authorjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-03-31 02:12:33 +0000
committerjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-03-31 02:12:33 +0000
commit6a7da76aba9584bed52f91689fd59ac1807fb2d4 (patch)
tree525c6d1da7936adf18ecb2d8ea96b0dc02f5b070 /content/common
parent42693665321217849740a80166d559367b852c97 (diff)
Add a sandbox API for broker handle duplication
BUG=119250 Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=129627 Review URL: https://chromiumcodereview.appspot.com/9838083 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@130029 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/common')
-rw-r--r--content/common/sandbox_init_win.cc7
-rw-r--r--content/common/sandbox_policy.cc67
-rw-r--r--content/common/sandbox_policy.h14
3 files changed, 77 insertions, 11 deletions
diff --git a/content/common/sandbox_init_win.cc b/content/common/sandbox_init_win.cc
index 3a58ca2..a5d8baa 100644
--- a/content/common/sandbox_init_win.cc
+++ b/content/common/sandbox_init_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -25,7 +25,8 @@ bool InitializeSandbox(
// broken. This has to run before threads and windows are created.
sandbox::BrokerServices* broker_services = sandbox_info->broker_services;
if (broker_services) {
- sandbox::InitBrokerServices(broker_services);
+ if (!sandbox::InitBrokerServices(broker_services))
+ return false;
if (!command_line.HasSwitch(switches::kNoSandbox)) {
bool use_winsta = !command_line.HasSwitch(
switches::kDisableAltWinstation);
@@ -57,7 +58,7 @@ bool InitializeSandbox(
if (!target_services)
return true;
}
- return (sandbox::SBOX_ALL_OK == target_services->Init());
+ return sandbox::InitTargetServices(target_services);
}
} // namespace content
diff --git a/content/common/sandbox_policy.cc b/content/common/sandbox_policy.cc
index dc98fc0..01eeaef 100644
--- a/content/common/sandbox_policy.cc
+++ b/content/common/sandbox_policy.cc
@@ -15,6 +15,7 @@
#include "base/process_util.h"
#include "base/stringprintf.h"
#include "base/string_util.h"
+#include "base/win/scoped_handle.h"
#include "base/win/windows_version.h"
#include "content/common/debug_flags.h"
#include "content/public/common/content_client.h"
@@ -24,6 +25,7 @@
#include "ui/gfx/gl/gl_switches.h"
static sandbox::BrokerServices* g_broker_services = NULL;
+static sandbox::TargetServices* g_target_services = NULL;
namespace {
@@ -365,7 +367,17 @@ bool AddPolicyForGPU(CommandLine* cmd_line, sandbox::TargetPolicy* policy) {
return true;
}
-void AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
+bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
+ // Renderers need to copy sections for plugin DIBs.
+ sandbox::ResultCode result;
+ result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+ sandbox::TargetPolicy::HANDLES_DUP_ANY,
+ L"Section");
+ if (result != sandbox::SBOX_ALL_OK) {
+ NOTREACHED();
+ return false;
+ }
+
policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
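Review bot: The comment above the new AddRule call documents the use case ("copy sections for plugin DIBs") but not the scope of what is granted: as the enum name suggests, HANDLES_DUP_ANY appears to let the renderer ask the broker to duplicate any of its L"Section" handles into other processes, which is wider than a single DIB copy, and the type name is the only thing narrowing it. Suggest expanding the comment to `// Renderers need to copy sections for plugin DIBs. HANDLES_DUP_ANY lets the renderer duplicate Section handles into other processes via the broker; keep this rule scoped to the Section type only.` so a future edit widening the type list understands the grant. As a point of style, `result` is declared on one line and assigned on the next; `sandbox::ResultCode result = policy->AddRule(...)` initializes at first use, as InitBrokerServices in this same commit does. AddPolicyForRenderer's body continues outside the hunk.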
@@ -386,6 +398,8 @@ void AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
}
AddGenericDllEvictionPolicy(policy);
+
+ return true;
}
// The Pepper process as locked-down as a renderer execpt that it can
@@ -399,23 +413,63 @@ bool AddPolicyForPepperPlugin(sandbox::TargetPolicy* policy) {
NOTREACHED();
return false;
}
- AddPolicyForRenderer(policy);
- return true;
+ return AddPolicyForRenderer(policy);
}
} // namespace
namespace sandbox {
-void InitBrokerServices(sandbox::BrokerServices* broker_services) {
+bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
// TODO(abarth): DCHECK(CalledOnValidThread());
// See <http://b/1287166>.
DCHECK(broker_services);
DCHECK(!g_broker_services);
- broker_services->Init();
+ sandbox::ResultCode result = broker_services->Init();
g_broker_services = broker_services;
+ return SBOX_ALL_OK == result;
}
+bool InitTargetServices(sandbox::TargetServices* target_services) {
+ DCHECK(target_services);
+ DCHECK(!g_target_services);
+ sandbox::ResultCode result = target_services->Init();
+ g_target_services = target_services;
+ return SBOX_ALL_OK == result;
+}
+
+bool BrokerDuplicateHandle(HANDLE source_handle,
+ DWORD target_process_id,
+ HANDLE* target_handle,
+ DWORD desired_access,
+ DWORD options) {
+ // Just use DuplicateHandle() if we aren't in the sandbox.
+ if (!g_target_services) {
+ base::win::ScopedHandle target_process(::OpenProcess(PROCESS_DUP_HANDLE,
+ FALSE,
+ target_process_id));
+ if (!target_process.IsValid())
+ return false;
+
+ if (!::DuplicateHandle(::GetCurrentProcess(), source_handle,
+ target_process, target_handle,
+ desired_access, FALSE,
+ options)) {
+ return false;
+ }
+
+ return true;
+ }
+
+ ResultCode result = g_target_services->DuplicateHandle(source_handle,
+ target_process_id,
+ target_handle,
+ desired_access,
+ options);
+ return SBOX_ALL_OK == result;
+}
+
+
base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
const FilePath& exposed_dir) {
base::ProcessHandle process = 0;
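Review bot: Both InitBrokerServices and InitTargetServices store the pointer into the global even when Init() has failed, and the caller in sandbox_init_win.cc now returns false on that failure, so a later BrokerDuplicateHandle call would see a non-NULL g_target_services and dispatch to a TargetServices whose Init() did not succeed. Assign only on success, e.g. in InitTargetServices `if (SBOX_ALL_OK != result) return false;` then `g_target_services = target_services; return true;`, and the same shape for g_broker_services; this also keeps the DCHECK(!g_target_services) precondition meaningful for a retry. In BrokerDuplicateHandle the unsandboxed path's `if (!::DuplicateHandle(...)) { return false; } return true;` can be `return ::DuplicateHandle(...) != FALSE;`, which reads the same as the `SBOX_ALL_OK == result` form below it. The two consecutive blank lines before StartProcessWithAccess are a stray, and StartProcessWithAccess itself continues outside the hunk.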
@@ -524,7 +578,8 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
if (!AddPolicyForPepperPlugin(policy))
return 0;
} else {
- AddPolicyForRenderer(policy);
+ if (!AddPolicyForRenderer(policy))
+ return 0;
// TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
// Just have to figure out what needs to be warmed up first.
if (type == content::PROCESS_TYPE_RENDERER ||
diff --git a/content/common/sandbox_policy.h b/content/common/sandbox_policy.h
index 4d87717..34c374e 100644
--- a/content/common/sandbox_policy.h
+++ b/content/common/sandbox_policy.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -15,10 +15,20 @@ class FilePath;
namespace sandbox {
class BrokerServices;
+class TargetServices;
-CONTENT_EXPORT void InitBrokerServices(
+CONTENT_EXPORT bool InitBrokerServices(
sandbox::BrokerServices* broker_services);
+CONTENT_EXPORT bool InitTargetServices(
+ sandbox::TargetServices* target_services);
+
+CONTENT_EXPORT bool BrokerDuplicateHandle(HANDLE source_handle,
+ DWORD target_process_id,
+ HANDLE* target_handle,
+ DWORD desired_access,
+ DWORD options);
+
// Starts a sandboxed process with the given directory unsandboxed
// and returns a handle to it.
CONTENT_EXPORT base::ProcessHandle StartProcessWithAccess(