sandbox/win/src/target_services.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/win/src/target_services.h"
   6
   7 #include <new>
   8
   9 #include <process.h>
  10
  11 #include "base/basictypes.h"
  12 #include "base/win/windows_version.h"
  13 #include "sandbox/win/src/crosscall_client.h"
  14 #include "sandbox/win/src/handle_closer_agent.h"
  15 #include "sandbox/win/src/handle_interception.h"
  16 #include "sandbox/win/src/ipc_tags.h"
  17 #include "sandbox/win/src/process_mitigations.h"
  18 #include "sandbox/win/src/restricted_token_utils.h"
  19 #include "sandbox/win/src/sandbox.h"
  20 #include "sandbox/win/src/sandbox_types.h"
  21 #include "sandbox/win/src/sharedmem_ipc_client.h"
  22 #include "sandbox/win/src/sandbox_nt_util.h"
  23
  24 namespace {
  25
  26 // Flushing a cached key is triggered by just opening the key and closing the
  27 // resulting handle. RegDisablePredefinedCache() is the documented way to flush
  28 // HKCU so do not use it with this function.
  29 bool FlushRegKey(HKEY root) {
  30   HKEY key;
  31   if (ERROR_SUCCESS == ::RegOpenKeyExW(root, NULL, 0, MAXIMUM_ALLOWED, &key)) {
  32     if (ERROR_SUCCESS != ::RegCloseKey(key))
  33       return false;
  34   }
  35   return true;
  36 }
  37
  38 // This function forces advapi32.dll to release some internally cached handles
  39 // that were made during calls to RegOpenkey and RegOpenKeyEx if it is called
  40 // with a more restrictive token. Returns true if the flushing is succesful
  41 // although this behavior is undocumented and there is no guarantee that in
  42 // fact this will happen in future versions of windows.
  43 bool FlushCachedRegHandles() {
  44   return (FlushRegKey(HKEY_LOCAL_MACHINE) &&
  45           FlushRegKey(HKEY_CLASSES_ROOT) &&
  46           FlushRegKey(HKEY_USERS));
  47 }
  48
  49 // Checks if we have handle entries pending and runs the closer.
  50 // Updates is_csrss_connected based on which handle types are closed.
  51 bool CloseOpenHandles(bool* is_csrss_connected) {
  52   if (sandbox::HandleCloserAgent::NeedsHandlesClosed()) {
  53     sandbox::HandleCloserAgent handle_closer;
  54     handle_closer.InitializeHandlesToClose(is_csrss_connected);
  55     if (!handle_closer.CloseHandles())
  56       return false;
  57   }
  58
  59   return true;
  60 }
  61
  62 // Warm up language subsystems before the sandbox is turned on.
  63 // Tested on Win8.1 x64:
  64 // This needs to happen after RevertToSelf() is called, because (at least) in
  65 // the case of GetUserDefaultLCID() it checks the TEB to see if the process is
  66 // impersonating (TEB!IsImpersonating). If it is, the cached locale information
  67 // is not used, nor is it set. Therefore, calls after RevertToSelf() will not
  68 // have warmed-up values to use.
  69 bool WarmupWindowsLocales() {
  70   // NOTE(liamjm): When last checked (Win 8.1 x64) it wasn't necessary to
  71   // warmup all of these functions, but let's not assume that.
  72   ::GetUserDefaultLangID();
  73   ::GetUserDefaultLCID();
  74   wchar_t localeName[LOCALE_NAME_MAX_LENGTH] = { 0 };
  75   return (0 != ::GetUserDefaultLocaleName(
  76       localeName, LOCALE_NAME_MAX_LENGTH * sizeof(wchar_t)));
  77 }
  78
  79 // Used as storage for g_target_services, because other allocation facilities
  80 // are not available early. We can't use a regular function static because on
  81 // VS2015, because the CRT tries to acquire a lock to guard initialization, but
  82 // this code runs before the CRT is initialized.
  83 char g_target_services_memory[sizeof(sandbox::TargetServicesBase)];
  84 sandbox::TargetServicesBase* g_target_services = nullptr;
  85
  86 }  // namespace
  87
  88 namespace sandbox {
  89
  90 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level =
  91     INTEGRITY_LEVEL_LAST;
  92 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations = 0;
  93
  94 TargetServicesBase::TargetServicesBase() {
  95 }
  96
  97 ResultCode TargetServicesBase::Init() {
  98   process_state_.SetInitCalled();
  99   return SBOX_ALL_OK;
 100 }
 101
 102 // Failure here is a breach of security so the process is terminated.
 103 void TargetServicesBase::LowerToken() {
 104   if (ERROR_SUCCESS !=
 105       SetProcessIntegrityLevel(g_shared_delayed_integrity_level))
 106     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_INTEGRITY);
 107   process_state_.SetRevertedToSelf();
 108   // If the client code as called RegOpenKey, advapi32.dll has cached some
 109   // handles. The following code gets rid of them.
 110   if (!::RevertToSelf())
 111     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_DROPTOKEN);
 112   if (!FlushCachedRegHandles())
 113     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_FLUSHANDLES);
 114   if (ERROR_SUCCESS != ::RegDisablePredefinedCache())
 115     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
 116   if (!WarmupWindowsLocales())
 117       ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_WARMUP);
 118   bool is_csrss_connected = true;
 119   if (!CloseOpenHandles(&is_csrss_connected))
 120     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);
 121   process_state_.SetCsrssConnected(is_csrss_connected);
 122   // Enabling mitigations must happen last otherwise handle closing breaks
 123   if (g_shared_delayed_mitigations &&
 124       !ApplyProcessMitigationsToCurrentProcess(g_shared_delayed_mitigations))
 125     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_MITIGATION);
 126 }
 127
 128 ProcessState* TargetServicesBase::GetState() {
 129   return &process_state_;
 130 }
 131
 132 TargetServicesBase* TargetServicesBase::GetInstance() {
 133   // Leak on purpose TargetServicesBase.
 134   if (!g_target_services)
 135     g_target_services = new (g_target_services_memory) TargetServicesBase;
 136   return g_target_services;
 137 }
 138
 139 // The broker services a 'test' IPC service with the IPC_PING_TAG tag.
 140 bool TargetServicesBase::TestIPCPing(int version) {
 141   void* memory = GetGlobalIPCMemory();
 142   if (NULL == memory) {
 143     return false;
 144   }
 145   SharedMemIPCClient ipc(memory);
 146   CrossCallReturn answer = {0};
 147
 148   if (1 == version) {
 149     uint32 tick1 = ::GetTickCount();
 150     uint32 cookie = 717115;
 151     ResultCode code = CrossCall(ipc, IPC_PING1_TAG, cookie, &answer);
 152
 153     if (SBOX_ALL_OK != code) {
 154       return false;
 155     }
 156     // We should get two extended returns values from the IPC, one is the
 157     // tick count on the broker and the other is the cookie times two.
 158     if ((answer.extended_count != 2)) {
 159       return false;
 160     }
 161     // We test the first extended answer to be within the bounds of the tick
 162     // count only if there was no tick count wraparound.
 163     uint32 tick2 = ::GetTickCount();
 164     if (tick2 >= tick1) {
 165       if ((answer.extended[0].unsigned_int < tick1) ||
 166           (answer.extended[0].unsigned_int > tick2)) {
 167         return false;
 168       }
 169     }
 170
 171     if (answer.extended[1].unsigned_int != cookie * 2) {
 172       return false;
 173     }
 174   } else if (2 == version) {
 175     uint32 cookie = 717111;
 176     InOutCountedBuffer counted_buffer(&cookie, sizeof(cookie));
 177     ResultCode code = CrossCall(ipc, IPC_PING2_TAG, counted_buffer, &answer);
 178
 179     if (SBOX_ALL_OK != code) {
 180       return false;
 181     }
 182     if (cookie != 717111 * 3) {
 183       return false;
 184     }
 185   } else {
 186     return false;
 187   }
 188   return true;
 189 }
 190
 191 ProcessState::ProcessState() : process_state_(0), csrss_connected_(true) {
 192 }
 193
 194 bool ProcessState::IsKernel32Loaded() const {
 195   return process_state_ != 0;
 196 }
 197
 198 bool ProcessState::InitCalled() const {
 199   return process_state_ > 1;
 200 }
 201
 202 bool ProcessState::RevertedToSelf() const {
 203   return process_state_ > 2;
 204 }
 205
 206 bool ProcessState::IsCsrssConnected() const {
 207   return csrss_connected_;
 208 }
 209
 210 void ProcessState::SetKernel32Loaded() {
 211   if (!process_state_)
 212     process_state_ = 1;
 213 }
 214
 215 void ProcessState::SetInitCalled() {
 216   if (process_state_ < 2)
 217     process_state_ = 2;
 218 }
 219
 220 void ProcessState::SetRevertedToSelf() {
 221   if (process_state_ < 3)
 222     process_state_ = 3;
 223 }
 224
 225 void ProcessState::SetCsrssConnected(bool csrss_connected) {
 226   csrss_connected_ = csrss_connected;
 227 }
 228
 229
 230 ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle,
 231                                                DWORD target_process_id,
 232                                                HANDLE* target_handle,
 233                                                DWORD desired_access,
 234                                                DWORD options) {
 235   return sandbox::DuplicateHandleProxy(source_handle, target_process_id,
 236                                        target_handle, desired_access, options);
 237 }
 238
 239 }  // namespace sandbox