author | nsylvain@chromium.org <nsylvain@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-20 16:05:56 +0000 |
committer | nsylvain@chromium.org <nsylvain@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-20 16:05:56 +0000 |
commit | ff608eb386a2662bbe076a2a59b21eb90bc34532 (patch) | |
tree | 63c82289115c4b64d6d444816aab4f895f43917c /chrome/browser | |
parent | 1e3af029048d55a3b7c39100683121d71c8ea673 (diff) | |
Add support for alternate window station.
TEST: Start chrome, make sure it loads pages, then use Process Explorer to make sure the WindowStation handle name is not the same as the browser process's.
BUG:10996
Review URL: http://codereview.chromium.org/113190
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@16483 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser')
-rw-r--r-- | chrome/browser/browser_main.cc | 28 | ||||
-rw-r--r-- | chrome/browser/sandbox_policy.cc | 27 |
2 files changed, 33 insertions, 22 deletions
diff --git a/chrome/browser/browser_main.cc b/chrome/browser/browser_main.cc
index 2412d26..0f023c3 100644
--- a/chrome/browser/browser_main.cc
+++ b/chrome/browser/browser_main.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -291,6 +291,27 @@ int BrowserMain(const MainFunctionParams& parameters) {
 // BrowserProcessImpl's constructor should set g_browser_process.
 DCHECK(g_browser_process);
+#if defined(OS_WIN)
+ // IMPORTANT: This piece of code needs to run as early as possible in the
+ // process because it will initialize the sandbox broker, which requires the
+ // process to swap its window station. During this time all the UI will be
+ // broken. This has to run before threads and windows are created.
+ sandbox::BrokerServices* broker_services =
+ parameters.sandbox_info_.BrokerServices();
+ if (broker_services) {
+ browser_process->InitBrokerServices(broker_services);
+ if (!parsed_command_line.HasSwitch(switches::kNoSandbox)) {
+ bool use_winsta = !parsed_command_line.HasSwitch(
+ switches::kDisableAltWinstation);
+ // Precreate the desktop and window station used by the renderers.
+ sandbox::TargetPolicy* policy = broker_services->CreatePolicy();
+ sandbox::ResultCode result = policy->CreateAlternateDesktop(use_winsta);
+ CHECK(sandbox::SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION != result);
+ policy->Release();
+ }
+ }
+#endif
+
 std::wstring local_state_path;
 PathService::Get(chrome::FILE_LOCAL_STATE, &local_state_path);
 bool local_state_file_exists = file_util::PathExists(local_state_path);
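Review bot: Only one failure code from `policy->CreateAlternateDesktop(use_winsta)` is treated as fatal; every other non-OK result is silently discarded before `policy->Release()`, so a failed precreate leaves no trace and the first sign is renderers later falling back to the interactive desktop. The CHECK is the right response to the switch-back failure, but the remaining cases deserve a release-visible record, e.g. `LOG_IF(WARNING, sandbox::SBOX_ALL_OK != result) << "Failed to precreate the renderer alternate desktop";` before the Release. The comment says this must run before threads and windows are created, yet the block sits after BrowserProcessImpl has been constructed; if that constructor starts any threads the stated precondition is already violated, which is worth confirming and recording in the comment. BrowserMain's body continues outside the hunk.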
@@ -573,11 +594,6 @@ int BrowserMain(const MainFunctionParams& parameters) {
 #if defined(OS_WIN)
 RegisterExtensionProtocols();
-
- sandbox::BrokerServices* broker_services =
- parameters.sandbox_info_.BrokerServices();
- if (broker_services)
- browser_process->InitBrokerServices(broker_services);
 #endif
 // In unittest mode, this will do nothing. In normal mode, this will create
diff --git a/chrome/browser/sandbox_policy.cc b/chrome/browser/sandbox_policy.cc
index a50e01b..fa7023a 100644
--- a/chrome/browser/sandbox_policy.cc
+++ b/chrome/browser/sandbox_policy.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -27,8 +27,6 @@ namespace {
-const wchar_t* const kDesktopName = L"ChromeRendererDesktop";
-
 // The DLLs listed here are known (or under strong suspicion) of causing crashes
 // when they are loaded in the renderer.
 const wchar_t* const kTroublesomeDlls[] = {
@@ -315,7 +313,8 @@ bool AddPolicyForPlugin(const CommandLine* cmd_line,
 return false;
 }
-void AddPolicyForRenderer(HDESK desktop, sandbox::TargetPolicy* policy) {
+void AddPolicyForRenderer(sandbox::TargetPolicy* policy,
+ bool* on_sandbox_desktop) {
 policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
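Review bot: `bool* on_sandbox_desktop` is an out-parameter for a single flag that the function assigns on every path, which reads better and removes an unchecked pointer dereference as a return value: `bool AddPolicyForRenderer(sandbox::TargetPolicy* policy)` with the caller writing `on_sandbox_desktop = AddPolicyForRenderer(policy);`. Whichever form stays, the new signature has no comment saying what the flag means; a line such as `// Returns whether the renderer was placed on the sandbox's alternate desktop.` above it would document the contract the caller relies on for the RENDERER_PROCESS_IN_SBOX notification. The body of AddPolicyForRenderer continues in the next hunk.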
@@ -328,9 +327,13 @@ void AddPolicyForRenderer(HDESK desktop, sandbox::TargetPolicy* policy) {
 policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
- if (desktop) {
- policy->SetDesktop(kDesktopName);
+ bool use_winsta = !CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableAltWinstation);
+
+ if (sandbox::SBOX_ALL_OK == policy->SetAlternateDesktop(use_winsta)) {
+ *on_sandbox_desktop = true;
 } else {
+ *on_sandbox_desktop = false;
 DLOG(WARNING) << "Failed to apply desktop security to the renderer";
 }
@@ -391,14 +394,12 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
 PROCESS_INFORMATION target = {0};
 sandbox::TargetPolicy* policy = broker_service->CreatePolicy();
- HDESK desktop = NULL;
+ bool on_sandbox_desktop = false;
 if (type == ChildProcessInfo::PLUGIN_PROCESS) {
 if (!AddPolicyForPlugin(cmd_line, policy))
 return 0;
 } else {
- desktop = CreateDesktop(
- kDesktopName, NULL, NULL, 0, DESKTOP_CREATEWINDOW, NULL);
- AddPolicyForRenderer(desktop, policy);
+ AddPolicyForRenderer(policy, &on_sandbox_desktop);
 }
 if (!exposed_dir.empty()) {
@@ -418,8 +419,6 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
 if (!AddGenericPolicy(policy)) {
 NOTREACHED();
- if (desktop)
- CloseDesktop(desktop);
 return 0;
 }
@@ -429,14 +428,10 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
 policy, &target);
 policy->Release();
- if (desktop)
- CloseDesktop(desktop);
-
 if (sandbox::SBOX_ALL_OK != result)
 return 0;
 if (type == ChildProcessInfo::RENDER_PROCESS) {
- bool on_sandbox_desktop = (desktop != NULL);
 NotificationService::current()->Notify(
 NotificationType::RENDERER_PROCESS_IN_SBOX,
 NotificationService::AllSources(), |
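Review bot: When `policy->SetAlternateDesktop(use_winsta)` fails the renderer is still launched on the interactive desktop with `*on_sandbox_desktop = false`, and the only record is the `DLOG(WARNING)` on the else branch, which compiles out of release builds; a weakened sandbox should be observable in the build that ships, so `LOG(WARNING)` (or a counted metric) is the better choice here. `use_winsta` is also derived a second time from `CommandLine::ForCurrentProcess()` while browser_main.cc derives it from `parsed_command_line`; if those two ever disagree the desktop precreated at startup will not match what the renderer policy asks for, so a single helper such as `bool UseAlternateWinstation()` consulted by both would keep them aligned. The enclosing function starts in the previous hunk.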
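Review bot: The early `return 0;` after `NOTREACHED()` in the -418 hunk still drops `policy` without `policy->Release()`, and the plugin-failure `return 0;` in the -391 hunk does the same; the commit removed the `CloseDesktop` cleanup from these paths, but the policy object that the success path releases in the -429 hunk is not released on either of them. If CreatePolicy() hands out a reference-counted object this is a leak per failed launch — pre-existing, but now the only cleanup these paths still lack — and `policy->Release(); return 0;` on each, or a scoped releaser declared right after CreatePolicy(), would close it. StartProcessWithAccess starts and ends outside these hunks.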