1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/win/src/sandbox_policy_base.h"
9 #include "base/basictypes.h"
10 #include "base/callback.h"
11 #include "base/logging.h"
12 #include "base/strings/stringprintf.h"
13 #include "base/win/windows_version.h"
14 #include "sandbox/win/src/app_container.h"
15 #include "sandbox/win/src/filesystem_dispatcher.h"
16 #include "sandbox/win/src/filesystem_policy.h"
17 #include "sandbox/win/src/handle_dispatcher.h"
18 #include "sandbox/win/src/handle_policy.h"
19 #include "sandbox/win/src/job.h"
20 #include "sandbox/win/src/interception.h"
21 #include "sandbox/win/src/process_mitigations.h"
22 #include "sandbox/win/src/named_pipe_dispatcher.h"
23 #include "sandbox/win/src/named_pipe_policy.h"
24 #include "sandbox/win/src/policy_broker.h"
25 #include "sandbox/win/src/policy_engine_processor.h"
26 #include "sandbox/win/src/policy_low_level.h"
27 #include "sandbox/win/src/process_mitigations_win32k_dispatcher.h"
28 #include "sandbox/win/src/process_mitigations_win32k_policy.h"
29 #include "sandbox/win/src/process_thread_dispatcher.h"
30 #include "sandbox/win/src/process_thread_policy.h"
31 #include "sandbox/win/src/registry_dispatcher.h"
32 #include "sandbox/win/src/registry_policy.h"
33 #include "sandbox/win/src/restricted_token_utils.h"
34 #include "sandbox/win/src/sandbox_policy.h"
35 #include "sandbox/win/src/sandbox_utils.h"
36 #include "sandbox/win/src/sync_dispatcher.h"
37 #include "sandbox/win/src/sync_policy.h"
38 #include "sandbox/win/src/target_process.h"
39 #include "sandbox/win/src/window.h"
43 // The standard windows size for one memory page.
44 const size_t kOneMemPage
= 4096;
45 // The IPC and Policy shared memory sizes.
46 const size_t kIPCMemSize
= kOneMemPage
* 2;
47 const size_t kPolMemSize
= kOneMemPage
* 14;
49 // Helper function to allocate space (on the heap) for policy.
50 sandbox::PolicyGlobal
* MakeBrokerPolicyMemory() {
51 const size_t kTotalPolicySz
= kPolMemSize
;
52 sandbox::PolicyGlobal
* policy
= static_cast<sandbox::PolicyGlobal
*>
53 (::operator new(kTotalPolicySz
));
55 memset(policy
, 0, kTotalPolicySz
);
56 policy
->data_size
= kTotalPolicySz
- sizeof(sandbox::PolicyGlobal
);
60 bool IsInheritableHandle(HANDLE handle
) {
63 if (handle
== INVALID_HANDLE_VALUE
)
65 // File handles (FILE_TYPE_DISK) and pipe handles are known to be
66 // inheritable. Console handles (FILE_TYPE_CHAR) are not
67 // inheritable via PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
68 DWORD handle_type
= GetFileType(handle
);
69 return handle_type
== FILE_TYPE_DISK
|| handle_type
== FILE_TYPE_PIPE
;
72 HANDLE
CreateLowBoxObjectDirectory(PSID lowbox_sid
) {
74 if (!::ProcessIdToSessionId(::GetCurrentProcessId(), &session_id
))
77 LPWSTR sid_string
= NULL
;
78 if (!::ConvertSidToStringSid(lowbox_sid
, &sid_string
))
81 base::string16 directory_path
= base::StringPrintf(
82 L
"\\Sessions\\%d\\AppContainerNamedObjects\\%ls",
83 session_id
, sid_string
).c_str();
84 ::LocalFree(sid_string
);
86 NtCreateDirectoryObjectFunction CreateObjectDirectory
= NULL
;
87 ResolveNTFunctionPtr("NtCreateDirectoryObject", &CreateObjectDirectory
);
89 OBJECT_ATTRIBUTES obj_attr
;
90 UNICODE_STRING obj_name
;
91 sandbox::InitObjectAttribs(directory_path
,
92 OBJ_CASE_INSENSITIVE
| OBJ_OPENIF
,
99 NTSTATUS status
= CreateObjectDirectory(&handle
,
100 DIRECTORY_ALL_ACCESS
,
103 if (!NT_SUCCESS(status
))
113 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level
;
114 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations
;
116 // Initializes static members.
117 HWINSTA
PolicyBase::alternate_winstation_handle_
= NULL
;
118 HDESK
PolicyBase::alternate_desktop_handle_
= NULL
;
119 IntegrityLevel
PolicyBase::alternate_desktop_integrity_level_label_
=
120 INTEGRITY_LEVEL_SYSTEM
;
122 PolicyBase::PolicyBase()
124 lockdown_level_(USER_LOCKDOWN
),
125 initial_level_(USER_LOCKDOWN
),
126 job_level_(JOB_LOCKDOWN
),
129 use_alternate_desktop_(false),
130 use_alternate_winstation_(false),
131 file_system_init_(false),
132 relaxed_interceptions_(true),
133 stdout_handle_(INVALID_HANDLE_VALUE
),
134 stderr_handle_(INVALID_HANDLE_VALUE
),
135 integrity_level_(INTEGRITY_LEVEL_LAST
),
136 delayed_integrity_level_(INTEGRITY_LEVEL_LAST
),
138 delayed_mitigations_(0),
142 ::InitializeCriticalSection(&lock_
);
143 // Initialize the IPC dispatcher array.
144 memset(&ipc_targets_
, NULL
, sizeof(ipc_targets_
));
145 Dispatcher
* dispatcher
= NULL
;
147 dispatcher
= new FilesystemDispatcher(this);
148 ipc_targets_
[IPC_NTCREATEFILE_TAG
] = dispatcher
;
149 ipc_targets_
[IPC_NTOPENFILE_TAG
] = dispatcher
;
150 ipc_targets_
[IPC_NTSETINFO_RENAME_TAG
] = dispatcher
;
151 ipc_targets_
[IPC_NTQUERYATTRIBUTESFILE_TAG
] = dispatcher
;
152 ipc_targets_
[IPC_NTQUERYFULLATTRIBUTESFILE_TAG
] = dispatcher
;
154 dispatcher
= new NamedPipeDispatcher(this);
155 ipc_targets_
[IPC_CREATENAMEDPIPEW_TAG
] = dispatcher
;
157 dispatcher
= new ThreadProcessDispatcher(this);
158 ipc_targets_
[IPC_NTOPENTHREAD_TAG
] = dispatcher
;
159 ipc_targets_
[IPC_NTOPENPROCESS_TAG
] = dispatcher
;
160 ipc_targets_
[IPC_CREATEPROCESSW_TAG
] = dispatcher
;
161 ipc_targets_
[IPC_NTOPENPROCESSTOKEN_TAG
] = dispatcher
;
162 ipc_targets_
[IPC_NTOPENPROCESSTOKENEX_TAG
] = dispatcher
;
164 dispatcher
= new SyncDispatcher(this);
165 ipc_targets_
[IPC_CREATEEVENT_TAG
] = dispatcher
;
166 ipc_targets_
[IPC_OPENEVENT_TAG
] = dispatcher
;
168 dispatcher
= new RegistryDispatcher(this);
169 ipc_targets_
[IPC_NTCREATEKEY_TAG
] = dispatcher
;
170 ipc_targets_
[IPC_NTOPENKEY_TAG
] = dispatcher
;
172 dispatcher
= new HandleDispatcher(this);
173 ipc_targets_
[IPC_DUPLICATEHANDLEPROXY_TAG
] = dispatcher
;
175 dispatcher
= new ProcessMitigationsWin32KDispatcher(this);
176 ipc_targets_
[IPC_GDI_GDIDLLINITIALIZE_TAG
] = dispatcher
;
177 ipc_targets_
[IPC_GDI_GETSTOCKOBJECT_TAG
] = dispatcher
;
178 ipc_targets_
[IPC_USER_REGISTERCLASSW_TAG
] = dispatcher
;
181 PolicyBase::~PolicyBase() {
182 ClearSharedHandles();
184 TargetSet::iterator it
;
185 for (it
= targets_
.begin(); it
!= targets_
.end(); ++it
) {
186 TargetProcess
* target
= (*it
);
189 delete ipc_targets_
[IPC_NTCREATEFILE_TAG
];
190 delete ipc_targets_
[IPC_CREATENAMEDPIPEW_TAG
];
191 delete ipc_targets_
[IPC_NTOPENTHREAD_TAG
];
192 delete ipc_targets_
[IPC_CREATEEVENT_TAG
];
193 delete ipc_targets_
[IPC_NTCREATEKEY_TAG
];
194 delete ipc_targets_
[IPC_DUPLICATEHANDLEPROXY_TAG
];
195 delete policy_maker_
;
199 ::LocalFree(lowbox_sid_
);
201 ::DeleteCriticalSection(&lock_
);
204 void PolicyBase::AddRef() {
205 ::InterlockedIncrement(&ref_count
);
208 void PolicyBase::Release() {
209 if (0 == ::InterlockedDecrement(&ref_count
))
213 ResultCode
PolicyBase::SetTokenLevel(TokenLevel initial
, TokenLevel lockdown
) {
214 if (initial
< lockdown
) {
215 return SBOX_ERROR_BAD_PARAMS
;
217 initial_level_
= initial
;
218 lockdown_level_
= lockdown
;
222 TokenLevel
PolicyBase::GetInitialTokenLevel() const {
223 return initial_level_
;
226 TokenLevel
PolicyBase::GetLockdownTokenLevel() const{
227 return lockdown_level_
;
230 ResultCode
PolicyBase::SetJobLevel(JobLevel job_level
, uint32 ui_exceptions
) {
231 if (memory_limit_
&& job_level
== JOB_NONE
) {
232 return SBOX_ERROR_BAD_PARAMS
;
234 job_level_
= job_level
;
235 ui_exceptions_
= ui_exceptions
;
239 ResultCode
PolicyBase::SetJobMemoryLimit(size_t memory_limit
) {
240 if (memory_limit
&& job_level_
== JOB_NONE
) {
241 return SBOX_ERROR_BAD_PARAMS
;
243 memory_limit_
= memory_limit
;
247 ResultCode
PolicyBase::SetAlternateDesktop(bool alternate_winstation
) {
248 use_alternate_desktop_
= true;
249 use_alternate_winstation_
= alternate_winstation
;
250 return CreateAlternateDesktop(alternate_winstation
);
253 base::string16
PolicyBase::GetAlternateDesktop() const {
254 // No alternate desktop or winstation. Return an empty string.
255 if (!use_alternate_desktop_
&& !use_alternate_winstation_
) {
256 return base::string16();
259 // The desktop and winstation should have been created by now.
260 // If we hit this scenario, it means that the user ignored the failure
261 // during SetAlternateDesktop, so we ignore it here too.
262 if (use_alternate_desktop_
&& !alternate_desktop_handle_
) {
263 return base::string16();
265 if (use_alternate_winstation_
&& (!alternate_desktop_handle_
||
266 !alternate_winstation_handle_
)) {
267 return base::string16();
270 return GetFullDesktopName(alternate_winstation_handle_
,
271 alternate_desktop_handle_
);
274 ResultCode
PolicyBase::CreateAlternateDesktop(bool alternate_winstation
) {
275 if (alternate_winstation
) {
276 // Previously called with alternate_winstation = false?
277 if (!alternate_winstation_handle_
&& alternate_desktop_handle_
)
278 return SBOX_ERROR_UNSUPPORTED
;
280 // Check if it's already created.
281 if (alternate_winstation_handle_
&& alternate_desktop_handle_
)
284 DCHECK(!alternate_winstation_handle_
);
285 // Create the window station.
286 ResultCode result
= CreateAltWindowStation(&alternate_winstation_handle_
);
287 if (SBOX_ALL_OK
!= result
)
290 // Verify that everything is fine.
291 if (!alternate_winstation_handle_
||
292 GetWindowObjectName(alternate_winstation_handle_
).empty())
293 return SBOX_ERROR_CANNOT_CREATE_DESKTOP
;
295 // Create the destkop.
296 result
= CreateAltDesktop(alternate_winstation_handle_
,
297 &alternate_desktop_handle_
);
298 if (SBOX_ALL_OK
!= result
)
301 // Verify that everything is fine.
302 if (!alternate_desktop_handle_
||
303 GetWindowObjectName(alternate_desktop_handle_
).empty())
304 return SBOX_ERROR_CANNOT_CREATE_DESKTOP
;
306 // Previously called with alternate_winstation = true?
307 if (alternate_winstation_handle_
)
308 return SBOX_ERROR_UNSUPPORTED
;
310 // Check if it already exists.
311 if (alternate_desktop_handle_
)
314 // Create the destkop.
315 ResultCode result
= CreateAltDesktop(NULL
, &alternate_desktop_handle_
);
316 if (SBOX_ALL_OK
!= result
)
319 // Verify that everything is fine.
320 if (!alternate_desktop_handle_
||
321 GetWindowObjectName(alternate_desktop_handle_
).empty())
322 return SBOX_ERROR_CANNOT_CREATE_DESKTOP
;
328 void PolicyBase::DestroyAlternateDesktop() {
329 if (alternate_desktop_handle_
) {
330 ::CloseDesktop(alternate_desktop_handle_
);
331 alternate_desktop_handle_
= NULL
;
334 if (alternate_winstation_handle_
) {
335 ::CloseWindowStation(alternate_winstation_handle_
);
336 alternate_winstation_handle_
= NULL
;
340 ResultCode
PolicyBase::SetIntegrityLevel(IntegrityLevel integrity_level
) {
341 integrity_level_
= integrity_level
;
345 IntegrityLevel
PolicyBase::GetIntegrityLevel() const {
346 return integrity_level_
;
349 ResultCode
PolicyBase::SetDelayedIntegrityLevel(
350 IntegrityLevel integrity_level
) {
351 delayed_integrity_level_
= integrity_level
;
355 ResultCode
PolicyBase::SetAppContainer(const wchar_t* sid
) {
356 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8
)
359 // SetLowBox and SetAppContainer are mutually exclusive.
361 return SBOX_ERROR_UNSUPPORTED
;
363 // Windows refuses to work with an impersonation token for a process inside
364 // an AppContainer. If the caller wants to use a more privileged initial
365 // token, or if the lockdown level will prevent the process from starting,
366 // we have to fail the operation.
367 if (lockdown_level_
< USER_LIMITED
|| lockdown_level_
!= initial_level_
)
368 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER
;
370 DCHECK(!appcontainer_list_
.get());
371 appcontainer_list_
.reset(new AppContainerAttributes
);
372 ResultCode rv
= appcontainer_list_
->SetAppContainer(sid
, capabilities_
);
373 if (rv
!= SBOX_ALL_OK
)
379 ResultCode
PolicyBase::SetCapability(const wchar_t* sid
) {
380 capabilities_
.push_back(sid
);
384 ResultCode
PolicyBase::SetLowBox(const wchar_t* sid
) {
385 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8
)
386 return SBOX_ERROR_UNSUPPORTED
;
388 // SetLowBox and SetAppContainer are mutually exclusive.
389 if (appcontainer_list_
.get())
390 return SBOX_ERROR_UNSUPPORTED
;
395 return SBOX_ERROR_BAD_PARAMS
;
397 if (!ConvertStringSidToSid(sid
, &lowbox_sid_
))
398 return SBOX_ERROR_GENERIC
;
403 ResultCode
PolicyBase::SetProcessMitigations(
404 MitigationFlags flags
) {
405 if (!CanSetProcessMitigationsPreStartup(flags
))
406 return SBOX_ERROR_BAD_PARAMS
;
407 mitigations_
= flags
;
411 MitigationFlags
PolicyBase::GetProcessMitigations() {
415 ResultCode
PolicyBase::SetDelayedProcessMitigations(
416 MitigationFlags flags
) {
417 if (!CanSetProcessMitigationsPostStartup(flags
))
418 return SBOX_ERROR_BAD_PARAMS
;
419 delayed_mitigations_
= flags
;
423 MitigationFlags
PolicyBase::GetDelayedProcessMitigations() const {
424 return delayed_mitigations_
;
427 void PolicyBase::SetStrictInterceptions() {
428 relaxed_interceptions_
= false;
431 ResultCode
PolicyBase::SetStdoutHandle(HANDLE handle
) {
432 if (!IsInheritableHandle(handle
))
433 return SBOX_ERROR_BAD_PARAMS
;
434 stdout_handle_
= handle
;
438 ResultCode
PolicyBase::SetStderrHandle(HANDLE handle
) {
439 if (!IsInheritableHandle(handle
))
440 return SBOX_ERROR_BAD_PARAMS
;
441 stderr_handle_
= handle
;
445 ResultCode
PolicyBase::AddRule(SubSystem subsystem
,
447 const wchar_t* pattern
) {
448 ResultCode result
= AddRuleInternal(subsystem
, semantics
, pattern
);
449 LOG_IF(ERROR
, result
!= SBOX_ALL_OK
) << "Failed to add sandbox rule."
450 << " error = " << result
451 << ", subsystem = " << subsystem
452 << ", semantics = " << semantics
453 << ", pattern = '" << pattern
<< "'";
457 ResultCode
PolicyBase::AddDllToUnload(const wchar_t* dll_name
) {
458 blacklisted_dlls_
.push_back(dll_name
);
462 ResultCode
PolicyBase::AddKernelObjectToClose(const base::char16
* handle_type
,
463 const base::char16
* handle_name
) {
464 return handle_closer_
.AddHandle(handle_type
, handle_name
);
467 void* PolicyBase::AddHandleToShare(HANDLE handle
) {
468 if (base::win::GetVersion() < base::win::VERSION_VISTA
)
474 HANDLE duped_handle
= NULL
;
475 ::DuplicateHandle(::GetCurrentProcess(),
477 ::GetCurrentProcess(),
481 DUPLICATE_SAME_ACCESS
);
482 DCHECK(duped_handle
);
483 handles_to_share_
.push_back(duped_handle
);
487 HandleList
PolicyBase::GetHandlesBeingShared() {
488 return handles_to_share_
;
491 void PolicyBase::ClearSharedHandles() {
492 for (auto handle
: handles_to_share_
) {
493 ::CloseHandle(handle
);
495 handles_to_share_
.clear();
498 // When an IPC is ready in any of the targets we get called. We manage an array
499 // of IPC dispatchers which are keyed on the IPC tag so we normally delegate
500 // to the appropriate dispatcher unless we can handle the IPC call ourselves.
501 Dispatcher
* PolicyBase::OnMessageReady(IPCParams
* ipc
,
502 CallbackGeneric
* callback
) {
504 static const IPCParams ping1
= {IPC_PING1_TAG
, UINT32_TYPE
};
505 static const IPCParams ping2
= {IPC_PING2_TAG
, INOUTPTR_TYPE
};
507 if (ping1
.Matches(ipc
) || ping2
.Matches(ipc
)) {
508 *callback
= reinterpret_cast<CallbackGeneric
>(
509 static_cast<Callback1
>(&PolicyBase::Ping
));
513 Dispatcher
* dispatch
= GetDispatcher(ipc
->ipc_tag
);
518 return dispatch
->OnMessageReady(ipc
, callback
);
521 // Delegate to the appropriate dispatcher.
522 bool PolicyBase::SetupService(InterceptionManager
* manager
, int service
) {
523 if (IPC_PING1_TAG
== service
|| IPC_PING2_TAG
== service
)
526 Dispatcher
* dispatch
= GetDispatcher(service
);
531 return dispatch
->SetupService(manager
, service
);
534 ResultCode
PolicyBase::MakeJobObject(HANDLE
* job
) {
535 if (job_level_
!= JOB_NONE
) {
536 // Create the windows job object.
538 DWORD result
= job_obj
.Init(job_level_
, NULL
, ui_exceptions_
,
540 if (ERROR_SUCCESS
!= result
) {
541 return SBOX_ERROR_GENERIC
;
543 *job
= job_obj
.Detach();
550 ResultCode
PolicyBase::MakeTokens(HANDLE
* initial
, HANDLE
* lockdown
) {
551 if (appcontainer_list_
.get() && appcontainer_list_
->HasAppContainer() &&
553 return SBOX_ERROR_BAD_PARAMS
;
556 // Create the 'naked' token. This will be the permanent token associated
557 // with the process and therefore with any thread that is not impersonating.
558 DWORD result
= CreateRestrictedToken(lockdown
, lockdown_level_
,
559 integrity_level_
, PRIMARY
);
560 if (ERROR_SUCCESS
!= result
)
561 return SBOX_ERROR_GENERIC
;
563 // If we're launching on the alternate desktop we need to make sure the
564 // integrity label on the object is no higher than the sandboxed process's
565 // integrity level. So, we lower the label on the desktop process if it's
566 // not already low enough for our process.
567 if (alternate_desktop_handle_
&& use_alternate_desktop_
&&
568 integrity_level_
!= INTEGRITY_LEVEL_LAST
&&
569 alternate_desktop_integrity_level_label_
< integrity_level_
&&
570 base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA
) {
571 // Integrity label enum is reversed (higher level is a lower value).
572 static_assert(INTEGRITY_LEVEL_SYSTEM
< INTEGRITY_LEVEL_UNTRUSTED
,
573 "Integrity level ordering reversed.");
574 result
= SetObjectIntegrityLabel(alternate_desktop_handle_
,
577 GetIntegrityLevelString(integrity_level_
));
578 if (ERROR_SUCCESS
!= result
)
579 return SBOX_ERROR_GENERIC
;
581 alternate_desktop_integrity_level_label_
= integrity_level_
;
584 // We are maintaining two mutually exclusive approaches. One is to start an
585 // AppContainer process through StartupInfoEx and other is replacing
586 // existing token with LowBox token after process creation.
587 if (appcontainer_list_
.get() && appcontainer_list_
->HasAppContainer()) {
588 // Windows refuses to work with an impersonation token. See SetAppContainer
589 // implementation for more details.
590 if (lockdown_level_
< USER_LIMITED
|| lockdown_level_
!= initial_level_
)
591 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER
;
593 *initial
= INVALID_HANDLE_VALUE
;
595 } else if (lowbox_sid_
) {
596 NtCreateLowBoxToken CreateLowBoxToken
= NULL
;
597 ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBoxToken
);
598 OBJECT_ATTRIBUTES obj_attr
;
599 InitializeObjectAttributes(&obj_attr
, NULL
, 0, NULL
, NULL
);
600 HANDLE token_lowbox
= NULL
;
602 if (!lowbox_directory_
.IsValid())
603 lowbox_directory_
.Set(CreateLowBoxObjectDirectory(lowbox_sid_
));
604 DCHECK(lowbox_directory_
.IsValid());
606 // The order of handles isn't important in the CreateLowBoxToken call.
607 // The kernel will maintain a reference to the object directory handle.
608 HANDLE saved_handles
[1] = {lowbox_directory_
.Get()};
609 DWORD saved_handles_count
= lowbox_directory_
.IsValid() ? 1 : 0;
611 NTSTATUS status
= CreateLowBoxToken(&token_lowbox
, *lockdown
,
612 TOKEN_ALL_ACCESS
, &obj_attr
,
613 lowbox_sid_
, 0, NULL
,
614 saved_handles_count
, saved_handles
);
615 if (!NT_SUCCESS(status
))
616 return SBOX_ERROR_GENERIC
;
618 DCHECK(token_lowbox
);
619 ::CloseHandle(*lockdown
);
620 *lockdown
= token_lowbox
;
623 // Create the 'better' token. We use this token as the one that the main
624 // thread uses when booting up the process. It should contain most of
625 // what we need (before reaching main( ))
626 result
= CreateRestrictedToken(initial
, initial_level_
,
627 integrity_level_
, IMPERSONATION
);
628 if (ERROR_SUCCESS
!= result
) {
629 ::CloseHandle(*lockdown
);
630 return SBOX_ERROR_GENERIC
;
635 const AppContainerAttributes
* PolicyBase::GetAppContainer() const {
636 if (!appcontainer_list_
.get() || !appcontainer_list_
->HasAppContainer())
639 return appcontainer_list_
.get();
642 const PSID
PolicyBase::GetLowBoxSid() const {
646 bool PolicyBase::AddTarget(TargetProcess
* target
) {
648 policy_maker_
->Done();
650 if (!ApplyProcessMitigationsToSuspendedProcess(target
->Process(),
655 if (!SetupAllInterceptions(target
))
658 if (!SetupHandleCloser(target
))
661 // Initialize the sandbox infrastructure for the target.
662 if (ERROR_SUCCESS
!= target
->Init(this, policy_
, kIPCMemSize
, kPolMemSize
))
665 g_shared_delayed_integrity_level
= delayed_integrity_level_
;
666 ResultCode ret
= target
->TransferVariable(
667 "g_shared_delayed_integrity_level",
668 &g_shared_delayed_integrity_level
,
669 sizeof(g_shared_delayed_integrity_level
));
670 g_shared_delayed_integrity_level
= INTEGRITY_LEVEL_LAST
;
671 if (SBOX_ALL_OK
!= ret
)
674 // Add in delayed mitigations and pseudo-mitigations enforced at startup.
675 g_shared_delayed_mitigations
= delayed_mitigations_
|
676 FilterPostStartupProcessMitigations(mitigations_
);
677 if (!CanSetProcessMitigationsPostStartup(g_shared_delayed_mitigations
))
680 ret
= target
->TransferVariable("g_shared_delayed_mitigations",
681 &g_shared_delayed_mitigations
,
682 sizeof(g_shared_delayed_mitigations
));
683 g_shared_delayed_mitigations
= 0;
684 if (SBOX_ALL_OK
!= ret
)
687 AutoLock
lock(&lock_
);
688 targets_
.push_back(target
);
692 bool PolicyBase::OnJobEmpty(HANDLE job
) {
693 AutoLock
lock(&lock_
);
694 TargetSet::iterator it
;
695 for (it
= targets_
.begin(); it
!= targets_
.end(); ++it
) {
696 if ((*it
)->Job() == job
)
699 if (it
== targets_
.end()) {
702 TargetProcess
* target
= *it
;
708 EvalResult
PolicyBase::EvalPolicy(int service
,
709 CountedParameterSetBase
* params
) {
710 if (NULL
!= policy_
) {
711 if (NULL
== policy_
->entry
[service
]) {
712 // There is no policy for this particular service. This is not a big
716 for (int i
= 0; i
< params
->count
; i
++) {
717 if (!params
->parameters
[i
].IsValid()) {
722 PolicyProcessor
pol_evaluator(policy_
->entry
[service
]);
723 PolicyResult result
= pol_evaluator
.Evaluate(kShortEval
,
726 if (POLICY_MATCH
== result
) {
727 return pol_evaluator
.GetAction();
729 DCHECK(POLICY_ERROR
!= result
);
735 HANDLE
PolicyBase::GetStdoutHandle() {
736 return stdout_handle_
;
739 HANDLE
PolicyBase::GetStderrHandle() {
740 return stderr_handle_
;
743 // We service IPC_PING_TAG message which is a way to test a round trip of the
744 // IPC subsystem. We receive a integer cookie and we are expected to return the
745 // cookie times two (or three) and the current tick count.
746 bool PolicyBase::Ping(IPCInfo
* ipc
, void* arg1
) {
747 switch (ipc
->ipc_tag
) {
748 case IPC_PING1_TAG
: {
749 IPCInt
ipc_int(arg1
);
750 uint32 cookie
= ipc_int
.As32Bit();
751 ipc
->return_info
.extended_count
= 2;
752 ipc
->return_info
.extended
[0].unsigned_int
= ::GetTickCount();
753 ipc
->return_info
.extended
[1].unsigned_int
= 2 * cookie
;
756 case IPC_PING2_TAG
: {
757 CountedBuffer
* io_buffer
= reinterpret_cast<CountedBuffer
*>(arg1
);
758 if (sizeof(uint32
) != io_buffer
->Size())
761 uint32
* cookie
= reinterpret_cast<uint32
*>(io_buffer
->Buffer());
762 *cookie
= (*cookie
) * 3;
765 default: return false;
769 Dispatcher
* PolicyBase::GetDispatcher(int ipc_tag
) {
770 if (ipc_tag
>= IPC_LAST_TAG
|| ipc_tag
<= IPC_UNUSED_TAG
)
773 return ipc_targets_
[ipc_tag
];
776 bool PolicyBase::SetupAllInterceptions(TargetProcess
* target
) {
777 InterceptionManager
manager(target
, relaxed_interceptions_
);
780 for (int i
= 0; i
< IPC_LAST_TAG
; i
++) {
781 if (policy_
->entry
[i
] && !ipc_targets_
[i
]->SetupService(&manager
, i
))
786 if (!blacklisted_dlls_
.empty()) {
787 std::vector
<base::string16
>::iterator it
= blacklisted_dlls_
.begin();
788 for (; it
!= blacklisted_dlls_
.end(); ++it
) {
789 manager
.AddToUnloadModules(it
->c_str());
793 if (!SetupBasicInterceptions(&manager
))
796 if (!manager
.InitializeInterceptions())
799 // Finally, setup imports on the target so the interceptions can work.
800 return SetupNtdllImports(target
);
803 bool PolicyBase::SetupHandleCloser(TargetProcess
* target
) {
804 return handle_closer_
.InitializeTargetHandles(target
);
807 ResultCode
PolicyBase::AddRuleInternal(SubSystem subsystem
,
809 const wchar_t* pattern
) {
810 if (NULL
== policy_
) {
811 policy_
= MakeBrokerPolicyMemory();
813 policy_maker_
= new LowLevelPolicy(policy_
);
814 DCHECK(policy_maker_
);
819 if (!file_system_init_
) {
820 if (!FileSystemPolicy::SetInitialRules(policy_maker_
))
821 return SBOX_ERROR_BAD_PARAMS
;
822 file_system_init_
= true;
824 if (!FileSystemPolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
826 return SBOX_ERROR_BAD_PARAMS
;
831 if (!SyncPolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
833 return SBOX_ERROR_BAD_PARAMS
;
837 case SUBSYS_PROCESS
: {
838 if (lockdown_level_
< USER_INTERACTIVE
&&
839 TargetPolicy::PROCESS_ALL_EXEC
== semantics
) {
840 // This is unsupported. This is a huge security risk to give full access
841 // to a process handle.
842 return SBOX_ERROR_UNSUPPORTED
;
844 if (!ProcessPolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
846 return SBOX_ERROR_BAD_PARAMS
;
850 case SUBSYS_NAMED_PIPES
: {
851 if (!NamedPipePolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
853 return SBOX_ERROR_BAD_PARAMS
;
857 case SUBSYS_REGISTRY
: {
858 if (!RegistryPolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
860 return SBOX_ERROR_BAD_PARAMS
;
864 case SUBSYS_HANDLES
: {
865 if (!HandlePolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
867 return SBOX_ERROR_BAD_PARAMS
;
872 case SUBSYS_WIN32K_LOCKDOWN
: {
873 if (!ProcessMitigationsWin32KLockdownPolicy::GenerateRules(
874 pattern
, semantics
, policy_maker_
)) {
876 return SBOX_ERROR_BAD_PARAMS
;
881 default: { return SBOX_ERROR_UNSUPPORTED
; }
887 } // namespace sandbox