| OLD | NEW |
|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/sandbox_policy.h" | 5 #include "chrome/browser/sandbox_policy.h" |
| 6 | 6 |
| 7 #include "base/file_util.h" | 7 #include "base/file_util.h" |
| 8 #include "base/logging.h" | 8 #include "base/logging.h" |
| 9 #include "base/path_service.h" | 9 #include "base/path_service.h" |
| 10 #include "base/registry.h" | 10 #include "base/registry.h" |
| (...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 85 | 85 |
| 86 key += L"\\*"; | 86 key += L"\\*"; |
| 87 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, access, | 87 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, access, |
| 88 key.c_str()); | 88 key.c_str()); |
| 89 if (result != sandbox::SBOX_ALL_OK) | 89 if (result != sandbox::SBOX_ALL_OK) |
| 90 return false; | 90 return false; |
| 91 | 91 |
| 92 return true; | 92 return true; |
| 93 } | 93 } |
| 94 | 94 |
| 95 // Eviction of injected DLLs is done by the sandbox. An interception on a |
| 96 // system call is added such that the blacklisted dll, don't fully load so |
| 97 // the injected module does not get a chance to execute any code. |
| 98 bool AddDllEvictionPolicy(sandbox::TargetPolicy* policy) { |
| 99 // List of dlls to unmap. |
| 100 const wchar_t* troublesome_dlls[] = { |
| 101 L"smumhook.dll", // Spyware Doctor version 5 and above. |
| 102 L"GoogleDesktopNetwork3.DLL", // Google Desktop Search v5. |
| 103 L"npggNT.des", // GameGuard version 2008. It is a packed dll. |
| 104 }; |
| 105 |
| 106 for(int ix = 0; ix != arraysize(troublesome_dlls); ++ix) { |
| 107 // To minimize the list we only add an unload policy if the dll is also |
| 108 // loaded in this process. All the injected dlls of interest do this. |
| 109 if (::GetModuleHandleW(troublesome_dlls[ix])) { |
| 110 LOG(WARNING) << "dll to unload found: " << troublesome_dlls[ix]; |
| 111 if (sandbox::SBOX_ALL_OK != policy->AddDllToUnload(troublesome_dlls[ix])) |
| 112 return false; |
| 113 } |
| 114 } |
| 115 |
| 116 return true; |
| 117 } |
| 118 |
| 95 bool AddGenericPolicy(sandbox::TargetPolicy* policy) { | 119 bool AddGenericPolicy(sandbox::TargetPolicy* policy) { |
| 96 sandbox::ResultCode result; | 120 sandbox::ResultCode result; |
| 97 | 121 |
| 98 // Add the policy for the pipes | 122 // Add the policy for the pipes |
| 99 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, | 123 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, |
| 100 sandbox::TargetPolicy::FILES_ALLOW_ANY, | 124 sandbox::TargetPolicy::FILES_ALLOW_ANY, |
| 101 L"\\??\\pipe\\chrome.*"); | 125 L"\\??\\pipe\\chrome.*"); |
| 102 if (result != sandbox::SBOX_ALL_OK) | 126 if (result != sandbox::SBOX_ALL_OK) |
| 103 return false; | 127 return false; |
| 104 | 128 |
| (...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 219 return ApplyPolicyForTrustedPlugin(policy); | 243 return ApplyPolicyForTrustedPlugin(policy); |
| 220 case PLUGIN_GROUP_UNTRUSTED: | 244 case PLUGIN_GROUP_UNTRUSTED: |
| 221 return ApplyPolicyForUntrustedPlugin(policy); | 245 return ApplyPolicyForUntrustedPlugin(policy); |
| 222 default: | 246 default: |
| 223 NOTREACHED(); | 247 NOTREACHED(); |
| 224 break; | 248 break; |
| 225 } | 249 } |
| 226 | 250 |
| 227 return false; | 251 return false; |
| 228 } | 252 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2458:
Use the new dll injection blocking api of the sandbox to block... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/