1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/win/src/target_services.h"
7 #include <process.h>
9 #include "base/basictypes.h"
10 #include "base/win/windows_version.h"
11 #include "sandbox/win/src/crosscall_client.h"
12 #include "sandbox/win/src/handle_closer_agent.h"
13 #include "sandbox/win/src/handle_interception.h"
14 #include "sandbox/win/src/ipc_tags.h"
15 #include "sandbox/win/src/process_mitigations.h"
16 #include "sandbox/win/src/restricted_token_utils.h"
17 #include "sandbox/win/src/sandbox.h"
18 #include "sandbox/win/src/sandbox_types.h"
19 #include "sandbox/win/src/sharedmem_ipc_client.h"
20 #include "sandbox/win/src/sandbox_nt_util.h"
22 namespace {
// Opening a predefined root key and immediately closing the handle is what
// makes advapi32 drop its internally cached handle for that root.
// HKEY_CURRENT_USER is deliberately not handled here: RegDisablePredefinedCache()
// is the documented way to flush HKCU, so do not pass it to this function.
//
// Returns false only when closing a successfully opened key fails. A failed
// open (e.g. access denied now that the token is more restrictive) is not
// treated as an error: there is nothing cached to flush in that case. The
// probe handle is requested with MAXIMUM_ALLOWED and closed right away; it is
// never used for anything else.
bool FlushRegKey(HKEY root) {
  HKEY probe = NULL;
  const LONG open_status =
      ::RegOpenKeyExW(root, NULL, 0, MAXIMUM_ALLOWED, &probe);
  if (open_status != ERROR_SUCCESS)
    return true;
  return ::RegCloseKey(probe) == ERROR_SUCCESS;
}
// Forces advapi32.dll to release the handles it cached internally during
// earlier RegOpenKey/RegOpenKeyEx calls, so that they are not reused once the
// process runs under a more restrictive token. Flushes HKLM, HKCR and HKU in
// that order, stopping at the first root that fails; returns true only when
// all of them were flushed successfully. HKCU is not covered here (see
// FlushRegKey()).
//
// NOTE: this relies on undocumented advapi32 behavior; there is no guarantee
// that future versions of Windows keep behaving this way.
bool FlushCachedRegHandles() {
  const HKEY roots_to_flush[] = {
    HKEY_LOCAL_MACHINE,
    HKEY_CLASSES_ROOT,
    HKEY_USERS,
  };
  const size_t root_count = sizeof(roots_to_flush) / sizeof(roots_to_flush[0]);
  for (size_t i = 0; i < root_count; ++i) {
    if (!FlushRegKey(roots_to_flush[i]))
      return false;
  }
  return true;
}
// Runs the handle closer if there are handle entries pending for this
// process. Returns true when nothing needed closing or every handle was
// closed, and false when HandleCloserAgent::CloseHandles() reports failure.
bool CloseOpenHandles() {
  if (!sandbox::HandleCloserAgent::NeedsHandlesClosed())
    return true;
  sandbox::HandleCloserAgent closer;
  closer.InitializeHandlesToClose();
  return closer.CloseHandles();
}
60 } // namespace
62 namespace sandbox {
// Integrity level and process mitigations that the target applies to itself
// late, in LowerToken(), rather than at process creation. Both are marked
// SANDBOX_INTERCEPT and named "shared"; presumably the broker writes them into
// this process before LowerToken() runs -- confirm against the broker side.
// A zero mitigation mask makes LowerToken() skip the mitigation step;
// INTEGRITY_LEVEL_LAST is presumably the "no change" value for
// SetProcessIntegrityLevel() -- verify there.
SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level =
    INTEGRITY_LEVEL_LAST;
SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations = 0;
// Nothing to set up here: process_state_ is left to its own default
// construction and is advanced later by Init() and LowerToken().
TargetServicesBase::TargetServicesBase() {}
// Records in the process state machine that the client has called Init().
// Nothing here can fail, so the result is always SBOX_ALL_OK.
ResultCode TargetServicesBase::Init() {
  process_state_.SetInitCalled();
  const ResultCode result = SBOX_ALL_OK;
  return result;
}
// Drops the privileges this process has been running with so far: applies the
// delayed integrity level, calls RevertToSelf() to stop using the impersonation
// token, flushes registry handles advapi32 cached under the old token, closes
// any handles the handle closer was configured with, and finally enables the
// delayed process mitigations.
//
// Every step is security critical: a failure anywhere would leave the process
// running with more privilege than intended, so each failure terminates the
// process with a distinct SBOX_FATAL_* exit code. TerminateProcess() on the
// current process is not expected to return, which is why no explicit return
// follows each call.
//
// The statement order matters and should not be rearranged casually:
//  - the integrity level is lowered before RevertToSelf();
//  - the RevertedToSelf stage is recorded in process_state_ *before*
//    RevertToSelf() actually runs (NOTE(review): presumably so that code
//    consulting process_state_ sees the new stage consistently from here on --
//    confirm nothing between the two lines depends on the flag being accurate);
//  - the registry cache flush and RegDisablePredefinedCache() run after the
//    revert, so HKLM/HKCR/HKU and HKCU handles cached under the old token are
//    not reused;
//  - mitigations are applied last because enabling them earlier breaks handle
//    closing.
void TargetServicesBase::LowerToken() {
  if (ERROR_SUCCESS !=
      SetProcessIntegrityLevel(g_shared_delayed_integrity_level))
    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_INTEGRITY);
  process_state_.SetRevertedToSelf();
  // If the client code has called RegOpenKey, advapi32.dll has cached some
  // handles under the previous token. The following code gets rid of them.
  if (!::RevertToSelf())
    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_DROPTOKEN);
  if (!FlushCachedRegHandles())
    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_FLUSHANDLES);
  // HKCU is flushed separately: RegDisablePredefinedCache() is the documented
  // way to do it, and FlushCachedRegHandles() deliberately skips that root.
  if (ERROR_SUCCESS != ::RegDisablePredefinedCache())
    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
  if (!CloseOpenHandles())
    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);
  // Enabling mitigations must happen last, otherwise handle closing breaks.
  // A zero mask means no delayed mitigations were requested.
  if (g_shared_delayed_mitigations &&
      !ApplyProcessMitigationsToCurrentProcess(g_shared_delayed_mitigations))
    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_MITIGATION);
}
// Exposes the process state machine so callers can query which stage
// (kernel32 loaded, Init() called, reverted to self) has been reached. The
// pointer refers to a member and stays valid as long as this object lives.
ProcessState* TargetServicesBase::GetState() {
  ProcessState* state = &process_state_;
  return state;
}
// Process-wide singleton. The instance is a function-local static, so it is
// constructed on first use and lives until process exit. Under C++11 rules
// that initialization is thread-safe; older toolchains may not guarantee it,
// so the first call should happen before other threads can reach this.
TargetServicesBase* TargetServicesBase::GetInstance() {
  static TargetServicesBase the_instance;
  TargetServicesBase* result = &the_instance;
  return result;
}
// Exercises the broker's 'test' IPC services (IPC_PING1_TAG / IPC_PING2_TAG)
// over the shared-memory IPC channel.
//
// Version 1 sends a cookie and expects exactly two extended return values:
// the broker's tick count, which must lie between the local tick counts
// sampled before and after the call (checked only when the local counter did
// not wrap around), and the cookie times two. Version 2 sends the cookie in
// an in/out buffer and expects the broker to have tripled it in place.
//
// Returns false for any other version, when there is no IPC channel, when the
// call fails, or when the answer does not match. extended[] is only indexed
// after extended_count has been verified to be exactly 2, so a short answer
// cannot cause an out-of-bounds read.
bool TargetServicesBase::TestIPCPing(int version) {
  void* ipc_memory = GetGlobalIPCMemory();
  if (ipc_memory == NULL)
    return false;
  SharedMemIPCClient ipc(ipc_memory);
  CrossCallReturn answer = {0};

  switch (version) {
    case 1: {
      const uint32 ticks_before = ::GetTickCount();
      uint32 cookie = 717115;
      if (SBOX_ALL_OK != CrossCall(ipc, IPC_PING1_TAG, cookie, &answer))
        return false;
      // Exactly two extended values are expected: the broker's tick count and
      // the cookie doubled.
      if (answer.extended_count != 2)
        return false;
      const uint32 ticks_after = ::GetTickCount();
      const uint32 broker_ticks = answer.extended[0].unsigned_int;
      // The bounds check on the broker's tick count is meaningful only if the
      // local counter did not wrap between the two samples.
      const bool no_wraparound = (ticks_after >= ticks_before);
      if (no_wraparound &&
          (broker_ticks < ticks_before || broker_ticks > ticks_after))
        return false;
      return answer.extended[1].unsigned_int == cookie * 2;
    }
    case 2: {
      uint32 cookie = 717111;
      InOutCountedBuffer counted_buffer(&cookie, sizeof(cookie));
      if (SBOX_ALL_OK != CrossCall(ipc, IPC_PING2_TAG, counted_buffer, &answer))
        return false;
      // The broker is expected to have tripled the cookie in place.
      return cookie == 717111 * 3;
    }
    default:
      return false;
  }
}
// True once the state machine has left stage 0. Stages, as set by the
// setters below: 0 = nothing yet, 1 = kernel32 loaded, 2 = Init() called,
// 3 = reverted to self; every later stage implies kernel32 has been loaded.
bool ProcessState::IsKernel32Loaded() {
  const bool past_initial_stage = (process_state_ != 0);
  return past_initial_stage;
}
// True once stage 2 (Init() called) or a later stage has been reached.
bool ProcessState::InitCalled() {
  const bool init_stage_reached = (process_state_ >= 2);
  return init_stage_reached;
}
// True once stage 3 (LowerToken() has recorded the revert) has been reached.
// Note that LowerToken() sets this stage just before it calls RevertToSelf().
bool ProcessState::RevertedToSelf() {
  const bool revert_stage_reached = (process_state_ >= 3);
  return revert_stage_reached;
}
// Advances to stage 1 (kernel32 loaded) only from stage 0; the state machine
// never moves backwards, so a later stage is left untouched.
void ProcessState::SetKernel32Loaded() {
  if (process_state_ == 0)
    process_state_ = 1;
}
// Advances to stage 2 (Init() called) unless the machine is already at that
// stage or beyond; the state never moves backwards.
void ProcessState::SetInitCalled() {
  const int kInitCalledStage = 2;
  if (process_state_ < kInitCalledStage)
    process_state_ = kInitCalledStage;
}
// Advances to stage 3 (reverted to self), the final stage, unless already
// there; the state never moves backwards.
void ProcessState::SetRevertedToSelf() {
  const int kRevertedToSelfStage = 3;
  if (process_state_ < kRevertedToSelfStage)
    process_state_ = kRevertedToSelfStage;
}
// Duplicates |source_handle| into the process identified by
// |target_process_id| with |desired_access| and DuplicateHandle-style
// |options|, storing the new handle in |*target_handle|. The work is handed
// to DuplicateHandleProxy (presumably forwarded to the broker via IPC, since
// this process cannot be trusted to do it directly); its result code is
// returned unchanged.
ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle,
                                               DWORD target_process_id,
                                               HANDLE* target_handle,
                                               DWORD desired_access,
                                               DWORD options) {
  const ResultCode proxied_result = sandbox::DuplicateHandleProxy(
      source_handle, target_process_id, target_handle, desired_access,
      options);
  return proxied_result;
}
195 } // namespace sandbox