Add a sandbox API for broker handle duplication

BUG=119250
Review URL: https://chromiumcodereview.appspot.com/9838083

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@129627 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 11 insertions, 36 deletions

diff --git a/content/plugin/plugin_channel.cc b/content/plugin/plugin_channel.cc
index 56bdf47..f6095b9 100644
--- a/content/plugin/plugin_channel.cc
+++ b/content/plugin/plugin_channel.cc
@@ -161,8 +161,7 @@ void PluginChannel::NotifyRenderersOfPendingShutdown() {
 }
 
 PluginChannel::PluginChannel()
-    : renderer_handle_(0),
-      renderer_id_(-1),
+    : renderer_id_(-1),
       in_send_(0),
       incognito_(false),
       filter_(new MessageFilter()) {
@@ -173,9 +172,6 @@ PluginChannel::PluginChannel()
 }
 
 PluginChannel::~PluginChannel() {
-  if (renderer_handle_)
-    base::CloseProcessHandle(renderer_handle_);
-
   MessageLoop::current()->PostDelayedTask(
       FROM_HERE,
       base::Bind(&PluginReleaseCallback),
@@ -292,18 +288,7 @@ base::WaitableEvent* PluginChannel::GetModalDialogEvent(
   return filter_->GetModalDialogEvent(containing_window);
 }
 
-void PluginChannel::OnChannelConnected(int32 peer_pid) {
-  base::ProcessHandle handle;
-  if (!base::OpenProcessHandle(peer_pid, &handle)) {
-    NOTREACHED();
-  }
-  renderer_handle_ = handle;
-  NPChannelBase::OnChannelConnected(peer_pid);
-}
-
 void PluginChannel::OnChannelError() {
-  base::CloseProcessHandle(renderer_handle_);
-  renderer_handle_ = 0;
   NPChannelBase::OnChannelError();
   CleanUp();
 }
diff --git a/content/plugin/plugin_channel.h b/content/plugin/plugin_channel.h
index 27acc4c..cb72391 100644
--- a/content/plugin/plugin_channel.h
+++ b/content/plugin/plugin_channel.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -36,7 +36,6 @@ class PluginChannel : public NPChannelBase {
   virtual bool Send(IPC::Message* msg) OVERRIDE;
   virtual bool OnMessageReceived(const IPC::Message& message) OVERRIDE;
 
-  base::ProcessHandle renderer_handle() const { return renderer_handle_; }
   int renderer_id() { return renderer_id_; }
 
   virtual int GenerateRouteID() OVERRIDE;
@@ -59,7 +58,6 @@ class PluginChannel : public NPChannelBase {
 
  protected:
   // IPC::Channel::Listener implementation:
-  virtual void OnChannelConnected(int32 peer_pid) OVERRIDE;
   virtual void OnChannelError() OVERRIDE;
 
   virtual void CleanUp() OVERRIDE;
@@ -88,9 +86,6 @@ class PluginChannel : public NPChannelBase {
 
   std::vector<scoped_refptr<WebPluginDelegateStub> > plugin_stubs_;
 
-  // Handle to the renderer process who is on the other side of the channel.
-  base::ProcessHandle renderer_handle_;
-
   // The id of the renderer who is on the other side of the channel.
   int renderer_id_;
 
diff --git a/content/plugin/webplugin_proxy.cc b/content/plugin/webplugin_proxy.cc
index 919f847..443c035 100644
--- a/content/plugin/webplugin_proxy.cc
+++ b/content/plugin/webplugin_proxy.cc
@@ -35,6 +35,10 @@
 #include "ui/base/x/x11_util_internal.h"
 #endif
 
+#if defined(OS_WIN)
+#include "content/common/sandbox_policy.h"
+#endif
+
 using WebKit::WebBindings;
 
 using webkit::npapi::WebPluginResourceClient;
@@ -129,10 +133,9 @@ void WebPluginProxy::WillDestroyWindow(gfx::PluginWindowHandle window) {
 #if defined(OS_WIN)
 void WebPluginProxy::SetWindowlessPumpEvent(HANDLE pump_messages_event) {
   HANDLE pump_messages_event_for_renderer = NULL;
-  DuplicateHandle(GetCurrentProcess(), pump_messages_event,
-                  channel_->renderer_handle(),
-                  &pump_messages_event_for_renderer,
-                  0, FALSE, DUPLICATE_SAME_ACCESS);
+  sandbox::BrokerDuplicateHandle(pump_messages_event, channel_->peer_pid(),
+                                 &pump_messages_event_for_renderer,
+                                 0, DUPLICATE_SAME_ACCESS);
   DCHECK(pump_messages_event_for_renderer != NULL);
   Send(new PluginHostMsg_SetWindowlessPumpEvent(
       route_id_, pump_messages_event_for_renderer));
@@ -470,25 +473,17 @@ void WebPluginProxy::CreateCanvasFromHandle(
     const TransportDIB::Handle& dib_handle,
     const gfx::Rect& window_rect,
     scoped_ptr<skia::PlatformCanvas>* canvas_out) {
-  // Create a canvas that will reference the shared bits. We have to handle
-  // errors here since we're mapping a large amount of memory that may not fit
-  // in our address space, or go wrong in some other way.
-  HANDLE section;
-  DuplicateHandle(channel_->renderer_handle(), dib_handle, GetCurrentProcess(),
-                  &section,
-                  STANDARD_RIGHTS_REQUIRED | FILE_MAP_READ | FILE_MAP_WRITE,
-                  FALSE, 0);
   scoped_ptr<skia::PlatformCanvas> canvas(new skia::PlatformCanvas);
   if (!canvas->initialize(
           window_rect.width(),
           window_rect.height(),
           true,
-          section)) {
+          dib_handle)) {
     canvas_out->reset();
   }
   canvas_out->reset(canvas.release());
   // The canvas does not own the section so we need to close it now.
-  CloseHandle(section);
+  CloseHandle(dib_handle);
 }
 
 void WebPluginProxy::SetWindowlessBuffers(