| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/common/sandbox_policy.h" | 5 #include "chrome/common/sandbox_policy.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "app/win/win_util.h" | 9 #include "app/win/win_util.h" |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| (...skipping 307 matching lines...) | |
| 318 bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) { | 318 bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) { |
| 319 FilePath rundll; | 319 FilePath rundll; |
| 320 if (!PathService::Get(base::DIR_SYSTEM, &rundll)) | 320 if (!PathService::Get(base::DIR_SYSTEM, &rundll)) |
| 321 return false; | 321 return false; |
| 322 rundll = rundll.AppendASCII("rundll32.exe"); | 322 rundll = rundll.AppendASCII("rundll32.exe"); |
| 323 // Rundll32 cannot handle paths with spaces, so we use the short path. | 323 // Rundll32 cannot handle paths with spaces, so we use the short path. |
| 324 wchar_t short_path[MAX_PATH]; | 324 wchar_t short_path[MAX_PATH]; |
| 325 if (0 == ::GetShortPathNameW(plugin_path.value().c_str(), | 325 if (0 == ::GetShortPathNameW(plugin_path.value().c_str(), |
| 326 short_path, arraysize(short_path))) | 326 short_path, arraysize(short_path))) |
| 327 return false; | 327 return false; |
| 328 // Here is the kicker, if the user has disabled 8.3 (short path) support | |
| 329 // on the volume GetShortPathNameW does not fail but simply returns the | |
| 330 // input path. In this case if the path had any spaces then rundll32 will | |
|
rvargas (doing something else)
2011/01/11 03:46:32
oh, God ...
| |
| 331 // incorrectly interpret its parameters. So we quote the path, even though | |
| 332 // the kb/164787 says you should not. | |
| 328 std::wstring cmd_final = | 333 std::wstring cmd_final = |
| 329 base::StringPrintf(L"%ls %ls,BrokerMain browser=chrome", | 334 base::StringPrintf(L"%ls \"%ls\",BrokerMain browser=chrome", |
| 330 rundll.value().c_str(), | 335 rundll.value().c_str(), |
| 331 short_path); | 336 short_path); |
| 332 base::ProcessHandle process; | 337 base::ProcessHandle process; |
| 333 if (!base::LaunchApp(cmd_final, false, true, &process)) | 338 if (!base::LaunchApp(cmd_final, false, true, &process)) |
| 334 return false; | 339 return false; |
| 335 | 340 |
| 336 cmd_line->AppendSwitchASCII("flash-broker", | 341 cmd_line->AppendSwitchASCII("flash-broker", |
| 337 base::Int64ToString(::GetProcessId(process))); | 342 base::Int64ToString(::GetProcessId(process))); |
| 338 | 343 |
| 339 // The flash broker, unders some circumstances can linger beyond the lifetime | 344 // The flash broker, unders some circumstances can linger beyond the lifetime |
| (...skipping 11 matching lines...) | |
| 351 } else { | 356 } else { |
| 352 ::CloseHandle(job); | 357 ::CloseHandle(job); |
| 353 return false; | 358 return false; |
| 354 } | 359 } |
| 355 | 360 |
| 356 ::CloseHandle(process); | 361 ::CloseHandle(process); |
| 357 return true; | 362 return true; |
| 358 } | 363 } |
| 359 | 364 |
| 360 // Creates a sandbox for the built-in flash plugin running in a restricted | 365 // Creates a sandbox for the built-in flash plugin running in a restricted |
| 361 // environment. This is a work in progress and for the time being do not | 366 // environment. This policy is in continual flux as flash changes |
| 362 // pay attention to the duplication between this function and the above | 367 // capabilities. For more information see bug 50796. |
| 363 // function. For more information see bug 50796. | |
| 364 bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { | 368 bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) { |
| 365 // TODO(cpu): Lock down the job level more. | |
| 366 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); | 369 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0); |
| 370 // Vista and Win7 get a weaker token but have low integrity. | |
| 371 if (base::win::GetVersion() > base::win::VERSION_XP) { | |
| 372 policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, | |
| 373 sandbox::USER_INTERACTIVE); | |
| 374 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); | |
| 375 } else { | |
| 376 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, | |
| 377 sandbox::USER_LIMITED); | |
| 367 | 378 |
| 368 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; | 379 if (!AddKeyAndSubkeys(L"HKEY_LOCAL_MACHINE\\SOFTWARE", |
| 380 sandbox::TargetPolicy::REG_ALLOW_READONLY, | |
| 381 policy)) | |
| 382 return false; | |
| 383 if (!AddKeyAndSubkeys(L"HKEY_LOCAL_MACHINE\\SYSTEM", | |
| 384 sandbox::TargetPolicy::REG_ALLOW_READONLY, | |
| 385 policy)) | |
| 386 return false; | |
| 369 | 387 |
| 370 if (base::win::GetVersion() > base::win::VERSION_XP) | 388 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE", |
| 371 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; | 389 sandbox::TargetPolicy::REG_ALLOW_READONLY, |
| 372 | 390 policy)) |
| 373 policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED); | |
| 374 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); | |
| 375 | |
| 376 // TODO(cpu): Proxy registry access and remove these policies. | |
| 377 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE", | |
| 378 sandbox::TargetPolicy::REG_ALLOW_ANY, | |
| 379 policy)) | |
| 380 return false; | 391 return false; |
| 381 | 392 } |
| 382 if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA", | |
| 383 sandbox::TargetPolicy::REG_ALLOW_ANY, | |
| 384 policy)) | |
| 385 return false; | |
| 386 return true; | 393 return true; |
| 387 } | 394 } |
| 388 | 395 |
| 389 // Returns true of the plugin specified in |cmd_line| is the built-in | 396 // Returns true of the plugin specified in |cmd_line| is the built-in |
| 390 // flash plugin and optionally returns its full path in |flash_path| | 397 // flash plugin and optionally returns its full path in |flash_path| |
| 391 bool IsBuiltInFlash(const CommandLine* cmd_line, FilePath* flash_path) { | 398 bool IsBuiltInFlash(const CommandLine* cmd_line, FilePath* flash_path) { |
| 392 std::wstring plugin_dll = cmd_line-> | 399 std::wstring plugin_dll = cmd_line-> |
| 393 GetSwitchValueNative(switches::kPluginPath); | 400 GetSwitchValueNative(switches::kPluginPath); |
| 394 | 401 |
| 395 FilePath builtin_flash; | 402 FilePath builtin_flash; |
| (...skipping 242 matching lines...) | |
| 638 | 645 |
| 639 // Help the process a little. It can't start the debugger by itself if | 646 // Help the process a little. It can't start the debugger by itself if |
| 640 // the process is in a sandbox. | 647 // the process is in a sandbox. |
| 641 if (child_needs_help) | 648 if (child_needs_help) |
| 642 base::debug::SpawnDebuggerOnProcess(target.dwProcessId); | 649 base::debug::SpawnDebuggerOnProcess(target.dwProcessId); |
| 643 | 650 |
| 644 return process; | 651 return process; |
| 645 } | 652 } |
| 646 | 653 |
| 647 } // namespace sandbox | 654 } // namespace sandbox |
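Review bot: In LoadFlashBroker the newly quoted rundll32 command line is still built from `short_path` behind a check that only rejects a zero return from GetShortPathNameW; when the destination buffer is too small that call instead returns the required length and leaves the buffer unfilled, so an over-long plugin path would pass the check and the quoted argument would be formatted from an uninitialized stack array before being launched. Capturing the return value and rejecting both outcomes closes this: `DWORD len = ::GetShortPathNameW(plugin_path.value().c_str(), short_path, arraysize(short_path));` / `if (len == 0 || len >= arraysize(short_path))` / `return false;`. Separately, ApplyPolicyForBuiltInFlashPlugin drops the `// TODO(cpu): Lock down the job level more.` comment while the job stays at JOB_UNPROTECTED, and with the page's indentation lost the three REG_ALLOW_READONLY rules appear to sit inside the XP else-branch only (the `}` at new line 392 seems to close it); a one-line comment above the first AddKeyAndSubkeys call stating which token level those registry grants apply to would remove the ambiguity for the next reader.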