Use scoped_refptr and RefCountedThreadSafe for TargetPolicy.

content/common/sandbox_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_win.h"
 
 #include <string>
 
 #include "base/base_switches.h"
 #include "base/command_line.h"
 #include "base/debug/profiler.h"
 #include "base/files/file_util.h"
 #include "base/hash.h"
 #include "base/logging.h"
+#include "base/memory/ref_counted.h"
 #include "base/memory/shared_memory.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/trace_event/trace_event.h"
 #include "base/win/iat_patch_function.h"
@@ skipping 659 matching lines @@
   if ((!delegate->ShouldSandbox()) ||
       browser_command_line.HasSwitch(switches::kNoSandbox) ||
       cmd_line->HasSwitch(switches::kNoSandbox)) {
     base::Process process =
         base::LaunchProcess(*cmd_line, base::LaunchOptions());
     // TODO(rvargas) crbug.com/417532: Don't share a raw handle.
     g_broker_services->AddTargetPeer(process.Handle());
     return process.Pass();
   }
 
-  sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
+  scoped_refptr<sandbox::TargetPolicy> policy =
+      g_broker_services->CreatePolicy();
 
   sandbox::MitigationFlags mitigations = sandbox::MITIGATION_HEAP_TERMINATE |
                                          sandbox::MITIGATION_BOTTOM_UP_ASLR |
                                          sandbox::MITIGATION_DEP |
                                          sandbox::MITIGATION_DEP_NO_ATL_THUNK |
                                          sandbox::MITIGATION_SEHOP;
 
   if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
     return base::Process();
 
 #if !defined(NACL_WIN64)
   if (type_str == switches::kRendererProcess &&
       IsWin32kRendererLockdownEnabled()) {
-    if (!AddWin32kLockdownPolicy(policy))
+    if (!AddWin32kLockdownPolicy(policy.get()))
       return base::Process();
   }
 #endif
 
   mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
                 sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
   if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
     return base::Process();
 
-  SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy);
+  SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy.get());
 
   if (!delegate->DisableDefaultPolicy()) {
-    if (!AddPolicyForSandboxedProcess(policy))
+    if (!AddPolicyForSandboxedProcess(policy.get()))
       return base::Process();
   }
 
 #if !defined(NACL_WIN64)
   if (type_str == switches::kRendererProcess ||
       type_str == switches::kPpapiPluginProcess) {
     if (gfx::win::ShouldUseDirectWrite()) {
       AddDirectory(base::DIR_WINDOWS_FONTS,
                   NULL,
                   true,
                   sandbox::TargetPolicy::FILES_ALLOW_READONLY,
-                  policy);
+                  policy.get());
 
       // If DirectWrite is enabled for font rendering then open the font cache
       // section which is created by the browser and pass the handle to the
       // renderer process. This is needed because renderer processes on
       // Windows 8+ may be running in an AppContainer sandbox and hence their
       // kernel object namespace may be partitioned.
       std::string name(content::kFontCacheSharedSectionName);
       name.append(base::UintToString(base::GetCurrentProcId()));
 
       base::SharedMemory direct_write_font_cache_section;
       if (direct_write_font_cache_section.Open(name, true)) {
         void* shared_handle = policy->AddHandleToShare(
             direct_write_font_cache_section.handle().GetHandle());
         cmd_line->AppendSwitchASCII(switches::kFontCacheSharedHandle,
             base::UintToString(reinterpret_cast<unsigned int>(shared_handle)));
       }
     }
   }
 #endif
 
   if (type_str != switches::kRendererProcess) {
     // Hack for Google Desktop crash. Trick GD into not injecting its DLL into
     // this subprocess. See
     // http://code.google.com/p/chromium/issues/detail?id=25580
     cmd_line->AppendSwitchASCII("ignored", " --type=renderer ");
   }
 
-  if (!AddGenericPolicy(policy)) {
+  if (!AddGenericPolicy(policy.get())) {
     NOTREACHED();
     return base::Process();
   }
 
   // Allow the renderer and gpu processes to access the log file.
   if (type_str == switches::kRendererProcess ||
       type_str == switches::kGpuProcess) {
     if (logging::IsLoggingToFileEnabled()) {
       DCHECK(base::FilePath(logging::GetLogFileFullPath()).IsAbsolute());
       policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                       sandbox::TargetPolicy::FILES_ALLOW_ANY,
                       logging::GetLogFileFullPath().c_str());
     }
   }
 
 #if !defined(OFFICIAL_BUILD)
   // If stdout/stderr point to a Windows console, these calls will
   // have no effect.
   policy->SetStdoutHandle(GetStdHandle(STD_OUTPUT_HANDLE));
   policy->SetStderrHandle(GetStdHandle(STD_ERROR_HANDLE));
 #endif
 
-  if (!delegate->PreSpawnTarget(policy))
+  if (!delegate->PreSpawnTarget(policy.get()))
     return base::Process();
 
   TRACE_EVENT_BEGIN0("startup", "StartProcessWithAccess::LAUNCHPROCESS");
 
   PROCESS_INFORMATION temp_process_info = {};
   sandbox::ResultCode result = g_broker_services->SpawnTarget(
       cmd_line->GetProgram().value().c_str(),
       cmd_line->GetCommandLineString().c_str(), policy, &temp_process_info);
   DWORD last_error = ::GetLastError();
   base::win::ScopedProcessInformation target(temp_process_info);
@@ skipping 53 matching lines @@
   }
 
   return false;
 }
 
 bool BrokerAddTargetPeer(HANDLE peer_process) {
   return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
 }
 
 }  // namespace content