Convert plugin and GPU process to brokered handle duplication.

content/common/sandbox_policy.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_policy.h"
 
 #include <string>
 
 #include "base/command_line.h"
 #include "base/debug/debugger.h"
@@ skipping 355 matching lines @@
 
   // Allow the server side of GPU sockets, which are pipes that have
   // the "chrome.gpu" namespace and an arbitrary suffix.
   sandbox::ResultCode result = policy->AddRule(
       sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
       sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
       L"\\\\.\\pipe\\chrome.gpu.*");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
+  // GPU needs to copy sections to renderers.
+  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+                           sandbox::TargetPolicy::HANDLES_DUP_ANY,
+                           L"Section");
+  if (result != sandbox::SBOX_ALL_OK)
+    return false;
+
   AddGenericDllEvictionPolicy(policy);
 #endif
   return true;
 }
 
 bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
-  // Renderers need to copy sections for plugin DIBs.
+  // Renderers need to copy sections for plugin DIBs and GPU.
   sandbox::ResultCode result;
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
                            sandbox::TargetPolicy::HANDLES_DUP_ANY,
                            L"Section");
-  if (result != sandbox::SBOX_ALL_OK) {
-    NOTREACHED();
+  if (result != sandbox::SBOX_ALL_OK)
     return false;
-  }
+
+  // Renderers need to share events with plugins.
+  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+                           sandbox::TargetPolicy::HANDLES_DUP_ANY,
+                           L"Event");
+  if (result != sandbox::SBOX_ALL_OK)
+    return false;
 
   policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
 
   sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
   if (base::win::GetVersion() > base::win::VERSION_XP) {
     // On 2003/Vista the initial token has to be restricted if the main
     // token is restricted.
     initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
   }
 
@@ skipping 42 matching lines @@
   sandbox::ResultCode result = target_services->Init();
   g_target_services = target_services;
   return SBOX_ALL_OK == result;
 }
 
 bool BrokerDuplicateHandle(HANDLE source_handle,
                            DWORD target_process_id,
                            HANDLE* target_handle,
                            DWORD desired_access,
                            DWORD options) {
-  // Just use DuplicateHandle() if we aren't in the sandbox.
-  if (!g_target_services) {
-    base::win::ScopedHandle target_process(::OpenProcess(PROCESS_DUP_HANDLE,
-                                                         FALSE,
-                                                         target_process_id));
-    if (!target_process.IsValid())
-      return false;
-
-    if (!::DuplicateHandle(::GetCurrentProcess(), source_handle,
-                           target_process, target_handle,
-                           desired_access, FALSE,
-                           options)) {
-      return false;
+  {  // First try to open the target process in case we're not in a sandbox.
+    base::win::ScopedHandle target_process;
+    target_process.Set(::OpenProcess(PROCESS_DUP_HANDLE, FALSE,
+                                     target_process_id));
+    if (target_process.IsValid()) {
+      return !!::DuplicateHandle(::GetCurrentProcess(), source_handle,
+                                 target_process, target_handle, desired_access,
+                                 FALSE, options);
     }
-
-    return true;
   }
 
-  ResultCode result = g_target_services->DuplicateHandle(source_handle,
-                                                         target_process_id,
-                                                         target_handle,
-                                                         desired_access,
-                                                         options);
-  return SBOX_ALL_OK == result;
+  // Don't broker if we're not in the sandbox or didn't get denied access.
+  if (!g_target_services || ::GetLastError() != ERROR_ACCESS_DENIED)
+    return false;
+
+  return SBOX_ALL_OK == g_target_services->DuplicateHandle(source_handle,
+                                                           target_process_id,
+                                                           target_handle,
+                                                           desired_access,
+                                                           options);
 }
 
 
 base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
                                            const FilePath& exposed_dir) {
   const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess();
   content::ProcessType type;
   std::string type_str = cmd_line->GetSwitchValueASCII(switches::kProcessType);
   if (type_str == switches::kRendererProcess) {
     type = content::PROCESS_TYPE_RENDERER;
@@ skipping 20 matching lines @@
 
   TRACE_EVENT_BEGIN_ETW("StartProcessWithAccess", 0, type_str);
 
   // To decide if the process is going to be sandboxed we have two cases.
   // First case: all process types except the nacl broker, and the plugin
   // process are sandboxed by default.
   bool in_sandbox =
       (type != content::PROCESS_TYPE_NACL_BROKER) &&
       (type != content::PROCESS_TYPE_PLUGIN) &&
       (type != content::PROCESS_TYPE_PPAPI_BROKER);
+  // The handle duplication policies need the broker to track both the
+  // source and target process. So, we still launch unsandboxed plugins
+  // via the broker to make that work.
+  bool use_broker = false;
 
   // If it is the GPU process then it can be disabled by a command line flag.
   if ((type == content::PROCESS_TYPE_GPU) &&
       (cmd_line->HasSwitch(switches::kDisableGpuSandbox))) {
     in_sandbox = false;
     DVLOG(1) << "GPU sandbox is disabled";
   }
 
   if (browser_command_line.HasSwitch(switches::kNoSandbox) ||
       cmd_line->HasSwitch(switches::kNoSandbox)) {
@@ skipping 28 matching lines @@
   // Using a different prefetch profile per process type will allow Windows
   // to create separate pretetch settings for browser, renderer etc.
   cmd_line->AppendArg(base::StringPrintf("/prefetch:%d", type));
 
   sandbox::ResultCode result;
   base::win::ScopedProcessInformation target;
   sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
 
 #if !defined(NACL_WIN64)  // We don't need this code on win nacl64.
   if (type == content::PROCESS_TYPE_PLUGIN &&
-      !browser_command_line.HasSwitch(switches::kNoSandbox) &&
-      content::GetContentClient()->SandboxPlugin(cmd_line, policy)) {
-    in_sandbox = true;
+      !browser_command_line.HasSwitch(switches::kNoSandbox)) {
+    in_sandbox = content::GetContentClient()->SandboxPlugin(cmd_line, policy);
+    use_broker = true;
   }
 #endif
 
   if (!in_sandbox) {
-    policy->Release();
-    base::ProcessHandle process = 0;
-    base::LaunchProcess(*cmd_line, base::LaunchOptions(), &process);
-    return process;
-  }
-
-  if (type == content::PROCESS_TYPE_PLUGIN) {
+    if (!use_broker) {
+      policy->Release();
+      base::ProcessHandle process = 0;
+      base::LaunchProcess(*cmd_line, base::LaunchOptions(), &process);
+      return process;
+    } else {
+      policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
+      policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
+                            sandbox::USER_UNPROTECTED);
+    }
+  } else if (type == content::PROCESS_TYPE_PLUGIN) {
     AddGenericDllEvictionPolicy(policy);
     AddPluginDllEvictionPolicy(policy);
   } else if (type == content::PROCESS_TYPE_GPU) {
     if (!AddPolicyForGPU(cmd_line, policy))
       return 0;
   } else {
     if (!AddPolicyForRenderer(policy))
       return 0;
     // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
     // Just have to figure out what needs to be warmed up first.
@@ skipping 75 matching lines @@
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     base::debug::SpawnDebuggerOnProcess(target.process_id());
 
   return target.TakeProcessHandle();
 }
 
 }  // namespace sandbox