Prevent cmsetac.dll from loading in GPU process.

content/common/sandbox_policy.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_policy.h"
 
 #include <string>
 
 #include "base/command_line.h"
 #include "base/debug/debugger.h"
@@ skipping 102 matching lines @@
 // The DLLs listed here are known (or under strong suspicion) of causing crashes
 // when they are loaded in the plugin process.
 const wchar_t* const kTroublesomePluginDlls[] = {
   L"rpmainbrowserrecordplugin.dll",      // RealPlayer.
   L"rpchromebrowserrecordhelper.dll",    // RealPlayer.
   L"rpchrome10browserrecordhelper.dll",  // RealPlayer.
   L"ycwebcamerasource.ax"                // Cyberlink Camera helper.
   L"CLRGL.ax"                            // Cyberlink Camera helper.
 };
 
+// The DLLs listed here are known (or under strong suspicion) of causing crashes
+// when they are loaded in the GPU process.
+const wchar_t* const kTroublesomeGpuDlls[] = {
+  L"cmsetac.dll",                 // Unknown (suspected malware).
+};
+
 // Adds the policy rules for the path and path\ with the semantic |access|.
 // If |children| is set to true, we need to add the wildcard rules to also
 // apply the rule to the subfiles and subfolders.
 bool AddDirectory(int path, const wchar_t* sub_dir, bool children,
                   sandbox::TargetPolicy::Semantics access,
                   sandbox::TargetPolicy* policy) {
   FilePath directory;
   if (!PathService::Get(path, &directory))
     return false;
 
@@ skipping 102 matching lines @@
     BlacklistAddOneDll(kTroublesomeDlls[ix], true, policy);
 }
 
 // Same as AddGenericDllEvictionPolicy but specifically for plugins. In this
 // case we add the blacklisted dlls even if they are not loaded in this process.
 void AddPluginDllEvictionPolicy(sandbox::TargetPolicy* policy) {
   for (int ix = 0; ix != arraysize(kTroublesomePluginDlls); ++ix)
     BlacklistAddOneDll(kTroublesomePluginDlls[ix], false, policy);
 }
 
+// Same as AddGenericDllEvictionPolicy but specifically for the GPU process.
+// In this we add the blacklisted dlls even if they are not loaded in this
+// process.
+void AddGpuDllEvictionPolicy(sandbox::TargetPolicy* policy) {
+  for (int ix = 0; ix != arraysize(kTroublesomeGpuDlls); ++ix)
+    BlacklistAddOneDll(kTroublesomeGpuDlls[ix], false, policy);
+}
+
 // Returns the object path prepended with the current logon session.
 string16 PrependWindowsSessionPath(const char16* object) {
   // Cache this because it can't change after process creation.
   static uintptr_t s_session_id = 0;
   if (s_session_id == 0) {
     HANDLE token;
     DWORD session_id_length;
     DWORD session_id = 0;
 
     CHECK(::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token));
@@ skipping 143 matching lines @@
   // GPU also needs to add sections to the browser for aura
   // TODO(jschuh): refactor the GPU channel to remove this. crbug.com/128786
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
                            sandbox::TargetPolicy::HANDLES_DUP_BROKER,
                            L"Section");
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 #endif
 
   AddGenericDllEvictionPolicy(policy);
+  AddGpuDllEvictionPolicy(policy);
 #endif
   return true;
 }
 
 bool AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
   // Renderers need to copy sections for plugin DIBs and GPU.
   sandbox::ResultCode result;
   result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
                            sandbox::TargetPolicy::HANDLES_DUP_ANY,
                            L"Section");
@@ skipping 432 matching lines @@
   return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
 }
 
 base::ProcessHandle StartProcessWithAccess(
     CommandLine* cmd_line,
     const FilePath& exposed_dir) {
   return sandbox::StartProcessWithAccess(cmd_line, exposed_dir);
 }
 
 }  // namespace content