Add a sandbox API for broker handle duplication

content/common/sandbox_policy.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_policy.h"
 
 #include <string>
 
 #include "base/command_line.h"
 #include "base/debug/debugger.h"
 #include "base/debug/trace_event.h"
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/path_service.h"
 #include "base/process_util.h"
 #include "base/stringprintf.h"
 #include "base/string_util.h"
+#include "base/win/scoped_handle.h"
 #include "base/win/windows_version.h"
 #include "content/common/debug_flags.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/process_type.h"
 #include "sandbox/src/sandbox.h"
 #include "ui/gfx/gl/gl_switches.h"
 
 static sandbox::BrokerServices* g_broker_services = NULL;
+static sandbox::TargetServices* g_target_services = NULL;
 
 namespace {
 
 // The DLLs listed here are known (or under strong suspicion) of causing crashes
 // when they are loaded in the renderer. Note: at runtime we generate short
 // versions of the dll name only if the dll has an extension.
 const wchar_t* const kTroublesomeDlls[] = {
   L"adialhk.dll",                 // Kaspersky Internet Security.
   L"acpiz.dll",                   // Unknown.
   L"avgrsstx.dll",                // AVG 8.
@@ skipping 321 matching lines @@
       sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
       L"\\\\.\\pipe\\chrome.gpu.*");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
   AddGenericDllEvictionPolicy(policy);
 #endif
   return true;
 }
 
-void AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
+bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
+  // Renderers need to copy sections for plugin DIBs.
+  sandbox::ResultCode result;
+  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+                           sandbox::TargetPolicy::HANDLES_DUP_ANY,
+                           L"Section");
+  if (result != sandbox::SBOX_ALL_OK) {
+    NOTREACHED();
+    return false;
+  }
+
   policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
 
   sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
   if (base::win::GetVersion() > base::win::VERSION_XP) {
     // On 2003/Vista the initial token has to be restricted if the main
     // token is restricted.
     initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
   }
 
   policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
   policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
 
   bool use_winsta = !CommandLine::ForCurrentProcess()->HasSwitch(
                         switches::kDisableAltWinstation);
 
   if (sandbox::SBOX_ALL_OK !=  policy->SetAlternateDesktop(use_winsta)) {
     DLOG(WARNING) << "Failed to apply desktop security to the renderer";
   }
 
   AddGenericDllEvictionPolicy(policy);
+
+  return true;
 }
 
 // The Pepper process as locked-down as a renderer execpt that it can
 // create the server side of chrome pipes.
 bool AddPolicyForPepperPlugin(sandbox::TargetPolicy* policy) {
   sandbox::ResultCode result;
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
                            sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
                            L"\\\\.\\pipe\\chrome.*");
   if (result != sandbox::SBOX_ALL_OK) {
     NOTREACHED();
     return false;
   }
-  AddPolicyForRenderer(policy);
-  return true;
+  return AddPolicyForRenderer(policy);
 }
 
 }  // namespace
 
 namespace sandbox {
 
-void InitBrokerServices(sandbox::BrokerServices* broker_services) {
+bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
   // TODO(abarth): DCHECK(CalledOnValidThread());
   //               See <http://b/1287166>.
   DCHECK(broker_services);
   DCHECK(!g_broker_services);
-  broker_services->Init();
+  sandbox::ResultCode result = broker_services->Init();
   g_broker_services = broker_services;
+  return SBOX_ALL_OK == result;
 }
 
+bool InitTargetServices(sandbox::TargetServices* target_services) {
+  DCHECK(target_services);
+  DCHECK(!g_target_services);
+  sandbox::ResultCode result = target_services->Init();
+  g_target_services = target_services;
+  return SBOX_ALL_OK == result;
+}
+
+bool BrokerDuplicateHandle(HANDLE source_handle,
+                           DWORD target_process_id,
+                           HANDLE* target_handle,
+                           DWORD desired_access,
+                           BOOL inherit_handle,

[nsylvain, 2012/03/28 13:11:46]

i dont think you should be supporting inherit_handle.   inherit_handle should
probably be always false.   Although does not matter much if you want your call
to look as much like DuplicateHandle as possible.

[jschuh, 2012/03/28 22:09:29]

Fair point. I'll remove it entirely.

+                           DWORD options) {
+  // Just use DuplicateHandle() if we aren't in the sandbox.
+  if (!g_target_services) {
+    base::win::ScopedHandle target_process(::OpenProcess(PROCESS_DUP_HANDLE,
+                                                         FALSE,
+                                                         target_process_id));
+    if (!target_process.IsValid())
+      return false;
+
+    if (!::DuplicateHandle(::GetCurrentProcess(), source_handle,
+                           target_process, target_handle,
+                           desired_access, inherit_handle,
+                           options)) {
+      return false;
+    }
+
+    return true;
+  }
+
+  ResultCode result = g_target_services->DuplicateHandle(source_handle,
+                                                         target_process_id,
+                                                         target_handle,
+                                                         desired_access,
+                                                         inherit_handle,
+                                                         options);
+  return SBOX_ALL_OK == result;
+}
+
+
 base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
                                            const FilePath& exposed_dir) {
   base::ProcessHandle process = 0;
   const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess();
   content::ProcessType type;
   std::string type_str = cmd_line->GetSwitchValueASCII(switches::kProcessType);
   if (type_str == switches::kRendererProcess) {
     type = content::PROCESS_TYPE_RENDERER;
   } else if (type_str == switches::kPluginProcess) {
     type = content::PROCESS_TYPE_PLUGIN;
@@ skipping 88 matching lines @@
   if (type == content::PROCESS_TYPE_PLUGIN) {
     AddGenericDllEvictionPolicy(policy);
     AddPluginDllEvictionPolicy(policy);
   } else if (type == content::PROCESS_TYPE_GPU) {
     if (!AddPolicyForGPU(cmd_line, policy))
       return 0;
   } else if (type == content::PROCESS_TYPE_PPAPI_PLUGIN) {
     if (!AddPolicyForPepperPlugin(policy))
       return 0;
   } else {
-    AddPolicyForRenderer(policy);
+    if (!AddPolicyForRenderer(policy))
+      return 0;
     // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
     // Just have to figure out what needs to be warmed up first.
     if (type == content::PROCESS_TYPE_RENDERER ||
         type == content::PROCESS_TYPE_WORKER) {
       AddBaseHandleClosePolicy(policy);
     }
 
     if (type_str != switches::kRendererProcess) {
       // Hack for Google Desktop crash. Trick GD into not injecting its DLL into
       // this subprocess. See
@@ skipping 63 matching lines @@
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     base::debug::SpawnDebuggerOnProcess(target.dwProcessId);
 
   return process;
 }
 
 }  // namespace sandbox