sandbox/win/src/target_services.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/win/src/target_services.h"
   6
   7 #include <process.h>
   8
   9 #include "base/basictypes.h"
  10 #include "sandbox/win/src/crosscall_client.h"
  11 #include "sandbox/win/src/handle_closer_agent.h"
  12 #include "sandbox/win/src/handle_interception.h"
  13 #include "sandbox/win/src/ipc_tags.h"
  14 #include "sandbox/win/src/process_mitigations.h"
  15 #include "sandbox/win/src/restricted_token_utils.h"
  16 #include "sandbox/win/src/sandbox.h"
  17 #include "sandbox/win/src/sandbox_types.h"
  18 #include "sandbox/win/src/sharedmem_ipc_client.h"
  19 #include "sandbox/win/src/sandbox_nt_util.h"
  20
  21 namespace {
  22
  23 // Flushing a cached key is triggered by just opening the key and closing the
  24 // resulting handle. RegDisablePredefinedCache() is the documented way to flush
  25 // HKCU so do not use it with this function.
  26 bool FlushRegKey(HKEY root) {
  27   HKEY key;
  28   if (ERROR_SUCCESS == ::RegOpenKeyExW(root, NULL, 0, MAXIMUM_ALLOWED, &key)) {
  29     if (ERROR_SUCCESS != ::RegCloseKey(key))
  30       return false;
  31   }
  32   return true;
  33 }
  34
  35 // This function forces advapi32.dll to release some internally cached handles
  36 // that were made during calls to RegOpenkey and RegOpenKeyEx if it is called
  37 // with a more restrictive token. Returns true if the flushing is succesful
  38 // although this behavior is undocumented and there is no guarantee that in
  39 // fact this will happen in future versions of windows.
  40 bool FlushCachedRegHandles() {
  41   return (FlushRegKey(HKEY_LOCAL_MACHINE) &&
  42           FlushRegKey(HKEY_CLASSES_ROOT) &&
  43           FlushRegKey(HKEY_USERS));
  44 }
  45
  46 // Checks if we have handle entries pending and runs the closer.
  47 bool CloseOpenHandles() {
  48   if (sandbox::HandleCloserAgent::NeedsHandlesClosed()) {
  49     sandbox::HandleCloserAgent handle_closer;
  50
  51     handle_closer.InitializeHandlesToClose();
  52     if (!handle_closer.CloseHandles())
  53       return false;
  54   }
  55
  56   return true;
  57 }
  58
  59 }  // namespace
  60
  61 namespace sandbox {
  62
  63 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level =
  64     INTEGRITY_LEVEL_LAST;
  65 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations = 0;
  66
  67 TargetServicesBase::TargetServicesBase() {
  68 }
  69
  70 ResultCode TargetServicesBase::Init() {
  71   process_state_.SetInitCalled();
  72   return SBOX_ALL_OK;
  73 }
  74
  75 // Failure here is a breach of security so the process is terminated.
  76 void TargetServicesBase::LowerToken() {
  77   if (ERROR_SUCCESS !=
  78       SetProcessIntegrityLevel(g_shared_delayed_integrity_level))
  79     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_INTEGRITY);
  80   process_state_.SetRevertedToSelf();
  81   // If the client code as called RegOpenKey, advapi32.dll has cached some
  82   // handles. The following code gets rid of them.
  83   if (!::RevertToSelf())
  84     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_DROPTOKEN);
  85   if (!FlushCachedRegHandles())
  86     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_FLUSHANDLES);
  87   if (ERROR_SUCCESS != ::RegDisablePredefinedCache())
  88     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
  89   if (!CloseOpenHandles())
  90     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);
  91   // Enabling mitigations must happen last otherwise handle closing breaks
  92   if (g_shared_delayed_mitigations &&
  93       !ApplyProcessMitigationsToCurrentProcess(g_shared_delayed_mitigations))
  94     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_MITIGATION);
  95 }
  96
  97 ProcessState* TargetServicesBase::GetState() {
  98   return &process_state_;
  99 }
 100
 101 TargetServicesBase* TargetServicesBase::GetInstance() {
 102   static TargetServicesBase instance;
 103   return &instance;
 104 }
 105
 106 // The broker services a 'test' IPC service with the IPC_PING_TAG tag.
 107 bool TargetServicesBase::TestIPCPing(int version) {
 108   void* memory = GetGlobalIPCMemory();
 109   if (NULL == memory) {
 110     return false;
 111   }
 112   SharedMemIPCClient ipc(memory);
 113   CrossCallReturn answer = {0};
 114
 115   if (1 == version) {
 116     uint32 tick1 = ::GetTickCount();
 117     uint32 cookie = 717115;
 118     ResultCode code = CrossCall(ipc, IPC_PING1_TAG, cookie, &answer);
 119
 120     if (SBOX_ALL_OK != code) {
 121       return false;
 122     }
 123     // We should get two extended returns values from the IPC, one is the
 124     // tick count on the broker and the other is the cookie times two.
 125     if ((answer.extended_count != 2)) {
 126       return false;
 127     }
 128     // We test the first extended answer to be within the bounds of the tick
 129     // count only if there was no tick count wraparound.
 130     uint32 tick2 = ::GetTickCount();
 131     if (tick2 >= tick1) {
 132       if ((answer.extended[0].unsigned_int < tick1) ||
 133           (answer.extended[0].unsigned_int > tick2)) {
 134         return false;
 135       }
 136     }
 137
 138     if (answer.extended[1].unsigned_int != cookie * 2) {
 139       return false;
 140     }
 141   } else if (2 == version) {
 142     uint32 cookie = 717111;
 143     InOutCountedBuffer counted_buffer(&cookie, sizeof(cookie));
 144     ResultCode code = CrossCall(ipc, IPC_PING2_TAG, counted_buffer, &answer);
 145
 146     if (SBOX_ALL_OK != code) {
 147       return false;
 148     }
 149     if (cookie != 717111 * 3) {
 150       return false;
 151     }
 152   } else {
 153     return false;
 154   }
 155   return true;
 156 }
 157
 158 bool ProcessState::IsKernel32Loaded() {
 159   return process_state_ != 0;
 160 }
 161
 162 bool ProcessState::InitCalled() {
 163   return process_state_ > 1;
 164 }
 165
 166 bool ProcessState::RevertedToSelf() {
 167   return process_state_ > 2;
 168 }
 169
 170 void ProcessState::SetKernel32Loaded() {
 171   if (!process_state_)
 172     process_state_ = 1;
 173 }
 174
 175 void ProcessState::SetInitCalled() {
 176   if (process_state_ < 2)
 177     process_state_ = 2;
 178 }
 179
 180 void ProcessState::SetRevertedToSelf() {
 181   if (process_state_ < 3)
 182     process_state_ = 3;
 183 }
 184
 185 ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle,
 186                                                DWORD target_process_id,
 187                                                HANDLE* target_handle,
 188                                                DWORD desired_access,
 189                                                DWORD options) {
 190   return sandbox::DuplicateHandleProxy(source_handle, target_process_id,
 191                                        target_handle, desired_access, options);
 192 }
 193
 194 }  // namespace sandbox