Refactor configuration of sandboxes - first steps

content/browser/ppapi_plugin_process_host.cc

Index: content/browser/ppapi_plugin_process_host.cc
diff --git a/content/browser/ppapi_plugin_process_host.cc b/content/browser/ppapi_plugin_process_host.cc
index f1a3171d0d0251f382fa25dcf61a6c347f8c208d..da63a392baa5c2d6ddd0a53dbc7d3e166f973bc0 100644
--- a/content/browser/ppapi_plugin_process_host.cc
+++ b/content/browser/ppapi_plugin_process_host.cc
@@ -21,6 +21,7 @@
 #include "content/public/common/content_switches.h"
 #include "content/public/common/pepper_plugin_info.h"
 #include "content/public/common/process_type.h"
+#include "content/public/common/sandboxed_process_launcher_delegate.h"
 #include "ipc/ipc_switches.h"
 #include "net/base/network_change_notifier.h"
 #include "ppapi/proxy/ppapi_messages.h"
@@ -28,24 +29,31 @@
 
 #if defined(OS_WIN)
 #include "content/common/sandbox_win.h"
-#include "content/public/common/sandboxed_process_launcher_delegate.h"
 #include "sandbox/win/src/sandbox_policy.h"
 #endif
 
 namespace content {
 
-#if defined(OS_WIN)
 // NOTE: changes to this class need to be reviewed by the security team.
 class PpapiPluginSandboxedProcessLauncherDelegate
     : public content::SandboxedProcessLauncherDelegate {
  public:
-  explicit PpapiPluginSandboxedProcessLauncherDelegate(bool is_broker)
-      : is_broker_(is_broker) {}
+  PpapiPluginSandboxedProcessLauncherDelegate( bool is_broker,
+                                               const PepperPluginInfo& info,
+                                               ChildProcessHost* host)
+#if defined(OS_WIN)
+     : is_broker_(is_broker) {}

[jam, 2014/02/28 18:07:43]

nit: since is_broker_ is used for both ifdefs, i'd take this out of the ifdefs
since common parts shouldn't be duplicated.

[aberent, 2014/02/28 21:17:28]

Done. Had to put in some slightly strange line breaks to do it. Final layout is
as recommended by clang_format.

+#elif defined(OS_POSIX)
+     : is_broker_(is_broker),
+       info_(info),
+       ipc_fd_(host->TakeClientFileDescriptor()) {}
+#endif  // OS_WIN
+
   virtual ~PpapiPluginSandboxedProcessLauncherDelegate() {}
 
-  virtual void ShouldSandbox(bool* in_sandbox) OVERRIDE {
-    if (is_broker_)
-      *in_sandbox = false;
+#if defined(OS_WIN)
+  virtual bool ShouldSandbox() OVERRIDE {
+    return !is_broker_;
   }
 
   virtual void PreSpawnTarget(sandbox::TargetPolicy* policy,
@@ -61,12 +69,28 @@ class PpapiPluginSandboxedProcessLauncherDelegate
     *success = (result == sandbox::SBOX_ALL_OK);
   }
 
+#elif defined(OS_POSIX)
+  virtual bool ShouldUseZygote() OVERRIDE {
+    const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess();
+    CommandLine::StringType plugin_launcher = browser_command_line
+        .GetSwitchValueNative(switches::kPpapiPluginLauncher);
+    return !is_broker_ && plugin_launcher.empty() && info_.is_sandboxed;
+  }
+  virtual int GetIpcFd() OVERRIDE {
+    return ipc_fd_;
+  }
+#endif  // OS_WIN
+
  private:
   bool is_broker_;
 
+#if defined(OS_POSIX)
+  const PepperPluginInfo& info_;
+  int ipc_fd_;
+#endif  // OS_POSIX
+
   DISALLOW_COPY_AND_ASSIGN(PpapiPluginSandboxedProcessLauncherDelegate);
 };
-#endif  // OS_WIN
 
 class PpapiPluginProcessHost::PluginNetworkObserver
     : public net::NetworkChangeNotifier::IPAddressObserver,
@@ -333,18 +357,13 @@ bool PpapiPluginProcessHost::Init(const PepperPluginInfo& info) {
   // plugin launcher means we need to use another process instead of just
   // forking the zygote.
 #if defined(OS_POSIX)
-  bool use_zygote = !is_broker_ && plugin_launcher.empty() && info.is_sandboxed;
   if (!info.is_sandboxed)
     cmd_line->AppendSwitchASCII(switches::kNoSandbox, std::string());
 #endif  // OS_POSIX
   process_->Launch(
-#if defined(OS_WIN)
-      new PpapiPluginSandboxedProcessLauncherDelegate(is_broker_),
-      false,
-#elif defined(OS_POSIX)
-      use_zygote,
-      base::EnvironmentMap(),
-#endif
+      new PpapiPluginSandboxedProcessLauncherDelegate(is_broker_,
+                                                      info,
+                                                      process_->GetHost()),
       cmd_line);
   return true;
 }