Remove mention of the nacl process in content.

content/common/sandbox_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "content/common/sandbox_policy.h"
+#include "content/common/sandbox_win.h"
 
 #include <string>
 
 #include "base/command_line.h"
 #include "base/debug/debugger.h"
 #include "base/debug/trace_event.h"
 #include "base/file_util.h"
-#include "base/lazy_instance.h"
-#include "base/logging.h"
 #include "base/path_service.h"
 #include "base/process_util.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/win/iat_patch_function.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_process_information.h"
 #include "base/win/windows_version.h"
 #include "content/common/debug_flags.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/process_type.h"
 #include "content/public/common/sandbox_init.h"
+#include "content/public/common/sandboxed_process_launcher_delegate.h"
 #include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/win_utils.h"
-#include "ui/gl/gl_switches.h"
 
 static sandbox::BrokerServices* g_broker_services = NULL;
 static sandbox::TargetServices* g_target_services = NULL;
 
+namespace content {
 namespace {
 
 // The DLLs listed here are known (or under strong suspicion) of causing crashes
 // when they are loaded in the renderer. Note: at runtime we generate short
 // versions of the dll name only if the dll has an extension.
 const wchar_t* const kTroublesomeDlls[] = {
   L"adialhk.dll",                 // Kaspersky Internet Security.
   L"acpiz.dll",                   // Unknown.
   L"avgrsstx.dll",                // AVG 8.
   L"babylonchromepi.dll",         // Babylon translator.
@@ skipping 57 matching lines @@
   L"smumhook.dll",                // Spyware Doctor version 5.
   L"ssldivx.dll",                 // DivX.
   L"syncor11.dll",                // SynthCore Midi interface.
   L"systools.dll",                // Panda Antivirus.
   L"tfwah.dll",                   // Threatfire (PC tools).
   L"wblind.dll",                  // Stardock Object desktop.
   L"wbhelp.dll",                  // Stardock Object desktop.
   L"winstylerthemehelper.dll"     // Tuneup utilities 2006.
 };
 
-// The DLLs listed here are known (or under strong suspicion) of causing crashes
-// when they are loaded in the GPU process.
-const wchar_t* const kTroublesomeGpuDlls[] = {
-  L"cmsetac.dll",                 // Unknown (suspected malware).
-};
-
 // Adds the policy rules for the path and path\ with the semantic |access|.
 // If |children| is set to true, we need to add the wildcard rules to also
 // apply the rule to the subfiles and subfolders.
 bool AddDirectory(int path, const wchar_t* sub_dir, bool children,
                   sandbox::TargetPolicy::Semantics access,
                   sandbox::TargetPolicy* policy) {
   base::FilePath directory;
   if (!PathService::Get(path, &directory))
     return false;
 
@@ skipping 95 matching lines @@
 }
 
 // Adds policy rules for unloaded the known dlls that cause chrome to crash.
 // Eviction of injected DLLs is done by the sandbox so that the injected module
 // does not get a chance to execute any code.
 void AddGenericDllEvictionPolicy(sandbox::TargetPolicy* policy) {
   for (int ix = 0; ix != arraysize(kTroublesomeDlls); ++ix)
     BlacklistAddOneDll(kTroublesomeDlls[ix], true, policy);
 }
 
-// Same as AddGenericDllEvictionPolicy but specifically for the GPU process.
-// In this we add the blacklisted dlls even if they are not loaded in this
-// process.
-void AddGpuDllEvictionPolicy(sandbox::TargetPolicy* policy) {
-  for (int ix = 0; ix != arraysize(kTroublesomeGpuDlls); ++ix)
-    BlacklistAddOneDll(kTroublesomeGpuDlls[ix], false, policy);
-}
-
 // Returns the object path prepended with the current logon session.
 string16 PrependWindowsSessionPath(const char16* object) {
   // Cache this because it can't change after process creation.
   static uintptr_t s_session_id = 0;
   if (s_session_id == 0) {
     HANDLE token;
     DWORD session_id_length;
     DWORD session_id = 0;
 
     CHECK(::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token));
@@ skipping 31 matching lines @@
                                    sizeof(job_info), NULL)) {
     NOTREACHED() << "QueryInformationJobObject failed. " << GetLastError();
     return true;
   }
   if (job_info.BasicLimitInformation.LimitFlags & JOB_OBJECT_LIMIT_BREAKAWAY_OK)
     return true;
 
   return false;
 }
 
-void SetJobLevel(const CommandLine& cmd_line,
-                 sandbox::JobLevel job_level,
-                 uint32 ui_exceptions,
-                 sandbox::TargetPolicy* policy) {
-  if (ShouldSetJobLevel(cmd_line))
-    policy->SetJobLevel(job_level, ui_exceptions);
-  else
-    policy->SetJobLevel(sandbox::JOB_NONE, 0);
-}
-
-// Closes handles that are opened at process creation and initialization.
-void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
-  // Being able to manipulate anything BaseNamedObjects is bad.
-  string16 object_path = PrependWindowsSessionPath(L"\\BaseNamedObjects");
-  policy->AddKernelObjectToClose(L"Directory", object_path.data());
-  object_path = PrependWindowsSessionPath(
-      L"\\BaseNamedObjects\\windows_shell_global_counters");
-  policy->AddKernelObjectToClose(L"Section", object_path.data());
-}
-
 // Adds the generic policy rules to a sandbox TargetPolicy.
 bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
   sandbox::ResultCode result;
 
+  // Renderers need to copy sections for plugin DIBs and GPU.
+  // GPU needs to copy sections to renderers.
+  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+                           sandbox::TargetPolicy::HANDLES_DUP_ANY,
+                           L"Section");
+  if (result != sandbox::SBOX_ALL_OK)
+    return false;
+
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
   // "chrome." so the sandboxed process cannot connect to system services.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                            sandbox::TargetPolicy::FILES_ALLOW_ANY,
                            L"\\??\\pipe\\chrome.*");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
-  // Allow the server side of a pipe restricted to the "chrome.nacl."
-  // namespace so that it cannot impersonate other system or other chrome
-  // service pipes.
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-                           sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
-                           L"\\\\.\\pipe\\chrome.nacl.*");
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
+
   // Allow the server side of sync sockets, which are pipes that have
   // the "chrome.sync" namespace and a randomly generated suffix.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
                            sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
                            L"\\\\.\\pipe\\chrome.sync.*");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
   // Add the policy for debug message only in debug
 #ifndef NDEBUG
   base::FilePath app_dir;
   if (!PathService::Get(base::DIR_MODULE, &app_dir))
     return false;
 
   wchar_t long_path_buf[MAX_PATH];
   DWORD long_path_return_value = GetLongPathName(app_dir.value().c_str(),
                                                  long_path_buf,
                                                  MAX_PATH);
   if (long_path_return_value == 0 || long_path_return_value >= MAX_PATH)
     return false;
 
   base::FilePath debug_message(long_path_buf);
   debug_message = debug_message.AppendASCII("debug_message.exe");
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
                            sandbox::TargetPolicy::PROCESS_MIN_EXEC,
                            debug_message.value().c_str());
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 #endif  // NDEBUG
+
+  AddGenericDllEvictionPolicy(policy);
+
   return true;
 }
 
-// For the GPU process we gotten as far as USER_LIMITED. The next level
-// which is USER_RESTRICTED breaks both the DirectX backend and the OpenGL
-// backend. Note that the GPU process is connected to the interactive
-// desktop.
-// TODO(cpu): Lock down the sandbox more if possible.
-bool AddPolicyForGPU(CommandLine* cmd_line, sandbox::TargetPolicy* policy) {
-#if !defined(NACL_WIN64)  // We don't need this code on win nacl64.
-  if (base::win::GetVersion() > base::win::VERSION_XP) {
-    if (cmd_line->GetSwitchValueASCII(switches::kUseGL) ==
-        gfx::kGLImplementationDesktopName) {
-      // Open GL path.
-      policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                            sandbox::USER_LIMITED);
-      SetJobLevel(*cmd_line, sandbox::JOB_UNPROTECTED, 0, policy);
-      policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-    } else {
-      if (cmd_line->GetSwitchValueASCII(switches::kUseGL) ==
-          gfx::kGLImplementationSwiftShaderName ||
-          cmd_line->HasSwitch(switches::kReduceGpuSandbox) ||
-          cmd_line->HasSwitch(switches::kDisableImageTransportSurface)) {
-        // Swiftshader path.
-        policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                              sandbox::USER_LIMITED);
-      } else {
-        // Angle + DirectX path.
-        policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                              sandbox::USER_RESTRICTED);
-        // This is a trick to keep the GPU out of low-integrity processes. It
-        // starts at low-integrity for UIPI to work, then drops below
-        // low-integrity after warm-up.
-        policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
-      }
-
-      // UI restrictions break when we access Windows from outside our job.
-      // However, we don't want a proxy window in this process because it can
-      // introduce deadlocks where the renderer blocks on the gpu, which in
-      // turn blocks on the browser UI thread. So, instead we forgo a window
-      // message pump entirely and just add job restrictions to prevent child
-      // processes.
-      SetJobLevel(*cmd_line,
-                  sandbox::JOB_LIMITED_USER,
-                  JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS |
-                  JOB_OBJECT_UILIMIT_DESKTOP |
-                  JOB_OBJECT_UILIMIT_EXITWINDOWS |
-                  JOB_OBJECT_UILIMIT_DISPLAYSETTINGS,
-                  policy);
-
-      policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-    }
-  } else {
-    SetJobLevel(*cmd_line, sandbox::JOB_UNPROTECTED, 0, policy);
-    policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
-                          sandbox::USER_LIMITED);
-  }
-
-  // Allow the server side of GPU sockets, which are pipes that have
-  // the "chrome.gpu" namespace and an arbitrary suffix.
-  sandbox::ResultCode result = policy->AddRule(
-      sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-      sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
-      L"\\\\.\\pipe\\chrome.gpu.*");
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
-
-  // GPU needs to copy sections to renderers.
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
-                           sandbox::TargetPolicy::HANDLES_DUP_ANY,
-                           L"Section");
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
-
-#ifdef USE_AURA
-  // GPU also needs to add sections to the browser for aura
-  // TODO(jschuh): refactor the GPU channel to remove this. crbug.com/128786
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
-                           sandbox::TargetPolicy::HANDLES_DUP_BROKER,
-                           L"Section");
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
-#endif
-
-  AddGenericDllEvictionPolicy(policy);
-  AddGpuDllEvictionPolicy(policy);
-
-  if (cmd_line->HasSwitch(switches::kEnableLogging)) {
-    string16 log_file_path = logging::GetLogFileFullPath();
-    if (!log_file_path.empty()) {
-      result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
-                               sandbox::TargetPolicy::FILES_ALLOW_ANY,
-                               log_file_path.c_str());
-      if (result != sandbox::SBOX_ALL_OK)
-        return false;
-    }
-  }
-#endif
-  return true;
-}
-
-bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
-  // Renderers need to copy sections for plugin DIBs and GPU.
+bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) {
   sandbox::ResultCode result;
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
-                           sandbox::TargetPolicy::HANDLES_DUP_ANY,
-                           L"Section");
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
-
   // Renderers need to share events with plugins.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
                            sandbox::TargetPolicy::HANDLES_DUP_ANY,
                            L"Event");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
-  // Renderers need to send named pipe handles and shared memory
-  // segment handles to NaCl loader processes.
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
-                           sandbox::TargetPolicy::HANDLES_DUP_ANY,
-                           L"File");
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
-
   sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
   if (base::win::GetVersion() > base::win::VERSION_XP) {
     // On 2003/Vista the initial token has to be restricted if the main
     // token is restricted.
     initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
   }
 
   policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
   // Prevents the renderers from manipulating low-integrity processes.
   policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
 
   bool use_winsta = !CommandLine::ForCurrentProcess()->HasSwitch(
                         switches::kDisableAltWinstation);
 
   if (sandbox::SBOX_ALL_OK !=  policy->SetAlternateDesktop(use_winsta)) {
     DLOG(WARNING) << "Failed to apply desktop security to the renderer";
   }
 
-  AddGenericDllEvictionPolicy(policy);
-
   return true;
 }
 
-// The Pepper process as locked-down as a renderer execpt that it can
-// create the server side of chrome pipes.
-bool AddPolicyForPepperPlugin(sandbox::TargetPolicy* policy) {
-  sandbox::ResultCode result;
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-                           sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
-                           L"\\\\.\\pipe\\chrome.*");
-  return result == sandbox::SBOX_ALL_OK;
-}
-
 // This code is test only, and attempts to catch unsafe uses of
 // DuplicateHandle() that copy privileged handles into sandboxed processes.
 #ifndef OFFICIAL_BUILD
 base::win::IATPatchFunction g_iat_patch_duplicate_handle;
 
 BOOL (WINAPI *g_iat_orig_duplicate_handle)(HANDLE source_process_handle,
                                            HANDLE source_handle,
                                            HANDLE target_process_handle,
                                            LPHANDLE target_handle,
                                            DWORD desired_access,
@@ skipping 80 matching lines @@
     // Callers use CHECK macro to make sure we get the right stack.
     CheckDuplicateHandle(handle);
   }
 
   return TRUE;
 }
 #endif
 
 }  // namespace
 
-namespace content {
+void SetJobLevel(const CommandLine& cmd_line,
+                 sandbox::JobLevel job_level,
+                 uint32 ui_exceptions,
+                 sandbox::TargetPolicy* policy) {
+  if (ShouldSetJobLevel(cmd_line))
+    policy->SetJobLevel(job_level, ui_exceptions);
+  else
+    policy->SetJobLevel(sandbox::JOB_NONE, 0);
+}
+
+// TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
+// Just have to figure out what needs to be warmed up first.
+void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
+  // Being able to manipulate anything BaseNamedObjects is bad.
+  string16 object_path = PrependWindowsSessionPath(L"\\BaseNamedObjects");
+  policy->AddKernelObjectToClose(L"Directory", object_path.data());
+  object_path = PrependWindowsSessionPath(
+      L"\\BaseNamedObjects\\windows_shell_global_counters");
+  policy->AddKernelObjectToClose(L"Section", object_path.data());
+}
 
 bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
   // TODO(abarth): DCHECK(CalledOnValidThread());
   //               See <http://b/1287166>.
   DCHECK(broker_services);
   DCHECK(!g_broker_services);
   sandbox::ResultCode result = broker_services->Init();
   g_broker_services = broker_services;
 
-// In non-official builds warn about dangerous uses of DuplicateHandle.
+  // In non-official builds warn about dangerous uses of DuplicateHandle.
   BOOL is_in_job = FALSE;
 #ifdef NACL_WIN64
   CHECK(::IsProcessInJob(::GetCurrentProcess(), NULL, &is_in_job));
 #endif
 #ifndef OFFICIAL_BUILD
   if (!is_in_job && !g_iat_patch_duplicate_handle.is_patched()) {
     HMODULE module = NULL;
     wchar_t module_name[MAX_PATH];
     CHECK(::GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,
                               reinterpret_cast<LPCWSTR>(InitBrokerServices),
@@ skipping 13 matching lines @@
 }
 
 bool InitTargetServices(sandbox::TargetServices* target_services) {
   DCHECK(target_services);
   DCHECK(!g_target_services);
   sandbox::ResultCode result = target_services->Init();
   g_target_services = target_services;
   return sandbox::SBOX_ALL_OK == result;
 }
 
-base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
-                                           const base::FilePath& exposed_dir) {
+base::ProcessHandle StartSandboxedProcess(
+    SandboxedProcessLauncherDelegate* delegate,
+    CommandLine* cmd_line) {
   const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess();
   ProcessType type;
   std::string type_str = cmd_line->GetSwitchValueASCII(switches::kProcessType);
   if (type_str == switches::kRendererProcess) {
     type = PROCESS_TYPE_RENDERER;
   } else if (type_str == switches::kPluginProcess) {
     type = PROCESS_TYPE_PLUGIN;
   } else if (type_str == switches::kWorkerProcess) {

[cpu_(ooo_6.6-7.5), 2013/03/19 21:22:55]

Most of this 'else if' section was only needed to call the functions that you
moved, take for example the nacl loader, that should go away.

[jam, 2013/03/19 22:57:30]

yep, I'm planning on removing this whole section in the next cl

     type = PROCESS_TYPE_WORKER;
   } else if (type_str == switches::kNaClLoaderProcess) {
     type = PROCESS_TYPE_NACL_LOADER;
   } else if (type_str == switches::kUtilityProcess) {
     type = PROCESS_TYPE_UTILITY;
   } else if (type_str == switches::kNaClBrokerProcess) {
     type = PROCESS_TYPE_NACL_BROKER;
   } else if (type_str == switches::kGpuProcess) {
     type = PROCESS_TYPE_GPU;
   } else if (type_str == switches::kPpapiPluginProcess) {
     type = PROCESS_TYPE_PPAPI_PLUGIN;
   } else if (type_str == switches::kPpapiBrokerProcess) {
     type = PROCESS_TYPE_PPAPI_BROKER;
   } else {
     NOTREACHED();
     return 0;
   }
 
   TRACE_EVENT_BEGIN_ETW("StartProcessWithAccess", 0, type_str);
 
   // To decide if the process is going to be sandboxed we have two cases.
   // First case: all process types except the nacl broker, and the plugin
   // process are sandboxed by default.
   bool in_sandbox =

[cpu_(ooo_6.6-7.5), 2013/03/19 21:22:55]

same here, this decision can be pushed to each host. If you remove this you can
also remove references to the nacl_broker above.

[jam, 2013/03/19 22:57:30]

ditto

       (type != PROCESS_TYPE_NACL_BROKER) &&
       (type != PROCESS_TYPE_PLUGIN) &&
       (type != PROCESS_TYPE_PPAPI_BROKER);
 
   // If it is the GPU process then it can be disabled by a command line flag.
   if ((type == PROCESS_TYPE_GPU) &&
       (cmd_line->HasSwitch(switches::kDisableGpuSandbox))) {
     in_sandbox = false;
     DVLOG(1) << "GPU sandbox is disabled";
   }
@@ skipping 57 matching lines @@
     return 0;
 
   mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
                 sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
   if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
     return 0;
 
   SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy);
 
-  if (type == PROCESS_TYPE_GPU) {
-    if (!AddPolicyForGPU(cmd_line, policy))
-      return 0;
-  } else {
-    if (!AddPolicyForRenderer(policy))
-      return 0;
-    // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
-    // Just have to figure out what needs to be warmed up first.
-    if (type == PROCESS_TYPE_RENDERER ||
-        type == PROCESS_TYPE_WORKER) {
-      AddBaseHandleClosePolicy(policy);
-    // Pepper uses the renderer's policy, whith some tweaks.
-    } else if (type == PROCESS_TYPE_PPAPI_PLUGIN) {
-      if (!AddPolicyForPepperPlugin(policy))
-        return 0;
-    }
+  bool disable_default_policy = false;
+  base::FilePath exposed_dir;
+  if (delegate)
+    delegate->PreSandbox(&disable_default_policy, &exposed_dir);
 
+  if (!disable_default_policy && !AddPolicyForSandboxedProcess(policy))
+    return 0;
 
-    if (type_str != switches::kRendererProcess) {
-      // Hack for Google Desktop crash. Trick GD into not injecting its DLL into
-      // this subprocess. See
-      // http://code.google.com/p/chromium/issues/detail?id=25580
-      cmd_line->AppendSwitchASCII("ignored", " --type=renderer ");
-    }
+  if (type_str != switches::kRendererProcess) {
+    // Hack for Google Desktop crash. Trick GD into not injecting its DLL into
+    // this subprocess. See
+    // http://code.google.com/p/chromium/issues/detail?id=25580
+    cmd_line->AppendSwitchASCII("ignored", " --type=renderer ");
   }
 
   sandbox::ResultCode result;
   if (!exposed_dir.empty()) {
     result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                              sandbox::TargetPolicy::FILES_ALLOW_ANY,
                              exposed_dir.value().c_str());
     if (result != sandbox::SBOX_ALL_OK)
       return 0;
 
@@ skipping 10 matching lines @@
     return 0;
   }
 
   if (browser_command_line.HasSwitch(switches::kEnableLogging)) {
     // If stdout/stderr point to a Windows console, these calls will
     // have no effect.
     policy->SetStdoutHandle(GetStdHandle(STD_OUTPUT_HANDLE));
     policy->SetStderrHandle(GetStdHandle(STD_ERROR_HANDLE));
   }
 
+  if (delegate) {
+    bool success = true;
+    delegate->PreSpawnTarget(policy, &success);
+    if (!success)
+      return 0;
+  }
+
   TRACE_EVENT_BEGIN_ETW("StartProcessWithAccess::LAUNCHPROCESS", 0, 0);
 
   result = g_broker_services->SpawnTarget(
       cmd_line->GetProgram().value().c_str(),
       cmd_line->GetCommandLineString().c_str(),
       policy, target.Receive());
   policy->Release();
 
   TRACE_EVENT_END_ETW("StartProcessWithAccess::LAUNCHPROCESS", 0, 0);
 
   if (sandbox::SBOX_ALL_OK != result) {
     DLOG(ERROR) << "Failed to launch process. Error: " << result;
     return 0;
   }
 
-#if !defined(NACL_WIN64)
-  // For Native Client sel_ldr processes on 32-bit Windows, reserve 1 GB of
-  // address space to prevent later failure due to address space fragmentation
-  // from .dll loading. The NaCl process will attempt to locate this space by
-  // scanning the address space using VirtualQuery.
-  // TODO(bbudge) Handle the --no-sandbox case.
-  // http://code.google.com/p/nativeclient/issues/detail?id=2131
-  if (type == PROCESS_TYPE_NACL_LOADER) {
-    const SIZE_T kOneGigabyte = 1 << 30;
-    void* nacl_mem = VirtualAllocEx(target.process_handle(),
-                                    NULL,
-                                    kOneGigabyte,
-                                    MEM_RESERVE,
-                                    PAGE_NOACCESS);
-    if (!nacl_mem) {
-      DLOG(WARNING) << "Failed to reserve address space for Native Client";
-    }
-  }
-#endif  // !defined(NACL_WIN64)
+  if (delegate)
+    delegate->PostSpawnTarget(target.process_handle());
+
 
   ResumeThread(target.thread_handle());
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     base::debug::SpawnDebuggerOnProcess(target.process_id());
 
   return target.TakeProcessHandle();
 }
@@ skipping 30 matching lines @@
   }
 
   return false;
 }
 
 bool BrokerAddTargetPeer(HANDLE peer_process) {
   return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
 }
 
 }  // namespace content