-rw-r--r-- | chrome/browser/plugin_process_host.cc | 64 | ||||
-rw-r--r-- | chrome/browser/renderer_host/browser_render_process_host.cc | 129 | ||||
-rw-r--r-- | chrome/browser/renderer_host/browser_render_process_host.h | 5 | ||||
-rw-r--r-- | chrome/browser/sandbox_policy.cc | 182 | ||||
-rw-r--r-- | chrome/browser/sandbox_policy.h | 41 | ||||
-rw-r--r-- | chrome/browser/worker_host/worker_process_host.cc | 18 | ||||
-rw-r--r-- | chrome/common/debug_flags.h | 5 | ||||
-rw-r--r-- | chrome/common/sandbox_init_wrapper.cc | 1 | ||||
-rw-r--r-- | chrome/worker/worker_main.cc | 15 |
9 files changed, 216 insertions, 244 deletions
diff --git a/chrome/browser/plugin_process_host.cc b/chrome/browser/plugin_process_host.cc index 1e8d87b..7168e36 100644 --- a/chrome/browser/plugin_process_host.cc +++ b/chrome/browser/plugin_process_host.cc @@ -13,7 +13,6 @@ #include <vector> #include "base/command_line.h" -#include "base/debug_util.h" #include "base/file_path.h" #include "base/file_util.h" #include "base/file_version_info.h" @@ -33,7 +32,6 @@ #include "chrome/common/chrome_paths.h" #include "chrome/common/chrome_plugin_lib.h" #include "chrome/common/chrome_switches.h" -#include "chrome/common/debug_flags.h" #include "chrome/common/logging_chrome.h" #include "chrome/common/render_messages.h" #include "net/base/cookie_monster.h" @@ -374,7 +372,7 @@ PluginProcessHost::PluginProcessHost() PluginProcessHost::~PluginProcessHost() { // Cancel all requests for plugin process. PluginService::GetInstance()->resource_dispatcher_host()-> - CancelRequestsForProcess(pid()); + CancelRequestsForProcess(GetProcessId()); #if defined(OS_WIN) // We erase HWNDs from the plugin_parent_windows_set_ when we receive a 
@@ -472,61 +470,17 @@ bool PluginProcessHost::Init(const WebPluginInfo& info, cmd_line.AppendSwitchWithValue(switches::kPluginPath, info.path.ToWStringHack()); - bool in_sandbox = !browser_command_line.HasSwitch(switches::kNoSandbox) && - browser_command_line.HasSwitch(switches::kSafePlugins); - - if (in_sandbox) { + base::ProcessHandle process = 0; #if defined(OS_WIN) - bool child_needs_help = DebugFlags::ProcessDebugFlags(&cmd_line, type(), - in_sandbox); - // spawn the child process in the sandbox - sandbox::BrokerServices* broker_service = - g_browser_process->broker_services(); - - sandbox::ResultCode result; - PROCESS_INFORMATION target = {0}; - sandbox::TargetPolicy* policy = broker_service->CreatePolicy(); - - std::wstring trusted_plugins = - browser_command_line.GetSwitchValue(switches::kTrustedPlugins); - if (!AddPolicyForPlugin(info.path, activex_clsid, trusted_plugins, - policy)) { - NOTREACHED(); - return false; - } - - if (!AddGenericPolicy(policy)) { - NOTREACHED(); - return false; - } - - result = - broker_service->SpawnTarget(exe_path.c_str(), - cmd_line.command_line_string().c_str(), - policy, &target); - policy->Release(); - if (sandbox::SBOX_ALL_OK != result) - return false; - - ResumeThread(target.hThread); - CloseHandle(target.hThread); - SetHandle(target.hProcess); - - // Help the process a little. It can't start the debugger by itself if - // the process is in a sandbox. - if (child_needs_help) - DebugUtil::SpawnDebuggerOnProcess(target.dwProcessId); + process = sandbox::StartProcess(&cmd_line); #else - // TODO(port): Implement sandboxing. 
- NOTIMPLEMENTED() << "no support for sandboxing."; + // spawn child process + base::LaunchApp(cmd_line, false, false, &process); #endif - } else { - // spawn child process - base::ProcessHandle handle; - if (!base::LaunchApp(cmd_line, false, false, &handle)) - return false; - SetHandle(handle); - } + + if (!process) + return false; + SetHandle(process); FilePath gears_path; if (PathService::Get(chrome::FILE_GEARS_PLUGIN, &gears_path)) { diff --git a/chrome/browser/renderer_host/browser_render_process_host.cc b/chrome/browser/renderer_host/browser_render_process_host.cc index 8155b4e..810ec1d 100644 --- a/chrome/browser/renderer_host/browser_render_process_host.cc +++ b/chrome/browser/renderer_host/browser_render_process_host.cc @@ -12,7 +12,6 @@ #include <algorithm> #include "base/command_line.h" -#include "base/debug_util.h" #include "base/linked_ptr.h" #include "base/logging.h" #include "base/path_service.h" @@ -35,7 +34,6 @@ #include "chrome/browser/visitedlink_master.h" #include "chrome/common/chrome_switches.h" #include "chrome/common/child_process_info.h" -#include "chrome/common/debug_flags.h" #include "chrome/common/logging_chrome.h" #include "chrome/common/notification_service.h" #include "chrome/common/pref_names.h" @@ -119,8 +117,6 @@ bool GetRendererPath(std::wstring* cmd_line) { return PathService::Get(base::FILE_EXE, cmd_line); } -const wchar_t* const kDesktopName = L"ChromeRendererDesktop"; - BrowserRenderProcessHost::BrowserRenderProcessHost(Profile* profile) : RenderProcessHost(profile), visible_widgets_(0), 
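Review bot: In the POSIX branch of PluginProcessHost::Init the bool returned by `base::LaunchApp(cmd_line, false, false, &process)` is discarded, so a failed launch is only detected if LaunchApp leaves `process` at its initial 0, which nothing visible here guarantees; the removed code tested that return. Keep the explicit check, `if (!base::LaunchApp(cmd_line, false, false, &process)) return false;`, so the `SetHandle(process)` that follows can never receive a stale or partially written handle. On Windows the sandbox decision now lives in sandbox::StartProcess, which derives it from the child's --type switch, so the --safe-plugins gating is preserved only as long as that function keeps it. Init's body continues past the end of the hunk.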
@@ -281,21 +277,7 @@ bool BrowserRenderProcessHost::Init() { const std::wstring locale = g_browser_process->GetApplicationLocale(); cmd_line.AppendSwitchWithValue(switches::kLang, locale); -#if defined(OS_WIN) - bool in_sandbox = !browser_command_line.HasSwitch(switches::kNoSandbox); -#if !defined (GOOGLE_CHROME_BUILD) - if (browser_command_line.HasSwitch(switches::kInProcessPlugins)) { - // In process plugins won't work if the sandbox is enabled. - in_sandbox = false; - } -#endif - - bool child_needs_help = - DebugFlags::ProcessDebugFlags(&cmd_line, - ChildProcessInfo::RENDER_PROCESS, - in_sandbox); -// OS_WIN ends here -#elif defined(OS_POSIX) +#if defined(OS_POSIX) if (browser_command_line.HasSwitch(switches::kRendererCmdPrefix)) { // launch the renderer child with some prefix (usually "gdb --args") const std::wstring prefix = 
@@ -333,85 +315,22 @@ bool BrowserRenderProcessHost::Init() { options.message_loop_type = MessageLoop::TYPE_IO; in_process_renderer_->StartWithOptions(options); } else { + base::ProcessHandle process = 0; #if defined(OS_WIN) - if (in_sandbox) { - // spawn the child process in the sandbox - sandbox::BrokerServices* broker_service = - g_browser_process->broker_services(); - - sandbox::ResultCode result; - PROCESS_INFORMATION target = {0}; - sandbox::TargetPolicy* policy = broker_service->CreatePolicy(); - policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0); - - sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; - if (win_util::GetWinVersion() > win_util::WINVERSION_XP) { - // On 2003/Vista the initial token has to be restricted if the main - // token is restricted. - initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; - } - - policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN); - policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); - - HDESK desktop = CreateDesktop(kDesktopName, NULL, NULL, 0, - DESKTOP_CREATEWINDOW, NULL); - if (desktop) { - policy->SetDesktop(kDesktopName); - } else { - DLOG(WARNING) << "Failed to apply desktop security to the renderer"; - } - - if (!AddGenericPolicy(policy)) { - NOTREACHED(); - channel_.reset(); - return false; - } - - if (!AddDllEvictionPolicy(policy)) { - NOTREACHED(); - channel_.reset(); - return false; - } - - result = - broker_service->SpawnTarget(renderer_path.c_str(), - cmd_line.command_line_string().c_str(), - policy, &target); - policy->Release(); - - if (desktop) - CloseDesktop(desktop); - - if (sandbox::SBOX_ALL_OK != result) { - channel_.reset(); - return false; - } - - bool on_sandbox_desktop = (desktop != NULL); - NotificationService::current()->Notify( - NotificationType::RENDERER_PROCESS_IN_SBOX, - Source<BrowserRenderProcessHost>(this), - Details<bool>(&on_sandbox_desktop)); - - ResumeThread(target.hThread); - CloseHandle(target.hThread); - process_.set_handle(target.hProcess); - - // 
Help the process a little. It can't start the debugger by itself if - // the process is in a sandbox. - if (child_needs_help) - DebugUtil::SpawnDebuggerOnProcess(target.dwProcessId); - } else -#endif // OS_WIN and sandbox - { - // spawn child process - base::ProcessHandle process = 0; - if (!SpawnChild(cmd_line, channel_.get(), &process)) - return false; - process_.set_handle(process); + process = sandbox::StartProcess(&cmd_line); +#else + base::file_handle_mapping_vector fds_to_map; + int src_fd = -1, dest_fd = -1; + channel_->GetClientFileDescriptorMapping(&src_fd, &dest_fd); + if (src_fd > -1) + fds_to_map.push_back(std::pair<int, int>(src_fd, dest_fd)); + base::LaunchApp(cmd_line.argv(), fds_to_map, false, &process); +#endif + if (!process) { + channel_.reset(); + return false; } - + process_.set_handle(process); SetProcessID(process_.pid()); } @@ -431,24 +350,6 @@ bool BrowserRenderProcessHost::Init() { return true; } -#if defined(OS_WIN) -bool BrowserRenderProcessHost::SpawnChild(const CommandLine& command_line, - IPC::SyncChannel* channel, base::ProcessHandle* process_handle) { - return base::LaunchApp(command_line, false, false, process_handle); -} -#elif defined(OS_POSIX) -bool BrowserRenderProcessHost::SpawnChild(const CommandLine& command_line, - IPC::SyncChannel* channel, base::ProcessHandle* process_handle) { - base::file_handle_mapping_vector fds_to_map; - int src_fd = -1, dest_fd = -1; - channel->GetClientFileDescriptorMapping(&src_fd, &dest_fd); - if (src_fd > -1) - fds_to_map.push_back(std::pair<int, int>(src_fd, dest_fd)); - return base::LaunchApp(command_line.argv(), fds_to_map, false, - process_handle); -} -#endif - int BrowserRenderProcessHost::GetNextRoutingID() { return widget_helper_->GetNextRoutingID(); } diff --git a/chrome/browser/renderer_host/browser_render_process_host.h b/chrome/browser/renderer_host/browser_render_process_host.h index 7e149ce..3cc05a8 100644 --- a/chrome/browser/renderer_host/browser_render_process_host.h 
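Review bot: The new POSIX launch in BrowserRenderProcessHost::Init ignores the bool returned by `base::LaunchApp(cmd_line.argv(), fds_to_map, false, &process)` and relies on `process` staying 0 on failure; the deleted SpawnChild returned that bool and Init acted on it. Test the return as well, e.g. `if (!base::LaunchApp(cmd_line.argv(), fds_to_map, false, &process)) process = 0;` ahead of the existing `if (!process)` block, so the channel is reset on every launch failure. Note also that RENDERER_PROCESS_IN_SBOX used to be sent from here with `Source<BrowserRenderProcessHost>(this)` and now comes from sandbox::StartProcess with AllSources, so an observer registered against a specific host source will presumably stop receiving it. Init's body continues past the hunk.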
+++ b/chrome/browser/renderer_host/browser_render_process_host.h @@ -109,11 +109,6 @@ class BrowserRenderProcessHost : public RenderProcessHost, // set of scripts and listen for updates to scripts. void InitUserScripts(); - // Handles actually spawning the renderer process with the appropriate options - // for each platform. - bool SpawnChild(const CommandLine& command_line, - IPC::SyncChannel* channel, base::ProcessHandle* process_handle); - // Sends the renderer process a new set of user scripts. void SendUserScriptsUpdate(base::SharedMemory* shared_memory); diff --git a/chrome/browser/sandbox_policy.cc b/chrome/browser/sandbox_policy.cc index d491aff..24d3c2e 100644 --- a/chrome/browser/sandbox_policy.cc +++ b/chrome/browser/sandbox_policy.cc @@ -4,20 +4,31 @@ #include "chrome/browser/sandbox_policy.h" +#include "base/command_line.h" +#include "base/debug_util.h" #include "base/file_util.h" #include "base/logging.h" #include "base/path_service.h" +#include "base/process_util.h" #include "base/registry.h" #include "base/string_util.h" #include "base/win_util.h" +#include "chrome/browser/browser_process.h" +#include "chrome/common/child_process_info.h" #include "chrome/common/chrome_constants.h" #include "chrome/common/chrome_paths.h" +#include "chrome/common/chrome_switches.h" +#include "chrome/common/debug_flags.h" #include "chrome/common/ipc_logging.h" +#include "chrome/common/notification_service.h" #include "chrome/common/win_util.h" +#include "sandbox/src/sandbox.h" #include "webkit/glue/plugins/plugin_list.h" namespace { +const wchar_t* const kDesktopName = L"ChromeRendererDesktop"; + // The DLLs listed here are known (or under strong suspicion) of causing crashes // when they are loaded in the renderer. const wchar_t* const kTroublesomeDlls[] = { 
@@ -67,16 +78,18 @@ const wchar_t* const kTroublesomeDlls[] = { L"winstylerthemehelper.dll" // Tuneup utilities 2006. }; -} // namespace +enum PluginPolicyCategory { + PLUGIN_GROUP_TRUSTED, + PLUGIN_GROUP_UNTRUSTED, +}; +// Returns the policy category for the plugin dll. PluginPolicyCategory GetPolicyCategoryForPlugin( - const FilePath& dll, - const std::wstring& clsid, + const std::wstring& dll, const std::wstring& list) { - std::wstring filename = dll.BaseName().value(); + std::wstring filename = FilePath(dll).BaseName().value(); std::wstring plugin_dll = StringToLowerASCII(filename); std::wstring trusted_plugins = StringToLowerASCII(list); - std::wstring activex_clsid = StringToLowerASCII(clsid); size_t pos = 0; size_t end_item = 0; @@ -86,10 +99,8 @@ PluginPolicyCategory GetPolicyCategoryForPlugin( size_t size_item = (end_item == std::wstring::npos) ? end_item : end_item - pos; std::wstring item = list.substr(pos, size_item); - if (!item.empty()) { - if (item == activex_clsid || item == plugin_dll) - return PLUGIN_GROUP_TRUSTED; - } + if (!item.empty() && item == plugin_dll) + return PLUGIN_GROUP_TRUSTED; pos = end_item + 1; } 
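Review bot: In the rewritten comparison `if (!item.empty() && item == plugin_dll)` the right-hand side is the lower-cased dll basename while `item` is cut from `list`, the caller's original string, so a --trusted-plugins entry containing an upper-case letter can never match and the lower-cased `trusted_plugins` copy computed just above is not what gets compared (the loop header is outside the hunk; confirm it does not normalise `item` elsewhere). Taking the substring from the normalised copy, `std::wstring item = trusted_plugins.substr(pos, size_item);`, fixes that. The failure mode is fail-closed, since a non-match keeps the plugin in the untrusted policy, but it makes the switch silently ineffective for such names. GetPolicyCategoryForPlugin's signature and loop header start before this hunk.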
@@ -145,22 +156,21 @@ bool AddKeyAndSubkeys(std::wstring key, return true; } +// Adds policy rules for unloaded the known dlls that cause chrome to crash. // Eviction of injected DLLs is done by the sandbox so that the injected module // does not get a chance to execute any code. -bool AddDllEvictionPolicy(sandbox::TargetPolicy* policy) { +void AddDllEvictionPolicy(sandbox::TargetPolicy* policy) { for (int ix = 0; ix != arraysize(kTroublesomeDlls); ++ix) { // To minimize the list we only add an unload policy if the dll is also // loaded in this process. All the injected dlls of interest do this. if (::GetModuleHandleW(kTroublesomeDlls[ix])) { LOG(WARNING) << "dll to unload found: " << kTroublesomeDlls[ix]; - if (sandbox::SBOX_ALL_OK != policy->AddDllToUnload(kTroublesomeDlls[ix])) - return false; + policy->AddDllToUnload(kTroublesomeDlls[ix]); } } - - return true; } +// Adds the generic policy rules to a sandbox TargetPolicy. bool AddGenericPolicy(sandbox::TargetPolicy* policy) { sandbox::ResultCode result; @@ -204,12 +214,16 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) { return true; } +// Creates a sandbox without any restriction. bool ApplyPolicyForTrustedPlugin(sandbox::TargetPolicy* policy) { policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); return true; } +// Creates a sandbox with the plugin running in a restricted environment. +// Only the "Users" and "Everyone" groups are enabled in the token. The User SID +// is disabled. bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy) { policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); 
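Review bot: `AddDllEvictionPolicy` now discards the `sandbox::ResultCode` from `policy->AddDllToUnload(kTroublesomeDlls[ix])`; the deleted version returned false and the caller refused to launch, whereas now a rule that fails to install leaves a DLL this file lists as a known crasher loadable in the sandboxed child with no trace. Keep at least a diagnostic on the new side, `if (policy->AddDllToUnload(kTroublesomeDlls[ix]) != sandbox::SBOX_ALL_OK) NOTREACHED();` (or a LOG(ERROR)), so a silent downgrade of the policy is visible. The header comment added here, `// Adds policy rules for unloaded the known dlls that cause chrome to crash.`, should read `// Adds policy rules to unload the known dlls that cause chrome to crash.`.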
@@ -266,22 +280,28 @@ bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy) { return true; } -bool AddPolicyForPlugin(const FilePath &plugin_dll, - const std::string &activex_clsid, - const std::wstring &trusted_plugins, +// Adds the custom policy rules for a given plugin. |trusted_plugins| contains +// the comma separate list of plugins that should not be sandboxed. The plugin +// in the list can be either the plugin dll name of the class id if it's an +// ActiveX. +bool AddPolicyForPlugin(const CommandLine* cmd_line, sandbox::TargetPolicy* policy) { + std::wstring plugin_dll = cmd_line-> + GetSwitchValue(switches::kPluginPath); + std::wstring trusted_plugins = CommandLine::ForCurrentProcess()-> + GetSwitchValue(switches::kTrustedPlugins); // Add the policy for the pipes. sandbox::ResultCode result = sandbox::SBOX_ALL_OK; result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, L"\\\\.\\pipe\\chrome.*"); - if (result != sandbox::SBOX_ALL_OK) + if (result != sandbox::SBOX_ALL_OK) { + NOTREACHED(); return false; - - std::wstring clsid = UTF8ToWide(activex_clsid); + } PluginPolicyCategory policy_category = - GetPolicyCategoryForPlugin(plugin_dll, clsid, trusted_plugins); + GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins); switch (policy_category) { case PLUGIN_GROUP_TRUSTED: 
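Review bot: The comment added above `AddPolicyForPlugin` still says a trusted-plugins entry can be `the class id if it's an ActiveX`, but this commit removes the clsid argument and GetPolicyCategoryForPlugin now compares only the dll basename, so a clsid entry silently does nothing. Because a match in that list yields an unrestricted token, the comment should state exactly what matches: `// |trusted_plugins| is the comma-separated list of plugin dll file names (matched by basename only, regardless of path) that run with an unrestricted token instead of the sandbox.` The phrase `comma separate list` is also a typo for `comma-separated list`. The function's body continues past the hunk.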
@@ -295,3 +315,123 @@ bool AddPolicyForPlugin(const FilePath &plugin_dll, return false; } + +void AddPolicyForRenderer(HDESK desktop, sandbox::TargetPolicy* policy) { + policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0); + + sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; + if (win_util::GetWinVersion() > win_util::WINVERSION_XP) { + // On 2003/Vista the initial token has to be restricted if the main + // token is restricted. + initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; + } + + policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN); + policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); + + if (desktop) { + policy->SetDesktop(kDesktopName); + } else { + DLOG(WARNING) << "Failed to apply desktop security to the renderer"; + } + + AddDllEvictionPolicy(policy); +} + +} // namespace + +namespace sandbox { + +base::ProcessHandle StartProcess(CommandLine* cmd_line) { + base::ProcessHandle process = 0; + const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess(); + ChildProcessInfo::ProcessType type; + std::wstring type_str = cmd_line->GetSwitchValue(switches::kProcessType); + if (type_str == switches::kRendererProcess) { + type = ChildProcessInfo::RENDER_PROCESS; + } else if (type_str == switches::kPluginProcess) { + type = ChildProcessInfo::PLUGIN_PROCESS; + } else if (type_str == switches::kWorkerProcess) { + type = ChildProcessInfo::WORKER_PROCESS; + } else { + NOTREACHED(); + return 0; + } + + bool in_sandbox = + !browser_command_line.HasSwitch(switches::kNoSandbox) && + (type != ChildProcessInfo::PLUGIN_PROCESS || + browser_command_line.HasSwitch(switches::kSafePlugins)); +#if !defined (GOOGLE_CHROME_BUILD) + if (browser_command_line.HasSwitch(switches::kInProcessPlugins)) { + // In process plugins won't work if the sandbox is enabled. 
+ in_sandbox = false; + } +#endif + + bool child_needs_help = + DebugFlags::ProcessDebugFlags(cmd_line, type, in_sandbox); + + if (!in_sandbox) { + base::LaunchApp(*cmd_line, false, false, &process); + return process; + } + + // spawn the child process in the sandbox + sandbox::BrokerServices* broker_service = + g_browser_process->broker_services(); + + sandbox::ResultCode result; + PROCESS_INFORMATION target = {0}; + sandbox::TargetPolicy* policy = broker_service->CreatePolicy(); + + HDESK desktop = NULL; + if (type == ChildProcessInfo::PLUGIN_PROCESS) { + if (!AddPolicyForPlugin(cmd_line, policy)) + return 0; + } else { + desktop = CreateDesktop( + kDesktopName, NULL, NULL, 0, DESKTOP_CREATEWINDOW, NULL); + AddPolicyForRenderer(desktop, policy); + } + + if (!AddGenericPolicy(policy)) { + NOTREACHED(); + if (desktop) + CloseDesktop(desktop); + return 0; + } + + result = broker_service->SpawnTarget( + cmd_line->program().c_str(), + cmd_line->command_line_string().c_str(), + policy, &target); + policy->Release(); + + if (desktop) + CloseDesktop(desktop); + + if (sandbox::SBOX_ALL_OK != result) + return 0; + + if (type == ChildProcessInfo::RENDER_PROCESS) { + bool on_sandbox_desktop = (desktop != NULL); + NotificationService::current()->Notify( + NotificationType::RENDERER_PROCESS_IN_SBOX, + NotificationService::AllSources(), + Details<bool>(&on_sandbox_desktop)); + } + + ResumeThread(target.hThread); + CloseHandle(target.hThread); + process = target.hProcess; + + // Help the process a little. It can't start the debugger by itself if + // the process is in a sandbox. + if (child_needs_help) + DebugUtil::SpawnDebuggerOnProcess(target.dwProcessId); + + return process; +} + +} // namespace sandbox diff --git a/chrome/browser/sandbox_policy.h b/chrome/browser/sandbox_policy.h index 18f58a8..cc9b538 100644 --- a/chrome/browser/sandbox_policy.h +++ b/chrome/browser/sandbox_policy.h 
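Review bot: `StartProcess` leaks the TargetPolicy on both early exits: `if (!AddPolicyForPlugin(cmd_line, policy)) return 0;` and the `!AddGenericPolicy(policy)` branch return without the `policy->Release()` that the success path performs. Add `policy->Release();` before each `return 0;` (the second branch already closes the desktop, so the release goes alongside it). Separately, RENDERER_PROCESS_IN_SBOX is now posted with `NotificationService::AllSources()` instead of the originating BrowserRenderProcessHost, so a listener that filtered on a specific source will presumably no longer fire. In non-Google builds `--in-process-plugins` now disables the sandbox for plugin and worker children too, where before it only affected the renderer; if that widening is intended it deserves a comment, otherwise the check should be gated on `type == ChildProcessInfo::RENDER_PROCESS`.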
@@ -5,44 +5,15 @@ #ifndef CHROME_BROWSER_SANDBOX_POLICY_H_ #define CHROME_BROWSER_SANDBOX_POLICY_H_ -#include <string> +#include "base/process.h" -#include "base/file_path.h" -#include "sandbox/src/sandbox.h" +class CommandLine; -// Adds the generic policy rules to a sandbox TargetPolicy. -bool AddGenericPolicy(sandbox::TargetPolicy* policy); +namespace sandbox { -// Adds policy rules for unloaded the known dlls that cause chrome to crash. -bool AddDllEvictionPolicy(sandbox::TargetPolicy* policy); +// Starts a sandboxed process and returns a handle to it. +base::ProcessHandle StartProcess(CommandLine* cmd_line); -// Adds the custom policy rules for a given plugin. If dll is activex-shim, -// then clsid is the clsid of ActiveX control. Otherwise clsid is ignored. -// |trusted_plugins| contains the comma separate list of plugins that should -// not be sandboxed. The plugin in the list can be either the plugin dll name -// of the class id if it's an ActiveX. -bool AddPolicyForPlugin(const FilePath &plugin_dll, - const std::string &activex_clsid, - const std::wstring &trusted_plugins, - sandbox::TargetPolicy* policy); - -enum PluginPolicyCategory { - PLUGIN_GROUP_TRUSTED, - PLUGIN_GROUP_UNTRUSTED, -}; - -// Returns the policy category for the plugin dll. -PluginPolicyCategory GetPolicyCategoryForPlugin( - const FilePath& plugin_dll, - const std::wstring& activex_clsid, - const std::wstring& trusted_plugins); - -// Creates a sandbox without any restriction. -bool ApplyPolicyForTrustedPlugin(sandbox::TargetPolicy* policy); - -// Creates a sandbox with the plugin running in a restricted environment. -// Only the "Users" and "Everyone" groups are enabled in the token. The User SID -// is disabled. -bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy); +} // namespace sandbox; #endif // CHROME_BROWSER_SANDBOX_POLICY_H_ diff --git a/chrome/browser/worker_host/worker_process_host.cc b/chrome/browser/worker_host/worker_process_host.cc index bf68bff..d696df6 100644 
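Review bot: The new header comment `// Starts a sandboxed process and returns a handle to it.` under-describes `StartProcess`: the implementation in sandbox_policy.cc launches the child unsandboxed when the browser runs with --no-sandbox (or, for a plugin, without --safe-plugins), picks the policy from the child's --type switch, and returns 0 on failure, none of which a caller can see from the header. Suggested wording: `// Launches the child described by |cmd_line| (--type selects the policy), inside the sandbox unless --no-sandbox is set or the child is a plugin and --safe-plugins is not; returns 0 on failure.` The closing `} // namespace sandbox;` also carries a stray semicolon.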
--- a/chrome/browser/worker_host/worker_process_host.cc +++ b/chrome/browser/worker_host/worker_process_host.cc @@ -17,6 +17,10 @@ #include "chrome/common/render_messages.h" #include "chrome/common/worker_messages.h" +#if defined(OS_WIN) +#include "chrome/browser/sandbox_policy.h" +#endif + WorkerProcessHost::WorkerProcessHost( ResourceDispatcherHost* resource_dispatcher_host_) @@ -38,16 +42,18 @@ bool WorkerProcessHost::Init() { return false; CommandLine cmd_line(exe_path); - - // TODO(jabdelmalek): factor out common code from renderer/plugin that does - // sandboxing and command line copying and reuse here. cmd_line.AppendSwitchWithValue(switches::kProcessType, switches::kWorkerProcess); cmd_line.AppendSwitchWithValue(switches::kProcessChannelID, channel_id()); - base::ProcessHandle handle; - if (!base::LaunchApp(cmd_line, false, false, &handle)) + base::ProcessHandle process; +#if defined(OS_WIN) + process = sandbox::StartProcess(&cmd_line); +#else + base::LaunchApp(cmd_line, false, false, &process); +#endif + if (!process) return false; - SetHandle(handle); + SetHandle(process); return true; } diff --git a/chrome/common/debug_flags.h b/chrome/common/debug_flags.h index c855781..231d2ca 100644 --- a/chrome/common/debug_flags.h +++ b/chrome/common/debug_flags.h @@ -11,11 +11,6 @@ class CommandLine; class DebugFlags { public: - enum ChildProcessType { - RENDERER, - PLUGIN, - UNKNOWN - }; // Updates the command line arguments with debug-related flags. If // debug flags have been used with this process, they will be diff --git a/chrome/common/sandbox_init_wrapper.cc b/chrome/common/sandbox_init_wrapper.cc index 5eb45cb..8d264ce 100644 --- a/chrome/common/sandbox_init_wrapper.cc +++ b/chrome/common/sandbox_init_wrapper.cc 
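Review bot: In WorkerProcessHost::Init `base::ProcessHandle process;` is left uninitialised and on non-Windows the result of `base::LaunchApp(cmd_line, false, false, &process)` is discarded, so a failed launch reaches `if (!process)` with an indeterminate value and may hand garbage to `SetHandle`; the renderer and plugin hosts changed in this same commit at least initialise the handle to 0. Write `base::ProcessHandle process = 0;` and test the return, `if (!base::LaunchApp(cmd_line, false, false, &process)) return false;`. On Windows the worker now goes through sandbox::StartProcess and receives the renderer lockdown policy, which is the intended hardening.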
@@ -26,6 +26,7 @@ void SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line, #endif if (!command_line.HasSwitch(switches::kNoSandbox)) { if ((process_type == switches::kRendererProcess) || + (process_type == switches::kWorkerProcess) || (process_type == switches::kPluginProcess && command_line.HasSwitch(switches::kSafePlugins))) { #if defined(OS_WIN) diff --git a/chrome/worker/worker_main.cc b/chrome/worker/worker_main.cc index b3c4256..1b973c3 100644 --- a/chrome/worker/worker_main.cc +++ b/chrome/worker/worker_main.cc @@ -12,7 +12,11 @@ #include "chrome/common/main_function_params.h" #include "chrome/common/win_util.h" #include "chrome/worker/worker_process.h" + +#if defined(OS_WIN) +#include "chrome/common/sandbox_init_wrapper.h" #include "sandbox/src/sandbox.h" +#endif // Mainline routine for running as the worker process. int WorkerMain(const MainFunctionParams& parameters) { @@ -26,10 +30,15 @@ int WorkerMain(const MainFunctionParams& parameters) { // Initialize the SystemMonitor base::SystemMonitor::Start(); - // TODO(jabdelmalek): refactor sandboxing code from renderer so that the - // workers are sandboxed. - WorkerProcess worker_process; +#if defined(OS_WIN) + sandbox::TargetServices* target_services = + parameters.sandbox_info_.TargetServices(); + if (!target_services) + return false; + + target_services->LowerToken(); +#endif // Load the accelerator table from the browser executable and tell the // message loop to use it when translating messages. |
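Review bot: In WorkerMain the added guard `if (!target_services) return false;` returns a bool from an int-returning entry point, so the refusal exits with status 0 and is indistinguishable from a clean run; return an explicit non-zero code, or match what the renderer entry point does here (not visible in this diff), and log that sandbox initialisation was refused. Everything that needs the initial token must run before `target_services->LowerToken();` — the accelerator-table load that follows it reads the browser executable, so confirm that still works under the lockdown token (presumably it does if the renderer orders it the same way, but that is not shown here). The function continues past the end of the hunk.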