Start of a more restricitve sandbox policy for flash on windows...

chrome/common/sandbox_policy.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/sandbox_policy.h"
 
 #include <string>
 
 #include "app/win_util.h"
 #include "base/command_line.h"
@@ skipping 282 matching lines @@
     // AppData itself.
     if (!AddDirectory(base::DIR_APP_DATA, L"..", false,
                       sandbox::TargetPolicy::FILES_ALLOW_READONLY,
                       policy))
       return false;
   }
 
   return true;
 }
 
+// Creates a sandbox for the built-in flash plugin running in a restricted
+// environment. This is a work in progress and for the time being do not
+// pay attention to the duplication between this function and the above
+// function. For more information see bug 50796.
+bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) {
+  // TODO(cpu): Lock down the job level more.
+  policy->SetJobLevel(sandbox::JOB_INTERACTIVE, 0);
+
+  sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
+  if (win_util::GetWinVersion() > win_util::WINVERSION_XP)
+    initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
+  policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED);
+
+  policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+
+  // TODO(cpu): Proxy registry access and remove this policies.
+  if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE",
+                        sandbox::TargetPolicy::REG_ALLOW_ANY,
+                        policy))
+    return false;
+
+  if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA",
+                        sandbox::TargetPolicy::REG_ALLOW_ANY,
+                        policy))
+    return false;
+
+  if (win_util::GetWinVersion() >= win_util::WINVERSION_VISTA) {
+    if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\AppDataLow",
+                          sandbox::TargetPolicy::REG_ALLOW_ANY,
+                          policy))
+      return false;
+  }
+
+  return true;
+}
+
 // Adds the custom policy rules for a given plugin. |trusted_plugins| contains
 // the comma separate list of plugin dll names that should not be sandboxed.
 bool AddPolicyForPlugin(const CommandLine* cmd_line,
                         sandbox::TargetPolicy* policy) {
   std::wstring plugin_dll = cmd_line->
       GetSwitchValue(switches::kPluginPath);
   std::wstring trusted_plugins = CommandLine::ForCurrentProcess()->
       GetSwitchValue(switches::kTrustedPlugins);
   // Add the policy for the pipes.
   sandbox::ResultCode result = sandbox::SBOX_ALL_OK;
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
                            sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
                            L"\\\\.\\pipe\\chrome.*");
   if (result != sandbox::SBOX_ALL_OK) {
     NOTREACHED();
     return false;
   }
 
+  // The built-in flash gets a custom, more restricted sandbox.
+  FilePath builtin_flash;
+  if (PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) {
+    FilePath plugin_path(plugin_dll);
+    if (plugin_path == builtin_flash)
+      return ApplyPolicyForBuiltInFlashPlugin(policy);
+  }
+
   PluginPolicyCategory policy_category =
       GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins);
 
   switch (policy_category) {
     case PLUGIN_GROUP_TRUSTED:
       return ApplyPolicyForTrustedPlugin(policy);
     case PLUGIN_GROUP_UNTRUSTED:
       return ApplyPolicyForUntrustedPlugin(policy);
     default:
       NOTREACHED();
@@ skipping 163 matching lines @@
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     DebugUtil::SpawnDebuggerOnProcess(target.dwProcessId);
 
   return process;
 }
 
 }  // namespace sandbox