NaCl integration

chrome/browser/sandbox_policy.cc

 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/sandbox_policy.h"
 
 #include "app/win_util.h"
 #include "base/command_line.h"
 #include "base/debug_util.h"
 #include "base/file_util.h"
@@ skipping 341 matching lines @@
   base::ProcessHandle process = 0;
   const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess();
   ChildProcessInfo::ProcessType type;
   std::wstring type_str = cmd_line->GetSwitchValue(switches::kProcessType);
   if (type_str == switches::kRendererProcess) {
     type = ChildProcessInfo::RENDER_PROCESS;
   } else if (type_str == switches::kPluginProcess) {
     type = ChildProcessInfo::PLUGIN_PROCESS;
   } else if (type_str == switches::kWorkerProcess) {
     type = ChildProcessInfo::WORKER_PROCESS;
+  } else if (type_str == switches::kNaClProcess) {
+    type = ChildProcessInfo::NACL_PROCESS;
   } else if (type_str == switches::kUtilityProcess) {
     type = ChildProcessInfo::UTILITY_PROCESS;
   } else {
     NOTREACHED();
     return 0;
   }
 
   bool in_sandbox =
       !browser_command_line.HasSwitch(switches::kNoSandbox) &&
       (type != ChildProcessInfo::PLUGIN_PROCESS ||
        browser_command_line.HasSwitch(switches::kSafePlugins));
 #if !defined (GOOGLE_CHROME_BUILD)
-  if (browser_command_line.HasSwitch(switches::kInProcessPlugins)) {
+  if (browser_command_line.HasSwitch(switches::kInProcessPlugins) ||
+      browser_command_line.HasSwitch(switches::kInternalNaCl)) {
     // In process plugins won't work if the sandbox is enabled.
+    // The internal NaCl plugin doesn't work in the sandbox for now.
     in_sandbox = false;
   }
 #endif
 
   bool child_needs_help =
       DebugFlags::ProcessDebugFlags(cmd_line, type, in_sandbox);
 
   if (!in_sandbox) {
     base::LaunchApp(*cmd_line, false, false, &process);
     return process;
   }
 
   // spawn the child process in the sandbox
   sandbox::BrokerServices* broker_service =
       g_browser_process->broker_services();
 
   sandbox::ResultCode result;
   PROCESS_INFORMATION target = {0};
   sandbox::TargetPolicy* policy = broker_service->CreatePolicy();
 
   bool on_sandbox_desktop = false;
+  // TODO(gregoryd): try locked-down policy for sel_ldr after we fix IMC.
+  // TODO(gregoryd): do we need a new desktop for sel_ldr?
   if (type == ChildProcessInfo::PLUGIN_PROCESS) {
     if (!AddPolicyForPlugin(cmd_line, policy))
       return 0;
   } else {
     AddPolicyForRenderer(policy, &on_sandbox_desktop);
   }
 
   if (!exposed_dir.empty()) {
     result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                              sandbox::TargetPolicy::FILES_ALLOW_ANY,
@@ skipping 36 matching lines @@
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     DebugUtil::SpawnDebuggerOnProcess(target.dwProcessId);
 
   return process;
 }
 
 } // namespace sandbox