Chromium Code Reviews Chromium Code Reviews
Issue 4870001:
Enable sandboxed flash on windows by default.... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/common/sandbox_policy.h" | 5 #include "chrome/common/sandbox_policy.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "app/win_util.h" | 9 #include "app/win_util.h" |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| (...skipping 329 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 340 bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { | 340 bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { |
| 341 // TODO(cpu): Lock down the job level more. | 341 // TODO(cpu): Lock down the job level more. |
| 342 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); | 342 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); |
| 343 | 343 |
| 344 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; | 344 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; |
| 345 | 345 |
| 346 if (base::win::GetVersion() > base::win::VERSION_XP) | 346 if (base::win::GetVersion() > base::win::VERSION_XP) |
| 347 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; | 347 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; |
| 348 | 348 |
| 349 policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); | 349 policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); |
| 350 | |
| 351 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); | 350 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); |
| 352 | 351 |
| 353 // TODO(cpu): Proxy registry access and remove these policies. | 352 // TODO(cpu): Proxy registry access and remove these policies. |
| 354 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE", | 353 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE", |
| 355 sandbox::TargetPolicy::REG_ALLOW_ANY, | 354 sandbox::TargetPolicy::REG_ALLOW_ANY, |
| 356 policy)) | 355 policy)) |
| 357 return false; | 356 return false; |
| 358 | 357 |
| 359 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA", | 358 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA", |
| 360 sandbox::TargetPolicy::REG_ALLOW_ANY, | 359 sandbox::TargetPolicy::REG_ALLOW_ANY, |
| 361 policy)) | 360 policy)) |
| 362 return false; | 361 return false; |
| 363 return true; | 362 return true; |
| 364 } | 363 } |
| 365 | 364 |
| 365 // Returns true of the plugin specified in |cmd_line| is the built-in | |
| 366 // flash plugin and optionally returns its full path in |flash_path| | |
| 367 bool IsBuiltInFlash(const CommandLine* cmd_line, FilePath* flash_path) { | |
| 368 std::wstring plugin_dll = cmd_line-> | |
| 369 GetSwitchValueNative(switches::kPluginPath); | |
| 370 | |
| 371 FilePath builtin_flash; | |
| 372 if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) | |
| 373 return false; | |
| 374 | |
| 375 FilePath plugin_path(plugin_dll); | |
| 376 if (plugin_path != builtin_flash) | |
| 377 return false; | |
| 378 | |
| 379 if (flash_path) | |
| 380 *flash_path = plugin_path; | |
| 381 return true; | |
| 382 } | |
| 383 | |
| 384 | |
| 366 // Adds the custom policy rules for a given plugin. |trusted_plugins| contains | 385 // Adds the custom policy rules for a given plugin. |trusted_plugins| contains |
| 367 // the comma separate list of plugin dll names that should not be sandboxed. | 386 // the comma separate list of plugin dll names that should not be sandboxed. |
| 368 bool AddPolicyForPlugin(CommandLine* cmd_line, | 387 bool AddPolicyForPlugin(CommandLine* cmd_line, |
| 369 sandbox::TargetPolicy* policy) { | 388 sandbox::TargetPolicy* policy) { |
| 370 std::wstring plugin_dll = cmd_line-> | 389 std::wstring plugin_dll = cmd_line-> |
| 371 GetSwitchValueNative(switches::kPluginPath); | 390 GetSwitchValueNative(switches::kPluginPath); |
| 372 std::wstring trusted_plugins = CommandLine::ForCurrentProcess()-> | 391 std::wstring trusted_plugins = CommandLine::ForCurrentProcess()-> |
| 373 GetSwitchValueNative(switches::kTrustedPlugins); | 392 GetSwitchValueNative(switches::kTrustedPlugins); |
| 374 // Add the policy for the pipes. | 393 // Add the policy for the pipes. |
| 375 sandbox::ResultCode result = sandbox::SBOX_ALL_OK; | 394 sandbox::ResultCode result = sandbox::SBOX_ALL_OK; |
| 376 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, | 395 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, |
| 377 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, | 396 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, |
| 378 L"\\\\.\\pipe\\chrome.*"); | 397 L"\\\\.\\pipe\\chrome.*"); |
| 379 if (result != sandbox::SBOX_ALL_OK) { | 398 if (result != sandbox::SBOX_ALL_OK) { |
| 380 NOTREACHED(); | 399 NOTREACHED(); |
| 381 return false; | 400 return false; |
| 382 } | 401 } |
| 383 | 402 |
| 384 // The built-in flash gets a custom, more restricted sandbox. | 403 // The built-in flash gets a custom, more restricted sandbox. |
| 385 FilePath builtin_flash; | 404 FilePath flash_path; |
| 386 if (PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) { | 405 if (IsBuiltInFlash(cmd_line, &flash_path)) { |
| 387 FilePath plugin_path(plugin_dll); | 406 // Spawn the flash broker and apply sandbox policy. |
| 388 if (plugin_path == builtin_flash) { | 407 if (!LoadFlashBroker(flash_path, cmd_line)) { |
| 389 // Spawn the flash broker and apply sandbox policy. | 408 // Could not start the broker, use a very weak policy instead. |
| 390 if (!LoadFlashBroker(plugin_path, cmd_line)) { | 409 DLOG(WARNING) << "Failed to start flash broker"; |
| 391 // Could not start the broker, use a very weak policy instead. | 410 return ApplyPolicyForTrustedPlugin(policy); |
| 392 DLOG(WARNING) << "Failed to start flash broker"; | |
| 393 return ApplyPolicyForTrustedPlugin(policy); | |
| 394 } | |
| 395 return ApplyPolicyForBuiltInFlashPlugin(policy); | |
| 396 } | 411 } |
| 412 return ApplyPolicyForBuiltInFlashPlugin(policy); | |
| 397 } | 413 } |
| 398 | 414 |
| 399 PluginPolicyCategory policy_category = | 415 PluginPolicyCategory policy_category = |
| 400 GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins); | 416 GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins); |
| 401 | 417 |
| 402 switch (policy_category) { | 418 switch (policy_category) { |
| 403 case PLUGIN_GROUP_TRUSTED: | 419 case PLUGIN_GROUP_TRUSTED: |
| 404 return ApplyPolicyForTrustedPlugin(policy); | 420 return ApplyPolicyForTrustedPlugin(policy); |
| 405 case PLUGIN_GROUP_UNTRUSTED: | 421 case PLUGIN_GROUP_UNTRUSTED: |
| 406 return ApplyPolicyForUntrustedPlugin(policy); | 422 return ApplyPolicyForUntrustedPlugin(policy); |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 475 type = ChildProcessInfo::NACL_BROKER_PROCESS; | 491 type = ChildProcessInfo::NACL_BROKER_PROCESS; |
| 476 } else if (type_str == switches::kGpuProcess) { | 492 } else if (type_str == switches::kGpuProcess) { |
| 477 type = ChildProcessInfo::GPU_PROCESS; | 493 type = ChildProcessInfo::GPU_PROCESS; |
| 478 } else { | 494 } else { |
| 479 NOTREACHED(); | 495 NOTREACHED(); |
| 480 return 0; | 496 return 0; |
| 481 } | 497 } |
| 482 | 498 |
| 483 TRACE_EVENT_BEGIN("StartProcessWithAccess", 0, type_str); | 499 TRACE_EVENT_BEGIN("StartProcessWithAccess", 0, type_str); |
| 484 | 500 |
| 501 // To decide if the process is going to be sandboxed we have two cases. | |
| 502 // First case: all process types except the nacl broker, gpu process and | |
| 503 // the plugin process are sandboxed by default. | |
| 485 bool in_sandbox = | 504 bool in_sandbox = |
| 505 !browser_command_line.HasSwitch(switches::kNoSandbox) && | |
| 486 (type != ChildProcessInfo::NACL_BROKER_PROCESS) && | 506 (type != ChildProcessInfo::NACL_BROKER_PROCESS) && |
| 487 !browser_command_line.HasSwitch(switches::kNoSandbox) && | 507 (type != ChildProcessInfo::GPU_PROCESS) && |
| 488 (type != ChildProcessInfo::PLUGIN_PROCESS || | 508 (type != ChildProcessInfo::PLUGIN_PROCESS); |
| 489 browser_command_line.HasSwitch(switches::kSafePlugins)) && | 509 |
| 490 (type != ChildProcessInfo::GPU_PROCESS); | 510 // Second case: If it is the plugin process then it depends on it being |
| 511 // the built-in flash, the user forcing plugins into sandbox or the | |
| 512 // the user explicitly excluding flash from the sandbox. | |
| 513 if (!in_sandbox && (type == ChildProcessInfo::PLUGIN_PROCESS)) { | |
| 514 in_sandbox = browser_command_line.HasSwitch(switches::kSafePlugins) || | |
| 515 (IsBuiltInFlash(cmd_line, NULL) && | |
| 516 !browser_command_line.HasSwitch(switches::kDisableFlashSandbox)); | |
|
nsylvain
2010/11/12 19:41:58
I think we still want to add kNoSandbox here. If
cpu_(ooo_6.6-7.5)
2010/11/12 20:42:19
Sounds reasonable.
| |
| 517 } | |
| 518 | |
| 491 #if !defined (GOOGLE_CHROME_BUILD) | 519 #if !defined (GOOGLE_CHROME_BUILD) |
| 492 if (browser_command_line.HasSwitch(switches::kInProcessPlugins)) { | 520 if (browser_command_line.HasSwitch(switches::kInProcessPlugins)) { |
| 493 // In process plugins won't work if the sandbox is enabled. | 521 // In process plugins won't work if the sandbox is enabled. |
| 494 in_sandbox = false; | 522 in_sandbox = false; |
| 495 } | 523 } |
| 496 #endif | 524 #endif |
| 497 if (!browser_command_line.HasSwitch(switches::kDisableExperimentalWebGL) && | 525 if (!browser_command_line.HasSwitch(switches::kDisableExperimentalWebGL) && |
| 498 browser_command_line.HasSwitch(switches::kInProcessWebGL)) { | 526 browser_command_line.HasSwitch(switches::kInProcessWebGL)) { |
| 499 // In process WebGL won't work if the sandbox is enabled. | 527 // In process WebGL won't work if the sandbox is enabled. |
| 500 in_sandbox = false; | 528 in_sandbox = false; |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 578 | 606 |
| 579 // Help the process a little. It can't start the debugger by itself if | 607 // Help the process a little. It can't start the debugger by itself if |
| 580 // the process is in a sandbox. | 608 // the process is in a sandbox. |
| 581 if (child_needs_help) | 609 if (child_needs_help) |
| 582 base::debug::SpawnDebuggerOnProcess(target.dwProcessId); | 610 base::debug::SpawnDebuggerOnProcess(target.dwProcessId); |
| 583 | 611 |
| 584 return process; | 612 return process; |
| 585 } | 613 } |
| 586 | 614 |
| 587 } // namespace sandbox | 615 } // namespace sandbox |
| OLD | NEW |
