Move sandbox_policy to content.

BUG=76697 Review URL: http://codereview.chromium.org/7084010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87183 0039d316-1c4b-4281-b951-d872f2087c98
marcosholgado · May 28, 2011 · cd5fa1a · cd5fa1a
1 parent 431427c
commit cd5fa1a
Show file tree

Hide file tree

Showing 21 changed files with 155 additions and 157 deletions.
diff --git a/chrome/browser/browser_main.cc b/chrome/browser/browser_main.cc
@@ -169,11 +169,11 @@
 #include "chrome/browser/net/url_fixer_upper.h"
 #include "chrome/browser/rlz/rlz.h"
 #include "chrome/browser/ui/views/user_data_dir_dialog.h"
-#include "chrome/common/sandbox_policy.h"
 #include "chrome/installer/util/helper.h"
 #include "chrome/installer/util/install_util.h"
 #include "chrome/installer/util/shell_util.h"
 #include "content/browser/user_metrics.h"
+#include "content/common/sandbox_policy.h"
 #include "net/base/net_util.h"
 #include "net/base/sdch_manager.h"
 #include "printing/printed_document.h"

diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc
@@ -5,9 +5,6 @@
 #include "chrome/browser/chrome_content_browser_client.h"
 
 #include "base/command_line.h"
-#include "base/path_service.h"
-#include "base/string_number_conversions.h"
-#include "base/win/windows_version.h"
 #include "chrome/app/breakpad_mac.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/character_encoding.h"
@@ -31,7 +28,6 @@
 #include "chrome/browser/spellcheck_message_filter.h"
 #include "chrome/browser/ui/webui/chrome_web_ui_factory.h"
 #include "chrome/common/child_process_logging.h"
-#include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/extensions/extension_messages.h"
 #include "chrome/common/pref_names.h"
@@ -55,11 +51,6 @@
 #include "chrome/browser/crash_handler_host_linux.h"
 #endif
 
-#if defined(OS_WIN)
-#include "chrome/common/sandbox_policy.h"
-#include "sandbox/src/sandbox.h"
-#endif
-
 namespace {
 
 void InitRenderViewHostForExtensions(RenderViewHost* render_view_host) {
@@ -118,62 +109,6 @@ void InitRenderViewHostForExtensions(RenderViewHost* render_view_host) {
   }
 }
 
-#if defined(OS_WIN)
-// Launches the privileged flash broker, used when flash is sandboxed.
-// The broker is the same flash dll, except that it uses a different
-// entrypoint (BrokerMain) and it is hosted in windows' generic surrogate
-// process rundll32. After launching the broker we need to pass to
-// the flash plugin the process id of the broker via the command line
-// using --flash-broker=pid.
-// More info about rundll32 at http://support.microsoft.com/kb/164787.
-bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) {
-  FilePath rundll;
-  if (!PathService::Get(base::DIR_SYSTEM, &rundll))
-    return false;
-  rundll = rundll.AppendASCII("rundll32.exe");
-  // Rundll32 cannot handle paths with spaces, so we use the short path.
-  wchar_t short_path[MAX_PATH];
-  if (0 == ::GetShortPathNameW(plugin_path.value().c_str(),
-                               short_path, arraysize(short_path)))
-    return false;
-  // Here is the kicker, if the user has disabled 8.3 (short path) support
-  // on the volume GetShortPathNameW does not fail but simply returns the
-  // input path. In this case if the path had any spaces then rundll32 will
-  // incorrectly interpret its parameters. So we quote the path, even though
-  // the kb/164787 says you should not.
-  std::wstring cmd_final =
-      base::StringPrintf(L"%ls \"%ls\",BrokerMain browser=chrome",
-                         rundll.value().c_str(),
-                         short_path);
-  base::ProcessHandle process;
-  if (!base::LaunchApp(cmd_final, false, true, &process))
-    return false;
-
-  cmd_line->AppendSwitchASCII("flash-broker",
-                              base::Int64ToString(::GetProcessId(process)));
-
-  // The flash broker, unders some circumstances can linger beyond the lifetime
-  // of the flash player, so we put it in a job object, when the browser
-  // terminates the job object is destroyed (by the OS) and the flash broker
-  // is terminated.
-  HANDLE job = ::CreateJobObjectW(NULL, NULL);
-  JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_limits = {0};
-  job_limits.BasicLimitInformation.LimitFlags =
-      JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
-  if (::SetInformationJobObject(job, JobObjectExtendedLimitInformation,
-                                &job_limits, sizeof(job_limits))) {
-    ::AssignProcessToJobObject(job, process);
-    // Yes, we are leaking the object here. Read comment above.
-  } else {
-    ::CloseHandle(job);
-    return false;
-  }
-
-  ::CloseHandle(process);
-  return true;
-}
-#endif  // OS_WIN
-
 }
 
 namespace chrome {
@@ -388,52 +323,4 @@ int ChromeContentBrowserClient::GetCrashSignalFD(
 }
 #endif
 
-#if defined(OS_WIN)
-bool ChromeContentBrowserClient::SandboxPlugin(CommandLine* command_line,
-                                               sandbox::TargetPolicy* policy) {
-  std::wstring plugin_dll = command_line->
-      GetSwitchValueNative(switches::kPluginPath);
-
-  FilePath builtin_flash;
-  if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash))
-    return false;
-
-  FilePath plugin_path(plugin_dll);
-  if (plugin_path != builtin_flash)
-    return false;
-
-  if (base::win::GetVersion() <= base::win::VERSION_XP ||
-      CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kDisableFlashSandbox)) {
-    return false;
-  }
-
-  // Add the policy for the pipes.
-  sandbox::ResultCode result = sandbox::SBOX_ALL_OK;
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-                           sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
-                           L"\\\\.\\pipe\\chrome.*");
-  if (result != sandbox::SBOX_ALL_OK) {
-    NOTREACHED();
-    return false;
-  }
-
-  // Spawn the flash broker and apply sandbox policy.
-  if (LoadFlashBroker(plugin_path, command_line)) {
-    policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
-    policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                          sandbox::USER_INTERACTIVE);
-    policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-  } else {
-    // Could not start the broker, use a very weak policy instead.
-    DLOG(WARNING) << "Failed to start flash broker";
-    policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
-    policy->SetTokenLevel(
-        sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
-  }
-
-  return true;
-}
-#endif
-
 }  // namespace chrome
diff --git a/chrome/browser/chrome_content_browser_client.h b/chrome/browser/chrome_content_browser_client.h
@@ -44,11 +44,6 @@ class ChromeContentBrowserClient : public content::ContentBrowserClient {
   // Can return an optional fd for crash handling, otherwise returns -1.
   virtual int GetCrashSignalFD(const std::string& process_type);
 #endif
-
-#if defined(OS_WIN)
-  virtual bool SandboxPlugin(CommandLine* command_line,
-                             sandbox::TargetPolicy* policy);
-#endif
 };
 
 }  // namespace chrome

diff --git a/chrome/chrome_common.gypi b/chrome/chrome_common.gypi
@@ -69,8 +69,6 @@
           'common/profiling.h',
           'common/ref_counted_util.h',
           'common/safe_browsing/safebrowsing_messages.h',
-          'common/sandbox_policy.cc',
-          'common/sandbox_policy.h',
           'common/switch_utils.cc',
           'common/switch_utils.h',
           'common/time_format.cc',
@@ -330,11 +328,6 @@
             '../third_party/GTM',
           ],
         }],
-        ['OS!="win"', {
-          'sources!': [
-            'common/sandbox_policy.cc',
-          ],
-        }],
         ['remoting==1', {
           'dependencies': [
             '../remoting/remoting.gyp:remoting_client_plugin',

diff --git a/chrome/chrome_dll.gypi b/chrome/chrome_dll.gypi
@@ -631,6 +631,7 @@
             '../content/common/notification_details.cc',
             '../content/common/notification_service.cc',
             '../content/common/notification_source.cc',
+            '../content/common/sandbox_policy.cc',
             '../content/common/sandbox_init_wrapper_win.cc',
             '../content/common/url_constants.cc',
           ],

diff --git a/chrome/common/chrome_content_client.cc b/chrome/common/chrome_content_client.cc
@@ -7,15 +7,23 @@
 #include "base/command_line.h"
 #include "base/file_util.h"
 #include "base/path_service.h"
+#include "base/process_util.h"
+#include "base/string_number_conversions.h"
 #include "base/string_split.h"
 #include "base/string_util.h"
+#include "base/win/windows_version.h"
 #include "chrome/common/child_process_logging.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/render_messages.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "remoting/client/plugin/pepper_entrypoints.h"
 
+#if defined(OS_WIN)
+#include "content/common/sandbox_policy.h"
+#include "sandbox/src/sandbox.h"
+#endif
+
 namespace {
 
 const char* kPDFPluginName = "Chrome PDF Viewer";
@@ -178,6 +186,62 @@ void AddOutOfProcessFlash(std::vector<PepperPluginInfo>* plugins) {
 
 #endif  // !defined(NACL_WIN64)
 
+#if defined(OS_WIN)
+// Launches the privileged flash broker, used when flash is sandboxed.
+// The broker is the same flash dll, except that it uses a different
+// entrypoint (BrokerMain) and it is hosted in windows' generic surrogate
+// process rundll32. After launching the broker we need to pass to
+// the flash plugin the process id of the broker via the command line
+// using --flash-broker=pid.
+// More info about rundll32 at http://support.microsoft.com/kb/164787.
+bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) {
+  FilePath rundll;
+  if (!PathService::Get(base::DIR_SYSTEM, &rundll))
+    return false;
+  rundll = rundll.AppendASCII("rundll32.exe");
+  // Rundll32 cannot handle paths with spaces, so we use the short path.
+  wchar_t short_path[MAX_PATH];
+  if (0 == ::GetShortPathNameW(plugin_path.value().c_str(),
+                               short_path, arraysize(short_path)))
+    return false;
+  // Here is the kicker, if the user has disabled 8.3 (short path) support
+  // on the volume GetShortPathNameW does not fail but simply returns the
+  // input path. In this case if the path had any spaces then rundll32 will
+  // incorrectly interpret its parameters. So we quote the path, even though
+  // the kb/164787 says you should not.
+  std::wstring cmd_final =
+      base::StringPrintf(L"%ls \"%ls\",BrokerMain browser=chrome",
+                         rundll.value().c_str(),
+                         short_path);
+  base::ProcessHandle process;
+  if (!base::LaunchApp(cmd_final, false, true, &process))
+    return false;
+
+  cmd_line->AppendSwitchASCII("flash-broker",
+                              base::Int64ToString(::GetProcessId(process)));
+
+  // The flash broker, unders some circumstances can linger beyond the lifetime
+  // of the flash player, so we put it in a job object, when the browser
+  // terminates the job object is destroyed (by the OS) and the flash broker
+  // is terminated.
+  HANDLE job = ::CreateJobObjectW(NULL, NULL);
+  JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_limits = {0};
+  job_limits.BasicLimitInformation.LimitFlags =
+      JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
+  if (::SetInformationJobObject(job, JobObjectExtendedLimitInformation,
+                                &job_limits, sizeof(job_limits))) {
+    ::AssignProcessToJobObject(job, process);
+    // Yes, we are leaking the object here. Read comment above.
+  } else {
+    ::CloseHandle(job);
+    return false;
+  }
+
+  ::CloseHandle(process);
+  return true;
+}
+#endif  // OS_WIN
+
 }  // namespace
 
 namespace chrome {
@@ -227,4 +291,52 @@ bool ChromeContentClient::CanHandleWhileSwappedOut(
   return false;
 }
 
+#if defined(OS_WIN)
+bool ChromeContentClient::SandboxPlugin(CommandLine* command_line,
+                                        sandbox::TargetPolicy* policy) {
+  std::wstring plugin_dll = command_line->
+      GetSwitchValueNative(switches::kPluginPath);
+
+  FilePath builtin_flash;
+  if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash))
+    return false;
+
+  FilePath plugin_path(plugin_dll);
+  if (plugin_path != builtin_flash)
+    return false;
+
+  if (base::win::GetVersion() <= base::win::VERSION_XP ||
+      CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kDisableFlashSandbox)) {
+    return false;
+  }
+
+  // Add the policy for the pipes.
+  sandbox::ResultCode result = sandbox::SBOX_ALL_OK;
+  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
+                           sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
+                           L"\\\\.\\pipe\\chrome.*");
+  if (result != sandbox::SBOX_ALL_OK) {
+    NOTREACHED();
+    return false;
+  }
+
+  // Spawn the flash broker and apply sandbox policy.
+  if (LoadFlashBroker(plugin_path, command_line)) {
+    policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
+    policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                          sandbox::USER_INTERACTIVE);
+    policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+  } else {
+    // Could not start the broker, use a very weak policy instead.
+    DLOG(WARNING) << "Failed to start flash broker";
+    policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
+    policy->SetTokenLevel(
+        sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
+  }
+
+  return true;
+}
+#endif
+
 }  // namespace chrome
diff --git a/chrome/common/chrome_content_client.h b/chrome/common/chrome_content_client.h
@@ -20,6 +20,10 @@ class ChromeContentClient : public content::ContentClient {
   virtual void AddPepperPlugins(std::vector<PepperPluginInfo>* plugins);
   virtual bool CanSendWhileSwappedOut(const IPC::Message* msg);
   virtual bool CanHandleWhileSwappedOut(const IPC::Message& msg);
+#if defined(OS_WIN)
+  virtual bool SandboxPlugin(CommandLine* command_line,
+                             sandbox::TargetPolicy* policy);
+#endif
 };
 
 }  // namespace chrome

diff --git a/chrome/nacl/broker_thread.cc b/chrome/nacl/broker_thread.cc
@@ -11,8 +11,8 @@
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/nacl_cmd_line.h"
 #include "chrome/common/nacl_messages.h"
-#include "chrome/common/sandbox_policy.h"
 #include "content/common/child_process.h"
+#include "content/common/sandbox_policy.h"
 #include "ipc/ipc_switches.h"
 
 NaClBrokerThread::NaClBrokerThread()

diff --git a/chrome/nacl/nacl_main.cc b/chrome/nacl/nacl_main.cc
@@ -15,13 +15,13 @@
 #include "chrome/common/chrome_constants.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/logging_chrome.h"
-#include "chrome/common/sandbox_policy.h"
 #include "chrome/nacl/nacl_launcher_thread.h"
 #include "chrome/nacl/nacl_main_platform_delegate.h"
 #include "content/common/child_process.h"
 #include "content/common/hi_res_timer_manager.h"
 #include "content/common/main_function_params.h"
 #include "content/common/result_codes.h"
+#include "content/common/sandbox_policy.h"
 
 #if defined(OS_WIN)
 #include "chrome/nacl/broker_thread.h"

diff --git a/chrome/service/service_child_process_host.cc b/chrome/service/service_child_process_host.cc
@@ -12,7 +12,7 @@
 
 #if defined(OS_WIN)
 #include "base/file_path.h"
-#include "chrome/common/sandbox_policy.h"
+#include "content/common/sandbox_policy.h"
 #endif  // defined(OS_WIN)
 
 ServiceChildProcessHost::ServiceChildProcessHost(ProcessType type)

diff --git a/chrome/service/service_main.cc b/chrome/service/service_main.cc
@@ -10,7 +10,7 @@
 #include "content/common/main_function_params.h"
 
 #if defined(OS_WIN)
-#include "chrome/common/sandbox_policy.h"
+#include "content/common/sandbox_policy.h"
 #elif defined(OS_MACOSX)
 #include "content/common/chrome_application_mac.h"
 #endif  // defined(OS_WIN)