Implement GetSandboxType() on all platforms and implement for all process types.

chrome/browser/chrome_content_browser_client.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chrome_content_browser_client.h"
 
 #include <set>
 #include <utility>
 #include <vector>
 
@@ skipping 103 matching lines @@
 #include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/client_certificate_delegate.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/resource_context.h"
 #include "content/public/browser/site_instance.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/child_process_host.h"
 #include "content/public/common/content_descriptors.h"
+#include "content/public/common/sandbox_type.h"
 #include "content/public/common/service_registry.h"
 #include "content/public/common/url_utils.h"
 #include "content/public/common/web_preferences.h"
 #include "device/devices_app/public/cpp/constants.h"
 #include "device/devices_app/public/cpp/devices_app_factory.h"
 #include "gin/v8_initializer.h"
 #include "mojo/application/public/cpp/application_delegate.h"
 #include "net/base/mime_util.h"
 #include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_options.h"
@@ skipping 2190 matching lines @@
   }
 #endif  // defined(OS_ANDROID)
 }
 #endif  // defined(OS_POSIX) && !defined(OS_MACOSX)
 
 #if defined(OS_WIN)
 const wchar_t* ChromeContentBrowserClient::GetResourceDllName() {
   return chrome::kBrowserResourcesDll;
 }
 
+base::string16 ChromeContentBrowserClient::GetAppContainerSidForSandboxType(
+    int sandbox_type) const {
+// TODO(wfh): Create specific SID for each channel.
+#if defined(GOOGLE_CHROME_BUILD)
+  const wchar_t kAppContainerPrefix[] =
+      L"S-1-15-2-3251537155-1984446955-2931258699-841473695-1938553385-"
+      L"924012148-";
+#else
+  const wchar_t kAppContainerPrefix[] =
+      L"S-1-15-2-3251537155-1984446955-2931258699-841473695-1938553385-"
+      L"924012149-";
+#endif
+  base::string16 sid(kAppContainerPrefix);
+
+  // Only PPAPI and renderer processes enjoy being inside App Containers at the
+  // moment.
+  switch (sandbox_type) {
+    case content::SANDBOX_TYPE_RENDERER:
+      return sid + L"129201922";
+    case content::SANDBOX_TYPE_PPAPI:
+      return sid + L"129201924";
+  }
+
+  return base::string16();
+}
+
 void ChromeContentBrowserClient::PreSpawnRenderer(
     sandbox::TargetPolicy* policy,
     bool* success) {
   // This code is duplicated in nacl_exe_win_64.cc.
   // Allow the server side of a pipe restricted to the "chrome.nacl."
   // namespace so that it cannot impersonate other system or other chrome
   // service pipes.
   sandbox::ResultCode result = policy->AddRule(
       sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
       sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
@@ skipping 150 matching lines @@
       switches::kDisableWebRtcEncryption,
     };
     to_command_line->CopySwitchesFrom(from_command_line,
                                       kWebRtcDevSwitchNames,
                                       arraysize(kWebRtcDevSwitchNames));
   }
 }
 #endif  // defined(ENABLE_WEBRTC)
 
 }  // namespace chrome