author | cpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-09-21 04:46:46 +0000 |
---|---|---|
committer | cpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-09-21 04:46:46 +0000 |
commit | afddb3f46fb49bcc95112da3643a75d283b691ff (patch) | |
tree | 701093e020dab4540d0df2ccb6822e8468f3d529 /chrome/common | |
parent | 57881299e7bb8cadd34f5bb5e90157a62ec8f5aa (diff) | |
Sandbox built-in flash player. Spawn broker
- It is now chrome's duty to spawn the flash broker; flash cannot do it by itself on XP.
The flash broker is hosted in rundll32.exe. An extra switch is added to the command line
of the plug-in process so flash player can contact its broker.
BUG=50796
TEST=see bug for testing info
Review URL: http://codereview.chromium.org/3432014
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@60018 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/common')
-rw-r--r-- | chrome/common/sandbox_policy.cc | 54 |
1 files changed, 44 insertions, 10 deletions
diff --git a/chrome/common/sandbox_policy.cc b/chrome/common/sandbox_policy.cc
index dd9996c..7398734 100644
--- a/chrome/common/sandbox_policy.cc
+++ b/chrome/common/sandbox_policy.cc
@@ -13,6 +13,8 @@
 #include "base/logging.h"
 #include "base/path_service.h"
 #include "base/process_util.h"
+#include "base/stringprintf.h"
+#include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "base/trace_event.h"
 #include "base/win_util.h"
@@ -300,6 +302,37 @@ bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy) { return true; } +// Launches the privileged flash broker, used when flash is sandboxed. +// The broker is the same flash dll, except that it uses a different +// entrypoint (BrokerMain) and it is hosted in windows' generic surrogate +// process rundll32. After launching the broker we need to pass to +// the flash plugin the process id of the broker via the command line +// using --flash-broker=pid. +// More info about rundll32 at http://support.microsoft.com/kb/164787. +bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) { + FilePath rundll; + if (!PathService::Get(base::DIR_SYSTEM, &rundll)) + return false; + rundll = rundll.AppendASCII("rundll32.exe"); + // Rundll32 cannot handle paths with spaces, so we use the short path. + wchar_t short_path[MAX_PATH]; + if (0 == ::GetShortPathNameW(plugin_path.value().c_str(), + short_path, arraysize(short_path))) + return false; + std::wstring cmd_final = + base::StringPrintf(L"%ls %ls,BrokerMain browser=chrome", + rundll.value().c_str(), + short_path); + base::ProcessHandle process; + if (!base::LaunchApp(cmd_final, false, true, &process)) + return false; + + cmd_line->AppendSwitchASCII("flash-broker", + base::Int64ToString(::GetProcessId(process))); + ::CloseHandle(process); + return true; +} + // Creates a sandbox for the built-in flash plugin running in a restricted // environment. This is a work in progress and for the time being do not // pay attention to the duplication between this function and the above 
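Review bot: In LoadFlashBroker the result of ::GetShortPathNameW is only tested against zero, but when short_path is too small the API returns the required length instead of failing, and the uninitialized short_path is then formatted into the rundll32 command line that a privileged process is launched from; check the length against the buffer too, `DWORD len = ::GetShortPathNameW(plugin_path.value().c_str(), short_path, arraysize(short_path));` `if (len == 0 || len >= arraysize(short_path))` `return false;`. Closing the broker's handle right after reading its id also means nothing in the browser keeps the broker alive or learns when it exits, so the pid passed via --flash-broker is presumably only as trustworthy as the absence of pid reuse between this call and the plugin connecting; if that is accepted, a comment saying so next to `::CloseHandle(process);` would help, otherwise the handle should be kept for the plugin's lifetime. The command string is built with StringPrintf rather than quoted arguments, which is fine only because the short path cannot contain spaces; the existing comment should say that this is what the short path is relied on for.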
@@ -309,8 +342,10 @@ bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; + if (win_util::GetWinVersion() > win_util::WINVERSION_XP) initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; + policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); @@ -325,20 +360,12 @@ bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { sandbox::TargetPolicy::REG_ALLOW_ANY, policy)) return false; - - // Use a different data folder for flash data. This needs to be - // reverted once we stop the experiments. - FilePath flash_path; - PathService::Get(chrome::DIR_USER_DATA, &flash_path); - flash_path = flash_path.AppendASCII("swflash"); - ::SetEnvironmentVariableW(L"CHROME_FLASH_ROOT", - flash_path.ToWStringHack().c_str()); return true; } // Adds the custom policy rules for a given plugin. |trusted_plugins| contains // the comma separate list of plugin dll names that should not be sandboxed. -bool AddPolicyForPlugin(const CommandLine* cmd_line, +bool AddPolicyForPlugin(CommandLine* cmd_line, sandbox::TargetPolicy* policy) { std::wstring plugin_dll = cmd_line-> GetSwitchValueNative(switches::kPluginPath); @@ -358,8 +385,15 @@ bool AddPolicyForPlugin(const CommandLine* cmd_line, FilePath builtin_flash; if (PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) { FilePath plugin_path(plugin_dll); - if (plugin_path == builtin_flash) + if (plugin_path == builtin_flash) { + // Spawn the flash broker and apply sandbox policy. + if (!LoadFlashBroker(plugin_path, cmd_line)) { + // Could not start the broker, use a very weak policy instead. + DLOG(WARNING) << "Failed to start flash broker"; + return ApplyPolicyForTrustedPlugin(policy); + } return ApplyPolicyForBuiltInFlashPlugin(policy); + } } PluginPolicyCategory policy_category = |
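Review bot: In the last hunk (@@ -358) a failure to start the broker silently falls back from the restricted built-in flash policy to ApplyPolicyForTrustedPlugin, and the only record of that downgrade is a DLOG that is compiled out of release builds; since this path weakens the sandbox instead of refusing the launch, it should at least be `LOG(WARNING) << "Failed to start flash broker";` so the weaker policy is visible in the field, with a comment stating why degrading is preferred over failing. When LoadFlashBroker succeeds but ApplyPolicyForBuiltInFlashPlugin then returns false, the broker process has already been spawned and its handle closed, so it is left running with no owner; consider applying the policy first and spawning the broker only when that succeeds, or terminating it on that path. In the @@ -325 hunk the const is dropped from the cmd_line parameter of AddPolicyForPlugin because the function now appends a switch; the comment above it still only describes trusted_plugins and should mention that the function mutates the plugin command line. AddPolicyForPlugin continues outside the hunk.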