Get rid of content dependency from sandbox_policy.h

chrome/common/sandbox_policy.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/sandbox_policy.h"
 
 #include <string>
 
 #include "base/command_line.h"
 #include "base/debug/debugger.h"
 #include "base/debug/trace_event.h"
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/path_service.h"
 #include "base/process_util.h"
 #include "base/stringprintf.h"
-#include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "base/win/windows_version.h"
-#include "chrome/common/chrome_constants.h"
-#include "chrome/common/chrome_paths.h"
-#include "chrome/common/chrome_switches.h"
+#include "content/browser/content_browser_client.h"
+#include "content/common/content_switches.h"
 #include "content/common/child_process_info.h"
 #include "content/common/debug_flags.h"
 #include "sandbox/src/sandbox.h"
 
 static sandbox::BrokerServices* g_broker_services = NULL;
 
 namespace {
 
 // The DLLs listed here are known (or under strong suspicion) of causing crashes
 // when they are loaded in the renderer. Note: at runtime we generate short
@@ skipping 48 matching lines @@
   L"ssldivx.dll",                 // DivX.
   L"syncor11.dll",                // SynthCore Midi interface.
   L"systools.dll",                // Panda Antivirus.
   L"tfwah.dll",                   // Threatfire (PC tools).
   L"ycwebcamerasource.ax",        // Cyberlink Camera helper.
   L"wblind.dll",                  // Stardock Object desktop.
   L"wbhelp.dll",                  // Stardock Object desktop.
   L"winstylerthemehelper.dll"     // Tuneup utilities 2006.
 };
 
-enum PluginPolicyCategory {
-  PLUGIN_GROUP_TRUSTED,
-  PLUGIN_GROUP_UNTRUSTED,
-};
-
-// Returns the policy category for the plugin dll.
-PluginPolicyCategory GetPolicyCategoryForPlugin(
-    const std::wstring& dll,
-    const std::wstring& list) {
-  std::wstring filename = FilePath(dll).BaseName().value();
-  std::wstring plugin_dll = StringToLowerASCII(filename);
-  std::wstring trusted_plugins = StringToLowerASCII(list);
-
-  size_t pos = 0;
-  size_t end_item = 0;
-  while (end_item != std::wstring::npos) {
-    end_item = list.find(L",", pos);
-
-    size_t size_item = (end_item == std::wstring::npos) ? end_item :
-                                                          end_item - pos;
-    std::wstring item = list.substr(pos, size_item);
-    if (!item.empty() && item == plugin_dll)
-      return PLUGIN_GROUP_TRUSTED;
-
-    pos = end_item + 1;
-  }
-
-  return PLUGIN_GROUP_UNTRUSTED;
-}
-
 // Adds the policy rules for the path and path\ with the semantic |access|.
 // If |children| is set to true, we need to add the wildcard rules to also
 // apply the rule to the subfiles and subfolders.
 bool AddDirectory(int path, const wchar_t* sub_dir, bool children,
                   sandbox::TargetPolicy::Semantics access,
                   sandbox::TargetPolicy* policy) {
   FilePath directory;
   if (!PathService::Get(path, &directory))
     return false;
 
@@ skipping 108 matching lines @@
 
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
                            sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
                            L"\\\\.\\pipe\\chrome.nacl.*");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
   // Add the policy for debug message only in debug
 #ifndef NDEBUG
   FilePath app_dir;
-  if (!PathService::Get(chrome::DIR_APP, &app_dir))
+  if (!PathService::Get(base::DIR_MODULE, &app_dir))
     return false;
 
   wchar_t long_path_buf[MAX_PATH];
   DWORD long_path_return_value = GetLongPathName(app_dir.value().c_str(),
                                                  long_path_buf,
                                                  MAX_PATH);
   if (long_path_return_value == 0 || long_path_return_value >= MAX_PATH)
     return false;
 
   string16 debug_message(long_path_buf);
   file_util::AppendToPath(&debug_message, L"debug_message.exe");
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
                            sandbox::TargetPolicy::PROCESS_MIN_EXEC,
                            debug_message.c_str());
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 #endif  // NDEBUG
 
   return true;
 }
 
-// Creates a sandbox without any restriction.
-bool ApplyPolicyForTrustedPlugin(sandbox::TargetPolicy* policy) {
-  policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
-  policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
-  return true;
-}
-
-// Creates a sandbox with the plugin running in a restricted environment.
-// Only the "Users" and "Everyone" groups are enabled in the token. The User SID
-// is disabled.
-bool ApplyPolicyForUntrustedPlugin(sandbox::TargetPolicy* policy) {
-  policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
-
-  sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
-  if (base::win::GetVersion() > base::win::VERSION_XP) {
-    // On 2003/Vista the initial token has to be restricted if the main token
-    // is restricted.
-    initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
-  }
-  policy->SetTokenLevel(initial_token, sandbox::USER_LIMITED);
-  policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-
-  if (!AddDirectory(base::DIR_TEMP, NULL, true,
-                    sandbox::TargetPolicy::FILES_ALLOW_ANY, policy))
-    return false;
-
-  if (!AddDirectory(base::DIR_IE_INTERNET_CACHE, NULL, true,
-                    sandbox::TargetPolicy::FILES_ALLOW_ANY, policy))
-    return false;
-
-  if (!AddDirectory(base::DIR_APP_DATA, NULL, true,
-                    sandbox::TargetPolicy::FILES_ALLOW_READONLY,
-                    policy))
-    return false;
-
-  if (!AddDirectory(base::DIR_PROFILE, NULL, false,  /*not recursive*/
-                    sandbox::TargetPolicy::FILES_ALLOW_READONLY,
-                    policy))
-    return false;
-
-  if (!AddDirectory(base::DIR_APP_DATA, L"Adobe", true,
-                    sandbox::TargetPolicy::FILES_ALLOW_ANY,
-                    policy))
-    return false;
-
-  if (!AddDirectory(base::DIR_APP_DATA, L"Macromedia", true,
-                    sandbox::TargetPolicy::FILES_ALLOW_ANY,
-                    policy))
-    return false;
-
-  if (!AddDirectory(base::DIR_LOCAL_APP_DATA, NULL, true,
-                    sandbox::TargetPolicy::FILES_ALLOW_READONLY,
-                    policy))
-    return false;
-
-  if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\ADOBE",
-                        sandbox::TargetPolicy::REG_ALLOW_ANY,
-                        policy))
-    return false;
-
-  if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\MACROMEDIA",
-                        sandbox::TargetPolicy::REG_ALLOW_ANY,
-                        policy))
-    return false;
-
-  if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
-    if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE\\AppDataLow",
-                          sandbox::TargetPolicy::REG_ALLOW_ANY,
-                          policy))
-      return false;
-
-    if (!AddDirectory(base::DIR_LOCAL_APP_DATA_LOW, NULL, true,
-                      sandbox::TargetPolicy::FILES_ALLOW_ANY,
-                      policy))
-      return false;
-
-    // DIR_APP_DATA is AppData\Roaming, but Adobe needs to do a directory
-    // listing in AppData directly, so we add a non-recursive policy for
-    // AppData itself.
-    if (!AddDirectory(base::DIR_APP_DATA, L"..", false,
-                      sandbox::TargetPolicy::FILES_ALLOW_READONLY,
-                      policy))
-      return false;
-  }
-
-  return true;
-}
-
-// Launches the privileged flash broker, used when flash is sandboxed.
-// The broker is the same flash dll, except that it uses a different
-// entrypoint (BrokerMain) and it is hosted in windows' generic surrogate
-// process rundll32. After launching the broker we need to pass to
-// the flash plugin the process id of the broker via the command line
-// using --flash-broker=pid.
-// More info about rundll32 at http://support.microsoft.com/kb/164787.
-bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) {
-  FilePath rundll;
-  if (!PathService::Get(base::DIR_SYSTEM, &rundll))
-    return false;
-  rundll = rundll.AppendASCII("rundll32.exe");
-  // Rundll32 cannot handle paths with spaces, so we use the short path.
-  wchar_t short_path[MAX_PATH];
-  if (0 == ::GetShortPathNameW(plugin_path.value().c_str(),
-                               short_path, arraysize(short_path)))
-    return false;
-  // Here is the kicker, if the user has disabled 8.3 (short path) support
-  // on the volume GetShortPathNameW does not fail but simply returns the
-  // input path. In this case if the path had any spaces then rundll32 will
-  // incorrectly interpret its parameters. So we quote the path, even though
-  // the kb/164787 says you should not.
-  std::wstring cmd_final =
-      base::StringPrintf(L"%ls \"%ls\",BrokerMain browser=chrome",
-                         rundll.value().c_str(),
-                         short_path);
-  base::ProcessHandle process;
-  if (!base::LaunchApp(cmd_final, false, true, &process))
-    return false;
-
-  cmd_line->AppendSwitchASCII("flash-broker",
-                              base::Int64ToString(::GetProcessId(process)));
-
-  // The flash broker, unders some circumstances can linger beyond the lifetime
-  // of the flash player, so we put it in a job object, when the browser
-  // terminates the job object is destroyed (by the OS) and the flash broker
-  // is terminated.
-  HANDLE job = ::CreateJobObjectW(NULL, NULL);
-  JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_limits = {0};
-  job_limits.BasicLimitInformation.LimitFlags =
-      JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
-  if (::SetInformationJobObject(job, JobObjectExtendedLimitInformation,
-                                &job_limits, sizeof(job_limits))) {
-    ::AssignProcessToJobObject(job, process);
-    // Yes, we are leaking the object here. Read comment above.
-  } else {
-    ::CloseHandle(job);
-    return false;
-  }
-
-  ::CloseHandle(process);
-  return true;
-}
-
-// Creates a sandbox for the built-in flash plugin running in a restricted
-// environment. This policy is in continual flux as flash changes
-// capabilities. For more information see bug 50796.
-bool ApplyPolicyForBuiltInFlashPlugin(sandbox::TargetPolicy* policy) {
-  policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
-  // Vista and Win7 get a weaker token but have low integrity.
-  if (base::win::GetVersion() > base::win::VERSION_XP) {
-    policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                          sandbox::USER_INTERACTIVE);
-    policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-  } else {
-    policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
-                          sandbox::USER_LIMITED);
-
-    if (!AddKeyAndSubkeys(L"HKEY_LOCAL_MACHINE\\SOFTWARE",
-                          sandbox::TargetPolicy::REG_ALLOW_READONLY,
-                          policy))
-      return false;
-    if (!AddKeyAndSubkeys(L"HKEY_LOCAL_MACHINE\\SYSTEM",
-                          sandbox::TargetPolicy::REG_ALLOW_READONLY,
-                          policy))
-      return false;
-
-    if (!AddKeyAndSubkeys(L"HKEY_CURRENT_USER\\SOFTWARE",
-                          sandbox::TargetPolicy::REG_ALLOW_READONLY,
-                          policy))
-      return false;
-  }
-
-  AddDllEvictionPolicy(policy);
-  return true;
-}
-
-// Returns true of the plugin specified in |cmd_line| is the built-in
-// flash plugin and optionally returns its full path in |flash_path|
-bool IsBuiltInFlash(const CommandLine* cmd_line, FilePath* flash_path) {
-  std::wstring plugin_dll = cmd_line->
-      GetSwitchValueNative(switches::kPluginPath);
-
-  FilePath builtin_flash;
-  if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash))
-    return false;
-
-  FilePath plugin_path(plugin_dll);
-  if (plugin_path != builtin_flash)
-    return false;
-
-  if (flash_path)
-    *flash_path = plugin_path;
-  return true;
-}
-
-
-// Adds the custom policy rules for a given plugin. |trusted_plugins| contains
-// the comma separate list of plugin dll names that should not be sandboxed.
-bool AddPolicyForPlugin(CommandLine* cmd_line,
-                        sandbox::TargetPolicy* policy) {
-  std::wstring plugin_dll = cmd_line->
-      GetSwitchValueNative(switches::kPluginPath);
-  std::wstring trusted_plugins = CommandLine::ForCurrentProcess()->
-      GetSwitchValueNative(switches::kTrustedPlugins);
-  // Add the policy for the pipes.
-  sandbox::ResultCode result = sandbox::SBOX_ALL_OK;
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-                           sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
-                           L"\\\\.\\pipe\\chrome.*");
-  if (result != sandbox::SBOX_ALL_OK) {
-    NOTREACHED();
-    return false;
-  }
-
-  // The built-in flash gets a custom, more restricted sandbox.
-  FilePath flash_path;
-  if (IsBuiltInFlash(cmd_line, &flash_path)) {
-    // Spawn the flash broker and apply sandbox policy.
-    if (!LoadFlashBroker(flash_path, cmd_line)) {
-      // Could not start the broker, use a very weak policy instead.
-      DLOG(WARNING) << "Failed to start flash broker";
-      return ApplyPolicyForTrustedPlugin(policy);
-    }
-    return ApplyPolicyForBuiltInFlashPlugin(policy);
-  }
-
-  PluginPolicyCategory policy_category =
-      GetPolicyCategoryForPlugin(plugin_dll, trusted_plugins);
-
-  switch (policy_category) {
-    case PLUGIN_GROUP_TRUSTED:
-      return ApplyPolicyForTrustedPlugin(policy);
-    case PLUGIN_GROUP_UNTRUSTED:
-      return ApplyPolicyForUntrustedPlugin(policy);
-    default:
-      NOTREACHED();
-      break;
-  }
-
-  return false;
-}
-
 // For the GPU process we gotten as far as USER_LIMITED. The next level
 // which is USER_RESTRICTED breaks both the DirectX backend and the OpenGL
 // backend. Note that the GPU process is connected to the interactive
 // desktop.
 // TODO(cpu): Lock down the sandbox more if possible.
 // TODO(apatrick): Use D3D9Ex to render windowless.
 bool AddPolicyForGPU(CommandLine*, sandbox::TargetPolicy* policy) {
   policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
 
   if (base::win::GetVersion() > base::win::VERSION_XP) {
@@ skipping 92 matching lines @@
 
   TRACE_EVENT_BEGIN_ETW("StartProcessWithAccess", 0, type_str);
 
   // To decide if the process is going to be sandboxed we have two cases.
   // First case: all process types except the nacl broker, and the plugin
   // process are sandboxed by default.
   bool in_sandbox =
       (type != ChildProcessInfo::NACL_BROKER_PROCESS) &&
       (type != ChildProcessInfo::PLUGIN_PROCESS);
 
-  // Second case: If it is the plugin process then it depends on it being
-  // the built-in flash, the user forcing plugins into sandbox or the
-  // the user explicitly excluding flash from the sandbox.
-  if (!in_sandbox && (type == ChildProcessInfo::PLUGIN_PROCESS)) {
-      in_sandbox = browser_command_line.HasSwitch(switches::kSafePlugins) ||
-          (IsBuiltInFlash(cmd_line, NULL) &&
-           (base::win::GetVersion() > base::win::VERSION_XP) &&
-           !browser_command_line.HasSwitch(switches::kDisableFlashSandbox));
-  }
-
-  // Third case: If it is the GPU process then it can be disabled by a
-  // command line flag.
+  // If it is the GPU process then it can be disabled by a command line flag.
   if ((type == ChildProcessInfo::GPU_PROCESS) &&
       (browser_command_line.HasSwitch(switches::kDisableGpuSandbox))) {
     in_sandbox = false;
     VLOG(1) << "GPU sandbox is disabled";
   }
 
   if (browser_command_line.HasSwitch(switches::kNoSandbox)) {
     // The user has explicity opted-out from all sandboxing.
     in_sandbox = false;
   }
@@ skipping 19 matching lines @@
   }
 
   bool child_needs_help =
       DebugFlags::ProcessDebugFlags(cmd_line, type, in_sandbox);
 
   // Prefetch hints on windows:
   // Using a different prefetch profile per process type will allow Windows
   // to create separate pretetch settings for browser, renderer etc.
   cmd_line->AppendArg(base::StringPrintf("/prefetch:%d", type));
 
-  if (!in_sandbox) {
-    base::LaunchApp(*cmd_line, false, false, &process);
-    return process;
-  }
-
   sandbox::ResultCode result;
   PROCESS_INFORMATION target = {0};
   sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
 
-  if (type == ChildProcessInfo::PLUGIN_PROCESS) {
-    if (!AddPolicyForPlugin(cmd_line, policy))
-      return 0;
-  } else if (type == ChildProcessInfo::GPU_PROCESS) {
+  if (type == ChildProcessInfo::PLUGIN_PROCESS &&
+      content::GetContentClient()->browser()->SandboxPlugin(cmd_line, policy)) {
+    in_sandbox = true;
+    AddDllEvictionPolicy(policy);
+  }
+
+  if (!in_sandbox) {

[cpu_(ooo_6.6-7.5), 2011/05/27 20:19:09]

needs to be above.

[jam, 2011/05/27 20:25:54]

we don't know if we'll need to call LaunchApp or not until after calling to the
embedder.  i added a check for kNoSandbox above

+    policy->Release();
+    base::LaunchApp(*cmd_line, false, false, &process);
+    return process;
+  }
+
+  if (type == ChildProcessInfo::GPU_PROCESS) {
     if (!AddPolicyForGPU(cmd_line, policy))
       return 0;
   } else if (type == ChildProcessInfo::PPAPI_PLUGIN_PROCESS) {
     if (!AddPolicyForPepperPlugin(policy))
       return 0;
   } else {
     AddPolicyForRenderer(policy);
 
     if (type_str != switches::kRendererProcess) {
       // Hack for Google Desktop crash. Trick GD into not injecting its DLL into
@@ skipping 42 matching lines @@
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     base::debug::SpawnDebuggerOnProcess(target.dwProcessId);
 
   return process;
 }
 
 }  // namespace sandbox