authorcpu@google.com <cpu@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-09-22 17:11:04 +0000
committercpu@google.com <cpu@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-09-22 17:11:04 +0000
commit0f8a6b4de386b469859f6cd12c0ba091453c9a4d (patch)
tree3d1b0af7d6cbd80872d1178b6f2d62a20a24e9f6
parent9bbb0b88f274f767358644dd97b1ee0c9604010b (diff)
Use the new dll injection blocking api of the sandbox to block
the loading of dlls that cause renderer crashes. - Remove the old FreeLibrary() method Review URL: http://codereview.chromium.org/2458 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2441 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/app/chrome_dll_main.cc29
-rw-r--r--chrome/browser/render_process_host.cc5
-rw-r--r--chrome/browser/sandbox_policy.cc24
-rw-r--r--chrome/browser/sandbox_policy.h9
4 files changed, 35 insertions, 32 deletions
diff --git a/chrome/app/chrome_dll_main.cc b/chrome/app/chrome_dll_main.cc
index 01d68c0..0f0b29f 100644
--- a/chrome/app/chrome_dll_main.cc
+++ b/chrome/app/chrome_dll_main.cc
@@ -86,27 +86,6 @@ void ChromeAssert(const std::string& str) {
#pragma optimize("", on)
-
-// Try to unload DLLs that malfunction with the sandboxed processes.
-static void EvictTroublesomeDlls() {
- const wchar_t* troublesome_dlls[] = {
- L"smumhook.dll", // spyware doctor version 5 and above.
- NULL // Must be null. Here you can add with the debugger.
- };
-
- for(int ix = 0; ix != arraysize(troublesome_dlls); ++ix) {
- if (!troublesome_dlls[ix])
- break;
- HMODULE module = ::GetModuleHandleW(troublesome_dlls[ix]);
- if (module) {
- LOG(WARNING) << "dll to evict found: " << ix;
- if (::FreeLibrary(module)) {
- DCHECK(NULL == ::GetModuleHandleW(troublesome_dlls[ix]));
- }
- }
- }
-}
-
} // namespace
DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
@@ -184,8 +163,6 @@ DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
std::wstring process_type =
parsed_command_line.GetSwitchValue(switches::kProcessType);
- bool do_dll_eviction = false;
-
// Checks if the sandbox is enabled in this process and initializes it if this
// is the case. The crash handler depends on this so it has to be done before
// its initialization.
@@ -194,7 +171,6 @@ DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
(process_type == switches::kPluginProcess &&
parsed_command_line.HasSwitch(switches::kSafePlugins))) {
target_services->Init();
- do_dll_eviction = true;
}
}
@@ -235,11 +211,6 @@ DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
ResourceBundle::InitSharedInstance(std::wstring());
}
- // Eviction of injected DLLs is done early enough that it is likely
- // to only cover DLLs injected by means of appInit_dlls registry key.
- if (do_dll_eviction)
- EvictTroublesomeDlls();
-
startup_timer.Stop(); // End of Startup Time Measurement.
int rv;
diff --git a/chrome/browser/render_process_host.cc b/chrome/browser/render_process_host.cc
index dfa5755..34eba76 100644
--- a/chrome/browser/render_process_host.cc
+++ b/chrome/browser/render_process_host.cc
@@ -371,6 +371,11 @@ bool RenderProcessHost::Init() {
return false;
}
+ if (!AddDllEvictionPolicy(policy)) {
+ NOTREACHED();
+ return false;
+ }
+
result = broker_service->SpawnTarget(renderer_path.c_str(),
cmd_line.c_str(),
policy, &target);
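Review bot: A failed AddDllEvictionPolicy now aborts renderer creation with only `NOTREACHED()` as a diagnostic; if NOTREACHED() is compiled out or silent in release builds, this fail-closed path leaves no record of which sandbox rule could not be installed. A `LOG(ERROR) << "Failed to add dll eviction policy";` before the `return false;` would keep the failure visible where a renderer otherwise just fails to start. The enclosing RenderProcessHost::Init begins outside the hunk, and the new block appears to mirror the check that precedes it, whose start is also outside the hunk.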
diff --git a/chrome/browser/sandbox_policy.cc b/chrome/browser/sandbox_policy.cc
index 1782823..0969bd3 100644
--- a/chrome/browser/sandbox_policy.cc
+++ b/chrome/browser/sandbox_policy.cc
@@ -92,6 +92,30 @@ bool AddKeyAndSubkeys(std::wstring key,
return true;
}
+// Eviction of injected DLLs is done by the sandbox. An interception on a
+// system call is added such that the blacklisted dll, don't fully load so
+// the injected module does not get a chance to execute any code.
+bool AddDllEvictionPolicy(sandbox::TargetPolicy* policy) {
+ // List of dlls to unmap.
+ const wchar_t* troublesome_dlls[] = {
+ L"smumhook.dll", // Spyware Doctor version 5 and above.
+ L"GoogleDesktopNetwork3.DLL", // Google Desktop Search v5.
+ L"npggNT.des", // GameGuard version 2008. It is a packed dll.
+ };
+
+ for(int ix = 0; ix != arraysize(troublesome_dlls); ++ix) {
+ // To minimize the list we only add an unload policy if the dll is also
+ // loaded in this process. All the injected dlls of interest do this.
+ if (::GetModuleHandleW(troublesome_dlls[ix])) {
+ LOG(WARNING) << "dll to unload found: " << troublesome_dlls[ix];
+ if (sandbox::SBOX_ALL_OK != policy->AddDllToUnload(troublesome_dlls[ix]))
+ return false;
+ }
+ }
+
+ return true;
+}
+
bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
sandbox::ResultCode result;
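Review bot: The `::GetModuleHandleW` gate in AddDllEvictionPolicy only adds an unload rule for a listed dll that is already mapped into the browser process, so a dll that is injected into renderer processes only, or loaded under a different module name, gets no rule; the comment `// All the injected dlls of interest do this.` states that as fact, and would be more honest as `// Heuristic: a dll injected only into child processes gets no rule here.` The loop index `int ix` is compared against `arraysize()` with `!=`, mixing signed and unsigned; `for (size_t ix = 0; ix < arraysize(troublesome_dlls); ++ix)` avoids the warning and the infinite-loop shape. The function's header comment has a stray comma and number disagreement; suggest `// system call is added so that the blacklisted dlls don't fully load, so`.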
diff --git a/chrome/browser/sandbox_policy.h b/chrome/browser/sandbox_policy.h
index 1a1a794..b32e5d8 100644
--- a/chrome/browser/sandbox_policy.h
+++ b/chrome/browser/sandbox_policy.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef CHROME_BROWSER_SANDBOX_POLICY_H__
-#define CHROME_BROWSER_SANDBOX_POLICY_H__
+#ifndef CHROME_BROWSER_SANDBOX_POLICY_H_
+#define CHROME_BROWSER_SANDBOX_POLICY_H_
#include <string>
#include "sandbox/src/sandbox.h"
@@ -12,6 +12,9 @@
// Adds the generic policy rules to a sandbox TargetPolicy.
bool AddGenericPolicy(sandbox::TargetPolicy* policy);
+// Adds policy rules for unloaded the known dlls that cause chrome to crash.
+bool AddDllEvictionPolicy(sandbox::TargetPolicy* policy);
+
// Adds the custom policy rules for a given plugin. If dll is activex-shim,
// then clsid is the clsid of ActiveX control. Otherwise clsid is ignored.
// |trusted_plugins| contains the comma separate list of plugins that should
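Review bot: The new declaration's comment reads `// Adds policy rules for unloaded the known dlls that cause chrome to crash.`, which should be `// Adds policy rules for unloading the known dlls that cause chrome to crash.` It would also help callers to state the return contract the implementation has, e.g. a second line `// Returns false if a rule could not be added to |policy|.`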
@@ -41,5 +44,5 @@ bool ApplyPolicyForTrustedPlugin(sandbox::TargetPolicy* policy);
// is disabled.
bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy);
-#endif // CHROME_BROWSER_SANDBOX_POLICY_H__
+#endif // CHROME_BROWSER_SANDBOX_POLICY_H_