1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/win/src/process_thread_policy.h"
9 #include "base/memory/scoped_ptr.h"
10 #include "sandbox/win/src/ipc_tags.h"
11 #include "sandbox/win/src/nt_internals.h"
12 #include "sandbox/win/src/policy_engine_opcodes.h"
13 #include "sandbox/win/src/policy_params.h"
14 #include "sandbox/win/src/sandbox_types.h"
15 #include "sandbox/win/src/win_utils.h"
19 // These are the only safe rights that can be given to a sandboxed
20 // process for the process created by the broker. All others are potential
21 // vectors of privilege elevation.
22 const DWORD kProcessRights
= SYNCHRONIZE
|
23 PROCESS_QUERY_INFORMATION
|
24 PROCESS_QUERY_LIMITED_INFORMATION
|
26 PROCESS_SUSPEND_RESUME
;
28 const DWORD kThreadRights
= SYNCHRONIZE
|
30 THREAD_SUSPEND_RESUME
|
31 THREAD_QUERY_INFORMATION
|
32 THREAD_QUERY_LIMITED_INFORMATION
|
33 THREAD_SET_LIMITED_INFORMATION
;
35 // Creates a child process and duplicates the handles to 'target_process'. The
36 // remaining parameters are the same as CreateProcess().
37 BOOL
CreateProcessExWHelper(HANDLE target_process
, BOOL give_full_access
,
38 LPCWSTR lpApplicationName
, LPWSTR lpCommandLine
,
39 LPSECURITY_ATTRIBUTES lpProcessAttributes
,
40 LPSECURITY_ATTRIBUTES lpThreadAttributes
,
41 BOOL bInheritHandles
, DWORD dwCreationFlags
,
42 LPVOID lpEnvironment
, LPCWSTR lpCurrentDirectory
,
43 LPSTARTUPINFOW lpStartupInfo
,
44 LPPROCESS_INFORMATION lpProcessInformation
) {
45 if (!::CreateProcessW(lpApplicationName
, lpCommandLine
, lpProcessAttributes
,
46 lpThreadAttributes
, bInheritHandles
, dwCreationFlags
,
47 lpEnvironment
, lpCurrentDirectory
, lpStartupInfo
,
48 lpProcessInformation
)) {
52 DWORD process_access
= kProcessRights
;
53 DWORD thread_access
= kThreadRights
;
54 if (give_full_access
) {
55 process_access
= PROCESS_ALL_ACCESS
;
56 thread_access
= THREAD_ALL_ACCESS
;
58 if (!::DuplicateHandle(::GetCurrentProcess(), lpProcessInformation
->hProcess
,
59 target_process
, &lpProcessInformation
->hProcess
,
60 process_access
, FALSE
, DUPLICATE_CLOSE_SOURCE
)) {
61 ::CloseHandle(lpProcessInformation
->hThread
);
64 if (!::DuplicateHandle(::GetCurrentProcess(), lpProcessInformation
->hThread
,
65 target_process
, &lpProcessInformation
->hThread
,
66 thread_access
, FALSE
, DUPLICATE_CLOSE_SOURCE
)) {
76 bool ProcessPolicy::GenerateRules(const wchar_t* name
,
77 TargetPolicy::Semantics semantics
,
78 LowLevelPolicy
* policy
) {
79 scoped_ptr
<PolicyRule
> process
;
81 case TargetPolicy::PROCESS_MIN_EXEC
: {
82 process
.reset(new PolicyRule(GIVE_READONLY
));
85 case TargetPolicy::PROCESS_ALL_EXEC
: {
86 process
.reset(new PolicyRule(GIVE_ALLACCESS
));
94 if (!process
->AddStringMatch(IF
, NameBased::NAME
, name
, CASE_INSENSITIVE
)) {
97 if (!policy
->AddRule(IPC_CREATEPROCESSW_TAG
, process
.get())) {
103 NTSTATUS
ProcessPolicy::OpenThreadAction(const ClientInfo
& client_info
,
104 uint32 desired_access
,
109 NtOpenThreadFunction NtOpenThread
= NULL
;
110 ResolveNTFunctionPtr("NtOpenThread", &NtOpenThread
);
112 OBJECT_ATTRIBUTES attributes
= {0};
113 attributes
.Length
= sizeof(attributes
);
114 CLIENT_ID client_id
= {0};
115 client_id
.UniqueProcess
= reinterpret_cast<PVOID
>(
116 static_cast<ULONG_PTR
>(client_info
.process_id
));
117 client_id
.UniqueThread
=
118 reinterpret_cast<PVOID
>(static_cast<ULONG_PTR
>(thread_id
));
120 HANDLE local_handle
= NULL
;
121 NTSTATUS status
= NtOpenThread(&local_handle
, desired_access
, &attributes
,
123 if (NT_SUCCESS(status
)) {
124 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle
,
125 client_info
.process
, handle
, 0, FALSE
,
126 DUPLICATE_CLOSE_SOURCE
| DUPLICATE_SAME_ACCESS
)) {
127 return STATUS_ACCESS_DENIED
;
134 NTSTATUS
ProcessPolicy::OpenProcessAction(const ClientInfo
& client_info
,
135 uint32 desired_access
,
140 NtOpenProcessFunction NtOpenProcess
= NULL
;
141 ResolveNTFunctionPtr("NtOpenProcess", &NtOpenProcess
);
143 if (client_info
.process_id
!= process_id
)
144 return STATUS_ACCESS_DENIED
;
146 OBJECT_ATTRIBUTES attributes
= {0};
147 attributes
.Length
= sizeof(attributes
);
148 CLIENT_ID client_id
= {0};
149 client_id
.UniqueProcess
= reinterpret_cast<PVOID
>(
150 static_cast<ULONG_PTR
>(client_info
.process_id
));
151 HANDLE local_handle
= NULL
;
152 NTSTATUS status
= NtOpenProcess(&local_handle
, desired_access
, &attributes
,
154 if (NT_SUCCESS(status
)) {
155 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle
,
156 client_info
.process
, handle
, 0, FALSE
,
157 DUPLICATE_CLOSE_SOURCE
| DUPLICATE_SAME_ACCESS
)) {
158 return STATUS_ACCESS_DENIED
;
165 NTSTATUS
ProcessPolicy::OpenProcessTokenAction(const ClientInfo
& client_info
,
167 uint32 desired_access
,
170 NtOpenProcessTokenFunction NtOpenProcessToken
= NULL
;
171 ResolveNTFunctionPtr("NtOpenProcessToken", &NtOpenProcessToken
);
173 if (CURRENT_PROCESS
!= process
)
174 return STATUS_ACCESS_DENIED
;
176 HANDLE local_handle
= NULL
;
177 NTSTATUS status
= NtOpenProcessToken(client_info
.process
, desired_access
,
179 if (NT_SUCCESS(status
)) {
180 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle
,
181 client_info
.process
, handle
, 0, FALSE
,
182 DUPLICATE_CLOSE_SOURCE
| DUPLICATE_SAME_ACCESS
)) {
183 return STATUS_ACCESS_DENIED
;
189 NTSTATUS
ProcessPolicy::OpenProcessTokenExAction(const ClientInfo
& client_info
,
191 uint32 desired_access
,
195 NtOpenProcessTokenExFunction NtOpenProcessTokenEx
= NULL
;
196 ResolveNTFunctionPtr("NtOpenProcessTokenEx", &NtOpenProcessTokenEx
);
198 if (CURRENT_PROCESS
!= process
)
199 return STATUS_ACCESS_DENIED
;
201 HANDLE local_handle
= NULL
;
202 NTSTATUS status
= NtOpenProcessTokenEx(client_info
.process
, desired_access
,
203 attributes
, &local_handle
);
204 if (NT_SUCCESS(status
)) {
205 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle
,
206 client_info
.process
, handle
, 0, FALSE
,
207 DUPLICATE_CLOSE_SOURCE
| DUPLICATE_SAME_ACCESS
)) {
208 return STATUS_ACCESS_DENIED
;
214 DWORD
ProcessPolicy::CreateProcessWAction(EvalResult eval_result
,
215 const ClientInfo
& client_info
,
216 const base::string16
&app_name
,
217 const base::string16
&command_line
,
218 PROCESS_INFORMATION
* process_info
) {
219 // The only action supported is ASK_BROKER which means create the process.
220 if (GIVE_ALLACCESS
!= eval_result
&& GIVE_READONLY
!= eval_result
) {
221 return ERROR_ACCESS_DENIED
;
224 STARTUPINFO startup_info
= {0};
225 startup_info
.cb
= sizeof(startup_info
);
226 scoped_ptr
<wchar_t, base::FreeDeleter
>
227 cmd_line(_wcsdup(command_line
.c_str()));
229 BOOL should_give_full_access
= (GIVE_ALLACCESS
== eval_result
);
230 if (!CreateProcessExWHelper(client_info
.process
, should_give_full_access
,
231 app_name
.c_str(), cmd_line
.get(), NULL
, NULL
,
232 FALSE
, 0, NULL
, NULL
, &startup_info
,
234 return ERROR_ACCESS_DENIED
;
236 return ERROR_SUCCESS
;
239 } // namespace sandbox