| Index: content/common/sandbox_policy.cc
|
| ===================================================================
|
| --- content/common/sandbox_policy.cc (revision 131361)
|
| +++ content/common/sandbox_policy.cc (working copy)
|
| @@ -373,22 +373,34 @@
|
| if (result != sandbox::SBOX_ALL_OK)
|
| return false;
|
|
|
| + // GPU needs to copy sections to renderers.
|
| + result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
|
| + sandbox::TargetPolicy::HANDLES_DUP_ANY,
|
| + L"Section");
|
| + if (result != sandbox::SBOX_ALL_OK)
|
| + return false;
|
| +
|
| AddGenericDllEvictionPolicy(policy);
|
| #endif
|
| return true;
|
| }
|
|
|
| bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
|
| - // Renderers need to copy sections for plugin DIBs.
|
| + // Renderers need to copy sections for plugin DIBs and GPU.
|
| sandbox::ResultCode result;
|
| result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
|
| sandbox::TargetPolicy::HANDLES_DUP_ANY,
|
| L"Section");
|
| - if (result != sandbox::SBOX_ALL_OK) {
|
| - NOTREACHED();
|
| + if (result != sandbox::SBOX_ALL_OK)
|
| return false;
|
| - }
|
|
|
| + // Renderers need to share events with plugins.
|
| + result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
|
| + sandbox::TargetPolicy::HANDLES_DUP_ANY,
|
| + L"Event");
|
| + if (result != sandbox::SBOX_ALL_OK)
|
| + return false;
|
| +
|
| policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
|
|
|
| sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
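Review bot: The comment at L67 understates what the rule at L69–L73 grants: HANDLES_DUP_ANY on `L"Event"` is scoped by handle type only, so the renderer can ask the broker to duplicate any Event handle it holds, not just the ones it exchanges with plugins, and the target is whatever process the broker accepts rather than a specific plugin. Suggest `// Renderers need to share events with plugins. This permits duplication of any Event handle the renderer holds to any target the broker accepts.` so the next reader sees the real width of the grant. The same reading applies to the GPU `L"Section"` rule at L19–L23, where the comment also names only the intended consumer. Both enclosing functions extend outside the hunk: AddPolicyForGPU begins above it and AddPolicyForRenderer continues below L85.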
|
| @@ -450,30 +462,26 @@
|
| HANDLE* target_handle,
|
| DWORD desired_access,
|
| DWORD options) {
|
| - // Just use DuplicateHandle() if we aren't in the sandbox.
|
| - if (!g_target_services) {
|
| - base::win::ScopedHandle target_process(::OpenProcess(PROCESS_DUP_HANDLE,
|
| - FALSE,
|
| - target_process_id));
|
| - if (!target_process.IsValid())
|
| - return false;
|
| -
|
| - if (!::DuplicateHandle(::GetCurrentProcess(), source_handle,
|
| - target_process, target_handle,
|
| - desired_access, FALSE,
|
| - options)) {
|
| - return false;
|
| + { // First try to open the target process in case we're not in a sandbox.
|
| + base::win::ScopedHandle target_process;
|
| + target_process.Set(::OpenProcess(PROCESS_DUP_HANDLE, FALSE,
|
| + target_process_id));
|
| + if (target_process.IsValid()) {
|
| + return !!::DuplicateHandle(::GetCurrentProcess(), source_handle,
|
| + target_process, target_handle, desired_access,
|
| + FALSE, options);
|
| }
|
| -
|
| - return true;
|
| }
|
|
|
| - ResultCode result = g_target_services->DuplicateHandle(source_handle,
|
| - target_process_id,
|
| - target_handle,
|
| - desired_access,
|
| - options);
|
| - return SBOX_ALL_OK == result;
|
| + // Don't broker if we're not in the sandbox or didn't get denied access.
|
| + if (!g_target_services || ::GetLastError() != ERROR_ACCESS_DENIED)
|
| + return false;
|
| +
|
| + return SBOX_ALL_OK == g_target_services->DuplicateHandle(source_handle,
|
| + target_process_id,
|
| + target_handle,
|
| + desired_access,
|
| + options);
|
| }
|
|
|
|
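Review bot: `::GetLastError()` at L161 is read only after the block holding `target_process` closes at L143, so the ScopedHandle destructor runs between the failed `::OpenProcess` at L125 and the error check; if that destructor (or anything else on that path) makes a Win32 call, the error code is overwritten, `ERROR_ACCESS_DENIED` is lost and the broker fallback is silently skipped, leaving a sandboxed caller with a spurious false. Capture the code immediately after the call: declare `DWORD open_error = 0;` before the block, set `open_error = ::GetLastError();` right after `target_process.Set(...)`, and test `open_error != ERROR_ACCESS_DENIED` at L161. The function's signature starts above the hunk at L89.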
|
| @@ -514,6 +522,10 @@
|
| (type != content::PROCESS_TYPE_NACL_BROKER) &&
|
| (type != content::PROCESS_TYPE_PLUGIN) &&
|
| (type != content::PROCESS_TYPE_PPAPI_BROKER);
|
| + // The handle duplication policies need the broker to track both the
|
| + // source and target process. So, we still launch unsandboxed plugins
|
| + // via the broker to make that work.
|
| + bool use_broker = false;
|
|
|
| // If it is the GPU process then it can be disabled by a command line flag.
|
| if ((type == content::PROCESS_TYPE_GPU) &&
|
| @@ -562,20 +574,24 @@
|
|
|
| #if !defined(NACL_WIN64) // We don't need this code on win nacl64.
|
| if (type == content::PROCESS_TYPE_PLUGIN &&
|
| - !browser_command_line.HasSwitch(switches::kNoSandbox) &&
|
| - content::GetContentClient()->SandboxPlugin(cmd_line, policy)) {
|
| - in_sandbox = true;
|
| + !browser_command_line.HasSwitch(switches::kNoSandbox)) {
|
| + in_sandbox = content::GetContentClient()->SandboxPlugin(cmd_line, policy);
|
| + use_broker = true;
|
| }
|
| #endif
|
|
|
| if (!in_sandbox) {
|
| - policy->Release();
|
| - base::ProcessHandle process = 0;
|
| - base::LaunchProcess(*cmd_line, base::LaunchOptions(), &process);
|
| - return process;
|
| - }
|
| -
|
| - if (type == content::PROCESS_TYPE_PLUGIN) {
|
| + if (!use_broker) {
|
| + policy->Release();
|
| + base::ProcessHandle process = 0;
|
| + base::LaunchProcess(*cmd_line, base::LaunchOptions(), &process);
|
| + return process;
|
| + } else {
|
| + policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
|
| + policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
|
| + sandbox::USER_UNPROTECTED);
|
| + }
|
| + } else if (type == content::PROCESS_TYPE_PLUGIN) {
|
| AddGenericDllEvictionPolicy(policy);
|
| AddPluginDllEvictionPolicy(policy);
|
| } else if (type == content::PROCESS_TYPE_GPU) {
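Review bot: In the `use_broker` branch at L257–L265 the policy handed to the broker is whatever `SandboxPlugin` left on it plus JOB_UNPROTECTED and USER_UNPROTECTED; nothing visible here resets integrity level, desktop or rules it may have added before returning false, so if that call mutates `policy` on the failure path those settings carry into a launch this code treats as unsandboxed — worth confirming, or resetting explicitly. The `else` at L257 follows an unconditional `return` at L255 and can be dropped so the broker setup sits one level out, and a comment there would tie it to the intent stated at the `use_broker` declaration: `// Unsandboxed plugin: launched through the broker only so handle duplication can track it; no job or token restrictions apply.` The enclosing function begins and ends outside the hunk.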
|
|
|