-rw-r--r--chrome/app/chrome_exe_main.cc4
-rw-r--r--chrome/chrome_exe.gypi5
-rw-r--r--chrome/common/sandbox_policy.cc25
-rw-r--r--chrome/nacl/nacl_main.cc9
4 files changed, 34 insertions, 9 deletions
diff --git a/chrome/app/chrome_exe_main.cc b/chrome/app/chrome_exe_main.cc
index cd1f1b3..fdd2cac 100644
--- a/chrome/app/chrome_exe_main.cc
+++ b/chrome/app/chrome_exe_main.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -33,7 +33,6 @@ int APIENTRY wWinMain(HINSTANCE instance, HINSTANCE, wchar_t*, int) {
// Initialize the sandbox services.
sandbox::SandboxInterfaceInfo sandbox_info = {0};
-#ifndef _WIN64 // Sandbox does not support Win64 yet - remove when it does
sandbox_info.broker_services = sandbox::SandboxFactory::GetBrokerServices();
if (!sandbox_info.broker_services)
sandbox_info.target_services = sandbox::SandboxFactory::GetTargetServices();
@@ -42,7 +41,6 @@ int APIENTRY wWinMain(HINSTANCE instance, HINSTANCE, wchar_t*, int) {
// Enforces strong DEP support. Vista uses the NXCOMPAT flag in the exe.
sandbox::SetCurrentProcessDEP(sandbox::DEP_ENABLED);
}
-#endif // _WIN64
// Load and launch the chrome dll. *Everything* happens inside.
MainDllLoader* loader = MakeMainDllLoader();
int rc = loader->Launch(instance, &sandbox_info);
diff --git a/chrome/chrome_exe.gypi b/chrome/chrome_exe.gypi
index cd247ce..5181084 100644
--- a/chrome/chrome_exe.gypi
+++ b/chrome/chrome_exe.gypi
@@ -1,4 +1,4 @@
-# Copyright (c) 2009 The Chromium Authors. All rights reserved.
+# Copyright (c) 2009-2010 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
@@ -503,8 +503,7 @@
'../breakpad/breakpad.gyp:breakpad_sender_win64',
'../base/base.gyp:base_nacl_win64',
'../chrome_frame/chrome_frame.gyp:npchrome_frame',
- # TODO(gregoryd): build sandbox for 64 bit
- # '../sandbox/sandbox.gyp:sandbox',
+ '../sandbox/sandbox.gyp:sandbox_win64',
],
'defines': [
'<@(nacl_win64_defines)',
diff --git a/chrome/common/sandbox_policy.cc b/chrome/common/sandbox_policy.cc
index ff5e5c5..d0766e9 100644
--- a/chrome/common/sandbox_policy.cc
+++ b/chrome/common/sandbox_policy.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -176,6 +176,20 @@ void AddDllEvictionPolicy(sandbox::TargetPolicy* policy) {
}
}
+bool Is64BitWindows()
+{
+#if defined(_WIN64)
+ return true; // 64-bit programs run only on Win64
+#elif defined(_WIN32)
+ // 32-bit programs run on both 32-bit and 64-bit Windows
+ // so must sniff.
+ BOOL f64 = FALSE;
+ return IsWow64Process(GetCurrentProcess(), &f64) && f64;
+#else
+ return false; // no other code can run on 64-bit Windows
+#endif
+}
+
// Adds the generic policy rules to a sandbox TargetPolicy.
bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
sandbox::ResultCode result;
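Review bot: `Is64BitWindows()` reports a failed `IsWow64Process` call as `false`, and the next hunk uses that result to decide whether a sandbox rule is added, so a failure changes the policy with nothing logged. A comment above the function should state that contract, for example `// Returns true on 64-bit Windows; a failed WOW64 query is reported as false.` The function has no `static` and no anonymous namespace is visible here, so it may have external linkage unless an enclosing scope outside the hunk provides one. Its opening brace is on its own line, while `AddGenericPolicy` just below keeps the brace on the signature line.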
@@ -187,6 +201,14 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
if (result != sandbox::SBOX_ALL_OK)
return false;
+ if (Is64BitWindows()) {
+ result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
+ sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
+ L"\\\\.\\pipe\\chrome.nacl.*");
+ if (result != sandbox::SBOX_ALL_OK)
+ return false;
+ }
+
// Add the policy for debug message only in debug
#ifndef NDEBUG
std::wstring debug_message;
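Review bot: The added `NAMEDPIPES_ALLOW_ANY` rule for `chrome.nacl.*` sits in `AddGenericPolicy`, which its header comment describes as adding the generic rules. On 64-bit Windows it therefore presumably applies to every sandboxed target type, not only to the NaCl processes that use the pipe. That is a wider grant than least privilege calls for; the rule would be better added where the child process type is known and limited to the NaCl types. If it has to stay here, it should at least carry a comment naming the consumer, e.g. `// Pipe used by <NaCl component>; TODO: restrict to NaCl targets.` `AddGenericPolicy` begins before and continues past this hunk, so callers and any per-type filtering are not visible.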
@@ -396,6 +418,7 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
}
bool in_sandbox =
+ (type != ChildProcessInfo::NACL_BROKER_PROCESS) &&
!browser_command_line.HasSwitch(switches::kNoSandbox) &&
(type != ChildProcessInfo::PLUGIN_PROCESS ||
browser_command_line.HasSwitch(switches::kSafePlugins));
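Review bot: The new first clause of `in_sandbox` launches `NACL_BROKER_PROCESS` outside the sandbox unconditionally, independent of `kNoSandbox`, and nothing at the expression explains why. A permanent sandbox exemption should be documented where it is made, e.g. `// The NaCl broker always runs unsandboxed: <reason>.` directly above `bool in_sandbox =`. Since the broker becomes the unsandboxed party, it is also worth confirming that whatever it accepts from sandboxed processes is validated; that code is not part of this hunk. `StartProcessWithAccess` starts and ends outside the hunk.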
diff --git a/chrome/nacl/nacl_main.cc b/chrome/nacl/nacl_main.cc
index a7325cd..4dc2691 100644
--- a/chrome/nacl/nacl_main.cc
+++ b/chrome/nacl/nacl_main.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2009-2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -93,8 +93,13 @@ static void LaunchNaClChildProcess(bool no_sandbox,
sandbox::TargetServices* target_services) {
ChildProcess nacl_process;
nacl_process.set_main_thread(new NaClThread());
- if (!no_sandbox && target_services)
+ if (!no_sandbox && target_services) {
+ // Cause advapi32 to load before the sandbox is turned on.
+ unsigned int dummy_rand;
+ rand_s(&dummy_rand);
+ // Turn the sanbox on.
target_services->LowerToken();
+ }
MessageLoop::current()->Run();
}
#elif defined(OS_MACOSX) || defined(OS_LINUX)
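Review bot: The return value of `rand_s(&dummy_rand)` is discarded, so if the call fails, the advapi32 warm-up the comment relies on may not have happened and `LowerToken()` still runs. Capturing the result and checking it in debug builds (`errno_t rand_err = rand_s(&dummy_rand);` followed by an assertion that it is 0, if the file's logging macros allow) would make that visible. The comment should also say why the library has to be loaded before the token is lowered. `// Turn the sanbox on.` should read `// Turn the sandbox on.`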