Index: chrome/common/sandbox_policy.cc |
=================================================================== |
--- chrome/common/sandbox_policy.cc (revision 53881) |
+++ chrome/common/sandbox_policy.cc (working copy) |
@@ -300,6 +300,42 @@ |
return true; |
} |
+// Creates a sandbox for the built-in flash plugin running in a restricted |
+// environment. This is a work in progress and for the time being do not |
+// pay attention to the duplication between this function and the above |
+// function. For more information see bug 50796. |
+bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { |
+ // TODO(cpu): Lock down the job level more. |
+ policy->SetJobLevel(sandbox::JOB_INTERACTIVE, 0); |
+ |
+ sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; |
+ if (win_util::GetWinVersion() > win_util::WINVERSION_XP) |
+ initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; |
+ policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); |
+ |
+ policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); |
+ |
+ // TODO(cpu): Proxy registry access and remove this policies. |
+ if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE", |
+ sandbox::TargetPolicy::REG_ALLOW_ANY, |
+ policy)) |
+ return false; |
+ |
+ if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA", |
+ sandbox::TargetPolicy::REG_ALLOW_ANY, |
+ policy)) |
+ return false; |
+ |
+ if (win_util::GetWinVersion() >= win_util::WINVERSION_VISTA) { |
+ if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\AppDataLow", |
+ sandbox::TargetPolicy::REG_ALLOW_ANY, |
+ policy)) |
+ return false; |
+ } |
+ |
+ return true; |
+} |
+ |
// Adds the custom policy rules for a given plugin. |trusted_plugins| contains |
// the comma separate list of plugin dll names that should not be sandboxed. |
bool AddPolicyForPlugin(const CommandLine* cmd_line, |
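Review bot: The three `AddKeyAndSubkeys` calls in `ApplyPolicyForBuiltInFlashPlugin` grant `REG_ALLOW_ANY` over whole subtrees, and the Vista-and-later rule covers all of `HKEY_CURRENT_USER\SOFTWARE\AppDataLow` rather than only the plugin's own keys. That lets the sandboxed process write registry state outside the Adobe/Macromedia keys, in a location other low-integrity software may also use. Until the proxying mentioned in the TODO lands, consider `sandbox::TargetPolicy::REG_ALLOW_READONLY` wherever the plugin only reads, and narrow the AppDataLow rule to the vendor subkeys if those are all it needs (not verifiable from this hunk). The XP branch also deserves a comment, since integrity levels do not exist there, e.g. `// XP: no integrity levels; isolation relies on the USER_LIMITED lockdown token and the job object.`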
@@ -318,6 +354,14 @@ |
return false; |
} |
+ // The built-in flash gets a custom, more restricted sandbox. |
+ FilePath builtin_flash; |
+ if (PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) { |
+ FilePath plugin_path(plugin_dll); |
+ if (plugin_path == builtin_flash) |
+ return ApplyPolicyForBuiltInFlashPlugin(policy); |
+ } |
+ |
PluginPolicyCategory policy_category = |
GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins); |
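Review bot: The `plugin_path == builtin_flash` test fails open. If `PathService::Get` returns false, or the two paths name the same DLL but differ in case or form, the built-in Flash silently falls through to the generic category policy below instead of the more restricted one. Whether `FilePath::operator==` normalizes is not visible in this hunk; if it is an exact string compare, bring both sides to a canonical form before comparing. Consider logging the lookup failure so a downgrade is noticeable, e.g. `LOG(WARNING) << "built-in flash path unavailable; using generic plugin policy";`. `AddPolicyForPlugin` starts before and continues after this hunk, so the surrounding handling is not visible here.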