1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "content/browser/ppapi_plugin_process_host.h" 6 7 #include <string> 8 9 #include "base/base_switches.h" 10 #include "base/command_line.h" 11 #include "base/files/file_path.h" 12 #include "base/metrics/field_trial.h" 13 #include "base/strings/utf_string_conversions.h" 14 #include "content/browser/browser_child_process_host_impl.h" 15 #include "content/browser/plugin_service_impl.h" 16 #include "content/browser/renderer_host/render_message_filter.h" 17 #include "content/common/child_process_host_impl.h" 18 #include "content/common/child_process_messages.h" 19 #include "content/public/browser/content_browser_client.h" 20 #include "content/public/common/content_constants.h" 21 #include "content/public/common/content_switches.h" 22 #include "content/public/common/pepper_plugin_info.h" 23 #include "content/public/common/process_type.h" 24 #include "content/public/common/sandboxed_process_launcher_delegate.h" 25 #include "ipc/ipc_switches.h" 26 #include "net/base/network_change_notifier.h" 27 #include "ppapi/proxy/ppapi_messages.h" 28 #include "ui/base/ui_base_switches.h" 29 30 #if defined(OS_WIN) 31 #include "content/common/sandbox_win.h" 32 #include "sandbox/win/src/sandbox_policy.h" 33 #endif 34 35 namespace content { 36 37 // NOTE: changes to this class need to be reviewed by the security team. 38 class PpapiPluginSandboxedProcessLauncherDelegate 39 : public content::SandboxedProcessLauncherDelegate { 40 public: 41 PpapiPluginSandboxedProcessLauncherDelegate(bool is_broker, 42 const PepperPluginInfo& info, 43 ChildProcessHost* host) 44 : 45 #if defined(OS_POSIX) 46 info_(info), 47 ipc_fd_(host->TakeClientFileDescriptor()), 48 #endif // OS_POSIX 49 is_broker_(is_broker) {} 50 51 virtual ~PpapiPluginSandboxedProcessLauncherDelegate() {} 52 53 #if defined(OS_WIN) 54 virtual bool ShouldSandbox() OVERRIDE { 55 return !is_broker_; 56 } 57 58 virtual void PreSpawnTarget(sandbox::TargetPolicy* policy, 59 bool* success) { 60 if (is_broker_) 61 return; 62 // The Pepper process as locked-down as a renderer execpt that it can 63 // create the server side of chrome pipes. 64 sandbox::ResultCode result; 65 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, 66 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, 67 L"\\\\.\\pipe\\chrome.*"); 68 *success = (result == sandbox::SBOX_ALL_OK); 69 } 70 71 #elif defined(OS_POSIX) 72 virtual bool ShouldUseZygote() OVERRIDE { 73 const base::CommandLine& browser_command_line = 74 *base::CommandLine::ForCurrentProcess(); 75 base::CommandLine::StringType plugin_launcher = browser_command_line 76 .GetSwitchValueNative(switches::kPpapiPluginLauncher); 77 return !is_broker_ && plugin_launcher.empty() && info_.is_sandboxed; 78 } 79 virtual int GetIpcFd() OVERRIDE { 80 return ipc_fd_; 81 } 82 #endif // OS_WIN 83 84 private: 85 #if defined(OS_POSIX) 86 const PepperPluginInfo& info_; 87 int ipc_fd_; 88 #endif // OS_POSIX 89 bool is_broker_; 90 91 DISALLOW_COPY_AND_ASSIGN(PpapiPluginSandboxedProcessLauncherDelegate); 92 }; 93 94 class PpapiPluginProcessHost::PluginNetworkObserver 95 : public net::NetworkChangeNotifier::IPAddressObserver, 96 public net::NetworkChangeNotifier::ConnectionTypeObserver { 97 public: 98 explicit PluginNetworkObserver(PpapiPluginProcessHost* process_host) 99 : process_host_(process_host) { 100 net::NetworkChangeNotifier::AddIPAddressObserver(this); 101 net::NetworkChangeNotifier::AddConnectionTypeObserver(this); 102 } 103 104 virtual ~PluginNetworkObserver() { 105 net::NetworkChangeNotifier::RemoveConnectionTypeObserver(this); 106 net::NetworkChangeNotifier::RemoveIPAddressObserver(this); 107 } 108 109 // IPAddressObserver implementation. 110 virtual void OnIPAddressChanged() OVERRIDE { 111 // TODO(brettw) bug 90246: This doesn't seem correct. The online/offline 112 // notification seems like it should be sufficient, but I don't see that 113 // when I unplug and replug my network cable. Sending this notification when 114 // "something" changes seems to make Flash reasonably happy, but seems 115 // wrong. We should really be able to provide the real online state in 116 // OnConnectionTypeChanged(). 117 process_host_->Send(new PpapiMsg_SetNetworkState(true)); 118 } 119 120 // ConnectionTypeObserver implementation. 121 virtual void OnConnectionTypeChanged( 122 net::NetworkChangeNotifier::ConnectionType type) OVERRIDE { 123 process_host_->Send(new PpapiMsg_SetNetworkState( 124 type != net::NetworkChangeNotifier::CONNECTION_NONE)); 125 } 126 127 private: 128 PpapiPluginProcessHost* const process_host_; 129 }; 130 131 PpapiPluginProcessHost::~PpapiPluginProcessHost() { 132 DVLOG(1) << "PpapiPluginProcessHost" << (is_broker_ ? "[broker]" : "") 133 << "~PpapiPluginProcessHost()"; 134 CancelRequests(); 135 } 136 137 // static 138 PpapiPluginProcessHost* PpapiPluginProcessHost::CreatePluginHost( 139 const PepperPluginInfo& info, 140 const base::FilePath& profile_data_directory) { 141 PpapiPluginProcessHost* plugin_host = new PpapiPluginProcessHost( 142 info, profile_data_directory); 143 DCHECK(plugin_host); 144 if (plugin_host->Init(info)) 145 return plugin_host; 146 147 NOTREACHED(); // Init is not expected to fail. 148 return NULL; 149 } 150 151 // static 152 PpapiPluginProcessHost* PpapiPluginProcessHost::CreateBrokerHost( 153 const PepperPluginInfo& info) { 154 PpapiPluginProcessHost* plugin_host = 155 new PpapiPluginProcessHost(); 156 if (plugin_host->Init(info)) 157 return plugin_host; 158 159 NOTREACHED(); // Init is not expected to fail. 160 return NULL; 161 } 162 163 // static 164 void PpapiPluginProcessHost::DidCreateOutOfProcessInstance( 165 int plugin_process_id, 166 int32 pp_instance, 167 const PepperRendererInstanceData& instance_data) { 168 for (PpapiPluginProcessHostIterator iter; !iter.Done(); ++iter) { 169 if (iter->process_.get() && 170 iter->process_->GetData().id == plugin_process_id) { 171 // Found the plugin. 172 iter->host_impl_->AddInstance(pp_instance, instance_data); 173 return; 174 } 175 } 176 // We'll see this passed with a 0 process ID for the browser tag stuff that 177 // is currently in the process of being removed. 178 // 179 // TODO(brettw) When old browser tag impl is removed 180 // (PepperPluginDelegateImpl::CreateBrowserPluginModule passes a 0 plugin 181 // process ID) this should be converted to a NOTREACHED(). 182 DCHECK(plugin_process_id == 0) 183 << "Renderer sent a bad plugin process host ID"; 184 } 185 186 // static 187 void PpapiPluginProcessHost::DidDeleteOutOfProcessInstance( 188 int plugin_process_id, 189 int32 pp_instance) { 190 for (PpapiPluginProcessHostIterator iter; !iter.Done(); ++iter) { 191 if (iter->process_.get() && 192 iter->process_->GetData().id == plugin_process_id) { 193 // Found the plugin. 194 iter->host_impl_->DeleteInstance(pp_instance); 195 return; 196 } 197 } 198 // Note: It's possible that the plugin process has already been deleted by 199 // the time this message is received. For example, it could have crashed. 200 // That's OK, we can just ignore this message. 201 } 202 203 // static 204 void PpapiPluginProcessHost::FindByName( 205 const base::string16& name, 206 std::vector<PpapiPluginProcessHost*>* hosts) { 207 for (PpapiPluginProcessHostIterator iter; !iter.Done(); ++iter) { 208 if (iter->process_.get() && iter->process_->GetData().name == name) 209 hosts->push_back(*iter); 210 } 211 } 212 213 bool PpapiPluginProcessHost::Send(IPC::Message* message) { 214 return process_->Send(message); 215 } 216 217 void PpapiPluginProcessHost::OpenChannelToPlugin(Client* client) { 218 if (process_->GetHost()->IsChannelOpening()) { 219 // The channel is already in the process of being opened. Put 220 // this "open channel" request into a queue of requests that will 221 // be run once the channel is open. 222 pending_requests_.push_back(client); 223 return; 224 } 225 226 // We already have an open channel, send a request right away to plugin. 227 RequestPluginChannel(client); 228 } 229 230 PpapiPluginProcessHost::PpapiPluginProcessHost( 231 const PepperPluginInfo& info, 232 const base::FilePath& profile_data_directory) 233 : profile_data_directory_(profile_data_directory), 234 is_broker_(false) { 235 uint32 base_permissions = info.permissions; 236 237 // We don't have to do any whitelisting for APIs in this process host, so 238 // don't bother passing a browser context or document url here. 239 if (GetContentClient()->browser()->IsPluginAllowedToUseDevChannelAPIs( 240 NULL, GURL())) 241 base_permissions |= ppapi::PERMISSION_DEV_CHANNEL; 242 permissions_ = ppapi::PpapiPermissions::GetForCommandLine(base_permissions); 243 244 process_.reset(new BrowserChildProcessHostImpl( 245 PROCESS_TYPE_PPAPI_PLUGIN, this)); 246 247 host_impl_.reset(new BrowserPpapiHostImpl(this, permissions_, info.name, 248 info.path, profile_data_directory, 249 false /* in_process */, 250 false /* external_plugin */)); 251 252 filter_ = new PepperMessageFilter(); 253 process_->AddFilter(filter_.get()); 254 process_->GetHost()->AddFilter(host_impl_->message_filter().get()); 255 256 GetContentClient()->browser()->DidCreatePpapiPlugin(host_impl_.get()); 257 258 // Only request network status updates if the plugin has dev permissions. 259 if (permissions_.HasPermission(ppapi::PERMISSION_DEV)) 260 network_observer_.reset(new PluginNetworkObserver(this)); 261 } 262 263 PpapiPluginProcessHost::PpapiPluginProcessHost() 264 : is_broker_(true) { 265 process_.reset(new BrowserChildProcessHostImpl( 266 PROCESS_TYPE_PPAPI_BROKER, this)); 267 268 ppapi::PpapiPermissions permissions; // No permissions. 269 // The plugin name, path and profile data directory shouldn't be needed for 270 // the broker. 271 host_impl_.reset(new BrowserPpapiHostImpl(this, permissions, 272 std::string(), base::FilePath(), 273 base::FilePath(), 274 false /* in_process */, 275 false /* external_plugin */)); 276 } 277 278 bool PpapiPluginProcessHost::Init(const PepperPluginInfo& info) { 279 plugin_path_ = info.path; 280 if (info.name.empty()) { 281 process_->SetName(plugin_path_.BaseName().LossyDisplayName()); 282 } else { 283 process_->SetName(base::UTF8ToUTF16(info.name)); 284 } 285 286 std::string channel_id = process_->GetHost()->CreateChannel(); 287 if (channel_id.empty()) { 288 VLOG(1) << "Could not create pepper host channel."; 289 return false; 290 } 291 292 const base::CommandLine& browser_command_line = 293 *base::CommandLine::ForCurrentProcess(); 294 base::CommandLine::StringType plugin_launcher = 295 browser_command_line.GetSwitchValueNative(switches::kPpapiPluginLauncher); 296 297 #if defined(OS_LINUX) 298 int flags = plugin_launcher.empty() ? ChildProcessHost::CHILD_ALLOW_SELF : 299 ChildProcessHost::CHILD_NORMAL; 300 #else 301 int flags = ChildProcessHost::CHILD_NORMAL; 302 #endif 303 base::FilePath exe_path = ChildProcessHost::GetChildPath(flags); 304 if (exe_path.empty()) { 305 VLOG(1) << "Pepper plugin exe path is empty."; 306 return false; 307 } 308 309 base::CommandLine* cmd_line = new base::CommandLine(exe_path); 310 cmd_line->AppendSwitchASCII(switches::kProcessType, 311 is_broker_ ? switches::kPpapiBrokerProcess 312 : switches::kPpapiPluginProcess); 313 cmd_line->AppendSwitchASCII(switches::kProcessChannelID, channel_id); 314 315 // These switches are forwarded to both plugin and broker pocesses. 316 static const char* kCommonForwardSwitches[] = { 317 switches::kVModule 318 }; 319 cmd_line->CopySwitchesFrom(browser_command_line, kCommonForwardSwitches, 320 arraysize(kCommonForwardSwitches)); 321 322 if (!is_broker_) { 323 static const char* kPluginForwardSwitches[] = { 324 switches::kDisableSeccompFilterSandbox, 325 #if defined(OS_MACOSX) 326 switches::kEnableSandboxLogging, 327 #endif 328 switches::kNoSandbox, 329 switches::kPpapiStartupDialog, 330 }; 331 cmd_line->CopySwitchesFrom(browser_command_line, kPluginForwardSwitches, 332 arraysize(kPluginForwardSwitches)); 333 334 // Copy any flash args over and introduce field trials if necessary. 335 // TODO(vtl): Stop passing flash args in the command line, or windows is 336 // going to explode. 337 std::string field_trial = 338 base::FieldTrialList::FindFullName(kFlashHwVideoDecodeFieldTrialName); 339 std::string existing_args = 340 browser_command_line.GetSwitchValueASCII(switches::kPpapiFlashArgs); 341 if (field_trial == kFlashHwVideoDecodeFieldTrialEnabledName) { 342 // Arguments passed to Flash are comma delimited. 343 if (!existing_args.empty()) 344 existing_args.append(","); 345 existing_args.append("enable_hw_video_decode=1"); 346 } 347 cmd_line->AppendSwitchASCII(switches::kPpapiFlashArgs, existing_args); 348 } 349 350 std::string locale = GetContentClient()->browser()->GetApplicationLocale(); 351 if (!locale.empty()) { 352 // Pass on the locale so the plugin will know what language we're using. 353 cmd_line->AppendSwitchASCII(switches::kLang, locale); 354 } 355 356 if (!plugin_launcher.empty()) 357 cmd_line->PrependWrapper(plugin_launcher); 358 359 // On posix, never use the zygote for the broker. Also, only use the zygote if 360 // the plugin is sandboxed, and we are not using a plugin launcher - having a 361 // plugin launcher means we need to use another process instead of just 362 // forking the zygote. 363 #if defined(OS_POSIX) 364 if (!info.is_sandboxed) 365 cmd_line->AppendSwitchASCII(switches::kNoSandbox, std::string()); 366 #endif // OS_POSIX 367 process_->Launch( 368 new PpapiPluginSandboxedProcessLauncherDelegate(is_broker_, 369 info, 370 process_->GetHost()), 371 cmd_line); 372 return true; 373 } 374 375 void PpapiPluginProcessHost::RequestPluginChannel(Client* client) { 376 base::ProcessHandle process_handle; 377 int renderer_child_id; 378 client->GetPpapiChannelInfo(&process_handle, &renderer_child_id); 379 380 base::ProcessId process_id = (process_handle == base::kNullProcessHandle) ? 381 0 : base::GetProcId(process_handle); 382 383 // We can't send any sync messages from the browser because it might lead to 384 // a hang. See the similar code in PluginProcessHost for more description. 385 PpapiMsg_CreateChannel* msg = new PpapiMsg_CreateChannel( 386 process_id, renderer_child_id, client->OffTheRecord()); 387 msg->set_unblock(true); 388 if (Send(msg)) { 389 sent_requests_.push(client); 390 } else { 391 client->OnPpapiChannelOpened(IPC::ChannelHandle(), base::kNullProcessId, 0); 392 } 393 } 394 395 void PpapiPluginProcessHost::OnProcessLaunched() { 396 VLOG(2) << "ppapi plugin process launched."; 397 host_impl_->set_plugin_process_handle(process_->GetHandle()); 398 } 399 400 void PpapiPluginProcessHost::OnProcessCrashed(int exit_code) { 401 VLOG(1) << "ppapi plugin process crashed."; 402 PluginServiceImpl::GetInstance()->RegisterPluginCrash(plugin_path_); 403 } 404 405 bool PpapiPluginProcessHost::OnMessageReceived(const IPC::Message& msg) { 406 bool handled = true; 407 IPC_BEGIN_MESSAGE_MAP(PpapiPluginProcessHost, msg) 408 IPC_MESSAGE_HANDLER(PpapiHostMsg_ChannelCreated, 409 OnRendererPluginChannelCreated) 410 IPC_MESSAGE_UNHANDLED(handled = false) 411 IPC_END_MESSAGE_MAP() 412 DCHECK(handled); 413 return handled; 414 } 415 416 // Called when the browser <--> plugin channel has been established. 417 void PpapiPluginProcessHost::OnChannelConnected(int32 peer_pid) { 418 // This will actually load the plugin. Errors will actually not be reported 419 // back at this point. Instead, the plugin will fail to establish the 420 // connections when we request them on behalf of the renderer(s). 421 Send(new PpapiMsg_LoadPlugin(plugin_path_, permissions_)); 422 423 // Process all pending channel requests from the renderers. 424 for (size_t i = 0; i < pending_requests_.size(); i++) 425 RequestPluginChannel(pending_requests_[i]); 426 pending_requests_.clear(); 427 } 428 429 // Called when the browser <--> plugin channel has an error. This normally 430 // means the plugin has crashed. 431 void PpapiPluginProcessHost::OnChannelError() { 432 VLOG(1) << "PpapiPluginProcessHost" << (is_broker_ ? "[broker]" : "") 433 << "::OnChannelError()"; 434 // We don't need to notify the renderers that were communicating with the 435 // plugin since they have their own channels which will go into the error 436 // state at the same time. Instead, we just need to notify any renderers 437 // that have requested a connection but have not yet received one. 438 CancelRequests(); 439 } 440 441 void PpapiPluginProcessHost::CancelRequests() { 442 DVLOG(1) << "PpapiPluginProcessHost" << (is_broker_ ? "[broker]" : "") 443 << "CancelRequests()"; 444 for (size_t i = 0; i < pending_requests_.size(); i++) { 445 pending_requests_[i]->OnPpapiChannelOpened(IPC::ChannelHandle(), 446 base::kNullProcessId, 0); 447 } 448 pending_requests_.clear(); 449 450 while (!sent_requests_.empty()) { 451 sent_requests_.front()->OnPpapiChannelOpened(IPC::ChannelHandle(), 452 base::kNullProcessId, 0); 453 sent_requests_.pop(); 454 } 455 } 456 457 // Called when a new plugin <--> renderer channel has been created. 458 void PpapiPluginProcessHost::OnRendererPluginChannelCreated( 459 const IPC::ChannelHandle& channel_handle) { 460 if (sent_requests_.empty()) 461 return; 462 463 // All requests should be processed FIFO, so the next item in the 464 // sent_requests_ queue should be the one that the plugin just created. 465 Client* client = sent_requests_.front(); 466 sent_requests_.pop(); 467 468 const ChildProcessData& data = process_->GetData(); 469 client->OnPpapiChannelOpened(channel_handle, base::GetProcId(data.handle), 470 data.id); 471 } 472 473 } // namespace content 474
