ipc/glue/GeckoChildProcessHost.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef __IPC_GLUE_GECKOCHILDPROCESSHOST_H__
   8 #define __IPC_GLUE_GECKOCHILDPROCESSHOST_H__
   9
  10 #include "base/file_path.h"
  11 #include "base/process_util.h"
  12 #include "base/waitable_event.h"
  13 #include "chrome/common/child_process_host.h"
  14 #include "chrome/common/ipc_message.h"
  15 #include "mojo/core/ports/port_ref.h"
  16
  17 #include "mozilla/ipc/Endpoint.h"
  18 #include "mozilla/ipc/FileDescriptor.h"
  19 #include "mozilla/ipc/NodeChannel.h"
  20 #include "mozilla/ipc/ScopedPort.h"
  21 #include "mozilla/Atomics.h"
  22 #include "mozilla/Buffer.h"
  23 #include "mozilla/LinkedList.h"
  24 #include "mozilla/Monitor.h"
  25 #include "mozilla/MozPromise.h"
  26 #include "mozilla/StaticMutex.h"
  27 #include "mozilla/StaticPtr.h"
  28 #include "mozilla/UniquePtr.h"
  29
  30 #include "nsCOMPtr.h"
  31 #include "nsExceptionHandler.h"
  32 #include "nsXULAppAPI.h"  // for GeckoProcessType
  33 #include "nsString.h"
  34
  35 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
  36 #  include "sandboxBroker.h"
  37 #endif
  38
  39 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
  40 #  include "mozilla/Sandbox.h"
  41 #endif
  42
  43 #if defined(MOZ_SANDBOX)
  44 #  include "mozilla/ipc/UtilityProcessSandboxing.h"
  45 #endif
  46
  47 struct _MacSandboxInfo;
  48 typedef _MacSandboxInfo MacSandboxInfo;
  49
  50 namespace mozilla {
  51 namespace ipc {
  52
  53 struct LaunchError {};
  54 typedef mozilla::MozPromise<base::ProcessHandle, LaunchError, false>
  55     ProcessHandlePromise;
  56
  57 class GeckoChildProcessHost : public ChildProcessHost,
  58                               public LinkedListElement<GeckoChildProcessHost> {
  59  protected:
  60   typedef mozilla::Monitor Monitor;
  61   typedef std::vector<std::string> StringVector;
  62
  63  public:
  64   typedef base::ProcessHandle ProcessHandle;
  65
  66   explicit GeckoChildProcessHost(GeckoProcessType aProcessType,
  67                                  bool aIsFileContent = false);
  68
  69   // Causes the object to be deleted, on the I/O thread, after any
  70   // pending asynchronous work (like launching) is complete.  This
  71   // method can be called from any thread.  If called from the I/O
  72   // thread itself, deletion won't happen until the event loop spins;
  73   // otherwise, it could happen immediately.
  74   //
  75   // GeckoChildProcessHost instances must not be deleted except
  76   // through this method.
  77   void Destroy();
  78
  79   static uint32_t GetUniqueID();
  80
  81   // Call this before launching to set an environment variable for the
  82   // child process.  The arguments must be UTF-8.
  83   void SetEnv(const char* aKey, const char* aValue);
  84
  85   // Does not block.  The IPC channel may not be initialized yet, and
  86   // the child process may or may not have been created when this
  87   // method returns.
  88   bool AsyncLaunch(StringVector aExtraOpts = StringVector());
  89
  90   virtual bool WaitUntilConnected(int32_t aTimeoutMs = 0);
  91
  92   // Block until the IPC channel for our subprocess is initialized and
  93   // the OS process is created.  The subprocess may or may not have
  94   // connected back to us when this method returns.
  95   //
  96   // NB: on POSIX, this method is relatively cheap, and doesn't
  97   // require disk IO.  On win32 however, it requires at least the
  98   // analogue of stat().  This difference induces a semantic
  99   // difference in this method: on POSIX, when we return, we know the
 100   // subprocess has been created, but we don't know whether its
 101   // executable image can be loaded.  On win32, we do know that when
 102   // we return.  But we don't know if dynamic linking succeeded on
 103   // either platform.
 104   bool LaunchAndWaitForProcessHandle(StringVector aExtraOpts = StringVector());
 105   bool WaitForProcessHandle();
 106
 107   // Block until the child process has been created and it connects to
 108   // the IPC channel, meaning it's fully initialized.  (Or until an
 109   // error occurs.)
 110   bool SyncLaunch(StringVector aExtraOpts = StringVector(),
 111                   int32_t timeoutMs = 0);
 112
 113   virtual void OnChannelConnected(base::ProcessId peer_pid) override;
 114   virtual void OnMessageReceived(UniquePtr<IPC::Message> aMsg) override;
 115   virtual void OnChannelError() override;
 116   virtual void GetQueuedMessages(
 117       std::queue<UniquePtr<IPC::Message>>& queue) override;
 118
 119   // Resolves to the process handle when it's available (see
 120   // LaunchAndWaitForProcessHandle); use with AsyncLaunch.
 121   RefPtr<ProcessHandlePromise> WhenProcessHandleReady();
 122
 123   void InitializeChannel(
 124       const std::function<void(IPC::Channel*)>& aChannelReady);
 125
 126   virtual bool CanShutdown() override { return true; }
 127
 128   IPC::Channel* GetChannel() { return channelp(); }
 129   ChannelId GetChannelId() { return channel_id(); }
 130
 131   UntypedEndpoint TakeInitialEndpoint() {
 132     return UntypedEndpoint{PrivateIPDLInterface{}, std::move(mInitialPort),
 133                            mInitialChannelId, base::GetCurrentProcId(),
 134                            base::GetProcId(mChildProcessHandle)};
 135   }
 136
 137   // Returns a "borrowed" handle to the child process - the handle returned
 138   // by this function must not be closed by the caller.
 139   ProcessHandle GetChildProcessHandle() { return mChildProcessHandle; }
 140
 141   GeckoProcessType GetProcessType() { return mProcessType; }
 142
 143 #ifdef XP_MACOSX
 144   task_t GetChildTask() { return mChildTask; }
 145 #endif
 146
 147 #ifdef XP_WIN
 148
 149   void AddHandleToShare(HANDLE aHandle) {
 150     mLaunchOptions->handles_to_inherit.push_back(aHandle);
 151   }
 152 #else
 153   void AddFdToRemap(int aSrcFd, int aDstFd) {
 154     mLaunchOptions->fds_to_remap.push_back(std::make_pair(aSrcFd, aDstFd));
 155   }
 156 #endif
 157
 158   // For bug 943174: Skip the EnsureProcessTerminated call in the destructor.
 159   void SetAlreadyDead();
 160
 161 #if defined(MOZ_SANDBOX) && defined(XP_MACOSX)
 162   // Start the sandbox from the child process.
 163   static bool StartMacSandbox(int aArgc, char** aArgv,
 164                               std::string& aErrorMessage);
 165
 166   // The sandbox type that will be use when sandboxing is
 167   // enabled in the derived class and FillMacSandboxInfo
 168   // has not been overridden.
 169   static MacSandboxType GetDefaultMacSandboxType() {
 170     return MacSandboxType_Utility;
 171   };
 172
 173   // Must be called before the process is launched. Determines if
 174   // child processes will be launched with OS_ACTIVITY_MODE set to
 175   // "disabled" or not. When |mDisableOSActivityMode| is set to true,
 176   // child processes will be launched with OS_ACTIVITY_MODE
 177   // disabled to avoid connection attempts to diagnosticd(8) which are
 178   // blocked in child processes due to sandboxing.
 179   void DisableOSActivityMode();
 180 #endif  // defined(MOZ_SANDBOX) && defined(XP_MACOSX)
 181   typedef std::function<void(GeckoChildProcessHost*)> GeckoProcessCallback;
 182
 183   // Iterates over all instances and calls aCallback with each one of them.
 184   // This method will lock any addition/removal of new processes
 185   // so you need to make sure the callback is as fast as possible.
 186   //
 187   // To reiterate: the callbacks are executed synchronously.
 188   static void GetAll(const GeckoProcessCallback& aCallback);
 189
 190   friend class BaseProcessLauncher;
 191   friend class PosixProcessLauncher;
 192   friend class WindowsProcessLauncher;
 193
 194  protected:
 195   ~GeckoChildProcessHost();
 196   GeckoProcessType mProcessType;
 197   bool mIsFileContent;
 198   Monitor mMonitor;
 199   FilePath mProcessPath;
 200   // GeckoChildProcessHost holds the launch options so they can be set
 201   // up on the main thread using main-thread-only APIs like prefs, and
 202   // then used for the actual launch on another thread.  This pointer
 203   // is set to null to free the options after the child is launched.
 204   UniquePtr<base::LaunchOptions> mLaunchOptions;
 205   ScopedPort mInitialPort;
 206   nsID mInitialChannelId;
 207   RefPtr<NodeController> mNodeController;
 208   RefPtr<NodeChannel> mNodeChannel;
 209
 210   // This value must be accessed while holding mMonitor.
 211   enum {
 212     // This object has been constructed, but the OS process has not
 213     // yet.
 214     CREATING_CHANNEL = 0,
 215     // The IPC channel for our subprocess has been created, but the OS
 216     // process has still not been created.
 217     CHANNEL_INITIALIZED,
 218     // The OS process has been created, but it hasn't yet connected to
 219     // our IPC channel.
 220     PROCESS_CREATED,
 221     // The process is launched and connected to our IPC channel.  All
 222     // is well.
 223     PROCESS_CONNECTED,
 224     PROCESS_ERROR
 225   } mProcessState MOZ_GUARDED_BY(mMonitor);
 226
 227   void PrepareLaunch();
 228
 229 #ifdef XP_WIN
 230   void InitWindowsGroupID();
 231   nsString mGroupId;
 232   CrashReporter::WindowsErrorReportingData mWerData;
 233 #  ifdef MOZ_SANDBOX
 234   RefPtr<AbstractSandboxBroker> mSandboxBroker;
 235   std::vector<std::wstring> mAllowedFilesRead;
 236   bool mEnableSandboxLogging;
 237   int32_t mSandboxLevel;
 238 #  endif
 239 #endif  // XP_WIN
 240
 241 #if defined(MOZ_SANDBOX)
 242   SandboxingKind mSandbox;
 243 #endif
 244
 245   ProcessHandle mChildProcessHandle;
 246 #if defined(OS_MACOSX)
 247   task_t mChildTask;
 248 #endif
 249   RefPtr<ProcessHandlePromise> mHandlePromise;
 250
 251 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
 252   bool mDisableOSActivityMode;
 253 #endif
 254
 255   bool OpenPrivilegedHandle(base::ProcessId aPid);
 256
 257 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
 258   // Override this method to return true to launch the child process
 259   // using the Mac utility (by default) sandbox. Override
 260   // FillMacSandboxInfo() to change the sandbox type and settings.
 261   virtual bool IsMacSandboxLaunchEnabled() { return false; }
 262
 263   // Fill a MacSandboxInfo to configure the sandbox
 264   virtual bool FillMacSandboxInfo(MacSandboxInfo& aInfo);
 265
 266   // Adds the command line arguments needed to enable
 267   // sandboxing of the child process at startup before
 268   // the child event loop is up.
 269   virtual bool AppendMacSandboxParams(StringVector& aArgs);
 270 #endif
 271
 272  private:
 273   DISALLOW_EVIL_CONSTRUCTORS(GeckoChildProcessHost);
 274
 275   // Removes the instance from sGeckoChildProcessHosts
 276   void RemoveFromProcessList();
 277
 278   // In between launching the subprocess and handing off its IPC
 279   // channel, there's a small window of time in which *we* might still
 280   // be the channel listener, and receive messages.  That's bad
 281   // because we have no idea what to do with those messages.  So queue
 282   // them here until we hand off the eventual listener.
 283   //
 284   // FIXME/cjones: this strongly indicates bad design.  Shame on us.
 285   std::queue<UniquePtr<IPC::Message>> mQueue;
 286
 287   // Linux-Only. Set this up before we're called from a different thread.
 288   nsCString mTmpDirName;
 289   // Mac and Windows. Set this up before we're called from a different thread.
 290   nsCOMPtr<nsIFile> mProfileDir;
 291
 292   mozilla::Atomic<bool> mDestroying;
 293
 294   static uint32_t sNextUniqueID;
 295   static StaticAutoPtr<LinkedList<GeckoChildProcessHost>>
 296       sGeckoChildProcessHosts MOZ_GUARDED_BY(sMutex);
 297   static StaticMutex sMutex;
 298 };
 299
 300 nsCOMPtr<nsIEventTarget> GetIPCLauncher();
 301
 302 } /* namespace ipc */
 303 } /* namespace mozilla */
 304
 305 #endif /* __IPC_GLUE_GECKOCHILDPROCESSHOST_H__ */