Diffstat (limited to 'content/common/sandbox_policy.cc')
-rw-r--r-- | content/common/sandbox_policy.cc | 38 |
1 files changed, 0 insertions, 38 deletions
diff --git a/content/common/sandbox_policy.cc b/content/common/sandbox_policy.cc
index 2d01bde..dd0473e 100644
--- a/content/common/sandbox_policy.cc
+++ b/content/common/sandbox_policy.cc
@@ -194,41 +194,6 @@ void AddDllEvictionPolicy(sandbox::TargetPolicy* policy) {
 BlacklistAddOneDll(kTroublesomeDlls[ix], policy);
 }
 
-// Returns the object path prepended with the current logon session.
-string16 PrependWindowsSessionPath(const char16* object) {
- // Cache this because it can't change after process creation.
- static string16* session_prefix = NULL;
- if (!session_prefix) {
- HANDLE token;
- DWORD session_id;
- DWORD session_id_length;
-
- CHECK(::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token));
- CHECK(::GetTokenInformation(token, TokenSessionId, &session_id,
- sizeof(session_id), &session_id_length));
- CloseHandle(token);
-
- session_prefix = new string16(base::StringPrintf(L"\\Sessions\\%d",
- session_id));
- }
-
- return *session_prefix + object;
-}
-
-// Closes handles that are opened at process creation and initialization.
-void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
- // Being able to manipulate anything BaseNamedObjects is bad.
- policy->AddKernelObjectToClose(L"Directory", PrependWindowsSessionPath(
- L"\\BaseNamedObjects").data());
- policy->AddKernelObjectToClose(L"Section", PrependWindowsSessionPath(
- L"\\BaseNamedObjects\\windows_shell_global_counters").data());
-}
-
-void AddStrictHandleClosePolicy(sandbox::TargetPolicy* policy) {
- // This is loaded when rand_s is seeded, but not needed again.
- policy->AddKernelObjectToClose(L"File", L"\\Device\\KsecDD");
-}
-
 // Adds the generic policy rules to a sandbox TargetPolicy.
 bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
 sandbox::ResultCode result;
@@ -314,7 +279,6 @@ void AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
 }
 
 AddDllEvictionPolicy(policy);
- AddBaseHandleClosePolicy(policy);
 }
 
 // The Pepper process as locked-down as a renderer execpt that it can
@@ -450,8 +414,6 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
 return 0;
 } else {
 AddPolicyForRenderer(policy);
- if (type == ChildProcessInfo::RENDER_PROCESS)
- AddStrictHandleClosePolicy(policy);
 
 if (type_str != switches::kRendererProcess) {
 // Hack for Google Desktop crash. Trick GD into not injecting its DLL into |