Add support for alternate window station.

chrome/browser/sandbox_policy.cc

-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/sandbox_policy.h"
 
 #include "app/win_util.h"
 #include "base/command_line.h"
 #include "base/debug_util.h"
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/path_service.h"
 #include "base/process_util.h"
 #include "base/registry.h"
 #include "base/string_util.h"
 #include "base/win_util.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/common/child_process_info.h"
 #include "chrome/common/chrome_constants.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/debug_flags.h"
 #include "chrome/common/ipc_logging.h"
 #include "chrome/common/notification_service.h"
 #include "sandbox/src/sandbox.h"
 #include "webkit/glue/plugins/plugin_list.h"
 
 namespace {
 
-const wchar_t* const kDesktopName = L"ChromeRendererDesktop";
-
 // The DLLs listed here are known (or under strong suspicion) of causing crashes
 // when they are loaded in the renderer.
 const wchar_t* const kTroublesomeDlls[] = {
   L"adialhk.dll",                 // Kaspersky Internet Security.
   L"acpiz.dll",                   // Unknown.
   L"avgrsstx.dll",                // AVG 8.
   L"btkeyind.dll",                // Widcomm Bluetooth.
   L"cmcsyshk.dll",                // CMC Internet Security.
   L"dockshellhook.dll",           // Stardock Objectdock.
   L"GoogleDesktopNetwork3.DLL",   // Google Desktop Search v5.
@@ skipping 266 matching lines @@
     case PLUGIN_GROUP_UNTRUSTED:
       return ApplyPolicyForUntrustedPlugin(policy);
     default:
       NOTREACHED();
       break;
   }
 
   return false;
 }
 
-void AddPolicyForRenderer(HDESK desktop, sandbox::TargetPolicy* policy) {
+void AddPolicyForRenderer(sandbox::TargetPolicy* policy,
+                          bool* on_sandbox_desktop) {
   policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
 
   sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
   if (win_util::GetWinVersion() > win_util::WINVERSION_XP) {
     // On 2003/Vista the initial token has to be restricted if the main
     // token is restricted.
     initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
   }
 
   policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
   policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
 
-  if (desktop) {
-    policy->SetDesktop(kDesktopName);
+  bool use_winsta = !CommandLine::ForCurrentProcess()->HasSwitch(
+                        switches::kDisableAltWinstation);
+
+  if (sandbox::SBOX_ALL_OK ==  policy->SetAlternateDesktop(use_winsta)) {
+    *on_sandbox_desktop = true;
   } else {
+    *on_sandbox_desktop = false;
     DLOG(WARNING) << "Failed to apply desktop security to the renderer";
   }
 
   AddDllEvictionPolicy(policy);
 }
 
 }  // namespace
 
 namespace sandbox {
 
@@ skipping 40 matching lines @@
   }
 
   // spawn the child process in the sandbox
   sandbox::BrokerServices* broker_service =
       g_browser_process->broker_services();
 
   sandbox::ResultCode result;
   PROCESS_INFORMATION target = {0};
   sandbox::TargetPolicy* policy = broker_service->CreatePolicy();
 
-  HDESK desktop = NULL;
+  bool on_sandbox_desktop = false;
   if (type == ChildProcessInfo::PLUGIN_PROCESS) {
     if (!AddPolicyForPlugin(cmd_line, policy))
       return 0;
   } else {
-    desktop = CreateDesktop(
-      kDesktopName, NULL, NULL, 0, DESKTOP_CREATEWINDOW, NULL);
-    AddPolicyForRenderer(desktop, policy);
+    AddPolicyForRenderer(policy, &on_sandbox_desktop);
   }
 
   if (!exposed_dir.empty()) {
     result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                              sandbox::TargetPolicy::FILES_ALLOW_ANY,
                              exposed_dir.ToWStringHack().c_str());
     if (result != sandbox::SBOX_ALL_OK)
       return 0;
 
     FilePath exposed_files = exposed_dir.AppendASCII("*");
     result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                              sandbox::TargetPolicy::FILES_ALLOW_ANY,
                              exposed_files.ToWStringHack().c_str());
     if (result != sandbox::SBOX_ALL_OK)
       return 0;
   }
 
   if (!AddGenericPolicy(policy)) {
     NOTREACHED();
-    if (desktop)
-      CloseDesktop(desktop);
     return 0;
   }
 
   result = broker_service->SpawnTarget(
       cmd_line->program().c_str(),
       cmd_line->command_line_string().c_str(),
       policy, &target);
   policy->Release();
 
-  if (desktop)
-    CloseDesktop(desktop);
-
   if (sandbox::SBOX_ALL_OK != result)
     return 0;
 
   if (type == ChildProcessInfo::RENDER_PROCESS) {
-    bool on_sandbox_desktop = (desktop != NULL);
     NotificationService::current()->Notify(
         NotificationType::RENDERER_PROCESS_IN_SBOX,
         NotificationService::AllSources(),
         Details<bool>(&on_sandbox_desktop));
   }
 
   ResumeThread(target.hThread);
   CloseHandle(target.hThread);
   process = target.hProcess;
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     DebugUtil::SpawnDebuggerOnProcess(target.dwProcessId);
 
   return process;
 }
 
 } // namespace sandbox