Permission message rules: Each rule must have >= 1 required permissions
[chromium-blink-merge.git] / sandbox / win / src / handle_closer_agent.cc
blobae5c4d17a88979f86c395c33f585dfc22bc0b4dc
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/win/src/handle_closer_agent.h"
7 #include "base/logging.h"
8 #include "sandbox/win/src/nt_internals.h"
9 #include "sandbox/win/src/win_utils.h"
11 namespace {
13 // Returns type infomation for an NT object. This routine is expected to be
14 // called for invalid handles so it catches STATUS_INVALID_HANDLE exceptions
15 // that can be generated when handle tracing is enabled.
16 NTSTATUS QueryObjectTypeInformation(HANDLE handle,
17 void* buffer,
18 ULONG* size) {
19 static NtQueryObject QueryObject = NULL;
20 if (!QueryObject)
21 ResolveNTFunctionPtr("NtQueryObject", &QueryObject);
23 NTSTATUS status = STATUS_UNSUCCESSFUL;
24 __try {
25 status = QueryObject(handle, ObjectTypeInformation, buffer, *size, size);
26 } __except(GetExceptionCode() == STATUS_INVALID_HANDLE ?
27 EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
28 status = STATUS_INVALID_HANDLE;
30 return status;
33 } // namespace
35 namespace sandbox {
37 // Memory buffer mapped from the parent, with the list of handles.
38 SANDBOX_INTERCEPT HandleCloserInfo* g_handles_to_close = NULL;
40 bool HandleCloserAgent::NeedsHandlesClosed() {
41 return g_handles_to_close != NULL;
44 HandleCloserAgent::HandleCloserAgent()
45 : dummy_handle_(::CreateEvent(NULL, FALSE, FALSE, NULL)) {
48 HandleCloserAgent::~HandleCloserAgent() {
51 // Attempts to stuff |closed_handle| with a duplicated handle for a dummy Event
52 // with no access. This should allow the handle to be closed, to avoid
53 // generating EXCEPTION_INVALID_HANDLE on shutdown, but nothing else. For now
54 // the only supported |type| is Event or File.
55 bool HandleCloserAgent::AttemptToStuffHandleSlot(HANDLE closed_handle,
56 const base::string16& type) {
57 // Only attempt to stuff Files and Events at the moment.
58 if (type != L"Event" && type != L"File") {
59 return true;
62 if (!dummy_handle_.IsValid())
63 return false;
65 // This should never happen, as g_dummy is created before closing to_stuff.
66 DCHECK(dummy_handle_.Get() != closed_handle);
68 std::vector<HANDLE> to_close;
69 HANDLE dup_dummy = NULL;
70 size_t count = 16;
72 do {
73 if (!::DuplicateHandle(::GetCurrentProcess(), dummy_handle_.Get(),
74 ::GetCurrentProcess(), &dup_dummy, 0, FALSE, 0))
75 break;
76 if (dup_dummy != closed_handle)
77 to_close.push_back(dup_dummy);
78 } while (count-- &&
79 reinterpret_cast<uintptr_t>(dup_dummy) <
80 reinterpret_cast<uintptr_t>(closed_handle));
82 for (auto h : to_close)
83 ::CloseHandle(h);
85 // Useful to know when we're not able to stuff handles.
86 DCHECK(dup_dummy == closed_handle);
88 return dup_dummy == closed_handle;
91 // Reads g_handles_to_close and creates the lookup map.
92 void HandleCloserAgent::InitializeHandlesToClose(bool* is_csrss_connected) {
93 CHECK(g_handles_to_close != NULL);
95 // Default to connected state
96 *is_csrss_connected = true;
98 // Grab the header.
99 HandleListEntry* entry = g_handles_to_close->handle_entries;
100 for (size_t i = 0; i < g_handles_to_close->num_handle_types; ++i) {
101 // Set the type name.
102 base::char16* input = entry->handle_type;
103 if (!wcscmp(input, L"ALPC Port")) {
104 *is_csrss_connected = false;
106 HandleMap::mapped_type& handle_names = handles_to_close_[input];
107 input = reinterpret_cast<base::char16*>(reinterpret_cast<char*>(entry)
108 + entry->offset_to_names);
109 // Grab all the handle names.
110 for (size_t j = 0; j < entry->name_count; ++j) {
111 std::pair<HandleMap::mapped_type::iterator, bool> name
112 = handle_names.insert(input);
113 CHECK(name.second);
114 input += name.first->size() + 1;
117 // Move on to the next entry.
118 entry = reinterpret_cast<HandleListEntry*>(reinterpret_cast<char*>(entry)
119 + entry->record_bytes);
121 DCHECK(reinterpret_cast<base::char16*>(entry) >= input);
122 DCHECK(reinterpret_cast<base::char16*>(entry) - input <
123 sizeof(size_t) / sizeof(base::char16));
126 // Clean up the memory we copied over.
127 ::VirtualFree(g_handles_to_close, 0, MEM_RELEASE);
128 g_handles_to_close = NULL;
131 bool HandleCloserAgent::CloseHandles() {
132 DWORD handle_count = UINT_MAX;
133 const int kInvalidHandleThreshold = 100;
134 const size_t kHandleOffset = 4; // Handles are always a multiple of 4.
136 if (!::GetProcessHandleCount(::GetCurrentProcess(), &handle_count))
137 return false;
139 // Set up buffers for the type info and the name.
140 std::vector<BYTE> type_info_buffer(sizeof(OBJECT_TYPE_INFORMATION) +
141 32 * sizeof(wchar_t));
142 OBJECT_TYPE_INFORMATION* type_info =
143 reinterpret_cast<OBJECT_TYPE_INFORMATION*>(&(type_info_buffer[0]));
144 base::string16 handle_name;
145 HANDLE handle = NULL;
146 int invalid_count = 0;
148 // Keep incrementing until we hit the number of handles reported by
149 // GetProcessHandleCount(). If we hit a very long sequence of invalid
150 // handles we assume that we've run past the end of the table.
151 while (handle_count && invalid_count < kInvalidHandleThreshold) {
152 reinterpret_cast<size_t&>(handle) += kHandleOffset;
153 NTSTATUS rc;
155 // Get the type name, reusing the buffer.
156 ULONG size = static_cast<ULONG>(type_info_buffer.size());
157 rc = QueryObjectTypeInformation(handle, type_info, &size);
158 while (rc == STATUS_INFO_LENGTH_MISMATCH ||
159 rc == STATUS_BUFFER_OVERFLOW) {
160 type_info_buffer.resize(size + sizeof(wchar_t));
161 type_info = reinterpret_cast<OBJECT_TYPE_INFORMATION*>(
162 &(type_info_buffer[0]));
163 rc = QueryObjectTypeInformation(handle, type_info, &size);
164 // Leave padding for the nul terminator.
165 if (NT_SUCCESS(rc) && size == type_info_buffer.size())
166 rc = STATUS_INFO_LENGTH_MISMATCH;
168 if (!NT_SUCCESS(rc) || !type_info->Name.Buffer) {
169 ++invalid_count;
170 continue;
173 --handle_count;
174 type_info->Name.Buffer[type_info->Name.Length / sizeof(wchar_t)] = L'\0';
176 // Check if we're looking for this type of handle.
177 HandleMap::iterator result =
178 handles_to_close_.find(type_info->Name.Buffer);
179 if (result != handles_to_close_.end()) {
180 HandleMap::mapped_type& names = result->second;
181 // Empty set means close all handles of this type; otherwise check name.
182 if (!names.empty()) {
183 // Move on to the next handle if this name doesn't match.
184 if (!GetHandleName(handle, &handle_name) || !names.count(handle_name))
185 continue;
188 if (!::SetHandleInformation(handle, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0))
189 return false;
190 if (!::CloseHandle(handle))
191 return false;
192 // Attempt to stuff this handle with a new dummy Event.
193 AttemptToStuffHandleSlot(handle, result->first);
197 return true;
200 } // namespace sandbox