authorjam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-05-27 21:48:41 +0000
committerjam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-05-27 21:48:41 +0000
commit25fe7fc560ac4350eb57f070194e2755279f7fb4 (patch)
tree933dfc1d585da191c98634f1dddb883d0bbf62d1
parent7a7c9ed12b42a690ce294903de49d69ddd11b3c4 (diff)
Get rid of content dependency from sandbox_policy.h
BUG=76697 Review URL: http://codereview.chromium.org/7074025 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87093 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/browser/chrome_content_browser_client.cc113
-rw-r--r--chrome/browser/chrome_content_browser_client.h5
-rw-r--r--chrome/common/chrome_switches.cc15
-rw-r--r--chrome/common/chrome_switches.h4
-rw-r--r--chrome/common/sandbox_policy.cc313
-rw-r--r--chrome/test/automation/proxy_launcher.cc3
-rw-r--r--chrome/test/automation/proxy_launcher.h10
-rw-r--r--chrome/test/ui/ui_test_suite.cc2
-rw-r--r--content/browser/child_process_launcher.cc2
-rw-r--r--content/browser/content_browser_client.cc7
-rw-r--r--content/browser/content_browser_client.h10
-rw-r--r--content/browser/plugin_process_host.cc1
-rw-r--r--content/common/content_switches.cc14
-rw-r--r--content/common/content_switches.h5
-rw-r--r--sandbox/src/sandbox_policy_base.h3
15 files changed, 170 insertions, 337 deletions
diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc
index 28ede90..9f9e316 100644
--- a/chrome/browser/chrome_content_browser_client.cc
+++ b/chrome/browser/chrome_content_browser_client.cc
@@ -5,6 +5,9 @@
#include "chrome/browser/chrome_content_browser_client.h"
#include "base/command_line.h"
+#include "base/path_service.h"
+#include "base/string_number_conversions.h"
+#include "base/win/windows_version.h"
#include "chrome/app/breakpad_mac.h"
#include "chrome/browser/browser_process.h"
#include "chrome/browser/character_encoding.h"
@@ -28,6 +31,7 @@
#include "chrome/browser/spellcheck_message_filter.h"
#include "chrome/browser/ui/webui/chrome_web_ui_factory.h"
#include "chrome/common/child_process_logging.h"
+#include "chrome/common/chrome_paths.h"
#include "chrome/common/chrome_switches.h"
#include "chrome/common/extensions/extension_messages.h"
#include "chrome/common/pref_names.h"
@@ -51,6 +55,11 @@
#include "chrome/browser/crash_handler_host_linux.h"
#endif // OS_LINUX
+#if defined(OS_WIN)
+#include "chrome/common/sandbox_policy.h"
+#include "sandbox/src/sandbox.h"
+#endif
+
namespace {
void InitRenderViewHostForExtensions(RenderViewHost* render_view_host) {
@@ -109,6 +118,62 @@ void InitRenderViewHostForExtensions(RenderViewHost* render_view_host) {
}
}
+#if defined(OS_WIN)
+// Launches the privileged flash broker, used when flash is sandboxed.
+// The broker is the same flash dll, except that it uses a different
+// entrypoint (BrokerMain) and it is hosted in windows' generic surrogate
+// process rundll32. After launching the broker we need to pass to
+// the flash plugin the process id of the broker via the command line
+// using --flash-broker=pid.
+// More info about rundll32 at http://support.microsoft.com/kb/164787.
+bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) {
+ FilePath rundll;
+ if (!PathService::Get(base::DIR_SYSTEM, &rundll))
+ return false;
+ rundll = rundll.AppendASCII("rundll32.exe");
+ // Rundll32 cannot handle paths with spaces, so we use the short path.
+ wchar_t short_path[MAX_PATH];
+ if (0 == ::GetShortPathNameW(plugin_path.value().c_str(),
+ short_path, arraysize(short_path)))
+ return false;
+ // Here is the kicker, if the user has disabled 8.3 (short path) support
+ // on the volume GetShortPathNameW does not fail but simply returns the
+ // input path. In this case if the path had any spaces then rundll32 will
+ // incorrectly interpret its parameters. So we quote the path, even though
+ // the kb/164787 says you should not.
+ std::wstring cmd_final =
+ base::StringPrintf(L"%ls \"%ls\",BrokerMain browser=chrome",
+ rundll.value().c_str(),
+ short_path);
+ base::ProcessHandle process;
+ if (!base::LaunchApp(cmd_final, false, true, &process))
+ return false;
+
+ cmd_line->AppendSwitchASCII("flash-broker",
+ base::Int64ToString(::GetProcessId(process)));
+
+ // The flash broker, unders some circumstances can linger beyond the lifetime
+ // of the flash player, so we put it in a job object, when the browser
+ // terminates the job object is destroyed (by the OS) and the flash broker
+ // is terminated.
+ HANDLE job = ::CreateJobObjectW(NULL, NULL);
+ JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_limits = {0};
+ job_limits.BasicLimitInformation.LimitFlags =
+ JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
+ if (::SetInformationJobObject(job, JobObjectExtendedLimitInformation,
+ &job_limits, sizeof(job_limits))) {
+ ::AssignProcessToJobObject(job, process);
+ // Yes, we are leaking the object here. Read comment above.
+ } else {
+ ::CloseHandle(job);
+ return false;
+ }
+
+ ::CloseHandle(process);
+ return true;
+}
+#endif // OS_WIN
+
}
namespace chrome {
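Review bot: On the SetInformationJobObject failure branch of LoadFlashBroker the broker has already been launched and its pid appended to cmd_line, yet the function returns false without closing `process`, leaving a privileged broker running outside any job object — the exact lingering the job is meant to prevent. Moving `cmd_line->AppendSwitchASCII("flash-broker", ...)` to after the job assignment succeeds and adding `::CloseHandle(process);` before that `return false;` stops the failure path from both leaking the handle and advertising a pid for an uncontained broker. The return value of `::AssignProcessToJobObject(job, process)` is also ignored, so a failed assignment is reported as success; checking it and taking the same failure path would close that gap. `::CreateJobObjectW` returning NULL is only caught indirectly by the following SetInformationJobObject call, which a short comment should say. The code is moved verbatim from sandbox_policy.cc, so the defect predates this commit but is now the embedder's to own.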
@@ -323,4 +388,52 @@ int ChromeContentBrowserClient::GetCrashSignalFD(
}
#endif
+#if defined(OS_WIN)
+bool ChromeContentBrowserClient::SandboxPlugin(CommandLine* command_line,
+ sandbox::TargetPolicy* policy) {
+ std::wstring plugin_dll = command_line->
+ GetSwitchValueNative(switches::kPluginPath);
+
+ FilePath builtin_flash;
+ if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash))
+ return false;
+
+ FilePath plugin_path(plugin_dll);
+ if (plugin_path != builtin_flash)
+ return false;
+
+ if (base::win::GetVersion() <= base::win::VERSION_XP ||
+ CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableFlashSandbox)) {
+ return false;
+ }
+
+ // Add the policy for the pipes.
+ sandbox::ResultCode result = sandbox::SBOX_ALL_OK;
+ result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
+ sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
+ L"\\\\.\\pipe\\chrome.*");
+ if (result != sandbox::SBOX_ALL_OK) {
+ NOTREACHED();
+ return false;
+ }
+
+ // Spawn the flash broker and apply sandbox policy.
+ if (LoadFlashBroker(plugin_path, command_line)) {
+ policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
+ policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+ sandbox::USER_INTERACTIVE);
+ policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+ } else {
+ // Could not start the broker, use a very weak policy instead.
+ DLOG(WARNING) << "Failed to start flash broker";
+ policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
+ policy->SetTokenLevel(
+ sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
+ }
+
+ return true;
+}
+#endif
+
} // namespace chrome
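Review bot: SandboxPlugin returns true on the broker-failure branch even though the policy it applied there (`USER_UNPROTECTED`/`USER_UNPROTECTED`, no delayed integrity level) imposes essentially no token restriction, so the caller in sandbox_policy.cc records the plugin as in_sandbox while it effectively runs with the browser's token. That mirrors the old ApplyPolicyForTrustedPlugin fallback, but the decision is now behind an embedder API and should be stated; a comment above the `else`, e.g. `// Still returns true: the process is launched through the sandbox broker with this weak policy, so it counts as sandboxed in name only.`, makes the trade-off visible. The function comment should also say that the kDisableFlashSandbox check reads the browser's own command line while the plugin path is taken from |command_line|, since the two are different processes' arguments.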
diff --git a/chrome/browser/chrome_content_browser_client.h b/chrome/browser/chrome_content_browser_client.h
index c1fbbfc..6b253d4 100644
--- a/chrome/browser/chrome_content_browser_client.h
+++ b/chrome/browser/chrome_content_browser_client.h
@@ -44,6 +44,11 @@ class ChromeContentBrowserClient : public content::ContentBrowserClient {
// Can return an optional fd for crash handling, otherwise returns -1.
virtual int GetCrashSignalFD(const std::string& process_type);
#endif
+
+#if defined(OS_WIN)
+ virtual bool SandboxPlugin(CommandLine* command_line,
+ sandbox::TargetPolicy* policy);
+#endif
};
} // namespace chrome
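Review bot: The new SandboxPlugin override is declared without a comment, and it is the one place where the Flash-only sandbox decision is made, so a reader of the header cannot tell that every other NPAPI plugin is left unsandboxed by this embedder. A one-line comment would do: `// Sandboxes only the built-in Flash plugin (post-XP, unless --disable-flash-sandbox); returns false, i.e. no sandbox, for every other plugin.` The base-class declaration carries the generic description, so this comment should focus on the policy choice rather than repeat it.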
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 5864d8b..dbe024a 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -108,10 +108,6 @@ const char kBrowserCrashTest[] = "crash-test";
// testing purposes.
const char kCheckForUpdateIntervalSec[] = "check-for-update-interval";
-// Run Chrome in Chrome Frame mode. This means that Chrome expects to be run
-// as a dependent process of the Chrome Frame plugin.
-const char kChromeFrame[] = "chrome-frame";
-
// Tells chrome to load the specified version of chrome.dll on Windows. If
// this version cannot be loaded, Chrome will exit.
const char kChromeVersion[] = "chrome-version";
@@ -178,9 +174,6 @@ const char kDisableAcceleratedLayers[] = "disable-accelerated-layers";
// Disables GPU accelerated video display.
const char kDisableAcceleratedVideo[] = "disable-accelerated-video";
-// Disables the alternate window station for the renderer.
-const char kDisableAltWinstation[] = "disable-winsta";
-
// Replaces the audio IPC layer for <audio> and <video> with a mock audio
// device, useful when using remote desktop or machines without sound cards.
// This is temporary until we fix the underlying problem.
@@ -714,10 +707,6 @@ const char kNaClDebugIP[] = "nacl-debug-ip";
// Sets the default port range for debugging.
const char kNaClDebugPorts[] = "nacl-debug-ports";
-// Causes the process to run as a NativeClient broker
-// (used for launching NaCl loader processes on 64-bit Windows).
-const char kNaClBrokerProcess[] = "nacl-broker";
-
// On POSIX only: the contents of this flag are prepended to the nacl-loader
// command line. Useful values might be "valgrind" or "xterm -e gdb --args".
const char kNaClLoaderCmdPrefix[] = "nacl-loader-cmd-prefix";
@@ -974,10 +963,6 @@ const char kTestType[] = "test-type";
// testing-related messages on IPC channel with the given ID.
const char kTestingChannelID[] = "testing-channel";
-// Excludes these plugins from the plugin sandbox.
-// This is a comma-separated list of plugin library names.
-const char kTrustedPlugins[] = "trusted-plugins";
-
// Experimental. Shows a dialog asking the user to try chrome. This flag
// is to be used only by the upgrade process.
const char kTryChromeAgain[] = "try-chrome-again";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 634f8b6..25ca5a2 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -47,7 +47,6 @@ extern const char kBlockReadingThirdPartyCookies[];
extern const char kBrowserAssertTest[];
extern const char kBrowserCrashTest[];
extern const char kCheckForUpdateIntervalSec[];
-extern const char kChromeFrame[];
extern const char kChromeVersion[];
extern const char kCloudPrintDeleteFile[];
extern const char kCloudPrintFile[];
@@ -65,7 +64,6 @@ extern const char kDiagnostics[];
extern const char kDisableAccelerated2dCanvas[];
extern const char kDisableAcceleratedLayers[];
extern const char kDisableAcceleratedVideo[];
-extern const char kDisableAltWinstation[];
extern const char kDisableAuthNegotiateCnameLookup[];
extern const char kDisableBackgroundMode[];
extern const char kDisableBackgroundNetworking[];
@@ -202,7 +200,6 @@ extern const char kMinClearSiteDataFlashVersion[];
extern const char kMultiProfiles[];
extern const char kNaClDebugIP[];
extern const char kNaClDebugPorts[];
-extern const char kNaClBrokerProcess[];
extern const char kNaClLoaderCmdPrefix[];
extern const char kNaClStartupDialog[];
extern const char kNetLogLevel[];
@@ -267,7 +264,6 @@ extern const char kTestNaClSandbox[];
extern const char kTestName[];
extern const char kTestType[];
extern const char kTestingChannelID[];
-extern const char kTrustedPlugins[];
extern const char kTryChromeAgain[];
extern const char kUninstall[];
extern const char kUsePureViews[];
diff --git a/chrome/common/sandbox_policy.cc b/chrome/common/sandbox_policy.cc
index 97142aa..55841cc 100644
--- a/chrome/common/sandbox_policy.cc
+++ b/chrome/common/sandbox_policy.cc
@@ -14,12 +14,10 @@
#include "base/path_service.h"
#include "base/process_util.h"
#include "base/stringprintf.h"
-#include "base/string_number_conversions.h"
#include "base/string_util.h"
#include "base/win/windows_version.h"
-#include "chrome/common/chrome_constants.h"
-#include "chrome/common/chrome_paths.h"
-#include "chrome/common/chrome_switches.h"
+#include "content/browser/content_browser_client.h"
+#include "content/common/content_switches.h"
#include "content/common/child_process_info.h"
#include "content/common/debug_flags.h"
#include "sandbox/src/sandbox.h"
@@ -88,36 +86,6 @@ const wchar_t* const kTroublesomeDlls[] = {
L"winstylerthemehelper.dll" // Tuneup utilities 2006.
};
-enum PluginPolicyCategory {
- PLUGIN_GROUP_TRUSTED,
- PLUGIN_GROUP_UNTRUSTED,
-};
-
-// Returns the policy category for the plugin dll.
-PluginPolicyCategory GetPolicyCategoryForPlugin(
- const std::wstring& dll,
- const std::wstring& list) {
- std::wstring filename = FilePath(dll).BaseName().value();
- std::wstring plugin_dll = StringToLowerASCII(filename);
- std::wstring trusted_plugins = StringToLowerASCII(list);
-
- size_t pos = 0;
- size_t end_item = 0;
- while (end_item != std::wstring::npos) {
- end_item = list.find(L",", pos);
-
- size_t size_item = (end_item == std::wstring::npos) ? end_item :
- end_item - pos;
- std::wstring item = list.substr(pos, size_item);
- if (!item.empty() && item == plugin_dll)
- return PLUGIN_GROUP_TRUSTED;
-
- pos = end_item + 1;
- }
-
- return PLUGIN_GROUP_UNTRUSTED;
-}
-
// Adds the policy rules for the path and path\ with the semantic |access|.
// If |children| is set to true, we need to add the wildcard rules to also
// apply the rule to the subfiles and subfolders.
@@ -246,7 +214,7 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
// Add the policy for debug message only in debug
#ifndef NDEBUG
FilePath app_dir;
- if (!PathService::Get(chrome::DIR_APP, &app_dir))
+ if (!PathService::Get(base::DIR_MODULE, &app_dir))
return false;
wchar_t long_path_buf[MAX_PATH];
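Review bot: Replacing `chrome::DIR_APP` with `base::DIR_MODULE` changes which directory the debug-only rule below is granted on whenever the two keys resolve differently (DIR_MODULE is, as far as I know, the directory of the module containing the running code), and nothing in the hunk says whether that is intended or just the nearest content-level key. A comment recording the assumption, e.g. `// base::DIR_MODULE rather than chrome::DIR_APP so this file has no chrome/ dependency; assumed to resolve to the same directory.`, would let a later reader verify it rather than rediscover it. AddGenericPolicy continues outside the hunk.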
@@ -268,247 +236,6 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
return true;
}
-// Creates a sandbox without any restriction.
-bool ApplyPolicyForTrustedPlugin(sandbox::TargetPolicy* policy) {
- policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
- policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
- return true;
-}
-
-// Creates a sandbox with the plugin running in a restricted environment.
-// Only the "Users" and "Everyone" groups are enabled in the token. The User SID
-// is disabled.
-bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy) {
- policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
-
- sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
- if (base::win::GetVersion() > base::win::VERSION_XP) {
- // On 2003/Vista the initial token has to be restricted if the main token
- // is restricted.
- initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
- }
- policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED);
- policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-
- if (!AddDirectory(base::DIR_TEMP, NULL, true,
- sandbox::TargetPolicy::FILES_ALLOW_ANY, policy))
- return false;
-
- if (!AddDirectory(base::DIR_IE_INTERNET_CACHE, NULL, true,
- sandbox::TargetPolicy::FILES_ALLOW_ANY, policy))
- return false;
-
- if (!AddDirectory(base::DIR_APP_DATA, NULL, true,
- sandbox::TargetPolicy::FILES_ALLOW_READONLY,
- policy))
- return false;
-
- if (!AddDirectory(base::DIR_PROFILE, NULL, false, /*not recursive*/
- sandbox::TargetPolicy::FILES_ALLOW_READONLY,
- policy))
- return false;
-
- if (!AddDirectory(base::DIR_APP_DATA, L"Adobe", true,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- policy))
- return false;
-
- if (!AddDirectory(base::DIR_APP_DATA, L"Macromedia", true,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- policy))
- return false;
-
- if (!AddDirectory(base::DIR_LOCAL_APP_DATA, NULL, true,
- sandbox::TargetPolicy::FILES_ALLOW_READONLY,
- policy))
- return false;
-
- if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE",
- sandbox::TargetPolicy::REG_ALLOW_ANY,
- policy))
- return false;
-
- if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA",
- sandbox::TargetPolicy::REG_ALLOW_ANY,
- policy))
- return false;
-
- if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
- if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\AppDataLow",
- sandbox::TargetPolicy::REG_ALLOW_ANY,
- policy))
- return false;
-
- if (!AddDirectory(base::DIR_LOCAL_APP_DATA_LOW, NULL, true,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- policy))
- return false;
-
- // DIR_APP_DATA is AppData\Roaming, but Adobe needs to do a directory
- // listing in AppData directly, so we add a non-recursive policy for
- // AppData itself.
- if (!AddDirectory(base::DIR_APP_DATA, L"..", false,
- sandbox::TargetPolicy::FILES_ALLOW_READONLY,
- policy))
- return false;
- }
-
- return true;
-}
-
-// Launches the privileged flash broker, used when flash is sandboxed.
-// The broker is the same flash dll, except that it uses a different
-// entrypoint (BrokerMain) and it is hosted in windows' generic surrogate
-// process rundll32. After launching the broker we need to pass to
-// the flash plugin the process id of the broker via the command line
-// using --flash-broker=pid.
-// More info about rundll32 at http://support.microsoft.com/kb/164787.
-bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) {
- FilePath rundll;
- if (!PathService::Get(base::DIR_SYSTEM, &rundll))
- return false;
- rundll = rundll.AppendASCII("rundll32.exe");
- // Rundll32 cannot handle paths with spaces, so we use the short path.
- wchar_t short_path[MAX_PATH];
- if (0 == ::GetShortPathNameW(plugin_path.value().c_str(),
- short_path, arraysize(short_path)))
- return false;
- // Here is the kicker, if the user has disabled 8.3 (short path) support
- // on the volume GetShortPathNameW does not fail but simply returns the
- // input path. In this case if the path had any spaces then rundll32 will
- // incorrectly interpret its parameters. So we quote the path, even though
- // the kb/164787 says you should not.
- std::wstring cmd_final =
- base::StringPrintf(L"%ls \"%ls\",BrokerMain browser=chrome",
- rundll.value().c_str(),
- short_path);
- base::ProcessHandle process;
- if (!base::LaunchApp(cmd_final, false, true, &process))
- return false;
-
- cmd_line->AppendSwitchASCII("flash-broker",
- base::Int64ToString(::GetProcessId(process)));
-
- // The flash broker, unders some circumstances can linger beyond the lifetime
- // of the flash player, so we put it in a job object, when the browser
- // terminates the job object is destroyed (by the OS) and the flash broker
- // is terminated.
- HANDLE job = ::CreateJobObjectW(NULL, NULL);
- JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_limits = {0};
- job_limits.BasicLimitInformation.LimitFlags =
- JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
- if (::SetInformationJobObject(job, JobObjectExtendedLimitInformation,
- &job_limits, sizeof(job_limits))) {
- ::AssignProcessToJobObject(job, process);
- // Yes, we are leaking the object here. Read comment above.
- } else {
- ::CloseHandle(job);
- return false;
- }
-
- ::CloseHandle(process);
- return true;
-}
-
-// Creates a sandbox for the built-in flash plugin running in a restricted
-// environment. This policy is in continual flux as flash changes
-// capabilities. For more information see bug 50796.
-bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) {
- policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
- // Vista and Win7 get a weaker token but have low integrity.
- if (base::win::GetVersion() > base::win::VERSION_XP) {
- policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
- sandbox::USER_INTERACTIVE);
- policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
- } else {
- policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
- sandbox::USER_LIMITED);
-
- if (!AddKeyAndSubkeys(L"HKEY_LOCAL_MACHINE\\SOFTWARE",
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- policy))
- return false;
- if (!AddKeyAndSubkeys(L"HKEY_LOCAL_MACHINE\\SYSTEM",
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- policy))
- return false;
-
- if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE",
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- policy))
- return false;
- }
-
- AddDllEvictionPolicy(policy);
- return true;
-}
-
-// Returns true of the plugin specified in |cmd_line| is the built-in
-// flash plugin and optionally returns its full path in |flash_path|
-bool IsBuiltInFlash(const CommandLine* cmd_line, FilePath* flash_path) {
- std::wstring plugin_dll = cmd_line->
- GetSwitchValueNative(switches::kPluginPath);
-
- FilePath builtin_flash;
- if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash))
- return false;
-
- FilePath plugin_path(plugin_dll);
- if (plugin_path != builtin_flash)
- return false;
-
- if (flash_path)
- *flash_path = plugin_path;
- return true;
-}
-
-
-// Adds the custom policy rules for a given plugin. |trusted_plugins| contains
-// the comma separate list of plugin dll names that should not be sandboxed.
-bool AddPolicyForPlugin(CommandLine* cmd_line,
- sandbox::TargetPolicy* policy) {
- std::wstring plugin_dll = cmd_line->
- GetSwitchValueNative(switches::kPluginPath);
- std::wstring trusted_plugins = CommandLine::ForCurrentProcess()->
- GetSwitchValueNative(switches::kTrustedPlugins);
- // Add the policy for the pipes.
- sandbox::ResultCode result = sandbox::SBOX_ALL_OK;
- result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
- sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
- L"\\\\.\\pipe\\chrome.*");
- if (result != sandbox::SBOX_ALL_OK) {
- NOTREACHED();
- return false;
- }
-
- // The built-in flash gets a custom, more restricted sandbox.
- FilePath flash_path;
- if (IsBuiltInFlash(cmd_line, &flash_path)) {
- // Spawn the flash broker and apply sandbox policy.
- if (!LoadFlashBroker(flash_path, cmd_line)) {
- // Could not start the broker, use a very weak policy instead.
- DLOG(WARNING) << "Failed to start flash broker";
- return ApplyPolicyForTrustedPlugin(policy);
- }
- return ApplyPolicyForBuiltInFlashPlugin(policy);
- }
-
- PluginPolicyCategory policy_category =
- GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins);
-
- switch (policy_category) {
- case PLUGIN_GROUP_TRUSTED:
- return ApplyPolicyForTrustedPlugin(policy);
- case PLUGIN_GROUP_UNTRUSTED:
- return ApplyPolicyForUntrustedPlugin(policy);
- default:
- NOTREACHED();
- break;
- }
-
- return false;
-}
-
// For the GPU process we gotten as far as USER_LIMITED. The next level
// which is USER_RESTRICTED breaks both the DirectX backend and the OpenGL
// backend. Note that the GPU process is connected to the interactive
@@ -621,18 +348,7 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
(type != ChildProcessInfo::NACL_BROKER_PROCESS) &&
(type != ChildProcessInfo::PLUGIN_PROCESS);
- // Second case: If it is the plugin process then it depends on it being
- // the built-in flash, the user forcing plugins into sandbox or the
- // the user explicitly excluding flash from the sandbox.
- if (!in_sandbox && (type == ChildProcessInfo::PLUGIN_PROCESS)) {
- in_sandbox = browser_command_line.HasSwitch(switches::kSafePlugins) ||
- (IsBuiltInFlash(cmd_line, NULL) &&
- (base::win::GetVersion() > base::win::VERSION_XP) &&
- !browser_command_line.HasSwitch(switches::kDisableFlashSandbox));
- }
-
- // Third case: If it is the GPU process then it can be disabled by a
- // command line flag.
+ // If it is the GPU process then it can be disabled by a command line flag.
if ((type == ChildProcessInfo::GPU_PROCESS) &&
(browser_command_line.HasSwitch(switches::kDisableGpuSandbox))) {
in_sandbox = false;
@@ -672,19 +388,24 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
// to create separate pretetch settings for browser, renderer etc.
cmd_line->AppendArg(base::StringPrintf("/prefetch:%d", type));
+ sandbox::ResultCode result;
+ PROCESS_INFORMATION target = {0};
+ sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
+
+ if (type == ChildProcessInfo::PLUGIN_PROCESS &&
+ !browser_command_line.HasSwitch(switches::kNoSandbox) &&
+ content::GetContentClient()->browser()->SandboxPlugin(cmd_line, policy)) {
+ in_sandbox = true;
+ AddDllEvictionPolicy(policy);
+ }
+
if (!in_sandbox) {
+ policy->Release();
base::LaunchApp(*cmd_line, false, false, &process);
return process;
}
- sandbox::ResultCode result;
- PROCESS_INFORMATION target = {0};
- sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
-
- if (type == ChildProcessInfo::PLUGIN_PROCESS) {
- if (!AddPolicyForPlugin(cmd_line, policy))
- return 0;
- } else if (type == ChildProcessInfo::GPU_PROCESS) {
+ if (type == ChildProcessInfo::GPU_PROCESS) {
if (!AddPolicyForGPU(cmd_line, policy))
return 0;
} else if (type == ChildProcessInfo::PPAPI_PLUGIN_PROCESS) {
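Review bot: `policy` is now created before the sandbox decision, but only the `!in_sandbox` branch calls `policy->Release()`; the `return 0;` after a failed AddPolicyForGPU (and presumably the sibling branches below the hunk) still leaks the policy object. Since this same change makes PolicyBase's destructor private, Release() is the only way to destroy it, so each early return should release first, e.g. `if (!AddPolicyForGPU(cmd_line, policy)) { policy->Release(); return 0; }`. Separately, `in_sandbox = true` is set on any true return from SandboxPlugin, and the chrome implementation returns true even after falling back to an unprotected token, so the flag here means "launched through the sandbox broker" rather than "restricted"; a comment on the assignment would stop the name from being over-read. StartProcessWithAccess continues beyond the hunk.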
diff --git a/chrome/test/automation/proxy_launcher.cc b/chrome/test/automation/proxy_launcher.cc
index 6260b94..385d8f4 100644
--- a/chrome/test/automation/proxy_launcher.cc
+++ b/chrome/test/automation/proxy_launcher.cc
@@ -102,7 +102,6 @@ const char ProxyLauncher::kDefaultInterfacePath[] =
bool ProxyLauncher::in_process_renderer_ = false;
bool ProxyLauncher::no_sandbox_ = false;
bool ProxyLauncher::full_memory_dump_ = false;
-bool ProxyLauncher::safe_plugins_ = false;
bool ProxyLauncher::show_error_dialogs_ = true;
bool ProxyLauncher::dump_histograms_on_exit_ = false;
bool ProxyLauncher::enable_dcheck_ = false;
@@ -426,8 +425,6 @@ void ProxyLauncher::PrepareTestCommandline(CommandLine* command_line,
command_line->AppendSwitch(switches::kNoSandbox);
if (full_memory_dump_)
command_line->AppendSwitch(switches::kFullMemoryCrashReport);
- if (safe_plugins_)
- command_line->AppendSwitch(switches::kSafePlugins);
if (enable_dcheck_)
command_line->AppendSwitch(switches::kEnableDCHECK);
if (silent_dump_on_dcheck_)
diff --git a/chrome/test/automation/proxy_launcher.h b/chrome/test/automation/proxy_launcher.h
index 89b0d94..edd3ad4 100644
--- a/chrome/test/automation/proxy_launcher.h
+++ b/chrome/test/automation/proxy_launcher.h
@@ -176,13 +176,6 @@ class ProxyLauncher {
disable_breakpad_ = value;
}
- // Get/Set a flag to run the plugin processes inside the sandbox when running
- // the tests
- static bool safe_plugins() { return safe_plugins_; }
- static void set_safe_plugins(bool value) {
- safe_plugins_ = value;
- }
-
static bool show_error_dialogs() { return show_error_dialogs_; }
static void set_show_error_dialogs(bool value) {
show_error_dialogs_ = value;
@@ -263,9 +256,6 @@ class ProxyLauncher {
// If true, runs the renderer outside the sandbox.
static bool no_sandbox_;
- // If true, runs plugin processes inside the sandbox.
- static bool safe_plugins_;
-
// If true, write full memory dump during crash.
static bool full_memory_dump_;
diff --git a/chrome/test/ui/ui_test_suite.cc b/chrome/test/ui/ui_test_suite.cc
index 0f804f6..36968c5 100644
--- a/chrome/test/ui/ui_test_suite.cc
+++ b/chrome/test/ui/ui_test_suite.cc
@@ -37,8 +37,6 @@ void UITestSuite::Initialize() {
parsed_command_line.HasSwitch(switches::kNoSandbox));
ProxyLauncher::set_full_memory_dump(
parsed_command_line.HasSwitch(switches::kFullMemoryCrashReport));
- ProxyLauncher::set_safe_plugins(
- parsed_command_line.HasSwitch(switches::kSafePlugins));
ProxyLauncher::set_dump_histograms_on_exit(
parsed_command_line.HasSwitch(switches::kDumpHistogramsOnExit));
ProxyLauncher::set_enable_dcheck(
diff --git a/content/browser/child_process_launcher.cc b/content/browser/child_process_launcher.cc
index a812b26..6a53d75 100644
--- a/content/browser/child_process_launcher.cc
+++ b/content/browser/child_process_launcher.cc
@@ -11,10 +11,10 @@
#include "base/memory/scoped_ptr.h"
#include "base/synchronization/lock.h"
#include "base/threading/thread.h"
-#include "chrome/common/chrome_switches.h"
#include "content/browser/browser_thread.h"
#include "content/browser/content_browser_client.h"
#include "content/common/chrome_descriptors.h"
+#include "content/common/content_switches.h"
#include "content/common/process_watcher.h"
#include "content/common/result_codes.h"
diff --git a/content/browser/content_browser_client.cc b/content/browser/content_browser_client.cc
index 79759d3..9528f6d 100644
--- a/content/browser/content_browser_client.cc
+++ b/content/browser/content_browser_client.cc
@@ -86,4 +86,11 @@ int ContentBrowserClient::GetCrashSignalFD(const std::string& process_type) {
}
#endif
+#if defined(OS_WIN)
+bool ContentBrowserClient::SandboxPlugin(CommandLine* command_line,
+ sandbox::TargetPolicy* policy) {
+ return false;
+}
+#endif
+
} // namespace content
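Review bot: The default SandboxPlugin silently returns false, which in StartProcessWithAccess means an embedder that does not override it launches every plugin process with no sandbox at all; a default with that consequence deserves a comment here rather than only on the header declaration. Suggest: `// Default: no policy is applied and the caller launches the plugin process unsandboxed; embedders override to opt in.`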
diff --git a/content/browser/content_browser_client.h b/content/browser/content_browser_client.h
index 5cb2be8..1c46499 100644
--- a/content/browser/content_browser_client.h
+++ b/content/browser/content_browser_client.h
@@ -24,6 +24,10 @@ class CookieList;
class CookieOptions;
}
+namespace sandbox {
+class TargetPolicy;
+}
+
namespace content {
class ResourceContext;
@@ -105,6 +109,12 @@ class ContentBrowserClient {
// Can return an optional fd for crash handling, otherwise returns -1.
virtual int GetCrashSignalFD(const std::string& process_type);
#endif
+
+#if defined(OS_WIN)
+ // Allows the embedder to sandbox a plugin, and apply a custom policy.
+ virtual bool SandboxPlugin(CommandLine* command_line,
+ sandbox::TargetPolicy* policy);
+#endif
};
} // namespace content
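Review bot: The new comment on SandboxPlugin says what the hook is for but not what its return value means or that |command_line| may be modified, which is what an embedder needs: the chrome implementation appends a `--flash-broker` switch to it and the caller sets in_sandbox from the return value. Suggest replacing the comment with `// Returns true if |policy| was configured and the plugin process must be launched through the sandbox; false launches it unsandboxed. May append switches to |command_line|.`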
diff --git a/content/browser/plugin_process_host.cc b/content/browser/plugin_process_host.cc
index 9d2e7d4..b755305 100644
--- a/content/browser/plugin_process_host.cc
+++ b/content/browser/plugin_process_host.cc
@@ -170,7 +170,6 @@ bool PluginProcessHost::Init(const webkit::npapi::WebPluginInfo& info,
switches::kMemoryProfiling,
switches::kNoSandbox,
switches::kPluginStartupDialog,
- switches::kSafePlugins,
switches::kSilentDumpOnDCHECK,
switches::kTestSandbox,
switches::kUseGL,
diff --git a/content/common/content_switches.cc b/content/common/content_switches.cc
index ccbc378..444b0ce 100644
--- a/content/common/content_switches.cc
+++ b/content/common/content_switches.cc
@@ -20,6 +20,10 @@ const char kAllowSandboxDebugging[] = "allow-sandbox-debugging";
// Path to the exe to run for the renderer and plugin subprocesses.
const char kBrowserSubprocessPath[] = "browser-subprocess-path";
+// Run Chrome in Chrome Frame mode. This means that Chrome expects to be run
+// as a dependent process of the Chrome Frame plugin.
+const char kChromeFrame[] = "chrome-frame";
+
// Disables client-visible 3D APIs, in particular WebGL and Pepper 3D.
// This is controlled by policy and is kept separate from the other
// enable/disable switches to avoid accidentally regressing the policy
@@ -29,6 +33,9 @@ const char kDisable3DAPIs[] = "disable-3d-apis";
// Disables accelerated compositing.
const char kDisableAcceleratedCompositing[] = "disable-accelerated-compositing";
+// Disables the alternate window station for the renderer.
+const char kDisableAltWinstation[] = "disable-winsta";
+
// Disable the ApplicationCache.
const char kDisableApplicationCache[] = "disable-application-cache";
//
@@ -228,6 +235,10 @@ const char kLoggingLevel[] = "log-level";
// Make plugin processes log their sent and received messages to VLOG(1).
const char kLogPluginMessages[] = "log-plugin-messages";
+// Causes the process to run as a NativeClient broker
+// (used for launching NaCl loader processes on 64-bit Windows).
+const char kNaClBrokerProcess[] = "nacl-broker";
+
// Causes the process to run as a NativeClient loader.
const char kNaClLoaderProcess[] = "nacl-loader";
@@ -336,9 +347,6 @@ const char kRendererProcess[] = "renderer";
// Causes the renderer process to display a dialog on launch.
const char kRendererStartupDialog[] = "renderer-startup-dialog";
-// Runs the plugin processes inside the sandbox.
-const char kSafePlugins[] = "safe-plugins";
-
// Causes the process to run as a service process.
const char kServiceProcess[] = "service";
diff --git a/content/common/content_switches.h b/content/common/content_switches.h
index 111a010..1677a1e 100644
--- a/content/common/content_switches.h
+++ b/content/common/content_switches.h
@@ -14,8 +14,11 @@ extern const char kAllowFileAccessFromFiles[];
extern const char kAllowRunningInsecureContent[];
extern const char kAllowSandboxDebugging[];
extern const char kBrowserSubprocessPath[];
+// TODO(jam): this doesn't belong in content.
+extern const char kChromeFrame[];
extern const char kDisable3DAPIs[];
extern const char kDisableAcceleratedCompositing[];
+extern const char kDisableAltWinstation[];
extern const char kDisableApplicationCache[];
extern const char kDisableAudio[];
extern const char kDisableBackingStoreLimit[];
@@ -75,6 +78,7 @@ extern const char kLoadPlugin[];
extern const char kLoggingLevel[];
extern const char kLogPluginMessages[];
// TODO(jam): this doesn't belong in content.
+extern const char kNaClBrokerProcess[];
extern const char kNaClLoaderProcess[];
extern const char kNoDisplayingInsecureContent[];
extern const char kNoJsRandomness[];
@@ -105,7 +109,6 @@ extern const char kRendererCmdPrefix[];
extern const char kRendererCrashTest[];
extern const char kRendererProcess[];
extern const char kRendererStartupDialog[];
-extern const char kSafePlugins[];
// TODO(jam): this doesn't belong in content.
extern const char kServiceProcess[];
extern const char kShowPaintRects[];
diff --git a/sandbox/src/sandbox_policy_base.h b/sandbox/src/sandbox_policy_base.h
index b6f2693..6294ed8 100644
--- a/sandbox/src/sandbox_policy_base.h
+++ b/sandbox/src/sandbox_policy_base.h
@@ -31,7 +31,6 @@ struct PolicyGlobal;
class PolicyBase : public Dispatcher, public TargetPolicy {
public:
PolicyBase();
- ~PolicyBase();
virtual void AddRef() {
::InterlockedIncrement(&ref_count);
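Review bot: Moving `~PolicyBase()` from public to private (second hunk of this file) makes `Release()` the only legal way to destroy a PolicyBase, but nothing records that intent; a comment next to the private declaration, e.g. `// Private: instances are refcounted and must be destroyed via Release(), never deleted directly or created on the stack.`, would explain the otherwise odd placement. Whether a `delete` through a `TargetPolicy*` or `Dispatcher*` is still possible depends on those bases' destructors, which are not in this diff; if either is public and virtual the restriction is bypassable and worth checking.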
@@ -124,6 +123,8 @@ class PolicyBase : public Dispatcher, public TargetPolicy {
virtual EvalResult EvalPolicy(int service, CountedParameterSetBase* params);
private:
+ ~PolicyBase();
+
// Test IPC providers.
bool Ping(IPCInfo* ipc, void* cookie);