Network Service:Make network service process a privileged process
On Android, regular utility process is sandboxed,
and won't be able to access network.
This CL parses the sandbox type from the commandline,
and make the process a privileged process if the sandbox type is network.
BUG=715630
Change-Id: I5ed3edcf45de13aba838f7bbf3e0faf5e39568fb
Reviewed-on: https://chromium-review.googlesource.com/807152
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Min Qin <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521781}diff --git a/content/public/android/java/src/org/chromium/content/browser/ChildProcessLauncherHelper.java b/content/public/android/java/src/org/chromium/content/browser/ChildProcessLauncherHelper.java
index a883ff4..24489ef 100644
--- a/content/public/android/java/src/org/chromium/content/browser/ChildProcessLauncherHelper.java
+++ b/content/public/android/java/src/org/chromium/content/browser/ChildProcessLauncherHelper.java
@@ -192,6 +192,12 @@
} else {
// We only support sandboxed utility processes now.
assert ContentSwitches.SWITCH_UTILITY_PROCESS.equals(processType);
+
+ // Remove sandbox restriction on network service process.
+ if (ContentSwitches.NETWORK_SANDBOX_TYPE.equals(ContentSwitches.getSwitchValue(
+ commandLine, ContentSwitches.SWITCH_SERVICE_SANDBOX_TYPE))) {
+ sandboxed = false;
+ }
}
}
diff --git a/content/public/android/java/src/org/chromium/content/common/ContentSwitches.java b/content/public/android/java/src/org/chromium/content/common/ContentSwitches.java
index 81b6863..cec7615 100644
--- a/content/public/android/java/src/org/chromium/content/common/ContentSwitches.java
+++ b/content/public/android/java/src/org/chromium/content/common/ContentSwitches.java
@@ -71,6 +71,12 @@
// Native switch kHostResolverRules
public static final String HOST_RESOLVER_RULES = "host-resolver-rules";
+ // Native switch kServiceSandboxType
+ public static final String SWITCH_SERVICE_SANDBOX_TYPE = "service-sandbox-type";
+
+ // Native switch value kNetworkSandbox
+ public static final String NETWORK_SANDBOX_TYPE = "network";
+
// Prevent instantiation.
private ContentSwitches() {}
diff --git a/net/android/java/src/org/chromium/net/X509Util.java b/net/android/java/src/org/chromium/net/X509Util.java
index ff50261..0d362d0 100644
--- a/net/android/java/src/org/chromium/net/X509Util.java
+++ b/net/android/java/src/org/chromium/net/X509Util.java
@@ -17,6 +17,7 @@
import org.chromium.base.ContextUtils;
import org.chromium.base.annotations.JNINamespace;
+import org.chromium.base.metrics.RecordHistogram;
import java.io.ByteArrayInputStream;
import java.io.File;
@@ -243,8 +244,12 @@
// Could not load AndroidCAStore. Continue anyway; isKnownRoot will always
// return false.
}
- if (!sDisableNativeCodeForTest) {
- nativeRecordCertVerifyCapabilitiesHistogram(sSystemKeyStore != null);
+ if (!sDisableNativeCodeForTest
+ && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
+ // Only record the histogram for 4.2 and up. Before 4.2, the platform doesn't
+ // return the certificate chain anyway.
+ RecordHistogram.recordBooleanHistogram(
+ "Net.FoundSystemTrustRootsAndroid", sSystemKeyStore != null);
}
sLoadedSystemKeyStore = true;
}
@@ -561,11 +566,4 @@
* Notify the native net::CertDatabase instance that the system database has been updated.
*/
private static native void nativeNotifyKeyChainChanged();
-
- /**
- * Record histograms on the platform's certificate verification capabilities.
- */
- private static native void nativeRecordCertVerifyCapabilitiesHistogram(
- boolean foundSystemTrustRoots);
-
}
diff --git a/net/cert/x509_util_android.cc b/net/cert/x509_util_android.cc
index 8da297b0..8ee18742 100644
--- a/net/cert/x509_util_android.cc
+++ b/net/cert/x509_util_android.cc
@@ -2,8 +2,6 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#include "base/android/build_info.h"
-#include "base/metrics/histogram_macros.h"
#include "jni/X509Util_jni.h"
#include "net/cert/cert_database.h"
@@ -16,16 +14,4 @@
CertDatabase::GetInstance()->OnAndroidKeyChainChanged();
}
-void JNI_X509Util_RecordCertVerifyCapabilitiesHistogram(
- JNIEnv* env,
- const JavaParamRef<jclass>& clazz,
- jboolean found_system_trust_roots) {
- // Only record the histogram for 4.2 and up. Before 4.2, the platform doesn't
- // return the certificate chain anyway.
- if (base::android::BuildInfo::GetInstance()->sdk_int() >= 17) {
- UMA_HISTOGRAM_BOOLEAN("Net.FoundSystemTrustRootsAndroid",
- found_system_trust_roots);
- }
-}
-
} // namespace net
