authornsylvain@chromium.org <nsylvain@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-02-01 18:53:54 +0000
committernsylvain@chromium.org <nsylvain@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-02-01 18:53:54 +0000
commit20c01928492aca53ee6ba6e1c84a199e889cb74d (patch)
tree826fe8495f69fdb82a1060abc32d64a74350344e
parenta241d488d2b2be5a05149aa41f7920da9049983b (diff)
Make acrobat work with --safe-plugins by giving it write access
to HKCU\Software\Adobe. Since we already have write access to HKCU\Software\Macromedia, I don't believe this makes it any less secure than it already is. We also give it write access to AppData\Adobe. Finally, we also need to let it do a directory listing in c:\users\<user> and c:\users\<user>\AppData, otherwise it crashes. Review URL: http://codereview.chromium.org/554095 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@37719 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--base/base_paths_win.cc6
-rw-r--r--base/base_paths_win.h3
-rw-r--r--chrome/common/sandbox_policy.cc78
3 files changed, 62 insertions, 25 deletions
diff --git a/base/base_paths_win.cc b/base/base_paths_win.cc
index bc8566c..47d7d4a 100644
--- a/base/base_paths_win.cc
+++ b/base/base_paths_win.cc
@@ -80,6 +80,12 @@ bool PathProviderWin(int key, FilePath* result) {
return false;
cur = FilePath(system_buffer);
break;
+ case base::DIR_PROFILE:
+ if (FAILED(SHGetFolderPath(NULL, CSIDL_PROFILE, NULL, SHGFP_TYPE_CURRENT,
+ system_buffer)))
+ return false;
+ cur = FilePath(system_buffer);
+ break;
case base::DIR_LOCAL_APP_DATA_LOW:
if (win_util::GetWinVersion() < win_util::WINVERSION_VISTA) {
return false;
diff --git a/base/base_paths_win.h b/base/base_paths_win.h
index 2e585d9..7cf0314 100644
--- a/base/base_paths_win.h
+++ b/base/base_paths_win.h
@@ -23,7 +23,8 @@ enum {
// Start Menu\Programs"
DIR_START_MENU, // Usually "C:\Documents and Settings\<user>\
// Start Menu\Programs"
- DIR_APP_DATA, // Application Data directory under the user profile.
+ DIR_APP_DATA, // Application Data directory under the user profile.
+ DIR_PROFILE, // Usually "C:\Documents and settings\<user>.
DIR_LOCAL_APP_DATA_LOW, // Local AppData directory for low integrity level.
DIR_LOCAL_APP_DATA, // "Local Settings\Application Data" directory under the
// user profile.
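Review bot: The comment on the new `DIR_PROFILE` enumerator has an unbalanced quote and writes "settings" in lower case where the neighbouring entries write "Settings"; `DIR_PROFILE, // Usually "C:\Documents and Settings\<user>"` matches the surrounding style. It is also the only entry that gives no hint of the Vista-and-later location (C:\Users\<user>), which is the case the commit description actually cares about, so a second clause such as `(C:\Users\<user> on Vista and later)` would help. Inserting the value in the middle of the enum also renumbers every enumerator after it, which is harmless only if these values are never persisted or compared across builds — worth confirming.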
diff --git a/chrome/common/sandbox_policy.cc b/chrome/common/sandbox_policy.cc
index 9e70b08..7acb513 100644
--- a/chrome/common/sandbox_policy.cc
+++ b/chrome/common/sandbox_policy.cc
@@ -106,18 +106,20 @@ PluginPolicyCategory GetPolicyCategoryForPlugin(
return PLUGIN_GROUP_UNTRUSTED;
}
-// Adds the policy rules for the path and path\* with the semantic |access|.
-// We need to add the wildcard rules to also apply the rule to the subfiles
-// and subfolders.
-bool AddDirectoryAndChildren(int path, const wchar_t* sub_dir,
- sandbox::TargetPolicy::Semantics access,
- sandbox::TargetPolicy* policy) {
+// Adds the policy rules for the path and path\ with the semantic |access|.
+// If |children| is set to true, we need to add the wildcard rules to also
+// apply the rule to the subfiles and subfolders.
+bool AddDirectory(int path, const wchar_t* sub_dir, bool children,
+ sandbox::TargetPolicy::Semantics access,
+ sandbox::TargetPolicy* policy) {
std::wstring directory;
if (!PathService::Get(path, &directory))
return false;
- if (sub_dir)
+ if (sub_dir) {
file_util::AppendToPath(&directory, sub_dir);
+ file_util::AbsolutePath(&directory);
+ }
sandbox::ResultCode result;
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, access,
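Review bot: The result of the newly added `file_util::AbsolutePath(&directory)` is discarded, so if normalization fails the un-normalized string is still handed to `policy->AddRule` as a file-system rule; for the `L".."` caller added in the last hunk that string would still contain a `..` component, and what the sandbox then matches is unclear. Because this function decides what an untrusted plugin may open, a failed normalization should fail the rule rather than silently install one: `if (!file_util::AbsolutePath(&directory)) return false;` (assuming AbsolutePath reports failure through a bool return the way `PathService::Get` above does). AddDirectory's body continues into the next hunk.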
@@ -125,7 +127,12 @@ bool AddDirectoryAndChildren(int path, const wchar_t* sub_dir,
if (result != sandbox::SBOX_ALL_OK)
return false;
- file_util::AppendToPath(&directory, L"*");
+ if (children)
+ file_util::AppendToPath(&directory, L"*");
+ else
+ // Add the version of the path that ends with a separator.
+ file_util::AppendToPath(&directory, L"");
+
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, access,
directory.c_str());
if (result != sandbox::SBOX_ALL_OK)
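Review bot: In the new `if (children) ... else ...` the comment sits between `else` and its single statement, which reads as if the comment were the body and invites a bug the first time someone adds a second statement; brace both arms, or move the comment above the `if`. The comment could also say what the empty-component append is for from the rule's point of view, e.g. `// Appending an empty component yields "path\", so the rule also covers opens of the directory itself written with a trailing separator.` — hedged, since AppendToPath's treatment of an empty component is not visible in this hunk. AddDirectory starts in the previous hunk.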
@@ -219,27 +226,42 @@ bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy) {
policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED);
policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
- if (!AddDirectoryAndChildren(base::DIR_TEMP, NULL,
- sandbox::TargetPolicy::FILES_ALLOW_ANY, policy))
+ if (!AddDirectory(base::DIR_TEMP, NULL, true,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY, policy))
+ return false;
+
+ if (!AddDirectory(base::DIR_IE_INTERNET_CACHE, NULL, true,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY, policy))
+ return false;
+
+ if (!AddDirectory(base::DIR_APP_DATA, NULL, true,
+ sandbox::TargetPolicy::FILES_ALLOW_READONLY,
+ policy))
return false;
- if (!AddDirectoryAndChildren(base::DIR_IE_INTERNET_CACHE, NULL,
- sandbox::TargetPolicy::FILES_ALLOW_ANY, policy))
+ if (!AddDirectory(base::DIR_PROFILE, NULL, false, /*not recursive*/
+ sandbox::TargetPolicy::FILES_ALLOW_READONLY,
+ policy))
return false;
- if (!AddDirectoryAndChildren(base::DIR_APP_DATA, NULL,
- sandbox::TargetPolicy::FILES_ALLOW_READONLY,
- policy))
+ if (!AddDirectory(base::DIR_APP_DATA, L"Adobe", true,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ policy))
return false;
- if (!AddDirectoryAndChildren(base::DIR_APP_DATA, L"Macromedia",
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- policy))
+ if (!AddDirectory(base::DIR_APP_DATA, L"Macromedia", true,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ policy))
return false;
- if (!AddDirectoryAndChildren(base::DIR_LOCAL_APP_DATA, NULL,
- sandbox::TargetPolicy::FILES_ALLOW_READONLY,
- policy))
+ if (!AddDirectory(base::DIR_LOCAL_APP_DATA, NULL, true,
+ sandbox::TargetPolicy::FILES_ALLOW_READONLY,
+ policy))
+ return false;
+
+ if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE",
+ sandbox::TargetPolicy::REG_ALLOW_ANY,
+ policy))
return false;
if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA",
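Review bot: The new FILES_ALLOW_ANY rule on `DIR_APP_DATA\Adobe` and the REG_ALLOW_ANY rule on `HKEY_CURRENT_USER\SOFTWARE\ADOBE` widen what an untrusted plugin may write, yet neither carries a comment saying which plugin needs the grant or why, so a later reader cannot tell whether it is still required or safe to drop; the rationale from the commit description belongs next to the rules, e.g. `// Acrobat stores its settings under AppData\Adobe and HKCU\Software\Adobe; without write access it fails to run under --safe-plugins.` The `/*not recursive*/` marker on the DIR_PROFILE call is the only one of the AddDirectory calls that annotates the new bool, and it sits after the comma rather than beside the argument; either annotate every call the same way (`false /* children */`) or drop it. ApplyPolicyForUntrustedPlugin starts before this hunk and continues after it.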
@@ -253,9 +275,17 @@ bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy) {
policy))
return false;
- if (!AddDirectoryAndChildren(base::DIR_LOCAL_APP_DATA_LOW, NULL,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- policy))
+ if (!AddDirectory(base::DIR_LOCAL_APP_DATA_LOW, NULL, true,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ policy))
+ return false;
+
+ // DIR_APP_DATA is AppData\Roaming, but Adobe needs to do a directory
+ // listing in AppData directly, so we add a non-recursive policy for
+ // AppData itself.
+ if (!AddDirectory(base::DIR_APP_DATA, L"..", false,
+ sandbox::TargetPolicy::FILES_ALLOW_READONLY,
+ policy))
return false;
}