Add a sandbox API for broker handle duplication

content/common/sandbox_policy.cc

Index: content/common/sandbox_policy.cc
===================================================================
--- content/common/sandbox_policy.cc	(revision 128951)
+++ content/common/sandbox_policy.cc	(working copy)
@@ -15,6 +15,7 @@
 #include "base/process_util.h"
 #include "base/stringprintf.h"
 #include "base/string_util.h"
+#include "base/win/scoped_handle.h"
 #include "base/win/windows_version.h"
 #include "content/common/debug_flags.h"
 #include "content/public/common/content_client.h"
@@ -24,6 +25,7 @@
 #include "ui/gfx/gl/gl_switches.h"
 
 static sandbox::BrokerServices* g_broker_services = NULL;
+static sandbox::TargetServices* g_target_services = NULL;
 
 namespace {
 
@@ -365,7 +367,17 @@
   return true;
 }
 
-void AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
+bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
+  // Renderers need to copy sections for plugin DIBs.
+  sandbox::ResultCode result;
+  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+                           sandbox::TargetPolicy::HANDLES_DUP_ANY,
+                           L"Section");
+  if (result != sandbox::SBOX_ALL_OK) {
+    NOTREACHED();
+    return false;
+  }
+
   policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
 
   sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
@@ -386,6 +398,8 @@
   }
 
   AddGenericDllEvictionPolicy(policy);
+
+  return true;
 }
 
 // The Pepper process as locked-down as a renderer execpt that it can
@@ -399,23 +413,65 @@
     NOTREACHED();
     return false;
   }
-  AddPolicyForRenderer(policy);
-  return true;
+  return AddPolicyForRenderer(policy);
 }
 
 }  // namespace
 
 namespace sandbox {
 
-void InitBrokerServices(sandbox::BrokerServices* broker_services) {
+bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
   // TODO(abarth): DCHECK(CalledOnValidThread());
   //               See <http://b/1287166>.
   DCHECK(broker_services);
   DCHECK(!g_broker_services);
-  broker_services->Init();
+  sandbox::ResultCode result = broker_services->Init();
   g_broker_services = broker_services;
+  return SBOX_ALL_OK == result;
 }
 
+bool InitTargetServices(sandbox::TargetServices* target_services) {
+  DCHECK(target_services);
+  DCHECK(!g_target_services);
+  sandbox::ResultCode result = target_services->Init();
+  g_target_services = target_services;
+  return SBOX_ALL_OK == result;
+}
+
+bool BrokerDuplicateHandle(HANDLE source_handle,
+                           DWORD target_process_id,
+                           HANDLE* target_handle,
+                           DWORD desired_access,
+                           BOOL inherit_handle,

[nsylvain, 2012/03/28 13:11:46]

i dont think you should be supporting inherit_handle.   inherit_handle should
probably be always false.   Although does not matter much if you want your call
to look as much like DuplicateHandle as possible.

[jschuh, 2012/03/28 22:09:29]

Fair point. I'll remove it entirely.

+                           DWORD options) {
+  // Just use DuplicateHandle() if we aren't in the sandbox.
+  if (!g_target_services) {
+    base::win::ScopedHandle target_process(::OpenProcess(PROCESS_DUP_HANDLE,
+                                                         FALSE,
+                                                         target_process_id));
+    if (!target_process.IsValid())
+      return false;
+
+    if (!::DuplicateHandle(::GetCurrentProcess(), source_handle,
+                           target_process, target_handle,
+                           desired_access, inherit_handle,
+                           options)) {
+      return false;
+    }
+
+    return true;
+  }
+
+  ResultCode result = g_target_services->DuplicateHandle(source_handle,
+                                                         target_process_id,
+                                                         target_handle,
+                                                         desired_access,
+                                                         inherit_handle,
+                                                         options);
+  return SBOX_ALL_OK == result;
+}
+
+
 base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
                                            const FilePath& exposed_dir) {
   base::ProcessHandle process = 0;
@@ -524,7 +580,8 @@
     if (!AddPolicyForPepperPlugin(policy))
       return 0;
   } else {
-    AddPolicyForRenderer(policy);
+    if (!AddPolicyForRenderer(policy))
+      return 0;
     // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
     // Just have to figure out what needs to be warmed up first.
     if (type == content::PROCESS_TYPE_RENDERER ||