Merge 97732 - Try to catch dlls that crash the plugin process.

content/common/sandbox_policy.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_policy.h"
 
 #include <string>
 
 #include "base/command_line.h"
 #include "base/debug/debugger.h"
@@ skipping 50 matching lines @@
   L"pavshookwow.dll",             // Panda Antivirus.
   L"pctavhook.dll",               // PC Tools Antivirus.
   L"pctgmhk.dll",                 // PC Tools Spyware Doctor.
   L"prntrack.dll",                // Pharos Systems.
   L"radhslib.dll",                // Radiant Naomi Internet Filter.
   L"radprlib.dll",                // Radiant Naomi Internet Filter.
   L"rapportnikko.dll",            // Trustware Rapport.
   L"rlhook.dll",                  // Trustware Bufferzone.
   L"rooksdol.dll",                // Trustware Rapport.
   L"rpchromebrowserrecordhelper.dll",  // RealPlayer.
-  L"rpmainbrowserrecordplugin.dll",    // RealPlayer.
   L"r3hook.dll",                  // Kaspersky Internet Security.
   L"sahook.dll",                  // McAfee Site Advisor.
   L"sbrige.dll",                  // Unknown.
   L"sc2hook.dll",                 // Supercopier 2.
   L"sguard.dll",                  // Iolo (System Guard).
   L"smum32.dll",                  // Spyware Doctor version 6.
   L"smumhook.dll",                // Spyware Doctor version 5.
   L"ssldivx.dll",                 // DivX.
   L"syncor11.dll",                // SynthCore Midi interface.
   L"systools.dll",                // Panda Antivirus.
   L"tfwah.dll",                   // Threatfire (PC tools).
-  L"ycwebcamerasource.ax",        // Cyberlink Camera helper.
   L"wblind.dll",                  // Stardock Object desktop.
   L"wbhelp.dll",                  // Stardock Object desktop.
   L"winstylerthemehelper.dll"     // Tuneup utilities 2006.
 };
 
+// The DLLs listed here are known (or under strong suspicion) of causing crashes
+// when they are loaded in the plugin process.
+const wchar_t* const kTroublesomePluginDlls[] = {
+  L"rpmainbrowserrecordplugin.dll",    // RealPlayer.
+  L"ycwebcamerasource.ax"              // Cyberlink Camera helper.
+};
+
 // Adds the policy rules for the path and path\ with the semantic |access|.
 // If |children| is set to true, we need to add the wildcard rules to also
 // apply the rule to the subfiles and subfolders.
 bool AddDirectory(int path, const wchar_t* sub_dir, bool children,
                   sandbox::TargetPolicy::Semantics access,
                   sandbox::TargetPolicy* policy) {
   FilePath directory;
   if (!PathService::Get(path, &directory))
     return false;
 
@@ skipping 49 matching lines @@
     // XP does not set the last error properly, so we bail out anyway.
     return false;
   }
   if (!::GetLongPathName(path, path, arraysize(path)))
     return false;
   FilePath fname(path);
   return (fname.BaseName().value() == module_name);
 }
 
 // Adds a single dll by |module_name| into the |policy| blacklist.
-// To minimize the list we only add an unload policy only if the dll is
-// also loaded in this process. All the injected dlls of interest do this.
+// If |check_in_browser| is true we only add an unload policy only if the dll
+// is also loaded in this process.
 void BlacklistAddOneDll(const wchar_t* module_name,
+                        bool check_in_browser,
                         sandbox::TargetPolicy* policy) {
-  HMODULE module = ::GetModuleHandleW(module_name);
+  HMODULE module = check_in_browser ? ::GetModuleHandleW(module_name) : NULL;
   if (!module) {
     // The module could have been loaded with a 8.3 short name. We use
     // the most common case: 'thelongname.dll' becomes 'thelon~1.dll'.
     std::wstring name(module_name);
     size_t period = name.rfind(L'.');
     DCHECK_NE(std::string::npos, period);
     DCHECK_LE(3U, (name.size() - period));
     if (period <= 8)
       return;
     std::wstring alt_name = name.substr(0, 6) + L"~1";
     alt_name += name.substr(period, name.size());
-    module = ::GetModuleHandleW(alt_name.c_str());
-    if (!module)
-      return;
-    // We found it, but because it only has 6 significant letters, we
-    // want to make sure it is the right one.
-    if (!IsExpandedModuleName(module, module_name))
-      return;
+    if (check_in_browser) {
+      module = ::GetModuleHandleW(alt_name.c_str());
+      if (!module)
+        return;
+      // We found it, but because it only has 6 significant letters, we
+      // want to make sure it is the right one.
+      if (!IsExpandedModuleName(module, module_name))
+        return;
+    }
     // Found a match. We add both forms to the policy.
     policy->AddDllToUnload(alt_name.c_str());
   }
   policy->AddDllToUnload(module_name);
   VLOG(1) << "dll to unload found: " << module_name;
   return;
 }
 
 // Adds policy rules for unloaded the known dlls that cause chrome to crash.
 // Eviction of injected DLLs is done by the sandbox so that the injected module
 // does not get a chance to execute any code.
-void AddDllEvictionPolicy(sandbox::TargetPolicy* policy) {
+void AddGenericDllEvictionPolicy(sandbox::TargetPolicy* policy) {
   for (int ix = 0; ix != arraysize(kTroublesomeDlls); ++ix)
-    BlacklistAddOneDll(kTroublesomeDlls[ix], policy);
+    BlacklistAddOneDll(kTroublesomeDlls[ix], true, policy);
+}
+
+// Same as AddGenericDllEvictionPolicy but specifically for plugins. In this
+// case we add the blacklisted dlls even if they are not loaded in this process.
+void AddPluginDllEvictionPolicy(sandbox::TargetPolicy* policy) {
+  for (int ix = 0; ix != arraysize(kTroublesomePluginDlls); ++ix)
+    BlacklistAddOneDll(kTroublesomePluginDlls[ix], false, policy);
 }
 
 // Returns the object path prepended with the current logon session.
 string16 PrependWindowsSessionPath(const char16* object) {
   // Cache this because it can't change after process creation.
   uintptr_t s_session_id = 0;
   if (s_session_id == 0) {
     HANDLE token;
     DWORD session_id_length;
     DWORD session_id = 0;
@@ skipping 70 matching lines @@
 
   if (base::win::GetVersion() > base::win::VERSION_XP) {
     policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
                           sandbox::USER_LIMITED);
     policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
   } else {
     policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
                           sandbox::USER_LIMITED);
   }
 
-  AddDllEvictionPolicy(policy);
+  AddGenericDllEvictionPolicy(policy);
   return true;
 }
 
 void AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
   policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
 
   sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
   if (base::win::GetVersion() > base::win::VERSION_XP) {
     // On 2003/Vista the initial token has to be restricted if the main
     // token is restricted.
     initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
   }
 
   policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
   policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
 
   bool use_winsta = !CommandLine::ForCurrentProcess()->HasSwitch(
                         switches::kDisableAltWinstation);
 
   if (sandbox::SBOX_ALL_OK !=  policy->SetAlternateDesktop(use_winsta)) {
     DLOG(WARNING) << "Failed to apply desktop security to the renderer";
   }
 
-  AddDllEvictionPolicy(policy);
+  AddGenericDllEvictionPolicy(policy);
 }
 
 // The Pepper process as locked-down as a renderer execpt that it can
 // create the server side of chrome pipes.
 bool AddPolicyForPepperPlugin(sandbox::TargetPolicy* policy) {
   sandbox::ResultCode result;
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
                            sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
                            L"\\\\.\\pipe\\chrome.*");
   if (result != sandbox::SBOX_ALL_OK) {
@@ skipping 106 matching lines @@
     in_sandbox = true;
   }
 
   if (!in_sandbox) {
     policy->Release();
     base::LaunchProcess(*cmd_line, base::LaunchOptions(), &process);
     return process;
   }
 
   if (type == ChildProcessInfo::PLUGIN_PROCESS) {
-    AddDllEvictionPolicy(policy);
+    AddGenericDllEvictionPolicy(policy);
+    AddPluginDllEvictionPolicy(policy);
   } else if (type == ChildProcessInfo::GPU_PROCESS) {
     if (!AddPolicyForGPU(cmd_line, policy))
       return 0;
   } else if (type == ChildProcessInfo::PPAPI_PLUGIN_PROCESS) {
     if (!AddPolicyForPepperPlugin(policy))
       return 0;
   } else {
     AddPolicyForRenderer(policy);
     // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
     // Just have to figure out what needs to be warmed up first.
@@ skipping 69 matching lines @@
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     base::debug::SpawnDebuggerOnProcess(target.dwProcessId);
 
   return process;
 }
 
 }  // namespace sandbox