Move AudioPreSpawnTarget to utility sandbox delegate.

No functional changes. Also updates build.gn and deps to reflect move.

Linux hooks serve a different purpose and occur in utility so have not
been moved.

Bug: 1111421
Change-Id: I081d31afb421bbe0b906085c8c14e1f9558bab28
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2340158
Commit-Queue: Alex Gough <ajgo@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#796214}

content/browser/utility_sandbox_delegate_win.cc

@@ -13,10 +13,48 @@
 #include "sandbox/policy/win/sandbox_win.h"
 #include "sandbox/win/src/sandbox_policy.h"
 #include "sandbox/win/src/sandbox_types.h"
-#include "services/audio/audio_sandbox_win.h"
 
 namespace content {
 namespace {
+// Audio:
+//  lockdown_level_(sandbox::USER_LOCKDOWN),
+//  initial_level_(sandbox::USER_RESTRICTED_SAME_ACCESS),
+//
+//  job_level_(sandbox::JOB_LOCKDOWN),
+//
+//  integrity_level_(sandbox::INTEGRITY_LEVEL_LOW),
+//  delayed_integrity_level_(sandbox::INTEGRITY_LEVEL_UNTRUSTED),
+bool AudioPreSpawnTarget(sandbox::TargetPolicy* policy) {
+  // Audio process privilege requirements:
+  //  - Lockdown level of USER_NON_ADMIN
+  //  - Delayed integrity level of INTEGRITY_LEVEL_LOW
+  //
+  // For audio streams to create shared memory regions, lockdown level must be
+  // at least USER_LIMITED and delayed integrity level INTEGRITY_LEVEL_LOW,
+  // otherwise CreateFileMapping() will fail with error code ERROR_ACCESS_DENIED
+  // (0x5).
+  //
+  // For audio input streams to use ISimpleAudioVolume interface, lockdown
+  // level must be set to USER_NON_ADMIN, otherwise
+  // WASAPIAudioInputStream::Open() will fail with error code E_ACCESSDENIED
+  // (0x80070005) when trying to get a reference to ISimpleAudioVolume
+  // interface. See
+  // https://cs.chromium.org/chromium/src/media/audio/win/audio_low_latency_input_win.cc
+  // Use USER_RESTRICTED_NON_ADMIN over USER_NON_ADMIN to prevent failures when
+  // AppLocker and similar application whitelisting solutions are in place.
+  policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                        sandbox::USER_RESTRICTED_NON_ADMIN);
+  policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+
+  // Custom default policy allowing audio drivers to read device properties
+  // (https://crbug.com/883326).
+  policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+  policy->SetLockdownDefaultDacl();
+  policy->SetAlternateDesktop(true);
+
+  return true;
+}
+
 // Right now, this policy is essentially unsandboxed, but with default process
 // mitigations applied.
 // TODO(https://crbug.com/841001) This will be tighted up in future releases.
@@ -73,7 +111,7 @@ bool UtilitySandboxedProcessLauncherDelegate::PreSpawnTarget(
     return NetworkPreSpawnTarget(policy, cmd_line_);
 
   if (sandbox_type_ == sandbox::policy::SandboxType::kAudio)
-    return audio::AudioPreSpawnTarget(policy);
+    return AudioPreSpawnTarget(policy);
 
   if (sandbox_type_ == sandbox::policy::SandboxType::kProxyResolver) {
     sandbox::MitigationFlags flags = policy->GetDelayedProcessMitigations();

services/audio/BUILD.gn

@@ -70,7 +70,6 @@ source_set("audio") {
     "//base",
     "//media",
     "//media/webrtc",
-    "//sandbox/policy",
     "//services/audio/public/mojom",
   ]
 
@@ -79,16 +78,12 @@ source_set("audio") {
       "audio_sandbox_hook_linux.cc",
       "audio_sandbox_hook_linux.h",
     ]
-    public_deps += [ "//sandbox/linux:sandbox_services" ]
-  }
-
-  if (is_win) {
-    sources += [
-      "audio_sandbox_win.cc",
-      "audio_sandbox_win.h",
+    public_deps += [
+      "//sandbox/linux:sandbox_services",
+      "//sandbox/policy",
     ]
-    public_deps += [ "//sandbox/win:sandbox" ]
   }
+
   configs += [
     "//build/config/compiler:wexit_time_destructors",
     "//media:media_config",

services/audio/OWNERS

@@ -3,6 +3,5 @@ dalecurtis@chromium.org
 miu@chromium.org
 
 per-file audio_sandbox_hook_linux.*=file://sandbox/linux/OWNERS
-per-file audio_sandbox_win.*=file://sandbox/win/OWNERS
 
 # COMPONENT: Internals>Media>Audio

services/audio/audio_sandbox_win.cc

-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "services/audio/audio_sandbox_win.h"
-
-#include "sandbox/win/src/sandbox_policy.h"
-
-// NOTE: changes to this code need to be reviewed by the security team.
-
-namespace audio {
-
-//------------------------------------------------------------------------------
-// Public audio service sandbox configuration extension functions.
-//------------------------------------------------------------------------------
-//
-//  Default policy:
-//
-//  lockdown_level_(sandbox::USER_LOCKDOWN),
-//  initial_level_(sandbox::USER_RESTRICTED_SAME_ACCESS),
-//
-//  job_level_(sandbox::JOB_LOCKDOWN),
-//
-//  integrity_level_(sandbox::INTEGRITY_LEVEL_LOW),
-//  delayed_integrity_level_(sandbox::INTEGRITY_LEVEL_UNTRUSTED),
-
-bool AudioPreSpawnTarget(sandbox::TargetPolicy* policy) {
-  // Audio process privilege requirements:
-  //  - Lockdown level of USER_NON_ADMIN
-  //  - Delayed integrity level of INTEGRITY_LEVEL_LOW
-  //
-  // For audio streams to create shared memory regions, lockdown level must be
-  // at least USER_LIMITED and delayed integrity level INTEGRITY_LEVEL_LOW,
-  // otherwise CreateFileMapping() will fail with error code ERROR_ACCESS_DENIED
-  // (0x5).
-  //
-  // For audio input streams to use ISimpleAudioVolume interface, lockdown
-  // level must be set to USER_NON_ADMIN, otherwise
-  // WASAPIAudioInputStream::Open() will fail with error code E_ACCESSDENIED
-  // (0x80070005) when trying to get a reference to ISimpleAudioVolume
-  // interface. See
-  // https://cs.chromium.org/chromium/src/media/audio/win/audio_low_latency_input_win.cc
-  // Use USER_RESTRICTED_NON_ADMIN over USER_NON_ADMIN to prevent failures when
-  // AppLocker and similar application whitelisting solutions are in place.
-  policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                        sandbox::USER_RESTRICTED_NON_ADMIN);
-  policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-
-  // Custom default policy allowing audio drivers to read device properties
-  // (https://crbug.com/883326).
-  policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-  policy->SetLockdownDefaultDacl();
-  policy->SetAlternateDesktop(true);
-
-  return true;
-}
-
-}  // namespace audio

services/audio/audio_sandbox_win.h

-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SERVICES_AUDIO_AUDIO_SANDBOX_WIN_H_
-#define SERVICES_AUDIO_AUDIO_SANDBOX_WIN_H_
-
-namespace sandbox {
-class TargetPolicy;
-}
-
-// These sandbox-config extension functions should be called from
-// UtilitySandboxedProcessLauncherDelegate on Windows (or the appropriate
-// Delegate if SandboxType::kAudio is removed from SandboxType::kUtility).
-//
-// NOTE: changes to this code need to be reviewed by the security team.
-
-namespace audio {
-
-// PreSpawnTarget extension.
-bool AudioPreSpawnTarget(sandbox::TargetPolicy* policy);
-
-}  // namespace audio
-
-#endif  // SERVICES_AUDIO_AUDIO_SANDBOX_WIN_H_