Update To 11.40.268.0

[platform/framework/web/crosswalk.git] / src / sandbox / win / src / broker_services.cc

diff --git a/src/sandbox/win/src/broker_services.cc b/src/sandbox/win/src/broker_services.cc
index b55fd22..8fa7f0d 100644 (file)
--- a/src/sandbox/win/src/broker_services.cc
+++ b/src/sandbox/win/src/broker_services.cc
@@ -82,11 +82,26 @@ void DeregisterPeerTracker(PeerTracker* peer) {
   }
 }
 
+// Utility function to determine whether a token for the specified policy can
+// be cached.
+bool IsTokenCacheable(const sandbox::PolicyBase* policy) {
+  const sandbox::AppContainerAttributes* app_container =
+      policy->GetAppContainer();
+
+  // We cannot cache tokens with an app container.
+  if (app_container)
+    return false;
+
+  return true;
+}
+
 // Utility function to pack token values into a key for the cache map.
 uint32_t GenerateTokenCacheKey(const sandbox::PolicyBase* policy) {
   const size_t kTokenShift = 3;
   uint32_t key;
 
+  DCHECK(IsTokenCacheable(policy));
+
   // Make sure our token values aren't too large to pack into the key.
   static_assert(sandbox::USER_LAST <= (1 << kTokenShift),
                 "TokenLevel too large");
@@ -340,32 +355,38 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
   HANDLE lockdown_token_temp;
   ResultCode result = SBOX_ALL_OK;
 
-  // Create the master tokens only once and save them in a cache. That way
-  // can just duplicate them to avoid hammering LSASS on every sandboxed
-  // process launch.
-  uint32_t token_key = GenerateTokenCacheKey(policy_base);
-  TokenCacheMap::iterator it = token_cache_.find(token_key);
-  if (it != token_cache_.end()) {
-    initial_token_temp = it->second.first;
-    lockdown_token_temp = it->second.second;
+  if (IsTokenCacheable(policy_base)) {
+    // Create the master tokens only once and save them in a cache. That way
+    // can just duplicate them to avoid hammering LSASS on every sandboxed
+    // process launch.
+    uint32_t token_key = GenerateTokenCacheKey(policy_base);
+    TokenCacheMap::iterator it = token_cache_.find(token_key);
+    if (it != token_cache_.end()) {
+      initial_token_temp = it->second.first;
+      lockdown_token_temp = it->second.second;
+    } else {
+      result =
+          policy_base->MakeTokens(&initial_token_temp, &lockdown_token_temp);
+      if (SBOX_ALL_OK != result)
+        return result;
+      token_cache_[token_key] =
+          std::pair<HANDLE, HANDLE>(initial_token_temp, lockdown_token_temp);
+    }
+
+    if (!::DuplicateToken(initial_token_temp, SecurityImpersonation,
+                          &initial_token_temp)) {
+      return SBOX_ERROR_GENERIC;
+    }
+
+    if (!::DuplicateTokenEx(lockdown_token_temp, TOKEN_ALL_ACCESS, 0,
+                            SecurityIdentification, TokenPrimary,
+                            &lockdown_token_temp)) {
+      return SBOX_ERROR_GENERIC;
+    }
   } else {
-    result = policy_base->MakeTokens(&initial_token_temp,
-                                     &lockdown_token_temp);
+    result = policy_base->MakeTokens(&initial_token_temp, &lockdown_token_temp);
     if (SBOX_ALL_OK != result)
       return result;
-    token_cache_[token_key] =
-        std::pair<HANDLE, HANDLE>(initial_token_temp, lockdown_token_temp);
-  }
-
-  if (!::DuplicateToken(initial_token_temp, SecurityImpersonation,
-                        &initial_token_temp)) {
-    return SBOX_ERROR_GENERIC;
-  }
-
-  if (!::DuplicateTokenEx(lockdown_token_temp, TOKEN_ALL_ACCESS, 0,
-                          SecurityIdentification, TokenPrimary,
-                          &lockdown_token_temp)) {
-    return SBOX_ERROR_GENERIC;
   }
 
   base::win::ScopedHandle initial_token(initial_token_temp);