Wire up process launch error codes.

content/common/sandbox_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_win.h"
 
 #include <stddef.h>
 
 #include <string>
 
@@ skipping 263 matching lines @@
     NOTREACHED() << "QueryInformationJobObject failed. " << GetLastError();
     return true;
   }
   if (job_info.BasicLimitInformation.LimitFlags & JOB_OBJECT_LIMIT_BREAKAWAY_OK)
     return true;
 
   return false;
 }
 
 // Adds the generic policy rules to a sandbox TargetPolicy.
-bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
+sandbox::ResultCode AddGenericPolicy(sandbox::TargetPolicy* policy) {
   sandbox::ResultCode result;
 
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
   // "chrome." so the sandboxed process cannot connect to system services.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                            sandbox::TargetPolicy::FILES_ALLOW_ANY,
                            L"\\??\\pipe\\chrome.*");
   if (result != sandbox::SBOX_ALL_OK)
-    return false;
+    return result;
 
   // Add the policy for the server side of nacl pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
   // "chrome.nacl" so the sandboxed process cannot connect to
   // system services.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
                            sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
                            L"\\\\.\\pipe\\chrome.nacl.*");
   if (result != sandbox::SBOX_ALL_OK)
-    return false;
+    return result;
 
   // Allow the server side of sync sockets, which are pipes that have
   // the "chrome.sync" namespace and a randomly generated suffix.
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
                            sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
                            L"\\\\.\\pipe\\chrome.sync.*");
   if (result != sandbox::SBOX_ALL_OK)
-    return false;
+    return result;
 
   // Add the policy for debug message only in debug
 #ifndef NDEBUG
   base::FilePath app_dir;
   if (!PathService::Get(base::DIR_MODULE, &app_dir))
     return false;
 
   wchar_t long_path_buf[MAX_PATH];
   DWORD long_path_return_value = GetLongPathName(app_dir.value().c_str(),
                                                  long_path_buf,
                                                  MAX_PATH);
   if (long_path_return_value == 0 || long_path_return_value >= MAX_PATH)
     return false;
 
   base::FilePath debug_message(long_path_buf);
   debug_message = debug_message.AppendASCII("debug_message.exe");
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
                            sandbox::TargetPolicy::PROCESS_MIN_EXEC,
                            debug_message.value().c_str());
   if (result != sandbox::SBOX_ALL_OK)
-    return false;
+    return result;
 #endif  // NDEBUG
 
   // Add the policy for read-only PDB file access for stack traces.
 #if !defined(OFFICIAL_BUILD)
   base::FilePath exe;
   if (!PathService::Get(base::FILE_EXE, &exe))
-    return false;
+    return sandbox::SBOX_ERROR_GENERIC;
   base::FilePath pdb_path = exe.DirName().Append(L"*.pdb");
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                            sandbox::TargetPolicy::FILES_ALLOW_READONLY,
                            pdb_path.value().c_str());
   if (result != sandbox::SBOX_ALL_OK)
-    return false;
+    return result;
 #endif
 
 #if defined(SANITIZER_COVERAGE)
   DWORD coverage_dir_size =
       ::GetEnvironmentVariable(L"SANITIZER_COVERAGE_DIR", NULL, 0);
   if (coverage_dir_size == 0) {
     LOG(WARNING) << "SANITIZER_COVERAGE_DIR was not set, coverage won't work.";
   } else {
     std::wstring coverage_dir;
     wchar_t* coverage_dir_str =
         base::WriteInto(&coverage_dir, coverage_dir_size);
     coverage_dir_size = ::GetEnvironmentVariable(
         L"SANITIZER_COVERAGE_DIR", coverage_dir_str, coverage_dir_size);
     CHECK(coverage_dir.size() == coverage_dir_size);
     base::FilePath sancov_path =
         base::FilePath(coverage_dir).Append(L"*.sancov");
     result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                              sandbox::TargetPolicy::FILES_ALLOW_ANY,
                              sancov_path.value().c_str());
     if (result != sandbox::SBOX_ALL_OK)
-      return false;
+      return result;
   }
 #endif
 
   AddGenericDllEvictionPolicy(policy);
-  return true;
+  return sandbox::SBOX_ALL_OK;
 }
 
-bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) {
+sandbox::ResultCode AddPolicyForSandboxedProcess(
+    sandbox::TargetPolicy* policy) {
   sandbox::ResultCode result = sandbox::SBOX_ALL_OK;
 
   // Win8+ adds a device DeviceApi that we don't need.
   if (base::win::GetVersion() > base::win::VERSION_WIN7)
     result = policy->AddKernelObjectToClose(L"File", L"\\Device\\DeviceApi");
   if (result != sandbox::SBOX_ALL_OK)
-    return false;
+    return result;
 
   // Close the proxy settings on XP.
   if (base::win::GetVersion() <= base::win::VERSION_SERVER_2003)
     result = policy->AddKernelObjectToClose(L"Key",
                  L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\" \
                      L"CurrentVersion\\Internet Settings");
   if (result != sandbox::SBOX_ALL_OK)
-    return false;
+    return result;
 
   sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
   if (base::win::GetVersion() > base::win::VERSION_XP) {
     // On 2003/Vista the initial token has to be restricted if the main
     // token is restricted.
     initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
   }
 
-  policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
+  result = policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
+  if (result != sandbox::SBOX_ALL_OK)
+    return result;
   // Prevents the renderers from manipulating low-integrity processes.
-  policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
-  policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+  result = policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
+  if (result != sandbox::SBOX_ALL_OK)
+    return result;
+  result = policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+  if (result != sandbox::SBOX_ALL_OK)
+    return result;
   policy->SetLockdownDefaultDacl();
 
-  if (sandbox::SBOX_ALL_OK !=  policy->SetAlternateDesktop(true)) {
+  result = policy->SetAlternateDesktop(true);
+  if (result != sandbox::SBOX_ALL_OK) {
     DLOG(WARNING) << "Failed to apply desktop security to the renderer";
+    return result;
   }
 
-  return true;
+  return result;
 }
 
 // Updates the command line arguments with debug-related flags. If debug flags
 // have been used with this process, they will be filtered and added to
 // command_line as needed.
 void ProcessDebugFlags(base::CommandLine* command_line) {
   const base::CommandLine& current_cmd_line =
       *base::CommandLine::ForCurrentProcess();
   std::string type = command_line->GetSwitchValueASCII(switches::kProcessType);
   if (current_cmd_line.HasSwitch(switches::kWaitForDebuggerChildren)) {
@@ skipping 121 matching lines @@
   if (command_line.HasSwitch(switches::kDisableAppContainer))
     return false;
   if (command_line.HasSwitch(switches::kEnableAppContainer))
     return true;
   return base::StartsWith(appcontainer_group_name, "Enabled",
                           base::CompareCase::INSENSITIVE_ASCII);
 }
 
 }  // namespace
 
-void SetJobLevel(const base::CommandLine& cmd_line,
-                 sandbox::JobLevel job_level,
-                 uint32_t ui_exceptions,
-                 sandbox::TargetPolicy* policy) {
-  if (ShouldSetJobLevel(cmd_line)) {
+sandbox::ResultCode SetJobLevel(const base::CommandLine& cmd_line,
+                                sandbox::JobLevel job_level,
+                                uint32_t ui_exceptions,
+                                sandbox::TargetPolicy* policy) {
+  if (!ShouldSetJobLevel(cmd_line))
+    return policy->SetJobLevel(sandbox::JOB_NONE, 0);
+
 #ifdef _WIN64
-    policy->SetJobMemoryLimit(4ULL * 1024 * 1024 * 1024);
+  sandbox::ResultCode ret =
+      policy->SetJobMemoryLimit(4ULL * 1024 * 1024 * 1024);
+  if (ret != sandbox::SBOX_ALL_OK)
+    return ret;
 #endif
-    policy->SetJobLevel(job_level, ui_exceptions);
-  } else {
-    policy->SetJobLevel(sandbox::JOB_NONE, 0);
-  }
+  return policy->SetJobLevel(job_level, ui_exceptions);
 }
 
 // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
 // Just have to figure out what needs to be warmed up first.
-void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
+sandbox::ResultCode AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
   // TODO(cpu): Add back the BaseNamedObjects policy.
   base::string16 object_path = PrependWindowsSessionPath(
       L"\\BaseNamedObjects\\windows_shell_global_counters");
-  policy->AddKernelObjectToClose(L"Section", object_path.data());
+  return policy->AddKernelObjectToClose(L"Section", object_path.data());
 }
 
-void AddAppContainerPolicy(sandbox::TargetPolicy* policy, const wchar_t* sid) {
+sandbox::ResultCode AddAppContainerPolicy(sandbox::TargetPolicy* policy,
+                                          const wchar_t* sid) {
   if (IsAppContainerEnabled())
-    policy->SetLowBox(sid);
+    return policy->SetLowBox(sid);
+  return sandbox::SBOX_ALL_OK;
 }
 
-bool AddWin32kLockdownPolicy(sandbox::TargetPolicy* policy, bool enable_opm) {
+sandbox::ResultCode AddWin32kLockdownPolicy(sandbox::TargetPolicy* policy,
+                                            bool enable_opm) {
 #if !defined(NACL_WIN64)
   if (!IsWin32kRendererLockdownEnabled())
-    return true;
+    return sandbox::SBOX_ALL_OK;
 
   // Enable win32k lockdown if not already.
   sandbox::MitigationFlags flags = policy->GetProcessMitigations();
   if ((flags & sandbox::MITIGATION_WIN32K_DISABLE) ==
       sandbox::MITIGATION_WIN32K_DISABLE)
-    return true;
+    return sandbox::SBOX_ALL_OK;
 
   sandbox::ResultCode result =
       policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
                       enable_opm ? sandbox::TargetPolicy::IMPLEMENT_OPM_APIS
                                  : sandbox::TargetPolicy::FAKE_USER_GDI_INIT,
                       nullptr);
   if (result != sandbox::SBOX_ALL_OK)
-    return false;
+    return result;
   if (enable_opm)
     policy->SetEnableOPMRedirection();
+
   flags |= sandbox::MITIGATION_WIN32K_DISABLE;
-  result = policy->SetProcessMitigations(flags);
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
+  return policy->SetProcessMitigations(flags);
+#else
+  return sandbox::SBOX_ALL_OK;
 #endif
-  return true;
 }
 
 bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
   // TODO(abarth): DCHECK(CalledOnValidThread());
   //               See <http://b/1287166>.
   DCHECK(broker_services);
   DCHECK(!g_broker_services);
   sandbox::ResultCode result = broker_services->Init();
   g_broker_services = broker_services;
 
@@ skipping 29 matching lines @@
 }
 
 bool InitTargetServices(sandbox::TargetServices* target_services) {
   DCHECK(target_services);
   DCHECK(!g_target_services);
   sandbox::ResultCode result = target_services->Init();
   g_target_services = target_services;
   return sandbox::SBOX_ALL_OK == result;
 }
 
-base::Process StartSandboxedProcess(
+sandbox::ResultCode StartSandboxedProcess(
     SandboxedProcessLauncherDelegate* delegate,
     base::CommandLine* cmd_line,
-    const base::HandlesToInheritVector& handles_to_inherit) {
+    const base::HandlesToInheritVector& handles_to_inherit,
+    base::Process* process) {
   DCHECK(delegate);
   const base::CommandLine& browser_command_line =
       *base::CommandLine::ForCurrentProcess();
   std::string type_str = cmd_line->GetSwitchValueASCII(switches::kProcessType);
 
   TRACE_EVENT1("startup", "StartProcessWithAccess", "type", type_str);
 
   // Propagate the --allow-no-job flag if present.
   if (browser_command_line.HasSwitch(switches::kAllowNoSandboxJob) &&
       !cmd_line->HasSwitch(switches::kAllowNoSandboxJob)) {
     cmd_line->AppendSwitch(switches::kAllowNoSandboxJob);
   }
 
   ProcessDebugFlags(cmd_line);
 
   if ((!delegate->ShouldSandbox()) ||
       browser_command_line.HasSwitch(switches::kNoSandbox) ||
       cmd_line->HasSwitch(switches::kNoSandbox)) {
     base::LaunchOptions options;
 
     base::HandlesToInheritVector handles = handles_to_inherit;
     if (!handles_to_inherit.empty()) {
       options.inherit_handles = true;
       options.handles_to_inherit = &handles;
     }
-    base::Process process = base::LaunchProcess(*cmd_line, options);
+    base::Process unsandboxed_process = base::LaunchProcess(*cmd_line, options);
 
     // TODO(rvargas) crbug.com/417532: Don't share a raw handle.
-    g_broker_services->AddTargetPeer(process.Handle());
-    return process;
+    g_broker_services->AddTargetPeer(unsandboxed_process.Handle());
+
+    *process = std::move(unsandboxed_process);
+    return sandbox::SBOX_ALL_OK;
   }
 
   sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
 
   // Add any handles to be inherited to the policy.
   for (HANDLE handle : handles_to_inherit)
     policy->AddHandleToShare(handle);
 
   // Pre-startup mitigations.
   sandbox::MitigationFlags mitigations =
       sandbox::MITIGATION_HEAP_TERMINATE |
       sandbox::MITIGATION_BOTTOM_UP_ASLR |
       sandbox::MITIGATION_DEP |
       sandbox::MITIGATION_DEP_NO_ATL_THUNK |
       sandbox::MITIGATION_SEHOP |
       sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
       sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
       sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
 #if !defined(NACL_WIN64)
   // Don't block font loading with GDI.
   if (!gfx::win::ShouldUseDirectWrite())
     mitigations ^= sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE;
 #endif
 
-  if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
-    return base::Process();
+  sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;
+
+  result = policy->SetProcessMitigations(mitigations);
+
+  if (result != sandbox::SBOX_ALL_OK)
+    return result;
 
 #if !defined(NACL_WIN64)
   if (type_str == switches::kRendererProcess &&
       IsWin32kRendererLockdownEnabled()) {
-    if (!AddWin32kLockdownPolicy(policy, false))
-      return base::Process();
+    result = AddWin32kLockdownPolicy(policy, false);
+    if (result != sandbox::SBOX_ALL_OK)
+      return result;
   }
 #endif
 
   // Post-startup mitigations.
   mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
                 sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
-  if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
-    return base::Process();
+  result = policy->SetDelayedProcessMitigations(mitigations);
+  if (result != sandbox::SBOX_ALL_OK)
+    return result;
 
-  SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy);
+  result = SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy);
+  if (result != sandbox::SBOX_ALL_OK)
+    return result;
 
   if (!delegate->DisableDefaultPolicy()) {
-    if (!AddPolicyForSandboxedProcess(policy))
-      return base::Process();
+    result = AddPolicyForSandboxedProcess(policy);
+    if (result != sandbox::SBOX_ALL_OK)
+      return result;
   }
 
 #if !defined(NACL_WIN64)
   // NOTE: This is placed at function scope so that it stays alive through
   // process launch.
   base::SharedMemory direct_write_font_cache_section;
   if (type_str == switches::kRendererProcess ||
       type_str == switches::kPpapiPluginProcess) {
     if (gfx::win::ShouldUseDirectWrite()) {
       AddDirectory(base::DIR_WINDOWS_FONTS,
                   NULL,
                   true,
                   sandbox::TargetPolicy::FILES_ALLOW_READONLY,
                   policy);
     }
   }
 #endif
 
   if (type_str != switches::kRendererProcess) {
     // Hack for Google Desktop crash. Trick GD into not injecting its DLL into
     // this subprocess. See
     // http://code.google.com/p/chromium/issues/detail?id=25580
     cmd_line->AppendSwitchASCII("ignored", " --type=renderer ");
   }
 
-  if (!AddGenericPolicy(policy)) {
+  result = AddGenericPolicy(policy);
+
+  if (result != sandbox::SBOX_ALL_OK) {
     NOTREACHED();
-    return base::Process();
+    return result;
   }
 
   // Allow the renderer and gpu processes to access the log file.
   if (type_str == switches::kRendererProcess ||
       type_str == switches::kGpuProcess) {
     if (logging::IsLoggingToFileEnabled()) {
       DCHECK(base::FilePath(logging::GetLogFileFullPath()).IsAbsolute());
-      policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
-                      sandbox::TargetPolicy::FILES_ALLOW_ANY,
-                      logging::GetLogFileFullPath().c_str());
+      result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+                               sandbox::TargetPolicy::FILES_ALLOW_ANY,
+                               logging::GetLogFileFullPath().c_str());
+      if (result != sandbox::SBOX_ALL_OK)
+        return result;
     }
   }
 
 #if !defined(OFFICIAL_BUILD)
   // If stdout/stderr point to a Windows console, these calls will
-  // have no effect.
+  // have no effect. These calls can fail with SBOX_ERROR_BAD_PARAMS.
   policy->SetStdoutHandle(GetStdHandle(STD_OUTPUT_HANDLE));
   policy->SetStderrHandle(GetStdHandle(STD_ERROR_HANDLE));
 #endif
 
   if (!delegate->PreSpawnTarget(policy))
-    return base::Process();
+    return sandbox::SBOX_ERROR_DELEGATE_PRE_SPAWN;
 
   TRACE_EVENT_BEGIN0("startup", "StartProcessWithAccess::LAUNCHPROCESS");
 
   PROCESS_INFORMATION temp_process_info = {};
-  sandbox::ResultCode result = g_broker_services->SpawnTarget(
+  result = g_broker_services->SpawnTarget(
       cmd_line->GetProgram().value().c_str(),
       cmd_line->GetCommandLineString().c_str(), policy, &temp_process_info);
   DWORD last_error = ::GetLastError();
   base::win::ScopedProcessInformation target(temp_process_info);
 
   TRACE_EVENT_END0("startup", "StartProcessWithAccess::LAUNCHPROCESS");
 
   if (sandbox::SBOX_ALL_OK != result) {
     if (result == sandbox::SBOX_ERROR_GENERIC)
       DPLOG(ERROR) << "Failed to launch process";
     else if (result == sandbox::SBOX_ERROR_CREATE_PROCESS) {
       // TODO(shrikant): Remove this special case handling after determining
       // cause for lowbox/createprocess errors.
       sandbox::PolicyBase* policy_base =
           static_cast<sandbox::PolicyBase*>(policy);
       UMA_HISTOGRAM_SPARSE_SLOWLY(policy_base->GetLowBoxSid() ?
                                       "Process.Sandbox.Lowbox.Launch.Error" :
                                       "Process.Sandbox.Launch.Error",
                                   last_error);
     } else
       DLOG(ERROR) << "Failed to launch process. Error: " << result;
 
-    return base::Process();
+    return result;
   }
 
   delegate->PostSpawnTarget(target.process_handle());
 
   CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1));
-  return base::Process(target.TakeProcessHandle());
+  *process = base::Process(target.TakeProcessHandle());
+  return sandbox::SBOX_ALL_OK;
 }
 
 bool BrokerAddTargetPeer(HANDLE peer_process) {
   return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
 }
 
 }  // namespace content