| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_policy.h" | 5 #include "content/common/sandbox_policy.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/debug/debugger.h" | 10 #include "base/debug/debugger.h" |
| (...skipping 385 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 396 if (result != sandbox::SBOX_ALL_OK) | 396 if (result != sandbox::SBOX_ALL_OK) |
| 397 return false; | 397 return false; |
| 398 | 398 |
| 399 // Renderers need to share events with plugins. | 399 // Renderers need to share events with plugins. |
| 400 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, | 400 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, |
| 401 sandbox::TargetPolicy::HANDLES_DUP_ANY, | 401 sandbox::TargetPolicy::HANDLES_DUP_ANY, |
| 402 L"Event"); | 402 L"Event"); |
| 403 if (result != sandbox::SBOX_ALL_OK) | 403 if (result != sandbox::SBOX_ALL_OK) |
| 404 return false; | 404 return false; |
| 405 | 405 |
| 406 // Renderers need to send named pipe handles and shared memory |
| 407 // segment handles to NaCl loader processes. |
| 408 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, |
| 409 sandbox::TargetPolicy::HANDLES_DUP_ANY, |
| 410 L"File"); |
| 411 if (result != sandbox::SBOX_ALL_OK) |
| 412 return false; |
| 413 |
| 406 policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0); | 414 policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0); |
| 407 | 415 |
| 408 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; | 416 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; |
| 409 if (base::win::GetVersion() > base::win::VERSION_XP) { | 417 if (base::win::GetVersion() > base::win::VERSION_XP) { |
| 410 // On 2003/Vista the initial token has to be restricted if the main | 418 // On 2003/Vista the initial token has to be restricted if the main |
| 411 // token is restricted. | 419 // token is restricted. |
| 412 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; | 420 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; |
| 413 } | 421 } |
| 414 | 422 |
| 415 policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN); | 423 policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN); |
| (...skipping 268 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 684 target_process_id)); | 692 target_process_id)); |
| 685 if (target_process.IsValid()) { | 693 if (target_process.IsValid()) { |
| 686 return !!::DuplicateHandle(::GetCurrentProcess(), source_handle, | 694 return !!::DuplicateHandle(::GetCurrentProcess(), source_handle, |
| 687 target_process, target_handle, | 695 target_process, target_handle, |
| 688 desired_access, FALSE, options); | 696 desired_access, FALSE, options); |
| 689 } | 697 } |
| 690 | 698 |
| 691 return false; | 699 return false; |
| 692 } | 700 } |
| 693 | 701 |
| 702 bool BrokerAddTargetPeer(HANDLE peer_process) { |
| 703 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK; |
| 704 } |
| 705 |
| 694 } // namespace content | 706 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10039001:
NaCl: Supply Windows handle-passing function (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src