authorcpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-30 20:40:45 +0000
committercpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-30 20:40:45 +0000
commite29b96a75e3d7209226f77c47310a7773c31a116 (patch)
tree1c96c3ab2a2c0bdb1d9b97bdceb154de12d40d6a
parentc45a61ca508f3beba4a9f23dd6468b6f488820d7 (diff)
downloadchromium_src-e29b96a75e3d7209226f77c47310a7773c31a116.zip
chromium_src-e29b96a75e3d7209226f77c47310a7773c31a116.tar.gz
chromium_src-e29b96a75e3d7209226f77c47310a7773c31a116.tar.bz2
Sandboxing built-in flash
This is the last change needed to have an experimental sandboxed flash for windows - Adds an export so flash can lower the token - Tightens the policy a bit - Sets a separate flash data directory. BUG=50796 TES=see bug Review URL: http://codereview.chromium.org/3245006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57899 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/common/sandbox_policy.cc18
-rw-r--r--chrome/plugin/plugin_main.cc35
2 files changed, 41 insertions, 12 deletions
diff --git a/chrome/common/sandbox_policy.cc b/chrome/common/sandbox_policy.cc
index b8d9b8a..e772fc9 100644
--- a/chrome/common/sandbox_policy.cc
+++ b/chrome/common/sandbox_policy.cc
@@ -306,7 +306,7 @@ bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy) {
// function. For more information see bug 50796.
bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) {
// TODO(cpu): Lock down the job level more.
- policy->SetJobLevel(sandbox::JOB_INTERACTIVE, 0);
+ policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
if (win_util::GetWinVersion() > win_util::WINVERSION_XP)
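Review bot: The new `policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);` line is left unexplained directly under a TODO that says the job level should be locked down more; if, as the sandbox's JobLevel ordering suggests, JOB_UNPROTECTED is the less restrictive of the two levels, this hunk loosens the job object rather than tightening it as the description claims. Whichever way it goes, the reason belongs next to the call so the TODO is not re-resolved in the wrong direction later, e.g. replace the TODO with `// TODO(cpu): JOB_UNPROTECTED because flash does not run under the JOB_INTERACTIVE restrictions (bug 50796); lock the job down again once the offending calls are proxied.` with the actual blocker filled in. ApplyPolicyForBuiltInFlashPlugin continues past the end of this hunk.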
@@ -315,7 +315,7 @@ bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) {
policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
- // TODO(cpu): Proxy registry access and remove this policies.
+ // TODO(cpu): Proxy registry access and remove these policies.
if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE",
sandbox::TargetPolicy::REG_ALLOW_ANY,
policy))
@@ -326,13 +326,13 @@ bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) {
policy))
return false;
- if (win_util::GetWinVersion() >= win_util::WINVERSION_VISTA) {
- if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\AppDataLow",
- sandbox::TargetPolicy::REG_ALLOW_ANY,
- policy))
- return false;
- }
-
+ // Use a different data folder for flash data. This needs to be
+ // reverted once we stop the experiments.
+ FilePath flash_path;
+ PathService::Get(chrome::DIR_USER_DATA, &flash_path);
+ flash_path = flash_path.AppendASCII("swflash");
+ ::SetEnvironmentVariableW(L"CHROME_FLASH_ROOT",
+ flash_path.ToWStringHack().c_str());
return true;
}
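Review bot: The result of `PathService::Get(chrome::DIR_USER_DATA, &flash_path)` on the new lines is ignored, so if the lookup fails flash_path stays empty and CHROME_FLASH_ROOT is set to the bare relative path `swflash`, which would resolve against whatever the current directory is rather than the profile; since this function already reports failure for the registry rules, do the same here: `if (!PathService::Get(chrome::DIR_USER_DATA, &flash_path)) return false;`. Note also that `::SetEnvironmentVariableW` mutates the environment of the calling (broker) process itself, so the variable is presumably inherited by every child spawned after this point, not only the flash plugin, and it is rewritten every time the policy is applied; if that is intended the comment should say so, otherwise a per-target mechanism is the safer choice. The new folder is not granted by any file rule in this hunk; if the low-integrity flash process has to write to it, confirm the rule exists elsewhere. ApplyPolicyForBuiltInFlashPlugin starts before this hunk.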
diff --git a/chrome/plugin/plugin_main.cc b/chrome/plugin/plugin_main.cc
index 8313b68..3267fa0 100644
--- a/chrome/plugin/plugin_main.cc
+++ b/chrome/plugin/plugin_main.cc
@@ -47,6 +47,27 @@ void InitializeChromeApplication();
void WorkaroundFlashLAHF();
#endif
+#if defined(OS_WIN)
+// This function is provided so that the built-in flash can lock down the
+// sandbox by calling DelayedLowerToken(0).
+extern "C" DWORD __declspec(dllexport) __stdcall DelayedLowerToken(void* ts) {
+ // s_ts is only set the first time the function is called, which happens
+ // in PluginMain.
+ static sandbox::TargetServices* s_ts =
+ reinterpret_cast<sandbox::TargetServices*>(ts);
+ if (ts)
+ return 0;
+ s_ts->LowerToken();
+ return 1;
+};
+
+// Returns true if the plugin to be loaded is the internal flash.
+bool IsPluginBuiltInFlash(const CommandLine& cmd_line) {
+ FilePath path = cmd_line.GetSwitchValuePath(switches::kPluginPath);
+ return (path.BaseName() == FilePath(L"gcswf32.dll"));
+}
+#endif
+
// main() routine for running as the plugin process.
int PluginMain(const MainFunctionParams& parameters) {
#if defined(USE_LINUX_BREAKPAD)
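Review bot: DelayedLowerToken binds `s_ts` from whatever argument the first call carries, so if the exported function is reached with 0 before PluginMain has registered the services (the export is callable by any module loaded into the plugin process), `s_ts` is initialised to null, the `if (ts)` guard does not fire, and `s_ts->LowerToken()` dereferences null. Initialise the static to null, store the pointer on the non-null call, and refuse the lockdown call until it has been set; a lockdown request that arrives too early should not crash the process. The stray `;` after the function's closing brace on the `};` line can go as well, and IsPluginBuiltInFlash's basename-only comparison means any plugin file named gcswf32.dll, from any directory, is treated as the built-in flash — worth a comment if the browser side already restricts the path.
```cpp
extern "C" DWORD __declspec(dllexport) __stdcall DelayedLowerToken(void* ts) {
  // Set once by PluginMain with a non-null pointer; a later call with 0
  // performs the lockdown. Never dereferenced before it has been set.
  static sandbox::TargetServices* s_ts = NULL;
  if (ts) {
    if (!s_ts)
      s_ts = reinterpret_cast<sandbox::TargetServices*>(ts);
    return 0;
  }
  if (!s_ts)
    return 0;  // Lockdown requested before PluginMain registered services.
  s_ts->LowerToken();
  return 1;
}
```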
@@ -108,9 +129,17 @@ int PluginMain(const MainFunctionParams& parameters) {
ChildProcess plugin_process;
plugin_process.set_main_thread(new PluginThread());
#if defined(OS_WIN)
- if (!no_sandbox && target_services)
- target_services->LowerToken();
-
+ if (!no_sandbox && target_services) {
+ // We are sandboxing the plugin. If it is a generic plug-in, we lock down
+ // the sandbox right away, but if it is the built-in flash we let flash
+ // start elevated and it will call DelayedLowerToken(0) when it's ready.
+ if (IsPluginBuiltInFlash(parsed_command_line)) {
+ DLOG(INFO) << "Sandboxing flash";
+ DelayedLowerToken(target_services);
+ } else {
+ target_services->LowerToken();
+ }
+ }
if (sandbox_test_module) {
RunRendererTests run_security_tests =
reinterpret_cast<RunPluginTests>(GetProcAddress(sandbox_test_module,
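Review bot: On the new flash branch the process keeps its initial, unlowered token until the plugin itself calls DelayedLowerToken(0), and nothing in this hunk enforces that it ever does: a flash build that never makes the call, or any plugin whose file happens to be named gcswf32.dll (IsPluginBuiltInFlash compares only the basename), runs with the pre-lockdown token for its whole lifetime. A fallback that calls `target_services->LowerToken()` after a bounded delay if the plugin has not, or at minimum a comment stating that this is an accepted risk of the experiment and what the lowered and unlowered states can do, should accompany this branch. The log line also reads as though the lockdown already happened; `DLOG(INFO) << "Deferring flash sandbox lockdown to DelayedLowerToken(0)";` describes what the code does. PluginMain continues past the end of this hunk.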