85   bool AsyncLaunch(StringVector aExtraOpts = StringVector());
  86
  87   virtual bool WaitUntilConnected(int32_t aTimeoutMs = 0);
  88
  89   // Block until the IPC channel for our subprocess is initialized and
  90   // the OS process is created.  The subprocess may or may not have
  91   // connected back to us when this method returns.
  92   //
  93   // NB: on POSIX, this method is relatively cheap, and doesn't
  94   // require disk IO.  On win32 however, it requires at least the
  95   // analogue of stat().  This difference induces a semantic
  96   // difference in this method: on POSIX, when we return, we know the
  97   // subprocess has been created, but we don't know whether its
  98   // executable image can be loaded.  On win32, we do know that when
  99   // we return.  But we don't know if dynamic linking succeeded on
 100   // either platform.
 101   bool LaunchAndWaitForProcessHandle(StringVector aExtraOpts = StringVector());
 102   bool WaitForProcessHandle();
 103
 104   // Block until the child process has been created and it connects to
 105   // the IPC channel, meaning it's fully initialized.  (Or until an
 106   // error occurs.)
 107   bool SyncLaunch(StringVector aExtraOpts = StringVector(),
 108                   int32_t timeoutMs = 0);
 109
 110   virtual void OnChannelConnected(int32_t peer_pid) override;
 111   virtual void OnMessageReceived(IPC::Message&& aMsg) override;
 112   virtual void OnChannelError() override;
 113   virtual void GetQueuedMessages(std::queue<IPC::Message>& queue) override;
 114
 115   // Resolves to the process handle when it's available (see
 116   // LaunchAndWaitForProcessHandle); use with AsyncLaunch.
 117   RefPtr<ProcessHandlePromise> WhenProcessHandleReady();
 118
 119   virtual void InitializeChannel();
 120
 121   virtual bool CanShutdown() override { return true; }
 122
 123   using ChildProcessHost::TakeChannel;
 124   IPC::Channel* GetChannel() { return channelp(); }
 125   ChannelId GetChannelId() { return channel_id(); }
 126
 127   // Returns a "borrowed" handle to the child process - the handle returned
 128   // by this function must not be closed by the caller.
 129   ProcessHandle GetChildProcessHandle() { return mChildProcessHandle; }
 130
 131   GeckoProcessType GetProcessType() { return mProcessType; }
 132
 133 #ifdef XP_MACOSX
 134   task_t GetChildTask() { return mChildTask; }
 135 #endif
 136
 137 #ifdef XP_WIN
 138   static void CacheNtDllThunk();
 139
 140   void AddHandleToShare(HANDLE aHandle) {
 141     mLaunchOptions->handles_to_inherit.push_back(aHandle);
 142   }
 143 #else
 144   void AddFdToRemap(int aSrcFd, int aDstFd) {
 145     mLaunchOptions->fds_to_remap.push_back(std::make_pair(aSrcFd, aDstFd));
 146   }
 147 #endif
 148
 149   /**
 150    * Must run on the IO thread.  Cause the OS process to exit and
 151    * ensure its OS resources are cleaned up.
 152    */
 153   void Join();
 154
 155   // For bug 943174: Skip the EnsureProcessTerminated call in the destructor.
 156   void SetAlreadyDead();
 157
 158 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
 159   // Start the sandbox from the child process.
 160   static bool StartMacSandbox(int aArgc, char** aArgv,
 161                               std::string& aErrorMessage);
 162
 163   // The sandbox type that will be use when sandboxing is
 164   // enabled in the derived class and FillMacSandboxInfo
 165   // has not been overridden.
 166   static MacSandboxType GetDefaultMacSandboxType() {
 167     return MacSandboxType_Utility;
 168   };
 169
 170   // Must be called before the process is launched. Determines if
 171   // child processes will be launched with OS_ACTIVITY_MODE set to
 172   // "disabled" or not. When |mDisableOSActivityMode| is set to true,
 173   // child processes will be launched with OS_ACTIVITY_MODE
 174   // disabled to avoid connection attempts to diagnosticd(8) which are
 175   // blocked in child processes due to sandboxing.
 176   void DisableOSActivityMode();
 177 #endif
 178   typedef std::function<void(GeckoChildProcessHost*)> GeckoProcessCallback;
 179
 180   // Iterates over all instances and calls aCallback with each one of them.
 181   // This method will lock any addition/removal of new processes
 182   // so you need to make sure the callback is as fast as possible.
 183   //
 184   // To reiterate: the callbacks are executed synchronously.
 185   static void GetAll(const GeckoProcessCallback& aCallback);
 186
 187   friend class BaseProcessLauncher;
 188   friend class PosixProcessLauncher;
 189   friend class WindowsProcessLauncher;
 190
 191  protected:
 192   ~GeckoChildProcessHost();
 193   GeckoProcessType mProcessType;
 194   bool mIsFileContent;
 195   Monitor mMonitor;
 196   FilePath mProcessPath;
 197   // GeckoChildProcessHost holds the launch options so they can be set
 198   // up on the main thread using main-thread-only APIs like prefs, and
 199   // then used for the actual launch on another thread.  This pointer
 200   // is set to null to free the options after the child is launched.
 201   UniquePtr<base::LaunchOptions> mLaunchOptions;
 202
 203   // This value must be accessed while holding mMonitor.
 204   enum {
 205     // This object has been constructed, but the OS process has not
 206     // yet.
 207     CREATING_CHANNEL = 0,
 208     // The IPC channel for our subprocess has been created, but the OS
 209     // process has still not been created.
 210     CHANNEL_INITIALIZED,
 211     // The OS process has been created, but it hasn't yet connected to
 212     // our IPC channel.
 213     PROCESS_CREATED,
 214     // The process is launched and connected to our IPC channel.  All
 215     // is well.
 216     PROCESS_CONNECTED,
 217     PROCESS_ERROR
 218   } mProcessState;
 219
 220   void PrepareLaunch();
 221
 222 #ifdef XP_WIN
 223   void InitWindowsGroupID();
 224   nsString mGroupId;
 225
 226 #  ifdef MOZ_SANDBOX
 227   RefPtr<AbstractSandboxBroker> mSandboxBroker;
 228   std::vector<std::wstring> mAllowedFilesRead;
 229   bool mEnableSandboxLogging;
 230   int32_t mSandboxLevel;
 231 #  endif
 232 #endif  // XP_WIN
 233
 234   ProcessHandle mChildProcessHandle;
 235 #if defined(OS_MACOSX)
 236   task_t mChildTask;
 237 #endif
 238   RefPtr<ProcessHandlePromise> mHandlePromise;
 239
 240 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
 241   bool mDisableOSActivityMode;
 242 #endif
 243
 244   bool OpenPrivilegedHandle(base::ProcessId aPid);
 245
 246 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
 247   // Override this method to return true to launch the child process
 248   // using the Mac utility (by default) sandbox. Override
 249   // FillMacSandboxInfo() to change the sandbox type and settings.
 250   virtual bool IsMacSandboxLaunchEnabled() { return false; }
 251
 252   // Fill a MacSandboxInfo to configure the sandbox
 253   virtual bool FillMacSandboxInfo(MacSandboxInfo& aInfo);
 254
 255   // Adds the command line arguments needed to enable
 256   // sandboxing of the child process at startup before
 257   // the child event loop is up.
 258   virtual bool AppendMacSandboxParams(StringVector& aArgs);
 259 #endif
 260
 261  private:
 262   DISALLOW_EVIL_CONSTRUCTORS(GeckoChildProcessHost);
 263
 264   // Removes the instance from sGeckoChildProcessHosts
 265   void RemoveFromProcessList();
 266
 267   // In between launching the subprocess and handing off its IPC
 268   // channel, there's a small window of time in which *we* might still
 269   // be the channel listener, and receive messages.  That's bad
 270   // because we have no idea what to do with those messages.  So queue
 271   // them here until we hand off the eventual listener.
 272   //
 273   // FIXME/cjones: this strongly indicates bad design.  Shame on us.
 274   std::queue<IPC::Message> mQueue;
 275
 276   // Linux-Only. Set this up before we're called from a different thread.
 277   nsCString mTmpDirName;
 278   // Mac and Windows. Set this up before we're called from a different thread.
 279   nsCOMPtr<nsIFile> mProfileDir;
 280
 281   mozilla::Atomic<bool> mDestroying;
 282
 283   static uint32_t sNextUniqueID;
 284   static StaticAutoPtr<LinkedList<GeckoChildProcessHost>>
 285       sGeckoChildProcessHosts;
 286 #ifdef XP_WIN
 287   static StaticAutoPtr<Buffer<IMAGE_THUNK_DATA>> sCachedNtDllThunk;
 288 #endif
 289   static StaticMutex sMutex;
 290 };
 291
 292 nsCOMPtr<nsIEventTarget> GetIPCLauncher();
 293
 294 } /* namespace ipc */
 295 } /* namespace mozilla */
 296
 297 #endif /* __IPC_GLUE_GECKOCHILDPROCESSHOST_H__ */