Remove mention of the nacl process in content.

content/common/sandbox_policy.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_policy.h"
 
 #include <string>
 
 #include "base/command_line.h"
 #include "base/debug/debugger.h"
@@ skipping 13 matching lines @@
 #include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/process_type.h"
 #include "content/public/common/sandbox_init.h"
 #include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/win_utils.h"
 #include "ui/gl/gl_switches.h"
 
-static sandbox::BrokerServices* g_broker_services = NULL;
-static sandbox::TargetServices* g_target_services = NULL;
-
+namespace content {
 namespace {
+sandbox::BrokerServices* g_broker_services = NULL;
+sandbox::TargetServices* g_target_services = NULL;
+base::LazyInstance<SandboxedProcessStartingCallback>
+    g_sandboxed_process_starting_callback = LAZY_INSTANCE_INITIALIZER;
 
 // The DLLs listed here are known (or under strong suspicion) of causing crashes
 // when they are loaded in the renderer. Note: at runtime we generate short
 // versions of the dll name only if the dll has an extension.
 const wchar_t* const kTroublesomeDlls[] = {
   L"adialhk.dll",                 // Kaspersky Internet Security.
   L"acpiz.dll",                   // Unknown.
   L"avgrsstx.dll",                // AVG 8.
   L"babylonchromepi.dll",         // Babylon translator.
   L"btkeyind.dll",                // Widcomm Bluetooth.
@@ skipping 268 matching lines @@
   sandbox::ResultCode result;
 
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
   // "chrome." so the sandboxed process cannot connect to system services.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                            sandbox::TargetPolicy::FILES_ALLOW_ANY,
                            L"\\??\\pipe\\chrome.*");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
-  // Allow the server side of a pipe restricted to the "chrome.nacl."
-  // namespace so that it cannot impersonate other system or other chrome
-  // service pipes.
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-                           sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
-                           L"\\\\.\\pipe\\chrome.nacl.*");
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
+
   // Allow the server side of sync sockets, which are pipes that have
   // the "chrome.sync" namespace and a randomly generated suffix.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
                            sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
                            L"\\\\.\\pipe\\chrome.sync.*");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
   // Add the policy for debug message only in debug
 #ifndef NDEBUG
@@ skipping 126 matching lines @@
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
   // Renderers need to share events with plugins.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
                            sandbox::TargetPolicy::HANDLES_DUP_ANY,
                            L"Event");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
-  // Renderers need to send named pipe handles and shared memory
-  // segment handles to NaCl loader processes.
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
-                           sandbox::TargetPolicy::HANDLES_DUP_ANY,
-                           L"File");
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
-
   sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
   if (base::win::GetVersion() > base::win::VERSION_XP) {
     // On 2003/Vista the initial token has to be restricted if the main
     // token is restricted.
     initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
   }
 
   policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
   // Prevents the renderers from manipulating low-integrity processes.
   policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
@@ skipping 113 matching lines @@
     // Callers use CHECK macro to make sure we get the right stack.
     CheckDuplicateHandle(handle);
   }
 
   return TRUE;
 }
 #endif
 
 }  // namespace
 
-namespace content {
-
 bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
   // TODO(abarth): DCHECK(CalledOnValidThread());
   //               See <http://b/1287166>.
   DCHECK(broker_services);
   DCHECK(!g_broker_services);
   sandbox::ResultCode result = broker_services->Init();
   g_broker_services = broker_services;
 
-// In non-official builds warn about dangerous uses of DuplicateHandle.
+  // In non-official builds warn about dangerous uses of DuplicateHandle.
   BOOL is_in_job = FALSE;
 #ifdef NACL_WIN64
   CHECK(::IsProcessInJob(::GetCurrentProcess(), NULL, &is_in_job));
 #endif
 #ifndef OFFICIAL_BUILD
   if (!is_in_job && !g_iat_patch_duplicate_handle.is_patched()) {
     HMODULE module = NULL;
     wchar_t module_name[MAX_PATH];
     CHECK(::GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,
                               reinterpret_cast<LPCWSTR>(InitBrokerServices),
@@ skipping 171 matching lines @@
                              exposed_files.value().c_str());
     if (result != sandbox::SBOX_ALL_OK)
       return 0;
   }
 
   if (!AddGenericPolicy(policy)) {
     NOTREACHED();
     return 0;
   }
 
+  if (!g_sandboxed_process_starting_callback.Pointer()->is_null()) {
+    g_sandboxed_process_starting_callback.Pointer()->Run(
+        cmd_line, policy);
+  }
+
   if (browser_command_line.HasSwitch(switches::kEnableLogging)) {
     // If stdout/stderr point to a Windows console, these calls will
     // have no effect.
     policy->SetStdoutHandle(GetStdHandle(STD_OUTPUT_HANDLE));
     policy->SetStderrHandle(GetStdHandle(STD_ERROR_HANDLE));
   }
 
   TRACE_EVENT_BEGIN_ETW("StartProcessWithAccess::LAUNCHPROCESS", 0, 0);
 
   result = g_broker_services->SpawnTarget(
       cmd_line->GetProgram().value().c_str(),
       cmd_line->GetCommandLineString().c_str(),
       policy, target.Receive());
   policy->Release();
 
   TRACE_EVENT_END_ETW("StartProcessWithAccess::LAUNCHPROCESS", 0, 0);
 
   if (sandbox::SBOX_ALL_OK != result) {
     DLOG(ERROR) << "Failed to launch process. Error: " << result;
     return 0;
   }
 
 #if !defined(NACL_WIN64)
   // For Native Client sel_ldr processes on 32-bit Windows, reserve 1 GB of

[cpu_(ooo_6.6-7.5), 2013/03/18 19:46:26]

you want to add this as another callback after process started as well?

[jam, 2013/03/18 19:50:19]

yeah, this and other nacl stuff in this file will be done in future changes

   // address space to prevent later failure due to address space fragmentation
   // from .dll loading. The NaCl process will attempt to locate this space by
   // scanning the address space using VirtualQuery.
   // TODO(bbudge) Handle the --no-sandbox case.
   // http://code.google.com/p/nativeclient/issues/detail?id=2131
   if (type == PROCESS_TYPE_NACL_LOADER) {
     const SIZE_T kOneGigabyte = 1 << 30;
     void* nacl_mem = VirtualAllocEx(target.process_handle(),
                                     NULL,
                                     kOneGigabyte,
                                     MEM_RESERVE,
                                     PAGE_NOACCESS);
     if (!nacl_mem) {
       DLOG(WARNING) << "Failed to reserve address space for Native Client";
     }
   }
 #endif  // !defined(NACL_WIN64)
 
   ResumeThread(target.thread_handle());
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     base::debug::SpawnDebuggerOnProcess(target.process_id());
 
   return target.TakeProcessHandle();
 }
 
+void SetSandboxedProcessStartingCallback(
+    const SandboxedProcessStartingCallback& callback) {
+  g_sandboxed_process_starting_callback.Get() = callback;
+}
+
 bool BrokerDuplicateHandle(HANDLE source_handle,
                            DWORD target_process_id,
                            HANDLE* target_handle,
                            DWORD desired_access,
                            DWORD options) {
   // If our process is the target just duplicate the handle.
   if (::GetCurrentProcessId() == target_process_id) {
     return !!::DuplicateHandle(::GetCurrentProcess(), source_handle,
                                ::GetCurrentProcess(), target_handle,
                                desired_access, FALSE, options);
@@ skipping 19 matching lines @@
   }
 
   return false;
 }
 
 bool BrokerAddTargetPeer(HANDLE peer_process) {
   return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
 }
 
 }  // namespace content