Side by Side Diff: chrome/common/chrome_content_client.cc

Issue 7084010: Move sandbox_policy to content. (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/
Patch Set: '' Created 9 years, 7 months ago
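--- a/chrome/common/chrome_content_client.cc
+++ b/chrome/common/chrome_content_client.cc
@@ -1,28 +1,36 @@
 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/chrome_content_client.h"
 
 #include "base/command_line.h"
 #include "base/file_util.h"
 #include "base/path_service.h"
+#include "base/process_util.h"
+#include "base/string_number_conversions.h"
 #include "base/string_split.h"
 #include "base/string_util.h"
+#include "base/win/windows_version.h"
 #include "chrome/common/child_process_logging.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/render_messages.h"
 #include "content/common/pepper_plugin_registry.h"
 #include "remoting/client/plugin/pepper_entrypoints.h"
 
+#if defined(OS_WIN)
+#include "content/common/sandbox_policy.h"
+#include "sandbox/src/sandbox.h"
+#endif
+
 namespace {
 
 const char* kPDFPluginName = "Chrome PDF Viewer";
 const char* kPDFPluginMimeType = "application/pdf";
 const char* kPDFPluginExtension = "pdf";
 const char* kPDFPluginDescription = "Portable Document Format";
 
 const char* kNaClPluginName = "Chrome NaCl";
 const char* kNaClPluginMimeType = "application/x-nacl";
 const char* kNaClPluginExtension = "nexe";
@@ -175,20 +183,76 @@
   plugin.mime_types.push_back(swf_mime_type);
   webkit::npapi::WebPluginMimeType spl_mime_type(kFlashPluginSplMimeType,
                                                   kFlashPluginSplExtension,
                                                   kFlashPluginSplDescription);
   plugin.mime_types.push_back(spl_mime_type);
   plugins->push_back(plugin);
 }
 
 #endif  // !defined(NACL_WIN64)
 
+#if defined(OS_WIN)
+// Launches the privileged flash broker, used when flash is sandboxed.
+// The broker is the same flash dll, except that it uses a different
+// entrypoint (BrokerMain) and it is hosted in windows' generic surrogate
+// process rundll32. After launching the broker we need to pass to
+// the flash plugin the process id of the broker via the command line
+// using --flash-broker=pid.
+// More info about rundll32 at http://support.microsoft.com/kb/164787.
+bool LoadFlashBroker(const FilePath& plugin_path, CommandLine* cmd_line) {
+  FilePath rundll;
+  if (!PathService::Get(base::DIR_SYSTEM, &rundll))
+    return false;
+  rundll = rundll.AppendASCII("rundll32.exe");
+  // Rundll32 cannot handle paths with spaces, so we use the short path.
+  wchar_t short_path[MAX_PATH];
+  if (0 == ::GetShortPathNameW(plugin_path.value().c_str(),
+                               short_path, arraysize(short_path)))
+    return false;
+  // Here is the kicker, if the user has disabled 8.3 (short path) support
+  // on the volume GetShortPathNameW does not fail but simply returns the
+  // input path. In this case if the path had any spaces then rundll32 will
+  // incorrectly interpret its parameters. So we quote the path, even though
+  // the kb/164787 says you should not.
+  std::wstring cmd_final =
+      base::StringPrintf(L"%ls \"%ls\",BrokerMain browser=chrome",
+                         rundll.value().c_str(),
+                         short_path);
+  base::ProcessHandle process;
+  if (!base::LaunchApp(cmd_final, false, true, &process))
+    return false;
+
+  cmd_line->AppendSwitchASCII("flash-broker",
+                              base::Int64ToString(::GetProcessId(process)));
+
+  // The flash broker, unders some circumstances can linger beyond the lifetime
+  // of the flash player, so we put it in a job object, when the browser
+  // terminates the job object is destroyed (by the OS) and the flash broker
+  // is terminated.
+  HANDLE job = ::CreateJobObjectW(NULL, NULL);
+  JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_limits = {0};
+  job_limits.BasicLimitInformation.LimitFlags =
+      JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
+  if (::SetInformationJobObject(job, JobObjectExtendedLimitInformation,
+                                &job_limits, sizeof(job_limits))) {
+    ::AssignProcessToJobObject(job, process);
+    // Yes, we are leaking the object here. Read comment above.
+  } else {
+    ::CloseHandle(job);
+    return false;
+  }
+
+  ::CloseHandle(process);
+  return true;
+}
+#endif  // OS_WIN
+
 }  // namespace
 
 namespace chrome {
 
 const char* ChromeContentClient::kPDFPluginName = ::kPDFPluginName;
 const char* ChromeContentClient::kNaClPluginName = ::kNaClPluginName;
 
 void ChromeContentClient::SetActiveURL(const GURL& url) {
   child_process_logging::SetActiveURL(url);
 }
@@ -224,11 +288,59 @@
   // swapped out renderers.
   switch (msg.type()) {
     case ViewHostMsg_Snapshot::ID:
       return true;
     default:
       break;
   }
   return false;
 }
 
+#if defined(OS_WIN)
+bool ChromeContentClient::SandboxPlugin(CommandLine* command_line,
+                                        sandbox::TargetPolicy* policy) {
+  std::wstring plugin_dll = command_line->
+      GetSwitchValueNative(switches::kPluginPath);
+
+  FilePath builtin_flash;
+  if (!PathService::Get(chrome::FILE_FLASH_PLUGIN, &builtin_flash))
+    return false;
+
+  FilePath plugin_path(plugin_dll);
+  if (plugin_path != builtin_flash)
+    return false;
+
+  if (base::win::GetVersion() <= base::win::VERSION_XP ||
+      CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kDisableFlashSandbox)) {
+    return false;
+  }
+
+  // Add the policy for the pipes.
+  sandbox::ResultCode result = sandbox::SBOX_ALL_OK;
+  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
+                           sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
+                           L"\\\\.\\pipe\\chrome.*");
+  if (result != sandbox::SBOX_ALL_OK) {
+    NOTREACHED();
+    return false;
+  }
+
+  // Spawn the flash broker and apply sandbox policy.
+  if (LoadFlashBroker(plugin_path, command_line)) {
+    policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
+    policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                          sandbox::USER_INTERACTIVE);
+    policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+  } else {
+    // Could not start the broker, use a very weak policy instead.
+    DLOG(WARNING) << "Failed to start flash broker";
+    policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
+    policy->SetTokenLevel(
+        sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
+  }
+
+  return true;
+}
+#endif
+
 }  // namespace chrome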
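Review bot: In LoadFlashBroker the job-object failure branch (`::CloseHandle(job); return false;`) leaks the `process` handle, and the success branch ignores the return value of `::AssignProcessToJobObject(job, process)`, so a broker that could not be placed in the kill-on-close job keeps running with no lifetime bound while the function still reports true and SandboxPlugin applies the broker policy. Both branches run after the broker has already been launched and `--flash-broker` appended to `cmd_line`, so a false return makes SandboxPlugin fall back to the USER_UNPROTECTED token with a live broker process; whether the caller can tolerate that is not visible here. I would fold the assignment into the same check, close the process handle on failure, and make the "leaking" comment name the job handle explicitly, as below. LoadFlashBroker lies entirely within the hunk.
```cpp
  HANDLE job = ::CreateJobObjectW(NULL, NULL);
  JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_limits = {0};
  job_limits.BasicLimitInformation.LimitFlags =
      JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
  if (!::SetInformationJobObject(job, JobObjectExtendedLimitInformation,
                                 &job_limits, sizeof(job_limits)) ||
      !::AssignProcessToJobObject(job, process)) {
    ::CloseHandle(job);
    ::CloseHandle(process);
    return false;
  }
  // Yes, we are leaking the job handle here. Read comment above.
  ::CloseHandle(process);
  return true;
```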