1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/common/sandbox_policy.h" | 5 #include "chrome/common/sandbox_policy.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "app/win_util.h" | 9 #include "app/win_util.h" |
10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
340 bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { | 340 bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { |
341 // TODO(cpu): Lock down the job level more. | 341 // TODO(cpu): Lock down the job level more. |
342 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); | 342 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); |
343 | 343 |
344 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; | 344 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; |
345 | 345 |
346 if (base::win::GetVersion() > base::win::VERSION_XP) | 346 if (base::win::GetVersion() > base::win::VERSION_XP) |
347 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; | 347 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; |
348 | 348 |
349 policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); | 349 policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); |
350 | |
351 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); | 350 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); |
352 | 351 |
353 // TODO(cpu): Proxy registry access and remove these policies. | 352 // TODO(cpu): Proxy registry access and remove these policies. |
354 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE", | 353 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE", |
355 sandbox::TargetPolicy::REG_ALLOW_ANY, | 354 sandbox::TargetPolicy::REG_ALLOW_ANY, |
356 policy)) | 355 policy)) |
357 return false; | 356 return false; |
358 | 357 |
359 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA", | 358 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA", |
360 sandbox::TargetPolicy::REG_ALLOW_ANY, | 359 sandbox::TargetPolicy::REG_ALLOW_ANY, |
361 policy)) | 360 policy)) |
362 return false; | 361 return false; |
363 return true; | 362 return true; |
364 } | 363 } |
365 | 364 |
365 // Returns true of the plugin specified in |cmd_line| is the built-in | |
366 // flash plugin and optionally returns its full path in |flash_path| | |
367 bool IsBuiltInFlash(const CommandLine* cmd_line, FilePath* flash_path) { | |
368 std::wstring plugin_dll = cmd_line-> | |
369 GetSwitchValueNative(switches::kPluginPath); | |
370 | |
371 FilePath builtin_flash; | |
372 if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) | |
373 return false; | |
374 | |
375 FilePath plugin_path(plugin_dll); | |
376 if (plugin_path != builtin_flash) | |
377 return false; | |
378 | |
379 if (flash_path) | |
380 *flash_path = plugin_path; | |
381 return true; | |
382 } | |
383 | |
384 | |
366 // Adds the custom policy rules for a given plugin. |trusted_plugins| contains | 385 // Adds the custom policy rules for a given plugin. |trusted_plugins| contains |
367 // the comma separate list of plugin dll names that should not be sandboxed. | 386 // the comma separate list of plugin dll names that should not be sandboxed. |
368 bool AddPolicyForPlugin(CommandLine* cmd_line, | 387 bool AddPolicyForPlugin(CommandLine* cmd_line, |
369 sandbox::TargetPolicy* policy) { | 388 sandbox::TargetPolicy* policy) { |
370 std::wstring plugin_dll = cmd_line-> | 389 std::wstring plugin_dll = cmd_line-> |
371 GetSwitchValueNative(switches::kPluginPath); | 390 GetSwitchValueNative(switches::kPluginPath); |
372 std::wstring trusted_plugins = CommandLine::ForCurrentProcess()-> | 391 std::wstring trusted_plugins = CommandLine::ForCurrentProcess()-> |
373 GetSwitchValueNative(switches::kTrustedPlugins); | 392 GetSwitchValueNative(switches::kTrustedPlugins); |
374 // Add the policy for the pipes. | 393 // Add the policy for the pipes. |
375 sandbox::ResultCode result = sandbox::SBOX_ALL_OK; | 394 sandbox::ResultCode result = sandbox::SBOX_ALL_OK; |
376 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, | 395 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, |
377 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, | 396 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, |
378 L"\\\\.\\pipe\\chrome.*"); | 397 L"\\\\.\\pipe\\chrome.*"); |
379 if (result != sandbox::SBOX_ALL_OK) { | 398 if (result != sandbox::SBOX_ALL_OK) { |
380 NOTREACHED(); | 399 NOTREACHED(); |
381 return false; | 400 return false; |
382 } | 401 } |
383 | 402 |
384 // The built-in flash gets a custom, more restricted sandbox. | 403 // The built-in flash gets a custom, more restricted sandbox. |
385 FilePath builtin_flash; | 404 FilePath flash_path; |
386 if (PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) { | 405 if (IsBuiltInFlash(cmd_line, &flash_path)) { |
387 FilePath plugin_path(plugin_dll); | 406 // Spawn the flash broker and apply sandbox policy. |
388 if (plugin_path == builtin_flash) { | 407 if (!LoadFlashBroker(flash_path, cmd_line)) { |
389 // Spawn the flash broker and apply sandbox policy. | 408 // Could not start the broker, use a very weak policy instead. |
390 if (!LoadFlashBroker(plugin_path, cmd_line)) { | 409 DLOG(WARNING) << "Failed to start flash broker"; |
391 // Could not start the broker, use a very weak policy instead. | 410 return ApplyPolicyForTrustedPlugin(policy); |
392 DLOG(WARNING) << "Failed to start flash broker"; | |
393 return ApplyPolicyForTrustedPlugin(policy); | |
394 } | |
395 return ApplyPolicyForBuiltInFlashPlugin(policy); | |
396 } | 411 } |
412 return ApplyPolicyForBuiltInFlashPlugin(policy); | |
397 } | 413 } |
398 | 414 |
399 PluginPolicyCategory policy_category = | 415 PluginPolicyCategory policy_category = |
400 GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins); | 416 GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins); |
401 | 417 |
402 switch (policy_category) { | 418 switch (policy_category) { |
403 case PLUGIN_GROUP_TRUSTED: | 419 case PLUGIN_GROUP_TRUSTED: |
404 return ApplyPolicyForTrustedPlugin(policy); | 420 return ApplyPolicyForTrustedPlugin(policy); |
405 case PLUGIN_GROUP_UNTRUSTED: | 421 case PLUGIN_GROUP_UNTRUSTED: |
406 return ApplyPolicyForUntrustedPlugin(policy); | 422 return ApplyPolicyForUntrustedPlugin(policy); |
475 type = ChildProcessInfo::NACL_BROKER_PROCESS; | 491 type = ChildProcessInfo::NACL_BROKER_PROCESS; |
476 } else if (type_str == switches::kGpuProcess) { | 492 } else if (type_str == switches::kGpuProcess) { |
477 type = ChildProcessInfo::GPU_PROCESS; | 493 type = ChildProcessInfo::GPU_PROCESS; |
478 } else { | 494 } else { |
479 NOTREACHED(); | 495 NOTREACHED(); |
480 return 0; | 496 return 0; |
481 } | 497 } |
482 | 498 |
483 TRACE_EVENT_BEGIN("StartProcessWithAccess", 0, type_str); | 499 TRACE_EVENT_BEGIN("StartProcessWithAccess", 0, type_str); |
484 | 500 |
501 // To decide if the process is going to be sandboxed we have two cases. | |
502 // First case: all process types except the nacl broker, gpu process and | |
503 // the plugin process are sandboxed by default. | |
485 bool in_sandbox = | 504 bool in_sandbox = |
505 !browser_command_line.HasSwitch(switches::kNoSandbox) && | |
486 (type != ChildProcessInfo::NACL_BROKER_PROCESS) && | 506 (type != ChildProcessInfo::NACL_BROKER_PROCESS) && |
487 !browser_command_line.HasSwitch(switches::kNoSandbox) && | 507 (type != ChildProcessInfo::GPU_PROCESS) && |
488 (type != ChildProcessInfo::PLUGIN_PROCESS || | 508 (type != ChildProcessInfo::PLUGIN_PROCESS); |
489 browser_command_line.HasSwitch(switches::kSafePlugins)) && | 509 |
490 (type != ChildProcessInfo::GPU_PROCESS); | 510 // Second case: If it is the plugin process then it depends on it being |
511 // the built-in flash, the user forcing plugins into sandbox or the | |
512 // the user explicitly excluding flash from the sandbox. | |
513 if (!in_sandbox && (type == ChildProcessInfo::PLUGIN_PROCESS)) { | |
514 in_sandbox = browser_command_line.HasSwitch(switches::kSafePlugins) || | |
515 (IsBuiltInFlash(cmd_line, NULL) && | |
516 !browser_command_line.HasSwitch(switches::kDisableFlashSandbox)); | |
nsylvain
2010/11/12 19:41:58
I think we still want to add kNoSandbox here. If
cpu_(ooo_6.6-7.5)
2010/11/12 20:42:19
Sounds reasonable.
| |
517 } | |
518 | |
491 #if !defined (GOOGLE_CHROME_BUILD) | 519 #if !defined (GOOGLE_CHROME_BUILD) |
492 if (browser_command_line.HasSwitch(switches::kInProcessPlugins)) { | 520 if (browser_command_line.HasSwitch(switches::kInProcessPlugins)) { |
493 // In process plugins won't work if the sandbox is enabled. | 521 // In process plugins won't work if the sandbox is enabled. |
494 in_sandbox = false; | 522 in_sandbox = false; |
495 } | 523 } |
496 #endif | 524 #endif |
497 if (!browser_command_line.HasSwitch(switches::kDisableExperimentalWebGL) && | 525 if (!browser_command_line.HasSwitch(switches::kDisableExperimentalWebGL) && |
498 browser_command_line.HasSwitch(switches::kInProcessWebGL)) { | 526 browser_command_line.HasSwitch(switches::kInProcessWebGL)) { |
499 // In process WebGL won't work if the sandbox is enabled. | 527 // In process WebGL won't work if the sandbox is enabled. |
500 in_sandbox = false; | 528 in_sandbox = false; |
578 | 606 |
579 // Help the process a little. It can't start the debugger by itself if | 607 // Help the process a little. It can't start the debugger by itself if |
580 // the process is in a sandbox. | 608 // the process is in a sandbox. |
581 if (child_needs_help) | 609 if (child_needs_help) |
582 base::debug::SpawnDebuggerOnProcess(target.dwProcessId); | 610 base::debug::SpawnDebuggerOnProcess(target.dwProcessId); |
583 | 611 |
584 return process; | 612 return process; |
585 } | 613 } |
586 | 614 |
587 } // namespace sandbox | 615 } // namespace sandbox |
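Review bot: IsBuiltInFlash (new lines 367-382) now decides both which policy the plugin gets and, through the new in_sandbox block (new lines 513-517), whether the plugin process is sandboxed at all, yet it only does a plain FilePath equality against the PathService result, so a --plugin-path that names the same file in a different form (relative vs. absolute, trailing separator, an 8.3 short name) silently falls through to the generic plugin path, which without --safe-plugins means no sandbox rather than failing closed. The header comment should state that assumption, e.g. `// Returns true if the plugin named by |cmd_line| is the built-in flash plugin, i.e. its --plugin-path compares equal (no normalization) to chrome::FILE_FLASH_PLUGIN; |flash_path| may be NULL.`, and it is worth confirming that the browser always builds the child command line from the same canonical PathService path so the comparison cannot miss. Two wording nits in the added comments: "Returns true of the plugin" should read "Returns true if", and "the the user explicitly excluding flash" has a doubled "the". StartProcessWithAccess begins and ends outside the visible hunks, so the remaining in_sandbox adjustments after new line 528 were not reviewed.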