Use the new dll injection blocking api of the sandbox to block

the loading of dlls that cause renderer crashes.
- Remove the old FreeLibrary() method

Review URL: http://codereview.chromium.org/2458

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2441 0039d316-1c4b-4281-b951-d872f2087c98

4 files changed, 35 insertions, 32 deletions

diff --git a/chrome/app/chrome_dll_main.cc b/chrome/app/chrome_dll_main.cc
index 01d68c0..0f0b29f 100644
--- a/chrome/app/chrome_dll_main.cc
+++ b/chrome/app/chrome_dll_main.cc
@@ -86,27 +86,6 @@ void ChromeAssert(const std::string& str) {
 
 #pragma optimize("", on)
 
-
-// Try to unload DLLs that malfunction with the sandboxed processes.
-static void EvictTroublesomeDlls() {
-  const wchar_t* troublesome_dlls[] = {
-      L"smumhook.dll",  // spyware doctor version 5 and above.
-      NULL              // Must be null. Here you can add with the debugger.
-  };
-
-  for(int ix = 0; ix != arraysize(troublesome_dlls); ++ix) {
-    if (!troublesome_dlls[ix])
-      break;
-    HMODULE module = ::GetModuleHandleW(troublesome_dlls[ix]);
-    if (module) {
-      LOG(WARNING) << "dll to evict found: " << ix;
-      if (::FreeLibrary(module)) {
-        DCHECK(NULL == ::GetModuleHandleW(troublesome_dlls[ix]));
-      }
-    }
-  }
-}
-
 }  // namespace
 
 DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
@@ -184,8 +163,6 @@ DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
   std::wstring process_type =
     parsed_command_line.GetSwitchValue(switches::kProcessType);
 
-  bool do_dll_eviction = false;
-
   // Checks if the sandbox is enabled in this process and initializes it if this
   // is the case. The crash handler depends on this so it has to be done before
   // its initialization.
@@ -194,7 +171,6 @@ DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
         (process_type == switches::kPluginProcess &&
          parsed_command_line.HasSwitch(switches::kSafePlugins))) {
       target_services->Init();
-      do_dll_eviction = true;
     }
   }
 
@@ -235,11 +211,6 @@ DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
     ResourceBundle::InitSharedInstance(std::wstring());
   }
 
-  // Eviction of injected DLLs is done early enough that it is likely
-  // to only cover DLLs injected by means of appInit_dlls registry key.
-  if (do_dll_eviction)
-      EvictTroublesomeDlls();
-
   startup_timer.Stop();  // End of Startup Time Measurement.
 
   int rv;
diff --git a/chrome/browser/render_process_host.cc b/chrome/browser/render_process_host.cc
index dfa5755..34eba76 100644
--- a/chrome/browser/render_process_host.cc
+++ b/chrome/browser/render_process_host.cc
@@ -371,6 +371,11 @@ bool RenderProcessHost::Init() {
           return false;
         }
 
+        if (!AddDllEvictionPolicy(policy)) {
+          NOTREACHED();
+          return false;          
+        }
+
         result = broker_service->SpawnTarget(renderer_path.c_str(),
                                              cmd_line.c_str(),
                                              policy, &target);
diff --git a/chrome/browser/sandbox_policy.cc b/chrome/browser/sandbox_policy.cc
index 1782823..0969bd3 100644
--- a/chrome/browser/sandbox_policy.cc
+++ b/chrome/browser/sandbox_policy.cc
@@ -92,6 +92,30 @@ bool AddKeyAndSubkeys(std::wstring key,
   return true;
 }
 
+// Eviction of injected DLLs is done by the sandbox. An interception on a
+// system call is added such that the blacklisted dll, don't fully load so
+// the injected module does not get a chance to execute any code.
+bool AddDllEvictionPolicy(sandbox::TargetPolicy* policy) {
+  // List of dlls to unmap.
+  const wchar_t* troublesome_dlls[] = {
+      L"smumhook.dll",  // Spyware Doctor version 5 and above.
+      L"GoogleDesktopNetwork3.DLL",  // Google Desktop Search v5.
+      L"npggNT.des",   // GameGuard version 2008. It is a packed dll.
+  };
+
+  for(int ix = 0; ix != arraysize(troublesome_dlls); ++ix) {
+    // To minimize the list we only add an unload policy if the dll is also
+    // loaded in this process. All the injected dlls of interest do this.
+    if (::GetModuleHandleW(troublesome_dlls[ix])) {
+      LOG(WARNING) << "dll to unload found: " << troublesome_dlls[ix];
+      if (sandbox::SBOX_ALL_OK != policy->AddDllToUnload(troublesome_dlls[ix]))
+        return false;
+    }
+  }
+
+  return true;
+}
+
 bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
   sandbox::ResultCode result;
 
diff --git a/chrome/browser/sandbox_policy.h b/chrome/browser/sandbox_policy.h
index 1a1a794..b32e5d8 100644
--- a/chrome/browser/sandbox_policy.h
+++ b/chrome/browser/sandbox_policy.h
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef CHROME_BROWSER_SANDBOX_POLICY_H__
-#define CHROME_BROWSER_SANDBOX_POLICY_H__
+#ifndef CHROME_BROWSER_SANDBOX_POLICY_H_
+#define CHROME_BROWSER_SANDBOX_POLICY_H_
 
 #include <string>
 #include "sandbox/src/sandbox.h"
@@ -12,6 +12,9 @@
 // Adds the generic policy rules to a sandbox TargetPolicy.
 bool AddGenericPolicy(sandbox::TargetPolicy* policy);
 
+// Adds policy rules for unloaded the known dlls that cause chrome to crash.
+bool AddDllEvictionPolicy(sandbox::TargetPolicy* policy);
+
 // Adds the custom policy rules for a given plugin. If dll is activex-shim,
 // then clsid is the clsid of ActiveX control. Otherwise clsid is ignored.
 // |trusted_plugins| contains the comma separate list of plugins that should
@@ -41,5 +44,5 @@ bool ApplyPolicyForTrustedPlugin(sandbox::TargetPolicy* policy);
 // is disabled.
 bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy);
 
-#endif  // CHROME_BROWSER_SANDBOX_POLICY_H__
+#endif  // CHROME_BROWSER_SANDBOX_POLICY_H_