Reland "Fix sandbox::PolicyBase leak"

content/common/sandbox_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_win.h"
 
 #include <stddef.h>
 
 #include <string>
 
@@ skipping 690 matching lines @@
     if (!handles_to_inherit.empty()) {
       options.inherit_handles = true;
       options.handles_to_inherit = &handles;
     }
     base::Process unsandboxed_process = base::LaunchProcess(*cmd_line, options);
 
     *process = std::move(unsandboxed_process);
     return sandbox::SBOX_ALL_OK;
   }
 
-  sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
+  scoped_refptr<sandbox::TargetPolicy> policy =
+      g_broker_services->CreatePolicy();
 
   // Add any handles to be inherited to the policy.
   for (HANDLE handle : handles_to_inherit)
     policy->AddHandleToShare(handle);
 
   // Pre-startup mitigations.
   sandbox::MitigationFlags mitigations =
       sandbox::MITIGATION_HEAP_TERMINATE |
       sandbox::MITIGATION_BOTTOM_UP_ASLR |
       sandbox::MITIGATION_DEP |
       sandbox::MITIGATION_DEP_NO_ATL_THUNK |
       sandbox::MITIGATION_SEHOP |
       sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
       sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
       sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
 
   if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints))
     mitigations |= sandbox::MITIGATION_EXTENSION_POINT_DISABLE;
 
   sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;
   result = policy->SetProcessMitigations(mitigations);
 
   if (result != sandbox::SBOX_ALL_OK)
     return result;
 
 #if !defined(NACL_WIN64)
   if (type_str == switches::kRendererProcess && IsWin32kLockdownEnabled()) {
-    result = AddWin32kLockdownPolicy(policy, false);
+    result = AddWin32kLockdownPolicy(policy.get(), false);
     if (result != sandbox::SBOX_ALL_OK)
       return result;
   }
 #endif
 
   // Post-startup mitigations.
   mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
                 sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
   result = policy->SetDelayedProcessMitigations(mitigations);
   if (result != sandbox::SBOX_ALL_OK)
     return result;
 
-  result = SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy);
+  result = SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy.get());
   if (result != sandbox::SBOX_ALL_OK)
     return result;
 
   if (!delegate->DisableDefaultPolicy()) {
-    result = AddPolicyForSandboxedProcess(policy);
+    result = AddPolicyForSandboxedProcess(policy.get());
     if (result != sandbox::SBOX_ALL_OK)
       return result;
   }
 
 #if !defined(NACL_WIN64)
   if (type_str == switches::kRendererProcess ||
       type_str == switches::kPpapiPluginProcess) {
     AddDirectory(base::DIR_WINDOWS_FONTS, NULL, true,
-                 sandbox::TargetPolicy::FILES_ALLOW_READONLY, policy);
+                 sandbox::TargetPolicy::FILES_ALLOW_READONLY, policy.get());
   }
 #endif
 
   if (type_str != switches::kRendererProcess) {
     // Hack for Google Desktop crash. Trick GD into not injecting its DLL into
     // this subprocess. See
     // http://code.google.com/p/chromium/issues/detail?id=25580
     cmd_line->AppendSwitchASCII("ignored", " --type=renderer ");
   }
 
-  result = AddGenericPolicy(policy);
+  result = AddGenericPolicy(policy.get());
 
   if (result != sandbox::SBOX_ALL_OK) {
     NOTREACHED();
     return result;
   }
 
   // Allow the renderer and gpu processes to access the log file.
   if (type_str == switches::kRendererProcess ||
       type_str == switches::kGpuProcess) {
     if (logging::IsLoggingToFileEnabled()) {
       DCHECK(base::FilePath(logging::GetLogFileFullPath()).IsAbsolute());
       result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                                sandbox::TargetPolicy::FILES_ALLOW_ANY,
                                logging::GetLogFileFullPath().c_str());
       if (result != sandbox::SBOX_ALL_OK)
         return result;
     }
   }
 
   // If stdout/stderr point to a Windows console, these calls will
   // have no effect. These calls can fail with SBOX_ERROR_BAD_PARAMS.
   policy->SetStdoutHandle(GetStdHandle(STD_OUTPUT_HANDLE));
   policy->SetStderrHandle(GetStdHandle(STD_ERROR_HANDLE));
 
-  if (!delegate->PreSpawnTarget(policy))
+  if (!delegate->PreSpawnTarget(policy.get()))
     return sandbox::SBOX_ERROR_DELEGATE_PRE_SPAWN;
 
   TRACE_EVENT_BEGIN0("startup", "StartProcessWithAccess::LAUNCHPROCESS");
 
   PROCESS_INFORMATION temp_process_info = {};
   sandbox::ResultCode last_warning = sandbox::SBOX_ALL_OK;
   DWORD last_error = ERROR_SUCCESS;
   result = g_broker_services->SpawnTarget(
       cmd_line->GetProgram().value().c_str(),
       cmd_line->GetCommandLineString().c_str(), policy, &last_warning,
@@ skipping 18 matching lines @@
   }
 
   delegate->PostSpawnTarget(target.process_handle());
 
   CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1));
   *process = base::Process(target.TakeProcessHandle());
   return sandbox::SBOX_ALL_OK;
 }
 
 }  // namespace content