1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
|
// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/network_sandbox.h"
#include "base/dcheck_is_on.h"
#include "base/files/file_util.h"
#include "base/logging.h"
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/notreached.h"
#include "base/task/thread_pool.h"
#include "base/trace_event/base_tracing.h"
#include "build/build_config.h"
#include "content/browser/network_sandbox_grant_result.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/network_service_util.h"
#include "content/public/common/content_client.h"
#include "sql/database.h"
#if BUILDFLAG(IS_WIN)
#include <windows.h>
#include "base/win/security_util.h"
#include "base/win/sid.h"
#include "content/common/features.h"
#include "sandbox/policy/features.h"
#endif // BUILDFLAG(IS_WIN)
namespace content {
namespace {
// A filename that represents that the data contained within `data_directory`
// has been migrated successfully and the data in `unsandboxed_data_path` is now
// invalid.
const base::FilePath::CharType kCheckpointFileName[] =
FILE_PATH_LITERAL("NetworkDataMigrated");
// A platform specific set of parameters that is used when granting the sandbox
// access to the network context data.
struct SandboxParameters {
#if BUILDFLAG(IS_WIN)
std::wstring lpac_capability_name;
#if DCHECK_IS_ON()
bool sandbox_enabled;
#endif // DCHECK_IS_ON()
#endif // BUILDFLAG(IS_WIN)
};
// Deletes the old data for a data file called `filename` from `old_path`. If
// `file_path` refers to an SQL database then `is_sql` should be set to true,
// and the journal file will also be deleted.
//
// Returns SandboxGrantResult::kSuccess if the all delete operations completed
// successfully. Returns SandboxGrantResult::kFailedToDeleteData if a file could
// not be deleted.
SandboxGrantResult MaybeDeleteOldData(
const base::FilePath& old_path,
const std::optional<base::FilePath>& filename,
bool is_sql) {
// The path to the specific data file might not have been specified in the
// network context params. In that case, nothing to delete.
if (!filename.has_value())
return SandboxGrantResult::kSuccess;
// Check old path exists, and is a directory.
DCHECK(base::DirectoryExists(old_path));
base::FilePath old_file_path = old_path.Append(*filename);
SandboxGrantResult last_error = SandboxGrantResult::kSuccess;
// File might have already been deleted, or simply does not exist yet.
if (base::PathExists(old_file_path)) {
if (!base::DeleteFile(old_file_path)) {
PLOG(ERROR) << "Failed to delete file " << old_file_path;
// Continue on error.
last_error = SandboxGrantResult::kFailedToDeleteOldData;
}
}
if (!is_sql)
return last_error;
base::FilePath old_journal_path = sql::Database::JournalPath(old_file_path);
// There might not be a journal file, or it's already been deleted.
if (!base::PathExists(old_journal_path))
return last_error;
if (base::PathExists(old_journal_path)) {
if (!base::DeleteFile(old_journal_path)) {
PLOG(ERROR) << "Failed to delete file " << old_journal_path;
// Continue on error.
last_error = SandboxGrantResult::kFailedToDeleteOldData;
}
}
return last_error;
}
// Copies data file called `filename` from `old_path` to `new_path` (which must
// both be directories). If `file_path` refers to an SQL database then `is_sql`
// should be set to true, and the journal file will also be migrated.
// Destination files will be overwritten if they exist already.
//
// Returns SandboxGrantResult::kSuccess if the operation completed successfully.
// Returns SandboxGrantResult::kFailedToCopyData if a file could not be copied.
SandboxGrantResult MaybeCopyData(const base::FilePath& old_path,
const base::FilePath& new_path,
const std::optional<base::FilePath>& filename,
bool is_sql) {
// The path to the specific data file might not have been specified in the
// network context params. In that case, no files need to be moved.
if (!filename.has_value())
return SandboxGrantResult::kSuccess;
// Check both paths exist, and are directories.
DCHECK(base::DirectoryExists(old_path) && base::DirectoryExists(new_path));
base::FilePath old_file_path = old_path.Append(*filename);
base::FilePath new_file_path = new_path.Append(*filename);
// Note that this code will overwrite the new file with the old file even if
// it exists already.
if (base::PathExists(old_file_path)) {
// Delete file to make sure that inherited permissions are set on the new
// file.
base::DeleteFile(new_file_path);
if (!base::CopyFile(old_file_path, new_file_path)) {
PLOG(ERROR) << "Failed to copy file " << old_file_path << " to "
<< new_file_path;
// Do not attempt to copy journal file if copy of main database file
// fails.
return SandboxGrantResult::kFailedToCopyData;
}
}
if (!is_sql)
return SandboxGrantResult::kSuccess;
base::FilePath old_journal_path = sql::Database::JournalPath(old_file_path);
// There might not be a journal file, or it's already been moved.
if (!base::PathExists(old_journal_path))
return SandboxGrantResult::kSuccess;
base::FilePath new_journal_path = sql::Database::JournalPath(new_file_path);
// Delete file to make sure that inherited permissions are set on the new
// file.
base::DeleteFile(new_journal_path);
if (!base::CopyFile(old_journal_path, new_journal_path)) {
PLOG(ERROR) << "Failed to copy file " << old_journal_path << " to "
<< new_journal_path;
return SandboxGrantResult::kFailedToCopyData;
}
return SandboxGrantResult::kSuccess;
}
// Deletes old data from `unsandboxed_data_path` if a migration operation has
// been successful.
SandboxGrantResult CleanUpOldData(
network::mojom::NetworkContextParams* params) {
// Never delete old data unless the checkpoint file exists.
DCHECK(base::PathExists(
params->file_paths->data_directory.path().Append(kCheckpointFileName)));
SandboxGrantResult last_error = SandboxGrantResult::kSuccess;
SandboxGrantResult result = MaybeDeleteOldData(
*params->file_paths->unsandboxed_data_path,
params->file_paths->cookie_database_name, /*is_sql=*/true);
if (result != SandboxGrantResult::kSuccess)
last_error = result;
result = MaybeDeleteOldData(
*params->file_paths->unsandboxed_data_path,
params->file_paths->http_server_properties_file_name, /*is_sql=*/false);
if (result != SandboxGrantResult::kSuccess)
last_error = result;
result = MaybeDeleteOldData(
*params->file_paths->unsandboxed_data_path,
params->file_paths->transport_security_persister_file_name,
/*is_sql=*/false);
if (result != SandboxGrantResult::kSuccess)
last_error = result;
result = MaybeDeleteOldData(
*params->file_paths->unsandboxed_data_path,
params->file_paths->reporting_and_nel_store_database_name,
/*is_sql=*/true);
if (result != SandboxGrantResult::kSuccess)
last_error = result;
result = MaybeDeleteOldData(*params->file_paths->unsandboxed_data_path,
params->file_paths->trust_token_database_name,
/*is_sql=*/true);
if (result != SandboxGrantResult::kSuccess)
last_error = result;
return last_error;
}
// Grants the sandbox access to the specified `path`, which must be a directory
// that exists. On Windows, the LPAC capability name should be supplied in the
// `sandbox_params` to specify the name of the LPAC capability to be applied to
// the path. On platforms which support directory transfer, the directory is
// opened as a handle which is then sent to the NetworkService.
// Returns true if the sandbox was successfully granted access to the path.
bool MaybeGrantAccessToDataPath(const SandboxParameters& sandbox_params,
network::TransferableDirectory* directory) {
// There is no need to set file permissions if the network service is running
// in-process.
if (IsInProcessNetworkService())
return true;
// Only do this on directories.
if (!base::DirectoryExists(directory->path())) {
return false;
}
#if BUILDFLAG(IS_WIN)
// On platforms that don't support the LPAC sandbox, do nothing.
if (!sandbox::policy::features::IsNetworkSandboxSupported()) {
return true;
}
DCHECK(!sandbox_params.lpac_capability_name.empty());
auto ac_sids = base::win::Sid::FromNamedCapabilityVector(
{sandbox_params.lpac_capability_name});
static constexpr DWORD kAccessMask =
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE;
static constexpr DWORD kInheritance =
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE;
if (base::FeatureList::IsEnabled(
features::kSkipGrantAccessToDataPathIfAlreadySet)) {
// If LPAC capability already has access to the directory then avoid
// granting access again. This is a performance optimization.
if (HasAccessToPath(directory->path(), ac_sids, kAccessMask,
kInheritance)) {
return true;
}
}
// Grant recursive access to directory. This also means new files in the
// directory will inherit the ACE.
return base::win::GrantAccessToPath(directory->path(), ac_sids, kAccessMask,
kInheritance, /*recursive=*/true);
#else
if (directory->IsOpenForTransferRequired()) {
directory->OpenForTransfer();
return true;
}
return true;
#endif // BUILDFLAG(IS_WIN)
}
// See the description in the header file.
//
// This process has a few stages:
// 1. Create and grant the sandbox access to the cache dir.
// 2. If `data_directory` is not specified then the caller is using in-memory
// storage and so there's nothing to do. END.
// 3. If `unsandboxed_data_path` is not specified then the caller is not aware
// of the sandbox or migration, and the steps terminate here with
// `data_directory` used by the network context and END.
// 4. If migration has already taken place, regardless of whether it's requested
// this time, grant the sandbox access to the `data_directory` (since this needs
// to be done every time), and terminate here with `data_directory` being used.
// END.
// 5. If migration is not requested, then terminate here with
// `unsandboxed_data_path` being used. END.
// 6. At this point, migration has been requested and hasn't already happened,
// so begin a migration attempt. If any of these steps fail, then bail out, and
// `unsandboxed_data_path` is used.
// 7. Grant the sandbox access to the `data_directory` (this is done before
// copying the files to use inherited ACLs when copying files on Windows).
// 8. Copy all the data files one by one from the `unsandboxed_data_path` to the
// `data_directory`.
// 9. Once all the files have been copied, lay down the Checkpoint file in the
// `data_directory`.
// 10. Delete all the original files (if they exist) from
// `unsandboxed_data_path`.
SandboxGrantResult MaybeGrantSandboxAccessToNetworkContextData(
const SandboxParameters& sandbox_params,
network::mojom::NetworkContextParams* params) {
DCHECK(!BrowserThread::CurrentlyOn(BrowserThread::UI));
#if BUILDFLAG(IS_WIN)
#if DCHECK_IS_ON()
params->win_permissions_set = true;
#endif
#endif // BUILDFLAG(IS_WIN)
// No file paths (e.g. in-memory context) so nothing to do.
if (!params->file_paths) {
return SandboxGrantResult::kDidNotAttemptToGrantSandboxAccess;
}
// HTTP cache path is special, and not under `data_directory` so must also
// be granted access. Continue attempting to grant access to the other files
// if this part fails.
if (params->file_paths->http_cache_directory && params->http_cache_enabled) {
// The path must exist for the cache ACL to be set. Create if needed.
if (base::CreateDirectory(
params->file_paths->http_cache_directory->path())) {
// Note, this code always grants access to the cache directory even when
// the sandbox is not enabled. This is a optimization (on Windows)
// because by setting the ACL on the directory earlier rather than
// later, it ensures that any new files created by the cache subsystem
// get the inherited ACE rather than having to set them manually later.
SCOPED_UMA_HISTOGRAM_TIMER("NetworkService.TimeToGrantCacheAccess");
TRACE_EVENT("startup", "NetworkSandbox.MaybeGrantAccessToDataPath");
if (!MaybeGrantAccessToDataPath(
sandbox_params, &*params->file_paths->http_cache_directory)) {
PLOG(ERROR) << "Failed to grant sandbox access to cache directory "
<< params->file_paths->http_cache_directory->path();
}
}
}
if (params->file_paths->shared_dictionary_directory &&
params->shared_dictionary_enabled) {
SCOPED_UMA_HISTOGRAM_TIMER(
"NetworkService.TimeToGrantSharedDictionaryAccess");
// The path must exist for the cache ACL to be set. Create if needed.
if (base::CreateDirectory(
params->file_paths->shared_dictionary_directory->path())) {
if (!MaybeGrantAccessToDataPath(
sandbox_params,
&*params->file_paths->shared_dictionary_directory)) {
PLOG(ERROR) << "Failed to grant sandbox access to shared dictionary "
"directory "
<< params->file_paths->shared_dictionary_directory->path();
}
}
}
// No data directory, so rest of the files and databases are in memory.
// Nothing to do.
if (params->file_paths->data_directory.path().empty()) {
return SandboxGrantResult::kDidNotAttemptToGrantSandboxAccess;
}
if (!params->file_paths->unsandboxed_data_path.has_value()) {
#if BUILDFLAG(IS_WIN) && DCHECK_IS_ON()
// On Windows, if network sandbox is enabled then there a migration must
// happen, so a `unsandboxed_data_path` must be specified.
DCHECK(!sandbox_params.sandbox_enabled);
#endif
// Trigger migration should never be requested if `unsandboxed_data_path` is
// not set.
DCHECK(!params->file_paths->trigger_migration);
// Nothing to do here if `unsandboxed_data_path` is not specified.
return SandboxGrantResult::kDidNotAttemptToGrantSandboxAccess;
}
// If these paths are ever the same then this is a mistake, as the file
// permissions will be applied to the top level path which could contain other
// data that should not be accessible by the network sandbox.
DCHECK_NE(params->file_paths->data_directory.path(),
*params->file_paths->unsandboxed_data_path);
// Four cases need to be handled here.
//
// 1. No Checkpoint file, and `trigger_migration` is false: Data is still in
// `unsandboxed_data_path` and sandbox does not need to be granted access. No
// migration happens.
// 2. No Checkpoint file, and `trigger_migration` is true: Data is in
// `unsandboxed_data_path` and needs to be migrated to `data_directory`, and
// the sandbox needs to be granted access to `data_directory`.
// 3. Checkpoint file, and `trigger_migration` is false: Data is in
// `data_directory` (already migrated) and sandbox needs to be granted access
// to `data_directory`.
// 4. Checkpoint file, and `trigger_migration` is true: Data is in
// `data_directory` (already migrated) and sandbox needs to be granted access
// to `data_directory`. This is the same as above and `trigger_migration`
// changes nothing, as it's already happened.
base::FilePath checkpoint_filename =
params->file_paths->data_directory.path().Append(kCheckpointFileName);
bool migration_already_happened = base::PathExists(checkpoint_filename);
// Case 1. above where nothing is done.
if (!params->file_paths->trigger_migration && !migration_already_happened) {
#if BUILDFLAG(IS_WIN) && DCHECK_IS_ON()
// On Windows, if network sandbox is enabled then there a migration must
// happen, so `trigger_migration` must be true, or a migration must have
// already happened.
DCHECK(!sandbox_params.sandbox_enabled);
#endif
return SandboxGrantResult::kNoMigrationRequested;
}
// Create the `data_directory` if necessary so access can be granted to it.
// Note that if a migration has already happened then this does nothing, as
// the directory already exists.
if (!base::CreateDirectory(params->file_paths->data_directory.path())) {
PLOG(ERROR) << "Failed to create network context data directory "
<< params->file_paths->data_directory.path();
// This is a fatal error, if the `data_directory` does not exist then
// migration cannot be attempted. In this case the network context will
// operate using `unsandboxed_data_path` and the migration attempt will be
// retried the next time the same network context is created with
// `trigger_migration` set.
return SandboxGrantResult::kFailedToCreateDataDirectory;
}
{
SCOPED_UMA_HISTOGRAM_TIMER("NetworkService.TimeToGrantDataAccess");
// This must be done on each load of the network context for two
// platform-specific reasons:
//
// 1. On Windows Chrome, the LPAC SID for each channel is different so it is
// possible that this data might be read by a different channel and we need
// to explicitly support that.
// 2. Other platforms such as macOS and Linux need to grant access each time
// as they do not rely on filesystem permissions, but runtime sandbox broker
// permissions.
if (!MaybeGrantAccessToDataPath(sandbox_params,
¶ms->file_paths->data_directory)) {
PLOG(ERROR)
<< "Failed to grant sandbox access to network context data directory "
<< params->file_paths->data_directory.path();
// If migration has already happened there isn't much that can be done
// about this, the data has already moved, but the sandbox might not have
// access.
if (migration_already_happened)
return SandboxGrantResult::kMigrationAlreadySucceededWithNoAccess;
// If migration hasn't happened yet, then fail here, and do not attempt to
// migrate or proceed further. Better to just leave the data where it is.
// In this case `unsandboxed_data_path` will continue to be used and the
// migration attempt will be retried the next time the same network
// context is created with `trigger_migration` set.
return SandboxGrantResult::kFailedToGrantSandboxAccessToData;
}
} // SCOPED_UMA_HISTOGRAM_TIMER
// This covers cases 3. and 4. where a migration has already happened.
if (migration_already_happened) {
// Migration succeeded in an earlier attempt and `data_directory` is valid,
// but clean up any old data that might have failed to delete in the last
// attempt.
SandboxGrantResult cleanup_result = CleanUpOldData(params);
if (cleanup_result != SandboxGrantResult::kSuccess)
return cleanup_result;
return SandboxGrantResult::kMigrationAlreadySucceeded;
}
SandboxGrantResult result;
// Reaching here means case 2. where a migration hasn't yet happened, but it's
// been requested.
//
// Now attempt to migrate the data from the `unsandboxed_data_path` to the new
// `data_directory`. This code can be removed from content once migration has
// taken place.
//
// This code has a three stage process.
// 1. An attempt is made to copy all the data files from the old location to
// the new location.
// 2. A checkpoint file ("NetworkData") is then placed in the new directory to
// mark that the data there is valid and should be used.
// 3. The old files are deleted.
//
// A failure half way through stage 1 or 2 will mean that the old data should
// be used instead of the new data. A failure to delete the files will cause
// a retry attempt next time the same network context is created.
{
// Stage 1: Copy the data files. Note: This might copy files over the top of
// existing files if it was partially successful in an earlier attempt.
SCOPED_UMA_HISTOGRAM_TIMER("NetworkService.TimeToMigrateData");
result = MaybeCopyData(*params->file_paths->unsandboxed_data_path,
params->file_paths->data_directory.path(),
params->file_paths->cookie_database_name,
/*is_sql=*/true);
if (result != SandboxGrantResult::kSuccess)
return result;
result = MaybeCopyData(*params->file_paths->unsandboxed_data_path,
params->file_paths->data_directory.path(),
params->file_paths->http_server_properties_file_name,
/*is_sql=*/false);
if (result != SandboxGrantResult::kSuccess)
return result;
result = MaybeCopyData(
*params->file_paths->unsandboxed_data_path,
params->file_paths->data_directory.path(),
params->file_paths->transport_security_persister_file_name,
/*is_sql=*/false);
if (result != SandboxGrantResult::kSuccess)
return result;
result =
MaybeCopyData(*params->file_paths->unsandboxed_data_path,
params->file_paths->data_directory.path(),
params->file_paths->reporting_and_nel_store_database_name,
/*is_sql=*/true);
if (result != SandboxGrantResult::kSuccess)
return result;
result = MaybeCopyData(*params->file_paths->unsandboxed_data_path,
params->file_paths->data_directory.path(),
params->file_paths->trust_token_database_name,
/*is_sql=*/true);
if (result != SandboxGrantResult::kSuccess)
return result;
// Files all copied successfully. Can now proceed to Stage 2 and write the
// checkpoint filename.
base::File checkpoint_file(
checkpoint_filename,
base::File::FLAG_CREATE_ALWAYS | base::File::FLAG_WRITE);
if (!checkpoint_file.IsValid())
return SandboxGrantResult::kFailedToCreateCheckpointFile;
} // SCOPED_UMA_HISTOGRAM_TIMER
// Double check the checkpoint file is there. This should never happen.
if (!base::PathExists(checkpoint_filename))
return SandboxGrantResult::kFailedToCreateCheckpointFile;
// Success, proceed to Stage 3 and clean up old files.
SandboxGrantResult cleanup_result = CleanUpOldData(params);
if (cleanup_result != SandboxGrantResult::kSuccess)
return cleanup_result;
return SandboxGrantResult::kSuccess;
}
} // namespace
void GrantSandboxAccessOnThreadPool(
network::mojom::NetworkContextParamsPtr params,
base::OnceCallback<void(network::mojom::NetworkContextParamsPtr,
SandboxGrantResult)> result_callback) {
SandboxParameters sandbox_params = {};
#if BUILDFLAG(IS_WIN)
sandbox_params.lpac_capability_name =
GetContentClient()->browser()->GetLPACCapabilityNameForNetworkService();
#if DCHECK_IS_ON()
sandbox_params.sandbox_enabled =
GetContentClient()->browser()->ShouldSandboxNetworkService();
#endif // DCHECK_IS_ON()
#endif // BUILDFLAG(IS_WIN)
base::OnceCallback<SandboxGrantResult()> worker_task =
base::BindOnce(&MaybeGrantSandboxAccessToNetworkContextData,
sandbox_params, params.get());
base::ThreadPool::PostTaskAndReplyWithResult(
FROM_HERE, {base::MayBlock(), base::TaskPriority::USER_BLOCKING},
std::move(worker_task),
base::BindOnce(std::move(result_callback), std::move(params)));
}
} // namespace content
|
