| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_policy.h" | 5 #include "content/common/sandbox_policy.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/debug/debugger.h" | 10 #include "base/debug/debugger.h" |
| (...skipping 356 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 367 | 367 |
| 368 // Allow the server side of GPU sockets, which are pipes that have | 368 // Allow the server side of GPU sockets, which are pipes that have |
| 369 // the "chrome.gpu" namespace and an arbitrary suffix. | 369 // the "chrome.gpu" namespace and an arbitrary suffix. |
| 370 sandbox::ResultCode result = policy->AddRule( | 370 sandbox::ResultCode result = policy->AddRule( |
| 371 sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, | 371 sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, |
| 372 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, | 372 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, |
| 373 L"\\\\.\\pipe\\chrome.gpu.*"); | 373 L"\\\\.\\pipe\\chrome.gpu.*"); |
| 374 if (result != sandbox::SBOX_ALL_OK) | 374 if (result != sandbox::SBOX_ALL_OK) |
| 375 return false; | 375 return false; |
| 376 | 376 |
| 377 // GPU needs to copy sections to renderers. | |
| 378 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, | |
| 379 sandbox::TargetPolicy::HANDLES_DUP_ANY, | |
| 380 L"Section"); | |
| 381 if (result != sandbox::SBOX_ALL_OK) | |
| 382 return false; | |
| 383 | |
| 384 AddGenericDllEvictionPolicy(policy); | 377 AddGenericDllEvictionPolicy(policy); |
| 385 #endif | 378 #endif |
| 386 return true; | 379 return true; |
| 387 } | 380 } |
| 388 | 381 |
| 389 bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) { | 382 bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) { |
| 390 // Renderers need to copy sections for plugin DIBs and GPU. | 383 // Renderers need to copy sections for plugin DIBs. |
| 391 sandbox::ResultCode result; | 384 sandbox::ResultCode result; |
| 392 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, | 385 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, |
| 393 sandbox::TargetPolicy::HANDLES_DUP_ANY, | 386 sandbox::TargetPolicy::HANDLES_DUP_ANY, |
| 394 L"Section"); | 387 L"Section"); |
| 395 if (result != sandbox::SBOX_ALL_OK) | 388 if (result != sandbox::SBOX_ALL_OK) { |
| 389 NOTREACHED(); |
| 396 return false; | 390 return false; |
| 397 | 391 } |
| 398 // Renderers need to share events with plugins. | |
| 399 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, | |
| 400 sandbox::TargetPolicy::HANDLES_DUP_ANY, | |
| 401 L"Event"); | |
| 402 if (result != sandbox::SBOX_ALL_OK) | |
| 403 return false; | |
| 404 | 392 |
| 405 policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0); | 393 policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0); |
| 406 | 394 |
| 407 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; | 395 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED; |
| 408 if (base::win::GetVersion() > base::win::VERSION_XP) { | 396 if (base::win::GetVersion() > base::win::VERSION_XP) { |
| 409 // On 2003/Vista the initial token has to be restricted if the main | 397 // On 2003/Vista the initial token has to be restricted if the main |
| 410 // token is restricted. | 398 // token is restricted. |
| 411 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; | 399 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; |
| 412 } | 400 } |
| 413 | 401 |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 456 sandbox::ResultCode result = target_services->Init(); | 444 sandbox::ResultCode result = target_services->Init(); |
| 457 g_target_services = target_services; | 445 g_target_services = target_services; |
| 458 return SBOX_ALL_OK == result; | 446 return SBOX_ALL_OK == result; |
| 459 } | 447 } |
| 460 | 448 |
| 461 bool BrokerDuplicateHandle(HANDLE source_handle, | 449 bool BrokerDuplicateHandle(HANDLE source_handle, |
| 462 DWORD target_process_id, | 450 DWORD target_process_id, |
| 463 HANDLE* target_handle, | 451 HANDLE* target_handle, |
| 464 DWORD desired_access, | 452 DWORD desired_access, |
| 465 DWORD options) { | 453 DWORD options) { |
| 466 // If our process is the target just duplicate the handle. | 454 // Just use DuplicateHandle() if we aren't in the sandbox. |
| 467 if (::GetCurrentProcessId() == target_process_id) { | 455 if (!g_target_services) { |
| 468 return !!::DuplicateHandle(::GetCurrentProcess(), source_handle, | 456 base::win::ScopedHandle target_process(::OpenProcess(PROCESS_DUP_HANDLE, |
| 469 ::GetCurrentProcess(), target_handle, | 457 FALSE, |
| 470 desired_access, FALSE, options); | 458 target_process_id)); |
| 459 if (!target_process.IsValid()) |
| 460 return false; |
| 471 | 461 |
| 472 } | 462 if (!::DuplicateHandle(::GetCurrentProcess(), source_handle, |
| 463 target_process, target_handle, |
| 464 desired_access, FALSE, |
| 465 options)) { |
| 466 return false; |
| 467 } |
| 473 | 468 |
| 474 // Try the broker next | |
| 475 if (g_target_services && | |
| 476 g_target_services->DuplicateHandle(source_handle, target_process_id, | |
| 477 target_handle, desired_access, | |
| 478 options) == SBOX_ALL_OK) { | |
| 479 return true; | 469 return true; |
| 480 } | 470 } |
| 481 | 471 |
| 482 // Finally, see if we already have access to the process. | 472 ResultCode result = g_target_services->DuplicateHandle(source_handle, |
| 483 base::win::ScopedHandle target_process; | 473 target_process_id, |
| 484 target_process.Set(::OpenProcess(PROCESS_DUP_HANDLE, FALSE, | 474 target_handle, |
| 485 target_process_id)); | 475 desired_access, |
| 486 if (target_process.IsValid()) { | 476 options); |
| 487 return !!::DuplicateHandle(::GetCurrentProcess(), source_handle, | 477 return SBOX_ALL_OK == result; |
| 488 target_process, target_handle, | |
| 489 desired_access, FALSE, options); | |
| 490 } | |
| 491 | |
| 492 return false; | |
| 493 } | 478 } |
| 494 | 479 |
| 495 | 480 |
| 496 base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line, | 481 base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line, |
| 497 const FilePath& exposed_dir) { | 482 const FilePath& exposed_dir) { |
| 498 const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess(); | 483 const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess(); |
| 499 content::ProcessType type; | 484 content::ProcessType type; |
| 500 std::string type_str = cmd_line->GetSwitchValueASCII(switches::kProcessType); | 485 std::string type_str = cmd_line->GetSwitchValueASCII(switches::kProcessType); |
| 501 if (type_str == switches::kRendererProcess) { | 486 if (type_str == switches::kRendererProcess) { |
| 502 type = content::PROCESS_TYPE_RENDERER; | 487 type = content::PROCESS_TYPE_RENDERER; |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 581 !browser_command_line.HasSwitch(switches::kNoSandbox) && | 566 !browser_command_line.HasSwitch(switches::kNoSandbox) && |
| 582 content::GetContentClient()->SandboxPlugin(cmd_line, policy)) { | 567 content::GetContentClient()->SandboxPlugin(cmd_line, policy)) { |
| 583 in_sandbox = true; | 568 in_sandbox = true; |
| 584 } | 569 } |
| 585 #endif | 570 #endif |
| 586 | 571 |
| 587 if (!in_sandbox) { | 572 if (!in_sandbox) { |
| 588 policy->Release(); | 573 policy->Release(); |
| 589 base::ProcessHandle process = 0; | 574 base::ProcessHandle process = 0; |
| 590 base::LaunchProcess(*cmd_line, base::LaunchOptions(), &process); | 575 base::LaunchProcess(*cmd_line, base::LaunchOptions(), &process); |
| 591 g_broker_services->AddTargetPeer(process); | |
| 592 return process; | 576 return process; |
| 593 } | 577 } |
| 594 | 578 |
| 595 if (type == content::PROCESS_TYPE_PLUGIN) { | 579 if (type == content::PROCESS_TYPE_PLUGIN) { |
| 596 AddGenericDllEvictionPolicy(policy); | 580 AddGenericDllEvictionPolicy(policy); |
| 597 AddPluginDllEvictionPolicy(policy); | 581 AddPluginDllEvictionPolicy(policy); |
| 598 } else if (type == content::PROCESS_TYPE_GPU) { | 582 } else if (type == content::PROCESS_TYPE_GPU) { |
| 599 if (!AddPolicyForGPU(cmd_line, policy)) | 583 if (!AddPolicyForGPU(cmd_line, policy)) |
| 600 return 0; | 584 return 0; |
| 601 } else { | 585 } else { |
| (...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 681 | 665 |
| 682 // Help the process a little. It can't start the debugger by itself if | 666 // Help the process a little. It can't start the debugger by itself if |
| 683 // the process is in a sandbox. | 667 // the process is in a sandbox. |
| 684 if (child_needs_help) | 668 if (child_needs_help) |
| 685 base::debug::SpawnDebuggerOnProcess(target.process_id()); | 669 base::debug::SpawnDebuggerOnProcess(target.process_id()); |
| 686 | 670 |
| 687 return target.TakeProcessHandle(); | 671 return target.TakeProcessHandle(); |
| 688 } | 672 } |
| 689 | 673 |
| 690 } // namespace sandbox | 674 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10081018:
Revert 132218 - Convert plugin and GPU process to brokered handle duplication. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/