diff options
author | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-05-27 21:48:41 +0000 |
---|---|---|
committer | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-05-27 21:48:41 +0000 |
commit | 25fe7fc560ac4350eb57f070194e2755279f7fb4 (patch) | |
tree | 933dfc1d585da191c98634f1dddb883d0bbf62d1 | |
parent | 7a7c9ed12b42a690ce294903de49d69ddd11b3c4 (diff) | |
download | chromium_src-25fe7fc560ac4350eb57f070194e2755279f7fb4.zip chromium_src-25fe7fc560ac4350eb57f070194e2755279f7fb4.tar.gz chromium_src-25fe7fc560ac4350eb57f070194e2755279f7fb4.tar.bz2 |
Get rid of content dependency from sandbox_policy.h
BUG=76697
Review URL: http://codereview.chromium.org/7074025
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87093 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/chrome_content_browser_client.cc | 113 | ||||
-rw-r--r-- | chrome/browser/chrome_content_browser_client.h | 5 | ||||
-rw-r--r-- | chrome/common/chrome_switches.cc | 15 | ||||
-rw-r--r-- | chrome/common/chrome_switches.h | 4 | ||||
-rw-r--r-- | chrome/common/sandbox_policy.cc | 313 | ||||
-rw-r--r-- | chrome/test/automation/proxy_launcher.cc | 3 | ||||
-rw-r--r-- | chrome/test/automation/proxy_launcher.h | 10 | ||||
-rw-r--r-- | chrome/test/ui/ui_test_suite.cc | 2 | ||||
-rw-r--r-- | content/browser/child_process_launcher.cc | 2 | ||||
-rw-r--r-- | content/browser/content_browser_client.cc | 7 | ||||
-rw-r--r-- | content/browser/content_browser_client.h | 10 | ||||
-rw-r--r-- | content/browser/plugin_process_host.cc | 1 | ||||
-rw-r--r-- | content/common/content_switches.cc | 14 | ||||
-rw-r--r-- | content/common/content_switches.h | 5 | ||||
-rw-r--r-- | sandbox/src/sandbox_policy_base.h | 3 |
15 files changed, 170 insertions, 337 deletions
diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc index 28ede90..9f9e316 100644 --- a/chrome/browser/chrome_content_browser_client.cc +++ b/chrome/browser/chrome_content_browser_client.cc @@ -5,6 +5,9 @@ #include "chrome/browser/chrome_content_browser_client.h" #include "base/command_line.h" +#include "base/path_service.h" +#include "base/string_number_conversions.h" +#include "base/win/windows_version.h" #include "chrome/app/breakpad_mac.h" #include "chrome/browser/browser_process.h" #include "chrome/browser/character_encoding.h" @@ -28,6 +31,7 @@ #include "chrome/browser/spellcheck_message_filter.h" #include "chrome/browser/ui/webui/chrome_web_ui_factory.h" #include "chrome/common/child_process_logging.h" +#include "chrome/common/chrome_paths.h" #include "chrome/common/chrome_switches.h" #include "chrome/common/extensions/extension_messages.h" #include "chrome/common/pref_names.h" @@ -51,6 +55,11 @@ #include "chrome/browser/crash_handler_host_linux.h" #endif // OS_LINUX +#if defined(OS_WIN) +#include "chrome/common/sandbox_policy.h" +#include "sandbox/src/sandbox.h" +#endif + namespace { void InitRenderViewHostForExtensions(RenderViewHost* render_view_host) { @@ -109,6 +118,62 @@ void InitRenderViewHostForExtensions(RenderViewHost* render_view_host) { } } +#if defined(OS_WIN) +// Launches the privileged flash broker, used when flash is sandboxed. +// The broker is the same flash dll, except that it uses a different +// entrypoint (BrokerMain) and it is hosted in windows' generic surrogate +// process rundll32. After launching the broker we need to pass to +// the flash plugin the process id of the broker via the command line +// using --flash-broker=pid. +// More info about rundll32 at http://support.microsoft.com/kb/164787. +bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) { + FilePath rundll; + if (!PathService::Get(base::DIR_SYSTEM, &rundll)) + return false; + rundll = rundll.AppendASCII("rundll32.exe"); + // Rundll32 cannot handle paths with spaces, so we use the short path. + wchar_t short_path[MAX_PATH]; + if (0 == ::GetShortPathNameW(plugin_path.value().c_str(), + short_path, arraysize(short_path))) + return false; + // Here is the kicker, if the user has disabled 8.3 (short path) support + // on the volume GetShortPathNameW does not fail but simply returns the + // input path. In this case if the path had any spaces then rundll32 will + // incorrectly interpret its parameters. So we quote the path, even though + // the kb/164787 says you should not. + std::wstring cmd_final = + base::StringPrintf(L"%ls \"%ls\",BrokerMain browser=chrome", + rundll.value().c_str(), + short_path); + base::ProcessHandle process; + if (!base::LaunchApp(cmd_final, false, true, &process)) + return false; + + cmd_line->AppendSwitchASCII("flash-broker", + base::Int64ToString(::GetProcessId(process))); + + // The flash broker, unders some circumstances can linger beyond the lifetime + // of the flash player, so we put it in a job object, when the browser + // terminates the job object is destroyed (by the OS) and the flash broker + // is terminated. + HANDLE job = ::CreateJobObjectW(NULL, NULL); + JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_limits = {0}; + job_limits.BasicLimitInformation.LimitFlags = + JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE; + if (::SetInformationJobObject(job, JobObjectExtendedLimitInformation, + &job_limits, sizeof(job_limits))) { + ::AssignProcessToJobObject(job, process); + // Yes, we are leaking the object here. Read comment above. + } else { + ::CloseHandle(job); + return false; + } + + ::CloseHandle(process); + return true; +} +#endif // OS_WIN + } namespace chrome { @@ -323,4 +388,52 @@ int ChromeContentBrowserClient::GetCrashSignalFD( } #endif +#if defined(OS_WIN) +bool ChromeContentBrowserClient::SandboxPlugin(CommandLine* command_line, + sandbox::TargetPolicy* policy) { + std::wstring plugin_dll = command_line-> + GetSwitchValueNative(switches::kPluginPath); + + FilePath builtin_flash; + if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) + return false; + + FilePath plugin_path(plugin_dll); + if (plugin_path != builtin_flash) + return false; + + if (base::win::GetVersion() <= base::win::VERSION_XP || + CommandLine::ForCurrentProcess()->HasSwitch( + switches::kDisableFlashSandbox)) { + return false; + } + + // Add the policy for the pipes. + sandbox::ResultCode result = sandbox::SBOX_ALL_OK; + result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, + sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, + L"\\\\.\\pipe\\chrome.*"); + if (result != sandbox::SBOX_ALL_OK) { + NOTREACHED(); + return false; + } + + // Spawn the flash broker and apply sandbox policy. + if (LoadFlashBroker(plugin_path, command_line)) { + policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); + policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, + sandbox::USER_INTERACTIVE); + policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); + } else { + // Could not start the broker, use a very weak policy instead. + DLOG(WARNING) << "Failed to start flash broker"; + policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); + policy->SetTokenLevel( + sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); + } + + return true; +} +#endif + } // namespace chrome diff --git a/chrome/browser/chrome_content_browser_client.h b/chrome/browser/chrome_content_browser_client.h index c1fbbfc..6b253d4 100644 --- a/chrome/browser/chrome_content_browser_client.h +++ b/chrome/browser/chrome_content_browser_client.h @@ -44,6 +44,11 @@ class ChromeContentBrowserClient : public content::ContentBrowserClient { // Can return an optional fd for crash handling, otherwise returns -1. virtual int GetCrashSignalFD(const std::string& process_type); #endif + +#if defined(OS_WIN) + virtual bool SandboxPlugin(CommandLine* command_line, + sandbox::TargetPolicy* policy); +#endif }; } // namespace chrome diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc index 5864d8b..dbe024a 100644 --- a/chrome/common/chrome_switches.cc +++ b/chrome/common/chrome_switches.cc @@ -108,10 +108,6 @@ const char kBrowserCrashTest[] = "crash-test"; // testing purposes. const char kCheckForUpdateIntervalSec[] = "check-for-update-interval"; -// Run Chrome in Chrome Frame mode. This means that Chrome expects to be run -// as a dependent process of the Chrome Frame plugin. -const char kChromeFrame[] = "chrome-frame"; - // Tells chrome to load the specified version of chrome.dll on Windows. If // this version cannot be loaded, Chrome will exit. const char kChromeVersion[] = "chrome-version"; @@ -178,9 +174,6 @@ const char kDisableAcceleratedLayers[] = "disable-accelerated-layers"; // Disables GPU accelerated video display. const char kDisableAcceleratedVideo[] = "disable-accelerated-video"; -// Disables the alternate window station for the renderer. -const char kDisableAltWinstation[] = "disable-winsta"; - // Replaces the audio IPC layer for <audio> and <video> with a mock audio // device, useful when using remote desktop or machines without sound cards. // This is temporary until we fix the underlying problem. @@ -714,10 +707,6 @@ const char kNaClDebugIP[] = "nacl-debug-ip"; // Sets the default port range for debugging. const char kNaClDebugPorts[] = "nacl-debug-ports"; -// Causes the process to run as a NativeClient broker -// (used for launching NaCl loader processes on 64-bit Windows). -const char kNaClBrokerProcess[] = "nacl-broker"; - // On POSIX only: the contents of this flag are prepended to the nacl-loader // command line. Useful values might be "valgrind" or "xterm -e gdb --args". const char kNaClLoaderCmdPrefix[] = "nacl-loader-cmd-prefix"; @@ -974,10 +963,6 @@ const char kTestType[] = "test-type"; // testing-related messages on IPC channel with the given ID. const char kTestingChannelID[] = "testing-channel"; -// Excludes these plugins from the plugin sandbox. -// This is a comma-separated list of plugin library names. -const char kTrustedPlugins[] = "trusted-plugins"; - // Experimental. Shows a dialog asking the user to try chrome. This flag // is to be used only by the upgrade process. const char kTryChromeAgain[] = "try-chrome-again"; diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h index 634f8b6..25ca5a2 100644 --- a/chrome/common/chrome_switches.h +++ b/chrome/common/chrome_switches.h @@ -47,7 +47,6 @@ extern const char kBlockReadingThirdPartyCookies[]; extern const char kBrowserAssertTest[]; extern const char kBrowserCrashTest[]; extern const char kCheckForUpdateIntervalSec[]; -extern const char kChromeFrame[]; extern const char kChromeVersion[]; extern const char kCloudPrintDeleteFile[]; extern const char kCloudPrintFile[]; @@ -65,7 +64,6 @@ extern const char kDiagnostics[]; extern const char kDisableAccelerated2dCanvas[]; extern const char kDisableAcceleratedLayers[]; extern const char kDisableAcceleratedVideo[]; -extern const char kDisableAltWinstation[]; extern const char kDisableAuthNegotiateCnameLookup[]; extern const char kDisableBackgroundMode[]; extern const char kDisableBackgroundNetworking[]; @@ -202,7 +200,6 @@ extern const char kMinClearSiteDataFlashVersion[]; extern const char kMultiProfiles[]; extern const char kNaClDebugIP[]; extern const char kNaClDebugPorts[]; -extern const char kNaClBrokerProcess[]; extern const char kNaClLoaderCmdPrefix[]; extern const char kNaClStartupDialog[]; extern const char kNetLogLevel[]; @@ -267,7 +264,6 @@ extern const char kTestNaClSandbox[]; extern const char kTestName[]; extern const char kTestType[]; extern const char kTestingChannelID[]; -extern const char kTrustedPlugins[]; extern const char kTryChromeAgain[]; extern const char kUninstall[]; extern const char kUsePureViews[]; diff --git a/chrome/common/sandbox_policy.cc b/chrome/common/sandbox_policy.cc index 97142aa..55841cc 100644 --- a/chrome/common/sandbox_policy.cc +++ b/chrome/common/sandbox_policy.cc @@ -14,12 +14,10 @@ #include "base/path_service.h" #include "base/process_util.h" #include "base/stringprintf.h" -#include "base/string_number_conversions.h" #include "base/string_util.h" #include "base/win/windows_version.h" -#include "chrome/common/chrome_constants.h" -#include "chrome/common/chrome_paths.h" -#include "chrome/common/chrome_switches.h" +#include "content/browser/content_browser_client.h" +#include "content/common/content_switches.h" #include "content/common/child_process_info.h" #include "content/common/debug_flags.h" #include "sandbox/src/sandbox.h" @@ -88,36 +86,6 @@ const wchar_t* const kTroublesomeDlls[] = { L"winstylerthemehelper.dll" // Tuneup utilities 2006. }; -enum PluginPolicyCategory { - PLUGIN_GROUP_TRUSTED, - PLUGIN_GROUP_UNTRUSTED, -}; - -// Returns the policy category for the plugin dll. -PluginPolicyCategory GetPolicyCategoryForPlugin( - const std::wstring& dll, - const std::wstring& list) { - std::wstring filename = FilePath(dll).BaseName().value(); - std::wstring plugin_dll = StringToLowerASCII(filename); - std::wstring trusted_plugins = StringToLowerASCII(list); - - size_t pos = 0; - size_t end_item = 0; - while (end_item != std::wstring::npos) { - end_item = list.find(L",", pos); - - size_t size_item = (end_item == std::wstring::npos) ? end_item : - end_item - pos; - std::wstring item = list.substr(pos, size_item); - if (!item.empty() && item == plugin_dll) - return PLUGIN_GROUP_TRUSTED; - - pos = end_item + 1; - } - - return PLUGIN_GROUP_UNTRUSTED; -} - // Adds the policy rules for the path and path\ with the semantic |access|. // If |children| is set to true, we need to add the wildcard rules to also // apply the rule to the subfiles and subfolders. @@ -246,7 +214,7 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) { // Add the policy for debug message only in debug #ifndef NDEBUG FilePath app_dir; - if (!PathService::Get(chrome::DIR_APP, &app_dir)) + if (!PathService::Get(base::DIR_MODULE, &app_dir)) return false; wchar_t long_path_buf[MAX_PATH]; @@ -268,247 +236,6 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) { return true; } -// Creates a sandbox without any restriction. -bool ApplyPolicyForTrustedPlugin(sandbox::TargetPolicy* policy) { - policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); - policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); - return true; -} - -// Creates a sandbox with the plugin running in a restricted environment. -// Only the "Users" and "Everyone" groups are enabled in the token. The User SID -// is disabled. -bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy) { - policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); - - sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; - if (base::win::GetVersion() > base::win::VERSION_XP) { - // On 2003/Vista the initial token has to be restricted if the main token - // is restricted. - initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; - } - policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); - policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); - - if (!AddDirectory(base::DIR_TEMP, NULL, true, - sandbox::TargetPolicy::FILES_ALLOW_ANY, policy)) - return false; - - if (!AddDirectory(base::DIR_IE_INTERNET_CACHE, NULL, true, - sandbox::TargetPolicy::FILES_ALLOW_ANY, policy)) - return false; - - if (!AddDirectory(base::DIR_APP_DATA, NULL, true, - sandbox::TargetPolicy::FILES_ALLOW_READONLY, - policy)) - return false; - - if (!AddDirectory(base::DIR_PROFILE, NULL, false, /*not recursive*/ - sandbox::TargetPolicy::FILES_ALLOW_READONLY, - policy)) - return false; - - if (!AddDirectory(base::DIR_APP_DATA, L"Adobe", true, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - policy)) - return false; - - if (!AddDirectory(base::DIR_APP_DATA, L"Macromedia", true, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - policy)) - return false; - - if (!AddDirectory(base::DIR_LOCAL_APP_DATA, NULL, true, - sandbox::TargetPolicy::FILES_ALLOW_READONLY, - policy)) - return false; - - if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE", - sandbox::TargetPolicy::REG_ALLOW_ANY, - policy)) - return false; - - if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA", - sandbox::TargetPolicy::REG_ALLOW_ANY, - policy)) - return false; - - if (base::win::GetVersion() >= base::win::VERSION_VISTA) { - if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\AppDataLow", - sandbox::TargetPolicy::REG_ALLOW_ANY, - policy)) - return false; - - if (!AddDirectory(base::DIR_LOCAL_APP_DATA_LOW, NULL, true, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - policy)) - return false; - - // DIR_APP_DATA is AppData\Roaming, but Adobe needs to do a directory - // listing in AppData directly, so we add a non-recursive policy for - // AppData itself. - if (!AddDirectory(base::DIR_APP_DATA, L"..", false, - sandbox::TargetPolicy::FILES_ALLOW_READONLY, - policy)) - return false; - } - - return true; -} - -// Launches the privileged flash broker, used when flash is sandboxed. -// The broker is the same flash dll, except that it uses a different -// entrypoint (BrokerMain) and it is hosted in windows' generic surrogate -// process rundll32. After launching the broker we need to pass to -// the flash plugin the process id of the broker via the command line -// using --flash-broker=pid. -// More info about rundll32 at http://support.microsoft.com/kb/164787. -bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) { - FilePath rundll; - if (!PathService::Get(base::DIR_SYSTEM, &rundll)) - return false; - rundll = rundll.AppendASCII("rundll32.exe"); - // Rundll32 cannot handle paths with spaces, so we use the short path. - wchar_t short_path[MAX_PATH]; - if (0 == ::GetShortPathNameW(plugin_path.value().c_str(), - short_path, arraysize(short_path))) - return false; - // Here is the kicker, if the user has disabled 8.3 (short path) support - // on the volume GetShortPathNameW does not fail but simply returns the - // input path. In this case if the path had any spaces then rundll32 will - // incorrectly interpret its parameters. So we quote the path, even though - // the kb/164787 says you should not. - std::wstring cmd_final = - base::StringPrintf(L"%ls \"%ls\",BrokerMain browser=chrome", - rundll.value().c_str(), - short_path); - base::ProcessHandle process; - if (!base::LaunchApp(cmd_final, false, true, &process)) - return false; - - cmd_line->AppendSwitchASCII("flash-broker", - base::Int64ToString(::GetProcessId(process))); - - // The flash broker, unders some circumstances can linger beyond the lifetime - // of the flash player, so we put it in a job object, when the browser - // terminates the job object is destroyed (by the OS) and the flash broker - // is terminated. - HANDLE job = ::CreateJobObjectW(NULL, NULL); - JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_limits = {0}; - job_limits.BasicLimitInformation.LimitFlags = - JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE; - if (::SetInformationJobObject(job, JobObjectExtendedLimitInformation, - &job_limits, sizeof(job_limits))) { - ::AssignProcessToJobObject(job, process); - // Yes, we are leaking the object here. Read comment above. - } else { - ::CloseHandle(job); - return false; - } - - ::CloseHandle(process); - return true; -} - -// Creates a sandbox for the built-in flash plugin running in a restricted -// environment. This policy is in continual flux as flash changes -// capabilities. For more information see bug 50796. -bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { - policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); - // Vista and Win7 get a weaker token but have low integrity. - if (base::win::GetVersion() > base::win::VERSION_XP) { - policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, - sandbox::USER_INTERACTIVE); - policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); - } else { - policy->SetTokenLevel(sandbox::USER_UNPROTECTED, - sandbox::USER_LIMITED); - - if (!AddKeyAndSubkeys(L"HKEY_LOCAL_MACHINE\\SOFTWARE", - sandbox::TargetPolicy::REG_ALLOW_READONLY, - policy)) - return false; - if (!AddKeyAndSubkeys(L"HKEY_LOCAL_MACHINE\\SYSTEM", - sandbox::TargetPolicy::REG_ALLOW_READONLY, - policy)) - return false; - - if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE", - sandbox::TargetPolicy::REG_ALLOW_READONLY, - policy)) - return false; - } - - AddDllEvictionPolicy(policy); - return true; -} - -// Returns true of the plugin specified in |cmd_line| is the built-in -// flash plugin and optionally returns its full path in |flash_path| -bool IsBuiltInFlash(const CommandLine* cmd_line, FilePath* flash_path) { - std::wstring plugin_dll = cmd_line-> - GetSwitchValueNative(switches::kPluginPath); - - FilePath builtin_flash; - if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) - return false; - - FilePath plugin_path(plugin_dll); - if (plugin_path != builtin_flash) - return false; - - if (flash_path) - *flash_path = plugin_path; - return true; -} - - -// Adds the custom policy rules for a given plugin. |trusted_plugins| contains -// the comma separate list of plugin dll names that should not be sandboxed. -bool AddPolicyForPlugin(CommandLine* cmd_line, - sandbox::TargetPolicy* policy) { - std::wstring plugin_dll = cmd_line-> - GetSwitchValueNative(switches::kPluginPath); - std::wstring trusted_plugins = CommandLine::ForCurrentProcess()-> - GetSwitchValueNative(switches::kTrustedPlugins); - // Add the policy for the pipes. - sandbox::ResultCode result = sandbox::SBOX_ALL_OK; - result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, - sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, - L"\\\\.\\pipe\\chrome.*"); - if (result != sandbox::SBOX_ALL_OK) { - NOTREACHED(); - return false; - } - - // The built-in flash gets a custom, more restricted sandbox. - FilePath flash_path; - if (IsBuiltInFlash(cmd_line, &flash_path)) { - // Spawn the flash broker and apply sandbox policy. - if (!LoadFlashBroker(flash_path, cmd_line)) { - // Could not start the broker, use a very weak policy instead. - DLOG(WARNING) << "Failed to start flash broker"; - return ApplyPolicyForTrustedPlugin(policy); - } - return ApplyPolicyForBuiltInFlashPlugin(policy); - } - - PluginPolicyCategory policy_category = - GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins); - - switch (policy_category) { - case PLUGIN_GROUP_TRUSTED: - return ApplyPolicyForTrustedPlugin(policy); - case PLUGIN_GROUP_UNTRUSTED: - return ApplyPolicyForUntrustedPlugin(policy); - default: - NOTREACHED(); - break; - } - - return false; -} - // For the GPU process we gotten as far as USER_LIMITED. The next level // which is USER_RESTRICTED breaks both the DirectX backend and the OpenGL // backend. Note that the GPU process is connected to the interactive @@ -621,18 +348,7 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line, (type != ChildProcessInfo::NACL_BROKER_PROCESS) && (type != ChildProcessInfo::PLUGIN_PROCESS); - // Second case: If it is the plugin process then it depends on it being - // the built-in flash, the user forcing plugins into sandbox or the - // the user explicitly excluding flash from the sandbox. - if (!in_sandbox && (type == ChildProcessInfo::PLUGIN_PROCESS)) { - in_sandbox = browser_command_line.HasSwitch(switches::kSafePlugins) || - (IsBuiltInFlash(cmd_line, NULL) && - (base::win::GetVersion() > base::win::VERSION_XP) && - !browser_command_line.HasSwitch(switches::kDisableFlashSandbox)); - } - - // Third case: If it is the GPU process then it can be disabled by a - // command line flag. + // If it is the GPU process then it can be disabled by a command line flag. if ((type == ChildProcessInfo::GPU_PROCESS) && (browser_command_line.HasSwitch(switches::kDisableGpuSandbox))) { in_sandbox = false; @@ -672,19 +388,24 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line, // to create separate pretetch settings for browser, renderer etc. cmd_line->AppendArg(base::StringPrintf("/prefetch:%d", type)); + sandbox::ResultCode result; + PROCESS_INFORMATION target = {0}; + sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy(); + + if (type == ChildProcessInfo::PLUGIN_PROCESS && + !browser_command_line.HasSwitch(switches::kNoSandbox) && + content::GetContentClient()->browser()->SandboxPlugin(cmd_line, policy)) { + in_sandbox = true; + AddDllEvictionPolicy(policy); + } + if (!in_sandbox) { + policy->Release(); base::LaunchApp(*cmd_line, false, false, &process); return process; } - sandbox::ResultCode result; - PROCESS_INFORMATION target = {0}; - sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy(); - - if (type == ChildProcessInfo::PLUGIN_PROCESS) { - if (!AddPolicyForPlugin(cmd_line, policy)) - return 0; - } else if (type == ChildProcessInfo::GPU_PROCESS) { + if (type == ChildProcessInfo::GPU_PROCESS) { if (!AddPolicyForGPU(cmd_line, policy)) return 0; } else if (type == ChildProcessInfo::PPAPI_PLUGIN_PROCESS) { diff --git a/chrome/test/automation/proxy_launcher.cc b/chrome/test/automation/proxy_launcher.cc index 6260b94..385d8f4 100644 --- a/chrome/test/automation/proxy_launcher.cc +++ b/chrome/test/automation/proxy_launcher.cc @@ -102,7 +102,6 @@ const char ProxyLauncher::kDefaultInterfacePath[] = bool ProxyLauncher::in_process_renderer_ = false; bool ProxyLauncher::no_sandbox_ = false; bool ProxyLauncher::full_memory_dump_ = false; -bool ProxyLauncher::safe_plugins_ = false; bool ProxyLauncher::show_error_dialogs_ = true; bool ProxyLauncher::dump_histograms_on_exit_ = false; bool ProxyLauncher::enable_dcheck_ = false; @@ -426,8 +425,6 @@ void ProxyLauncher::PrepareTestCommandline(CommandLine* command_line, command_line->AppendSwitch(switches::kNoSandbox); if (full_memory_dump_) command_line->AppendSwitch(switches::kFullMemoryCrashReport); - if (safe_plugins_) - command_line->AppendSwitch(switches::kSafePlugins); if (enable_dcheck_) command_line->AppendSwitch(switches::kEnableDCHECK); if (silent_dump_on_dcheck_) diff --git a/chrome/test/automation/proxy_launcher.h b/chrome/test/automation/proxy_launcher.h index 89b0d94..edd3ad4 100644 --- a/chrome/test/automation/proxy_launcher.h +++ b/chrome/test/automation/proxy_launcher.h @@ -176,13 +176,6 @@ class ProxyLauncher { disable_breakpad_ = value; } - // Get/Set a flag to run the plugin processes inside the sandbox when running - // the tests - static bool safe_plugins() { return safe_plugins_; } - static void set_safe_plugins(bool value) { - safe_plugins_ = value; - } - static bool show_error_dialogs() { return show_error_dialogs_; } static void set_show_error_dialogs(bool value) { show_error_dialogs_ = value; @@ -263,9 +256,6 @@ class ProxyLauncher { // If true, runs the renderer outside the sandbox. static bool no_sandbox_; - // If true, runs plugin processes inside the sandbox. - static bool safe_plugins_; - // If true, write full memory dump during crash. static bool full_memory_dump_; diff --git a/chrome/test/ui/ui_test_suite.cc b/chrome/test/ui/ui_test_suite.cc index 0f804f6..36968c5 100644 --- a/chrome/test/ui/ui_test_suite.cc +++ b/chrome/test/ui/ui_test_suite.cc @@ -37,8 +37,6 @@ void UITestSuite::Initialize() { parsed_command_line.HasSwitch(switches::kNoSandbox)); ProxyLauncher::set_full_memory_dump( parsed_command_line.HasSwitch(switches::kFullMemoryCrashReport)); - ProxyLauncher::set_safe_plugins( - parsed_command_line.HasSwitch(switches::kSafePlugins)); ProxyLauncher::set_dump_histograms_on_exit( parsed_command_line.HasSwitch(switches::kDumpHistogramsOnExit)); ProxyLauncher::set_enable_dcheck( diff --git a/content/browser/child_process_launcher.cc b/content/browser/child_process_launcher.cc index a812b26..6a53d75 100644 --- a/content/browser/child_process_launcher.cc +++ b/content/browser/child_process_launcher.cc @@ -11,10 +11,10 @@ #include "base/memory/scoped_ptr.h" #include "base/synchronization/lock.h" #include "base/threading/thread.h" -#include "chrome/common/chrome_switches.h" #include "content/browser/browser_thread.h" #include "content/browser/content_browser_client.h" #include "content/common/chrome_descriptors.h" +#include "content/common/content_switches.h" #include "content/common/process_watcher.h" #include "content/common/result_codes.h" diff --git a/content/browser/content_browser_client.cc b/content/browser/content_browser_client.cc index 79759d3..9528f6d 100644 --- a/content/browser/content_browser_client.cc +++ b/content/browser/content_browser_client.cc @@ -86,4 +86,11 @@ int ContentBrowserClient::GetCrashSignalFD(const std::string& process_type) { } #endif +#if defined(OS_WIN) +bool ContentBrowserClient::SandboxPlugin(CommandLine* command_line, + sandbox::TargetPolicy* policy) { + return false; +} +#endif + } // namespace content diff --git a/content/browser/content_browser_client.h b/content/browser/content_browser_client.h index 5cb2be8..1c46499 100644 --- a/content/browser/content_browser_client.h +++ b/content/browser/content_browser_client.h @@ -24,6 +24,10 @@ class CookieList; class CookieOptions; } +namespace sandbox { +class TargetPolicy; +} + namespace content { class ResourceContext; @@ -105,6 +109,12 @@ class ContentBrowserClient { // Can return an optional fd for crash handling, otherwise returns -1. virtual int GetCrashSignalFD(const std::string& process_type); #endif + +#if defined(OS_WIN) + // Allows the embedder to sandbox a plugin, and apply a custom policy. + virtual bool SandboxPlugin(CommandLine* command_line, + sandbox::TargetPolicy* policy); +#endif }; } // namespace content diff --git a/content/browser/plugin_process_host.cc b/content/browser/plugin_process_host.cc index 9d2e7d4..b755305 100644 --- a/content/browser/plugin_process_host.cc +++ b/content/browser/plugin_process_host.cc @@ -170,7 +170,6 @@ bool PluginProcessHost::Init(const webkit::npapi::WebPluginInfo& info, switches::kMemoryProfiling, switches::kNoSandbox, switches::kPluginStartupDialog, - switches::kSafePlugins, switches::kSilentDumpOnDCHECK, switches::kTestSandbox, switches::kUseGL, diff --git a/content/common/content_switches.cc b/content/common/content_switches.cc index ccbc378..444b0ce 100644 --- a/content/common/content_switches.cc +++ b/content/common/content_switches.cc @@ -20,6 +20,10 @@ const char kAllowSandboxDebugging[] = "allow-sandbox-debugging"; // Path to the exe to run for the renderer and plugin subprocesses. const char kBrowserSubprocessPath[] = "browser-subprocess-path"; +// Run Chrome in Chrome Frame mode. This means that Chrome expects to be run +// as a dependent process of the Chrome Frame plugin. +const char kChromeFrame[] = "chrome-frame"; + // Disables client-visible 3D APIs, in particular WebGL and Pepper 3D. // This is controlled by policy and is kept separate from the other // enable/disable switches to avoid accidentally regressing the policy @@ -29,6 +33,9 @@ const char kDisable3DAPIs[] = "disable-3d-apis"; // Disables accelerated compositing. const char kDisableAcceleratedCompositing[] = "disable-accelerated-compositing"; +// Disables the alternate window station for the renderer. +const char kDisableAltWinstation[] = "disable-winsta"; + // Disable the ApplicationCache. const char kDisableApplicationCache[] = "disable-application-cache"; // @@ -228,6 +235,10 @@ const char kLoggingLevel[] = "log-level"; // Make plugin processes log their sent and received messages to VLOG(1). const char kLogPluginMessages[] = "log-plugin-messages"; +// Causes the process to run as a NativeClient broker +// (used for launching NaCl loader processes on 64-bit Windows). +const char kNaClBrokerProcess[] = "nacl-broker"; + // Causes the process to run as a NativeClient loader. const char kNaClLoaderProcess[] = "nacl-loader"; @@ -336,9 +347,6 @@ const char kRendererProcess[] = "renderer"; // Causes the renderer process to display a dialog on launch. const char kRendererStartupDialog[] = "renderer-startup-dialog"; -// Runs the plugin processes inside the sandbox. -const char kSafePlugins[] = "safe-plugins"; - // Causes the process to run as a service process. const char kServiceProcess[] = "service"; diff --git a/content/common/content_switches.h b/content/common/content_switches.h index 111a010..1677a1e 100644 --- a/content/common/content_switches.h +++ b/content/common/content_switches.h @@ -14,8 +14,11 @@ extern const char kAllowFileAccessFromFiles[]; extern const char kAllowRunningInsecureContent[]; extern const char kAllowSandboxDebugging[]; extern const char kBrowserSubprocessPath[]; +// TODO(jam): this doesn't belong in content. +extern const char kChromeFrame[]; extern const char kDisable3DAPIs[]; extern const char kDisableAcceleratedCompositing[]; +extern const char kDisableAltWinstation[]; extern const char kDisableApplicationCache[]; extern const char kDisableAudio[]; extern const char kDisableBackingStoreLimit[]; @@ -75,6 +78,7 @@ extern const char kLoadPlugin[]; extern const char kLoggingLevel[]; extern const char kLogPluginMessages[]; // TODO(jam): this doesn't belong in content. +extern const char kNaClBrokerProcess[]; extern const char kNaClLoaderProcess[]; extern const char kNoDisplayingInsecureContent[]; extern const char kNoJsRandomness[]; @@ -105,7 +109,6 @@ extern const char kRendererCmdPrefix[]; extern const char kRendererCrashTest[]; extern const char kRendererProcess[]; extern const char kRendererStartupDialog[]; -extern const char kSafePlugins[]; // TODO(jam): this doesn't belong in content. extern const char kServiceProcess[]; extern const char kShowPaintRects[]; diff --git a/sandbox/src/sandbox_policy_base.h b/sandbox/src/sandbox_policy_base.h index b6f2693..6294ed8 100644 --- a/sandbox/src/sandbox_policy_base.h +++ b/sandbox/src/sandbox_policy_base.h @@ -31,7 +31,6 @@ struct PolicyGlobal; class PolicyBase : public Dispatcher, public TargetPolicy { public: PolicyBase(); - ~PolicyBase(); virtual void AddRef() { ::InterlockedIncrement(&ref_count); @@ -124,6 +123,8 @@ class PolicyBase : public Dispatcher, public TargetPolicy { virtual EvalResult EvalPolicy(int service, CountedParameterSetBase* params); private: + ~PolicyBase(); + // Test IPC providers. bool Ping(IPCInfo* ipc, void* cookie); |