Enabled OPM redirection policy for PPAPI processes.

content/common/sandbox_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_win.h"
 
 #include <stddef.h>
 
 #include <string>
 
@@ skipping 558 matching lines @@
   base::string16 object_path = PrependWindowsSessionPath(
       L"\\BaseNamedObjects\\windows_shell_global_counters");
   policy->AddKernelObjectToClose(L"Section", object_path.data());
 }
 
 void AddAppContainerPolicy(sandbox::TargetPolicy* policy, const wchar_t* sid) {
   if (IsAppContainerEnabled())
     policy->SetLowBox(sid);
 }
 
-bool AddWin32kLockdownPolicy(sandbox::TargetPolicy* policy) {
+bool AddWin32kLockdownPolicy(sandbox::TargetPolicy* policy, bool enable_opm) {
 #if !defined(NACL_WIN64)
   if (!IsWin32kRendererLockdownEnabled())
     return true;
 
   // Enable win32k lockdown if not already.
   sandbox::MitigationFlags flags = policy->GetProcessMitigations();
   if ((flags & sandbox::MITIGATION_WIN32K_DISABLE) ==
       sandbox::MITIGATION_WIN32K_DISABLE)
     return true;
 
   sandbox::ResultCode result =
       policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
-                      sandbox::TargetPolicy::FAKE_USER_GDI_INIT, nullptr);
+                      enable_opm ? sandbox::TargetPolicy::IMPLEMENT_OPM_APIS
+                                 : sandbox::TargetPolicy::FAKE_USER_GDI_INIT,
+                      nullptr);
   if (result != sandbox::SBOX_ALL_OK)
     return false;
-
+  if (enable_opm)
+    policy->SetEnableOPMRedirection();
   flags |= sandbox::MITIGATION_WIN32K_DISABLE;
   result = policy->SetProcessMitigations(flags);
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 #endif
   return true;
 }
 
 bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
   // TODO(abarth): DCHECK(CalledOnValidThread());
@@ skipping 99 matching lines @@
   if (!gfx::win::ShouldUseDirectWrite())
     mitigations ^= sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE;
 #endif
 
   if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
     return base::Process();
 
 #if !defined(NACL_WIN64)
   if (type_str == switches::kRendererProcess &&
       IsWin32kRendererLockdownEnabled()) {
-    if (!AddWin32kLockdownPolicy(policy))
+    if (!AddWin32kLockdownPolicy(policy, false))
       return base::Process();
   }
 #endif
 
   // Post-startup mitigations.
   mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
                 sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
   if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
     return base::Process();
@@ skipping 87 matching lines @@
 
   CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1));
   return base::Process(target.TakeProcessHandle());
 }
 
 bool BrokerAddTargetPeer(HANDLE peer_process) {
   return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
 }
 
 }  // namespace content