1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/common/sandbox_policy.h" | 5 #include "chrome/common/sandbox_policy.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "app/win_util.h" | 9 #include "app/win_util.h" |
10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
340 bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { | 340 bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { |
341 // TODO(cpu): Lock down the job level more. | 341 // TODO(cpu): Lock down the job level more. |
342 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); | 342 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); |
343 | 343 |
344 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; | 344 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; |
345 | 345 |
346 if (base::win::GetVersion() > base::win::VERSION_XP) | 346 if (base::win::GetVersion() > base::win::VERSION_XP) |
347 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; | 347 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; |
348 | 348 |
349 policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); | 349 policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); |
| 350 |
350 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); | 351 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); |
351 | 352 |
352 // TODO(cpu): Proxy registry access and remove these policies. | 353 // TODO(cpu): Proxy registry access and remove these policies. |
353 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE", | 354 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE", |
354 sandbox::TargetPolicy::REG_ALLOW_ANY, | 355 sandbox::TargetPolicy::REG_ALLOW_ANY, |
355 policy)) | 356 policy)) |
356 return false; | 357 return false; |
357 | 358 |
358 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA", | 359 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA", |
359 sandbox::TargetPolicy::REG_ALLOW_ANY, | 360 sandbox::TargetPolicy::REG_ALLOW_ANY, |
360 policy)) | 361 policy)) |
361 return false; | 362 return false; |
362 return true; | 363 return true; |
363 } | 364 } |
364 | 365 |
365 // Returns true of the plugin specified in |cmd_line| is the built-in | |
366 // flash plugin and optionally returns its full path in |flash_path| | |
367 bool IsBuiltInFlash(const CommandLine* cmd_line, FilePath* flash_path) { | |
368 std::wstring plugin_dll = cmd_line-> | |
369 GetSwitchValueNative(switches::kPluginPath); | |
370 | |
371 FilePath builtin_flash; | |
372 if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) | |
373 return false; | |
374 | |
375 FilePath plugin_path(plugin_dll); | |
376 if (plugin_path != builtin_flash) | |
377 return false; | |
378 | |
379 if (flash_path) | |
380 *flash_path = plugin_path; | |
381 return true; | |
382 } | |
383 | |
384 | |
385 // Adds the custom policy rules for a given plugin. |trusted_plugins| contains | 366 // Adds the custom policy rules for a given plugin. |trusted_plugins| contains |
386 // the comma separate list of plugin dll names that should not be sandboxed. | 367 // the comma separate list of plugin dll names that should not be sandboxed. |
387 bool AddPolicyForPlugin(CommandLine* cmd_line, | 368 bool AddPolicyForPlugin(CommandLine* cmd_line, |
388 sandbox::TargetPolicy* policy) { | 369 sandbox::TargetPolicy* policy) { |
389 std::wstring plugin_dll = cmd_line-> | 370 std::wstring plugin_dll = cmd_line-> |
390 GetSwitchValueNative(switches::kPluginPath); | 371 GetSwitchValueNative(switches::kPluginPath); |
391 std::wstring trusted_plugins = CommandLine::ForCurrentProcess()-> | 372 std::wstring trusted_plugins = CommandLine::ForCurrentProcess()-> |
392 GetSwitchValueNative(switches::kTrustedPlugins); | 373 GetSwitchValueNative(switches::kTrustedPlugins); |
393 // Add the policy for the pipes. | 374 // Add the policy for the pipes. |
394 sandbox::ResultCode result = sandbox::SBOX_ALL_OK; | 375 sandbox::ResultCode result = sandbox::SBOX_ALL_OK; |
395 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, | 376 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, |
396 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, | 377 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, |
397 L"\\\\.\\pipe\\chrome.*"); | 378 L"\\\\.\\pipe\\chrome.*"); |
398 if (result != sandbox::SBOX_ALL_OK) { | 379 if (result != sandbox::SBOX_ALL_OK) { |
399 NOTREACHED(); | 380 NOTREACHED(); |
400 return false; | 381 return false; |
401 } | 382 } |
402 | 383 |
403 // The built-in flash gets a custom, more restricted sandbox. | 384 // The built-in flash gets a custom, more restricted sandbox. |
404 FilePath flash_path; | 385 FilePath builtin_flash; |
405 if (IsBuiltInFlash(cmd_line, &flash_path)) { | 386 if (PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash)) { |
406 // Spawn the flash broker and apply sandbox policy. | 387 FilePath plugin_path(plugin_dll); |
407 if (!LoadFlashBroker(flash_path, cmd_line)) { | 388 if (plugin_path == builtin_flash) { |
408 // Could not start the broker, use a very weak policy instead. | 389 // Spawn the flash broker and apply sandbox policy. |
409 DLOG(WARNING) << "Failed to start flash broker"; | 390 if (!LoadFlashBroker(plugin_path, cmd_line)) { |
410 return ApplyPolicyForTrustedPlugin(policy); | 391 // Could not start the broker, use a very weak policy instead. |
| 392 DLOG(WARNING) << "Failed to start flash broker"; |
| 393 return ApplyPolicyForTrustedPlugin(policy); |
| 394 } |
| 395 return ApplyPolicyForBuiltInFlashPlugin(policy); |
411 } | 396 } |
412 return ApplyPolicyForBuiltInFlashPlugin(policy); | |
413 } | 397 } |
414 | 398 |
415 PluginPolicyCategory policy_category = | 399 PluginPolicyCategory policy_category = |
416 GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins); | 400 GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins); |
417 | 401 |
418 switch (policy_category) { | 402 switch (policy_category) { |
419 case PLUGIN_GROUP_TRUSTED: | 403 case PLUGIN_GROUP_TRUSTED: |
420 return ApplyPolicyForTrustedPlugin(policy); | 404 return ApplyPolicyForTrustedPlugin(policy); |
421 case PLUGIN_GROUP_UNTRUSTED: | 405 case PLUGIN_GROUP_UNTRUSTED: |
422 return ApplyPolicyForUntrustedPlugin(policy); | 406 return ApplyPolicyForUntrustedPlugin(policy); |
493 type = ChildProcessInfo::GPU_PROCESS; | 477 type = ChildProcessInfo::GPU_PROCESS; |
494 } else if (type_str == switches::kPpapiPluginProcess) { | 478 } else if (type_str == switches::kPpapiPluginProcess) { |
495 type = ChildProcessInfo::PPAPI_PLUGIN_PROCESS; | 479 type = ChildProcessInfo::PPAPI_PLUGIN_PROCESS; |
496 } else { | 480 } else { |
497 NOTREACHED(); | 481 NOTREACHED(); |
498 return 0; | 482 return 0; |
499 } | 483 } |
500 | 484 |
501 TRACE_EVENT_BEGIN("StartProcessWithAccess", 0, type_str); | 485 TRACE_EVENT_BEGIN("StartProcessWithAccess", 0, type_str); |
502 | 486 |
503 // To decide if the process is going to be sandboxed we have two cases. | |
504 // First case: all process types except the nacl broker, gpu process and | |
505 // the plugin process are sandboxed by default. | |
506 bool in_sandbox = | 487 bool in_sandbox = |
507 (type != ChildProcessInfo::NACL_BROKER_PROCESS) && | 488 (type != ChildProcessInfo::NACL_BROKER_PROCESS) && |
508 (type != ChildProcessInfo::GPU_PROCESS) && | 489 !browser_command_line.HasSwitch(switches::kNoSandbox) && |
509 (type != ChildProcessInfo::PLUGIN_PROCESS); | 490 (type != ChildProcessInfo::PLUGIN_PROCESS || |
510 | 491 browser_command_line.HasSwitch(switches::kSafePlugins)) && |
511 // Second case: If it is the plugin process then it depends on it being | 492 (type != ChildProcessInfo::GPU_PROCESS); |
512 // the built-in flash, the user forcing plugins into sandbox or the | |
513 // the user explicitly excluding flash from the sandbox. | |
514 if (!in_sandbox && (type == ChildProcessInfo::PLUGIN_PROCESS)) { | |
515 in_sandbox = browser_command_line.HasSwitch(switches::kSafePlugins) || | |
516 (IsBuiltInFlash(cmd_line, NULL) && | |
517 !browser_command_line.HasSwitch(switches::kDisableFlashSandbox)); | |
518 } | |
519 | |
520 if (browser_command_line.HasSwitch(switches::kNoSandbox)) { | |
521 // The user has explicity opted-out from all sandboxing. | |
522 in_sandbox = false; | |
523 } | |
524 | |
525 #if !defined (GOOGLE_CHROME_BUILD) | 493 #if !defined (GOOGLE_CHROME_BUILD) |
526 if (browser_command_line.HasSwitch(switches::kInProcessPlugins)) { | 494 if (browser_command_line.HasSwitch(switches::kInProcessPlugins)) { |
527 // In process plugins won't work if the sandbox is enabled. | 495 // In process plugins won't work if the sandbox is enabled. |
528 in_sandbox = false; | 496 in_sandbox = false; |
529 } | 497 } |
530 #endif | 498 #endif |
531 if (!browser_command_line.HasSwitch(switches::kDisableExperimentalWebGL) && | 499 if (!browser_command_line.HasSwitch(switches::kDisableExperimentalWebGL) && |
532 browser_command_line.HasSwitch(switches::kInProcessWebGL)) { | 500 browser_command_line.HasSwitch(switches::kInProcessWebGL)) { |
533 // In process WebGL won't work if the sandbox is enabled. | 501 // In process WebGL won't work if the sandbox is enabled. |
534 in_sandbox = false; | 502 in_sandbox = false; |
612 | 580 |
613 // Help the process a little. It can't start the debugger by itself if | 581 // Help the process a little. It can't start the debugger by itself if |
614 // the process is in a sandbox. | 582 // the process is in a sandbox. |
615 if (child_needs_help) | 583 if (child_needs_help) |
616 base::debug::SpawnDebuggerOnProcess(target.dwProcessId); | 584 base::debug::SpawnDebuggerOnProcess(target.dwProcessId); |
617 | 585 |
618 return process; | 586 return process; |
619 } | 587 } |
620 | 588 |
621 } // namespace sandbox | 589 } // namespace sandbox |
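Review bot: The rewritten `in_sandbox` expression at new lines 487-492 drops the built-in-Flash case together with the comment that explained the two-case decision, so a reader no longer sees that a plugin process is now sandboxed only when the user passes kSafePlugins, while the nacl broker and GPU process never are and kNoSandbox overrides everything. A short comment above the expression would keep that intent visible, e.g. `// Sandbox everything except the nacl broker and GPU process; plugin processes only when the user forces it with kSafePlugins; kNoSandbox disables all of it.` The removed branch also consulted `switches::kDisableFlashSandbox`, which this file no longer reads; if nothing else references that switch it becomes a silent no-op and should be retired or its new meaning documented. Note that the built-in Flash plugin still receives its dedicated policy in AddPolicyForPlugin (new lines 384-397), but with this change that path is only reached under kSafePlugins, which is worth stating in the commit description if it is intended. The enclosing StartProcessWithAccess function begins and ends outside the shown lines.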