search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "Fix broken channel icon in chrome://help on CrOS" and try again
[chromium-blink-merge.git] / sandbox / win / src / sandbox_policy_base.cc
blob9c3bf0c7a6bab1436d44899d40d1a9de5c65476a
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/sandbox_policy_base.h"
6
7 #include <sddl.h>
8
9 #include "base/basictypes.h"
10 #include "base/callback.h"
11 #include "base/logging.h"
12 #include "base/stl_util.h"
13 #include "base/strings/stringprintf.h"
14 #include "base/win/windows_version.h"
15 #include "sandbox/win/src/app_container.h"
16 #include "sandbox/win/src/filesystem_dispatcher.h"
17 #include "sandbox/win/src/filesystem_policy.h"
18 #include "sandbox/win/src/handle_dispatcher.h"
19 #include "sandbox/win/src/handle_policy.h"
20 #include "sandbox/win/src/job.h"
21 #include "sandbox/win/src/interception.h"
22 #include "sandbox/win/src/process_mitigations.h"
23 #include "sandbox/win/src/named_pipe_dispatcher.h"
24 #include "sandbox/win/src/named_pipe_policy.h"
25 #include "sandbox/win/src/policy_broker.h"
26 #include "sandbox/win/src/policy_engine_processor.h"
27 #include "sandbox/win/src/policy_low_level.h"
28 #include "sandbox/win/src/process_mitigations_win32k_dispatcher.h"
29 #include "sandbox/win/src/process_mitigations_win32k_policy.h"
30 #include "sandbox/win/src/process_thread_dispatcher.h"
31 #include "sandbox/win/src/process_thread_policy.h"
32 #include "sandbox/win/src/registry_dispatcher.h"
33 #include "sandbox/win/src/registry_policy.h"
34 #include "sandbox/win/src/restricted_token_utils.h"
35 #include "sandbox/win/src/sandbox_policy.h"
36 #include "sandbox/win/src/sandbox_utils.h"
37 #include "sandbox/win/src/sync_dispatcher.h"
38 #include "sandbox/win/src/sync_policy.h"
39 #include "sandbox/win/src/target_process.h"
40 #include "sandbox/win/src/window.h"
41
42 namespace {
43
44 // The standard windows size for one memory page.
45 const size_t kOneMemPage = 4096;
46 // The IPC and Policy shared memory sizes.
47 const size_t kIPCMemSize = kOneMemPage * 2;
48 const size_t kPolMemSize = kOneMemPage * 14;
49
50 // Helper function to allocate space (on the heap) for policy.
51 sandbox::PolicyGlobal* MakeBrokerPolicyMemory() {
52 const size_t kTotalPolicySz = kPolMemSize;
53 sandbox::PolicyGlobal* policy = static_cast<sandbox::PolicyGlobal*>
54 (::operator new(kTotalPolicySz));
55 DCHECK(policy);
56 memset(policy, 0, kTotalPolicySz);
57 policy->data_size = kTotalPolicySz - sizeof(sandbox::PolicyGlobal);
58 return policy;
59 }
60
61 bool IsInheritableHandle(HANDLE handle) {
62 if (!handle)
63 return false;
64 if (handle == INVALID_HANDLE_VALUE)
65 return false;
66 // File handles (FILE_TYPE_DISK) and pipe handles are known to be
67 // inheritable. Console handles (FILE_TYPE_CHAR) are not
68 // inheritable via PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
69 DWORD handle_type = GetFileType(handle);
70 return handle_type == FILE_TYPE_DISK || handle_type == FILE_TYPE_PIPE;
71 }
72
73 HANDLE CreateLowBoxObjectDirectory(PSID lowbox_sid) {
74 DWORD session_id = 0;
75 if (!::ProcessIdToSessionId(::GetCurrentProcessId(), &session_id))
76 return NULL;
77
78 LPWSTR sid_string = NULL;
79 if (!::ConvertSidToStringSid(lowbox_sid, &sid_string))
80 return NULL;
81
82 base::string16 directory_path = base::StringPrintf(
83 L"\\Sessions\\%d\\AppContainerNamedObjects\\%ls",
84 session_id, sid_string).c_str();
85 ::LocalFree(sid_string);
86
87 NtCreateDirectoryObjectFunction CreateObjectDirectory = NULL;
88 ResolveNTFunctionPtr("NtCreateDirectoryObject", &CreateObjectDirectory);
89
90 OBJECT_ATTRIBUTES obj_attr;
91 UNICODE_STRING obj_name;
92 sandbox::InitObjectAttribs(directory_path,
93 OBJ_CASE_INSENSITIVE | OBJ_OPENIF,
94 NULL,
95 &obj_attr,
96 &obj_name,
97 NULL);
98
99 HANDLE handle = NULL;
100 NTSTATUS status = CreateObjectDirectory(&handle,
101 DIRECTORY_ALL_ACCESS,
102 &obj_attr);
103
104 if (!NT_SUCCESS(status))
105 return NULL;
106
107 return handle;
108 }
109
110 }
111
112 namespace sandbox {
113
114 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level;
115 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations;
116
117 // Initializes static members.
118 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL;
119 HDESK PolicyBase::alternate_desktop_handle_ = NULL;
120 IntegrityLevel PolicyBase::alternate_desktop_integrity_level_label_ =
121 INTEGRITY_LEVEL_SYSTEM;
122
123 PolicyBase::PolicyBase()
124 : ref_count(1),
125 lockdown_level_(USER_LOCKDOWN),
126 initial_level_(USER_LOCKDOWN),
127 job_level_(JOB_LOCKDOWN),
128 ui_exceptions_(0),
129 memory_limit_(0),
130 use_alternate_desktop_(false),
131 use_alternate_winstation_(false),
132 file_system_init_(false),
133 relaxed_interceptions_(true),
134 stdout_handle_(INVALID_HANDLE_VALUE),
135 stderr_handle_(INVALID_HANDLE_VALUE),
136 integrity_level_(INTEGRITY_LEVEL_LAST),
137 delayed_integrity_level_(INTEGRITY_LEVEL_LAST),
138 mitigations_(0),
139 delayed_mitigations_(0),
140 policy_maker_(NULL),
141 policy_(NULL),
142 lowbox_sid_(NULL) {
143 ::InitializeCriticalSection(&lock_);
144 // Initialize the IPC dispatcher array.
145 memset(&ipc_targets_, NULL, sizeof(ipc_targets_));
146 Dispatcher* dispatcher = NULL;
147
148 dispatcher = new FilesystemDispatcher(this);
149 ipc_targets_[IPC_NTCREATEFILE_TAG] = dispatcher;
150 ipc_targets_[IPC_NTOPENFILE_TAG] = dispatcher;
151 ipc_targets_[IPC_NTSETINFO_RENAME_TAG] = dispatcher;
152 ipc_targets_[IPC_NTQUERYATTRIBUTESFILE_TAG] = dispatcher;
153 ipc_targets_[IPC_NTQUERYFULLATTRIBUTESFILE_TAG] = dispatcher;
154
155 dispatcher = new NamedPipeDispatcher(this);
156 ipc_targets_[IPC_CREATENAMEDPIPEW_TAG] = dispatcher;
157
158 dispatcher = new ThreadProcessDispatcher(this);
159 ipc_targets_[IPC_NTOPENTHREAD_TAG] = dispatcher;
160 ipc_targets_[IPC_NTOPENPROCESS_TAG] = dispatcher;
161 ipc_targets_[IPC_CREATEPROCESSW_TAG] = dispatcher;
162 ipc_targets_[IPC_NTOPENPROCESSTOKEN_TAG] = dispatcher;
163 ipc_targets_[IPC_NTOPENPROCESSTOKENEX_TAG] = dispatcher;
164
165 dispatcher = new SyncDispatcher(this);
166 ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher;
167 ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher;
168
169 dispatcher = new RegistryDispatcher(this);
170 ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher;
171 ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher;
172
173 dispatcher = new HandleDispatcher(this);
174 ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher;
175
176 dispatcher = new ProcessMitigationsWin32KDispatcher(this);
177 ipc_targets_[IPC_GDI_GDIDLLINITIALIZE_TAG] = dispatcher;
178 ipc_targets_[IPC_GDI_GETSTOCKOBJECT_TAG] = dispatcher;
179 ipc_targets_[IPC_USER_REGISTERCLASSW_TAG] = dispatcher;
180 }
181
182 PolicyBase::~PolicyBase() {
183 ClearSharedHandles();
184
185 TargetSet::iterator it;
186 for (it = targets_.begin(); it != targets_.end(); ++it) {
187 TargetProcess* target = (*it);
188 delete target;
189 }
190 delete ipc_targets_[IPC_NTCREATEFILE_TAG];
191 delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG];
192 delete ipc_targets_[IPC_NTOPENTHREAD_TAG];
193 delete ipc_targets_[IPC_CREATEEVENT_TAG];
194 delete ipc_targets_[IPC_NTCREATEKEY_TAG];
195 delete ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG];
196 delete policy_maker_;
197 delete policy_;
198
199 if (lowbox_sid_)
200 ::LocalFree(lowbox_sid_);
201
202 ::DeleteCriticalSection(&lock_);
203 }
204
205 void PolicyBase::AddRef() {
206 ::InterlockedIncrement(&ref_count);
207 }
208
209 void PolicyBase::Release() {
210 if (0 == ::InterlockedDecrement(&ref_count))
211 delete this;
212 }
213
214 ResultCode PolicyBase::SetTokenLevel(TokenLevel initial, TokenLevel lockdown) {
215 if (initial < lockdown) {
216 return SBOX_ERROR_BAD_PARAMS;
217 }
218 initial_level_ = initial;
219 lockdown_level_ = lockdown;
220 return SBOX_ALL_OK;
221 }
222
223 TokenLevel PolicyBase::GetInitialTokenLevel() const {
224 return initial_level_;
225 }
226
227 TokenLevel PolicyBase::GetLockdownTokenLevel() const{
228 return lockdown_level_;
229 }
230
231 ResultCode PolicyBase::SetJobLevel(JobLevel job_level, uint32 ui_exceptions) {
232 if (memory_limit_ && job_level == JOB_NONE) {
233 return SBOX_ERROR_BAD_PARAMS;
234 }
235 job_level_ = job_level;
236 ui_exceptions_ = ui_exceptions;
237 return SBOX_ALL_OK;
238 }
239
240 ResultCode PolicyBase::SetJobMemoryLimit(size_t memory_limit) {
241 if (memory_limit && job_level_ == JOB_NONE) {
242 return SBOX_ERROR_BAD_PARAMS;
243 }
244 memory_limit_ = memory_limit;
245 return SBOX_ALL_OK;
246 }
247
248 ResultCode PolicyBase::SetAlternateDesktop(bool alternate_winstation) {
249 use_alternate_desktop_ = true;
250 use_alternate_winstation_ = alternate_winstation;
251 return CreateAlternateDesktop(alternate_winstation);
252 }
253
254 base::string16 PolicyBase::GetAlternateDesktop() const {
255 // No alternate desktop or winstation. Return an empty string.
256 if (!use_alternate_desktop_ && !use_alternate_winstation_) {
257 return base::string16();
258 }
259
260 // The desktop and winstation should have been created by now.
261 // If we hit this scenario, it means that the user ignored the failure
262 // during SetAlternateDesktop, so we ignore it here too.
263 if (use_alternate_desktop_ && !alternate_desktop_handle_) {
264 return base::string16();
265 }
266 if (use_alternate_winstation_ && (!alternate_desktop_handle_ ||
267 !alternate_winstation_handle_)) {
268 return base::string16();
269 }
270
271 return GetFullDesktopName(alternate_winstation_handle_,
272 alternate_desktop_handle_);
273 }
274
275 ResultCode PolicyBase::CreateAlternateDesktop(bool alternate_winstation) {
276 if (alternate_winstation) {
277 // Previously called with alternate_winstation = false?
278 if (!alternate_winstation_handle_ && alternate_desktop_handle_)
279 return SBOX_ERROR_UNSUPPORTED;
280
281 // Check if it's already created.
282 if (alternate_winstation_handle_ && alternate_desktop_handle_)
283 return SBOX_ALL_OK;
284
285 DCHECK(!alternate_winstation_handle_);
286 // Create the window station.
287 ResultCode result = CreateAltWindowStation(&alternate_winstation_handle_);
288 if (SBOX_ALL_OK != result)
289 return result;
290
291 // Verify that everything is fine.
292 if (!alternate_winstation_handle_ ||
293 GetWindowObjectName(alternate_winstation_handle_).empty())
294 return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
295
296 // Create the destkop.
297 result = CreateAltDesktop(alternate_winstation_handle_,
298 &alternate_desktop_handle_);
299 if (SBOX_ALL_OK != result)
300 return result;
301
302 // Verify that everything is fine.
303 if (!alternate_desktop_handle_ ||
304 GetWindowObjectName(alternate_desktop_handle_).empty())
305 return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
306 } else {
307 // Previously called with alternate_winstation = true?
308 if (alternate_winstation_handle_)
309 return SBOX_ERROR_UNSUPPORTED;
310
311 // Check if it already exists.
312 if (alternate_desktop_handle_)
313 return SBOX_ALL_OK;
314
315 // Create the destkop.
316 ResultCode result = CreateAltDesktop(NULL, &alternate_desktop_handle_);
317 if (SBOX_ALL_OK != result)
318 return result;
319
320 // Verify that everything is fine.
321 if (!alternate_desktop_handle_ ||
322 GetWindowObjectName(alternate_desktop_handle_).empty())
323 return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
324 }
325
326 return SBOX_ALL_OK;
327 }
328
329 void PolicyBase::DestroyAlternateDesktop() {
330 if (alternate_desktop_handle_) {
331 ::CloseDesktop(alternate_desktop_handle_);
332 alternate_desktop_handle_ = NULL;
333 }
334
335 if (alternate_winstation_handle_) {
336 ::CloseWindowStation(alternate_winstation_handle_);
337 alternate_winstation_handle_ = NULL;
338 }
339 }
340
341 ResultCode PolicyBase::SetIntegrityLevel(IntegrityLevel integrity_level) {
342 integrity_level_ = integrity_level;
343 return SBOX_ALL_OK;
344 }
345
346 IntegrityLevel PolicyBase::GetIntegrityLevel() const {
347 return integrity_level_;
348 }
349
350 ResultCode PolicyBase::SetDelayedIntegrityLevel(
351 IntegrityLevel integrity_level) {
352 delayed_integrity_level_ = integrity_level;
353 return SBOX_ALL_OK;
354 }
355
356 ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) {
357 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
358 return SBOX_ALL_OK;
359
360 // SetLowBox and SetAppContainer are mutually exclusive.
361 if (lowbox_sid_)
362 return SBOX_ERROR_UNSUPPORTED;
363
364 // Windows refuses to work with an impersonation token for a process inside
365 // an AppContainer. If the caller wants to use a more privileged initial
366 // token, or if the lockdown level will prevent the process from starting,
367 // we have to fail the operation.
368 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
369 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
370
371 DCHECK(!appcontainer_list_.get());
372 appcontainer_list_.reset(new AppContainerAttributes);
373 ResultCode rv = appcontainer_list_->SetAppContainer(sid, capabilities_);
374 if (rv != SBOX_ALL_OK)
375 return rv;
376
377 return SBOX_ALL_OK;
378 }
379
380 ResultCode PolicyBase::SetCapability(const wchar_t* sid) {
381 capabilities_.push_back(sid);
382 return SBOX_ALL_OK;
383 }
384
385 ResultCode PolicyBase::SetLowBox(const wchar_t* sid) {
386 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
387 return SBOX_ERROR_UNSUPPORTED;
388
389 // SetLowBox and SetAppContainer are mutually exclusive.
390 if (appcontainer_list_.get())
391 return SBOX_ERROR_UNSUPPORTED;
392
393 DCHECK(sid);
394
395 if (lowbox_sid_)
396 return SBOX_ERROR_BAD_PARAMS;
397
398 if (!ConvertStringSidToSid(sid, &lowbox_sid_))
399 return SBOX_ERROR_GENERIC;
400
401 return SBOX_ALL_OK;
402 }
403
404 ResultCode PolicyBase::SetProcessMitigations(
405 MitigationFlags flags) {
406 if (!CanSetProcessMitigationsPreStartup(flags))
407 return SBOX_ERROR_BAD_PARAMS;
408 mitigations_ = flags;
409 return SBOX_ALL_OK;
410 }
411
412 MitigationFlags PolicyBase::GetProcessMitigations() {
413 return mitigations_;
414 }
415
416 ResultCode PolicyBase::SetDelayedProcessMitigations(
417 MitigationFlags flags) {
418 if (!CanSetProcessMitigationsPostStartup(flags))
419 return SBOX_ERROR_BAD_PARAMS;
420 delayed_mitigations_ = flags;
421 return SBOX_ALL_OK;
422 }
423
424 MitigationFlags PolicyBase::GetDelayedProcessMitigations() const {
425 return delayed_mitigations_;
426 }
427
428 void PolicyBase::SetStrictInterceptions() {
429 relaxed_interceptions_ = false;
430 }
431
432 ResultCode PolicyBase::SetStdoutHandle(HANDLE handle) {
433 if (!IsInheritableHandle(handle))
434 return SBOX_ERROR_BAD_PARAMS;
435 stdout_handle_ = handle;
436 return SBOX_ALL_OK;
437 }
438
439 ResultCode PolicyBase::SetStderrHandle(HANDLE handle) {
440 if (!IsInheritableHandle(handle))
441 return SBOX_ERROR_BAD_PARAMS;
442 stderr_handle_ = handle;
443 return SBOX_ALL_OK;
444 }
445
446 ResultCode PolicyBase::AddRule(SubSystem subsystem,
447 Semantics semantics,
448 const wchar_t* pattern) {
449 ResultCode result = AddRuleInternal(subsystem, semantics, pattern);
450 LOG_IF(ERROR, result != SBOX_ALL_OK) << "Failed to add sandbox rule."
451 << " error = " << result
452 << ", subsystem = " << subsystem
453 << ", semantics = " << semantics
454 << ", pattern = '" << pattern << "'";
455 return result;
456 }
457
458 ResultCode PolicyBase::AddDllToUnload(const wchar_t* dll_name) {
459 blacklisted_dlls_.push_back(dll_name);
460 return SBOX_ALL_OK;
461 }
462
463 ResultCode PolicyBase::AddKernelObjectToClose(const base::char16* handle_type,
464 const base::char16* handle_name) {
465 return handle_closer_.AddHandle(handle_type, handle_name);
466 }
467
468 void* PolicyBase::AddHandleToShare(HANDLE handle) {
469 if (base::win::GetVersion() < base::win::VERSION_VISTA)
470 return nullptr;
471
472 if (!handle)
473 return nullptr;
474
475 HANDLE duped_handle = nullptr;
476 if (!::DuplicateHandle(::GetCurrentProcess(), handle, ::GetCurrentProcess(),
477 &duped_handle, 0, TRUE, DUPLICATE_SAME_ACCESS)) {
478 return nullptr;
479 }
480 handles_to_share_.push_back(new base::win::ScopedHandle(duped_handle));
481 return duped_handle;
482 }
483
484 const HandleList& PolicyBase::GetHandlesBeingShared() {
485 return handles_to_share_;
486 }
487
488 void PolicyBase::ClearSharedHandles() {
489 STLDeleteElements(&handles_to_share_);
490 }
491
492 // When an IPC is ready in any of the targets we get called. We manage an array
493 // of IPC dispatchers which are keyed on the IPC tag so we normally delegate
494 // to the appropriate dispatcher unless we can handle the IPC call ourselves.
495 Dispatcher* PolicyBase::OnMessageReady(IPCParams* ipc,
496 CallbackGeneric* callback) {
497 DCHECK(callback);
498 static const IPCParams ping1 = {IPC_PING1_TAG, {UINT32_TYPE}};
499 static const IPCParams ping2 = {IPC_PING2_TAG, {INOUTPTR_TYPE}};
500
501 if (ping1.Matches(ipc) || ping2.Matches(ipc)) {
502 *callback = reinterpret_cast<CallbackGeneric>(
503 static_cast<Callback1>(&PolicyBase::Ping));
504 return this;
505 }
506
507 Dispatcher* dispatch = GetDispatcher(ipc->ipc_tag);
508 if (!dispatch) {
509 NOTREACHED();
510 return NULL;
511 }
512 return dispatch->OnMessageReady(ipc, callback);
513 }
514
515 // Delegate to the appropriate dispatcher.
516 bool PolicyBase::SetupService(InterceptionManager* manager, int service) {
517 if (IPC_PING1_TAG == service || IPC_PING2_TAG == service)
518 return true;
519
520 Dispatcher* dispatch = GetDispatcher(service);
521 if (!dispatch) {
522 NOTREACHED();
523 return false;
524 }
525 return dispatch->SetupService(manager, service);
526 }
527
528 ResultCode PolicyBase::MakeJobObject(base::win::ScopedHandle* job) {
529 if (job_level_ != JOB_NONE) {
530 // Create the windows job object.
531 Job job_obj;
532 DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_,
533 memory_limit_);
534 if (ERROR_SUCCESS != result)
535 return SBOX_ERROR_GENERIC;
536
537 *job = job_obj.Take();
538 } else {
539 *job = base::win::ScopedHandle();
540 }
541 return SBOX_ALL_OK;
542 }
543
544 ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
545 base::win::ScopedHandle* lockdown) {
546 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() &&
547 lowbox_sid_) {
548 return SBOX_ERROR_BAD_PARAMS;
549 }
550
551 // Create the 'naked' token. This will be the permanent token associated
552 // with the process and therefore with any thread that is not impersonating.
553 DWORD result = CreateRestrictedToken(lockdown_level_, integrity_level_,
554 PRIMARY, lockdown);
555 if (ERROR_SUCCESS != result)
556 return SBOX_ERROR_GENERIC;
557
558 // If we're launching on the alternate desktop we need to make sure the
559 // integrity label on the object is no higher than the sandboxed process's
560 // integrity level. So, we lower the label on the desktop process if it's
561 // not already low enough for our process.
562 if (alternate_desktop_handle_ && use_alternate_desktop_ &&
563 integrity_level_ != INTEGRITY_LEVEL_LAST &&
564 alternate_desktop_integrity_level_label_ < integrity_level_ &&
565 base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
566 // Integrity label enum is reversed (higher level is a lower value).
567 static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED,
568 "Integrity level ordering reversed.");
569 result = SetObjectIntegrityLabel(alternate_desktop_handle_,
570 SE_WINDOW_OBJECT,
571 L"",
572 GetIntegrityLevelString(integrity_level_));
573 if (ERROR_SUCCESS != result)
574 return SBOX_ERROR_GENERIC;
575
576 alternate_desktop_integrity_level_label_ = integrity_level_;
577 }
578
579 // We are maintaining two mutually exclusive approaches. One is to start an
580 // AppContainer process through StartupInfoEx and other is replacing
581 // existing token with LowBox token after process creation.
582 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
583 // Windows refuses to work with an impersonation token. See SetAppContainer
584 // implementation for more details.
585 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
586 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
587
588 *initial = base::win::ScopedHandle();
589 return SBOX_ALL_OK;
590 }
591
592 if (lowbox_sid_) {
593 NtCreateLowBoxToken CreateLowBoxToken = NULL;
594 ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBoxToken);
595 OBJECT_ATTRIBUTES obj_attr;
596 InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
597 HANDLE token_lowbox = NULL;
598
599 if (!lowbox_directory_.IsValid())
600 lowbox_directory_.Set(CreateLowBoxObjectDirectory(lowbox_sid_));
601 DCHECK(lowbox_directory_.IsValid());
602
603 // The order of handles isn't important in the CreateLowBoxToken call.
604 // The kernel will maintain a reference to the object directory handle.
605 HANDLE saved_handles[1] = {lowbox_directory_.Get()};
606 DWORD saved_handles_count = lowbox_directory_.IsValid() ? 1 : 0;
607
608 NTSTATUS status = CreateLowBoxToken(&token_lowbox, lockdown->Get(),
609 TOKEN_ALL_ACCESS, &obj_attr,
610 lowbox_sid_, 0, NULL,
611 saved_handles_count, saved_handles);
612 if (!NT_SUCCESS(status))
613 return SBOX_ERROR_GENERIC;
614
615 DCHECK(token_lowbox);
616 lockdown->Set(token_lowbox);
617 }
618
619 // Create the 'better' token. We use this token as the one that the main
620 // thread uses when booting up the process. It should contain most of
621 // what we need (before reaching main( ))
622 result = CreateRestrictedToken(initial_level_, integrity_level_,
623 IMPERSONATION, initial);
624 if (ERROR_SUCCESS != result)
625 return SBOX_ERROR_GENERIC;
626
627 return SBOX_ALL_OK;
628 }
629
630 const AppContainerAttributes* PolicyBase::GetAppContainer() const {
631 if (!appcontainer_list_.get() || !appcontainer_list_->HasAppContainer())
632 return NULL;
633
634 return appcontainer_list_.get();
635 }
636
637 const PSID PolicyBase::GetLowBoxSid() const {
638 return lowbox_sid_;
639 }
640
641 bool PolicyBase::AddTarget(TargetProcess* target) {
642 if (NULL != policy_)
643 policy_maker_->Done();
644
645 if (!ApplyProcessMitigationsToSuspendedProcess(target->Process(),
646 mitigations_)) {
647 return false;
648 }
649
650 if (!SetupAllInterceptions(target))
651 return false;
652
653 if (!SetupHandleCloser(target))
654 return false;
655
656 // Initialize the sandbox infrastructure for the target.
657 if (ERROR_SUCCESS != target->Init(this, policy_, kIPCMemSize, kPolMemSize))
658 return false;
659
660 g_shared_delayed_integrity_level = delayed_integrity_level_;
661 ResultCode ret = target->TransferVariable(
662 "g_shared_delayed_integrity_level",
663 &g_shared_delayed_integrity_level,
664 sizeof(g_shared_delayed_integrity_level));
665 g_shared_delayed_integrity_level = INTEGRITY_LEVEL_LAST;
666 if (SBOX_ALL_OK != ret)
667 return false;
668
669 // Add in delayed mitigations and pseudo-mitigations enforced at startup.
670 g_shared_delayed_mitigations = delayed_mitigations_ |
671 FilterPostStartupProcessMitigations(mitigations_);
672 if (!CanSetProcessMitigationsPostStartup(g_shared_delayed_mitigations))
673 return false;
674
675 ret = target->TransferVariable("g_shared_delayed_mitigations",
676 &g_shared_delayed_mitigations,
677 sizeof(g_shared_delayed_mitigations));
678 g_shared_delayed_mitigations = 0;
679 if (SBOX_ALL_OK != ret)
680 return false;
681
682 AutoLock lock(&lock_);
683 targets_.push_back(target);
684 return true;
685 }
686
687 bool PolicyBase::OnJobEmpty(HANDLE job) {
688 AutoLock lock(&lock_);
689 TargetSet::iterator it;
690 for (it = targets_.begin(); it != targets_.end(); ++it) {
691 if ((*it)->Job() == job)
692 break;
693 }
694 if (it == targets_.end()) {
695 return false;
696 }
697 TargetProcess* target = *it;
698 targets_.erase(it);
699 delete target;
700 return true;
701 }
702
703 EvalResult PolicyBase::EvalPolicy(int service,
704 CountedParameterSetBase* params) {
705 if (NULL != policy_) {
706 if (NULL == policy_->entry[service]) {
707 // There is no policy for this particular service. This is not a big
708 // deal.
709 return DENY_ACCESS;
710 }
711 for (int i = 0; i < params->count; i++) {
712 if (!params->parameters[i].IsValid()) {
713 NOTREACHED();
714 return SIGNAL_ALARM;
715 }
716 }
717 PolicyProcessor pol_evaluator(policy_->entry[service]);
718 PolicyResult result = pol_evaluator.Evaluate(kShortEval,
719 params->parameters,
720 params->count);
721 if (POLICY_MATCH == result) {
722 return pol_evaluator.GetAction();
723 }
724 DCHECK(POLICY_ERROR != result);
725 }
726
727 return DENY_ACCESS;
728 }
729
730 HANDLE PolicyBase::GetStdoutHandle() {
731 return stdout_handle_;
732 }
733
734 HANDLE PolicyBase::GetStderrHandle() {
735 return stderr_handle_;
736 }
737
738 // We service IPC_PING_TAG message which is a way to test a round trip of the
739 // IPC subsystem. We receive a integer cookie and we are expected to return the
740 // cookie times two (or three) and the current tick count.
741 bool PolicyBase::Ping(IPCInfo* ipc, void* arg1) {
742 switch (ipc->ipc_tag) {
743 case IPC_PING1_TAG: {
744 IPCInt ipc_int(arg1);
745 uint32 cookie = ipc_int.As32Bit();
746 ipc->return_info.extended_count = 2;
747 ipc->return_info.extended[0].unsigned_int = ::GetTickCount();
748 ipc->return_info.extended[1].unsigned_int = 2 * cookie;
749 return true;
750 }
751 case IPC_PING2_TAG: {
752 CountedBuffer* io_buffer = reinterpret_cast<CountedBuffer*>(arg1);
753 if (sizeof(uint32) != io_buffer->Size())
754 return false;
755
756 uint32* cookie = reinterpret_cast<uint32*>(io_buffer->Buffer());
757 *cookie = (*cookie) * 3;
758 return true;
759 }
760 default: return false;
761 }
762 }
763
764 Dispatcher* PolicyBase::GetDispatcher(int ipc_tag) {
765 if (ipc_tag >= IPC_LAST_TAG || ipc_tag <= IPC_UNUSED_TAG)
766 return NULL;
767
768 return ipc_targets_[ipc_tag];
769 }
770
771 bool PolicyBase::SetupAllInterceptions(TargetProcess* target) {
772 InterceptionManager manager(target, relaxed_interceptions_);
773
774 if (policy_) {
775 for (int i = 0; i < IPC_LAST_TAG; i++) {
776 if (policy_->entry[i] && !ipc_targets_[i]->SetupService(&manager, i))
777 return false;
778 }
779 }
780
781 if (!blacklisted_dlls_.empty()) {
782 std::vector<base::string16>::iterator it = blacklisted_dlls_.begin();
783 for (; it != blacklisted_dlls_.end(); ++it) {
784 manager.AddToUnloadModules(it->c_str());
785 }
786 }
787
788 if (!SetupBasicInterceptions(&manager))
789 return false;
790
791 if (!manager.InitializeInterceptions())
792 return false;
793
794 // Finally, setup imports on the target so the interceptions can work.
795 return SetupNtdllImports(target);
796 }
797
798 bool PolicyBase::SetupHandleCloser(TargetProcess* target) {
799 return handle_closer_.InitializeTargetHandles(target);
800 }
801
802 ResultCode PolicyBase::AddRuleInternal(SubSystem subsystem,
803 Semantics semantics,
804 const wchar_t* pattern) {
805 if (NULL == policy_) {
806 policy_ = MakeBrokerPolicyMemory();
807 DCHECK(policy_);
808 policy_maker_ = new LowLevelPolicy(policy_);
809 DCHECK(policy_maker_);
810 }
811
812 switch (subsystem) {
813 case SUBSYS_FILES: {
814 if (!file_system_init_) {
815 if (!FileSystemPolicy::SetInitialRules(policy_maker_))
816 return SBOX_ERROR_BAD_PARAMS;
817 file_system_init_ = true;
818 }
819 if (!FileSystemPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
820 NOTREACHED();
821 return SBOX_ERROR_BAD_PARAMS;
822 }
823 break;
824 }
825 case SUBSYS_SYNC: {
826 if (!SyncPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
827 NOTREACHED();
828 return SBOX_ERROR_BAD_PARAMS;
829 }
830 break;
831 }
832 case SUBSYS_PROCESS: {
833 if (lockdown_level_ < USER_INTERACTIVE &&
834 TargetPolicy::PROCESS_ALL_EXEC == semantics) {
835 // This is unsupported. This is a huge security risk to give full access
836 // to a process handle.
837 return SBOX_ERROR_UNSUPPORTED;
838 }
839 if (!ProcessPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
840 NOTREACHED();
841 return SBOX_ERROR_BAD_PARAMS;
842 }
843 break;
844 }
845 case SUBSYS_NAMED_PIPES: {
846 if (!NamedPipePolicy::GenerateRules(pattern, semantics, policy_maker_)) {
847 NOTREACHED();
848 return SBOX_ERROR_BAD_PARAMS;
849 }
850 break;
851 }
852 case SUBSYS_REGISTRY: {
853 if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
854 NOTREACHED();
855 return SBOX_ERROR_BAD_PARAMS;
856 }
857 break;
858 }
859 case SUBSYS_HANDLES: {
860 if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) {
861 NOTREACHED();
862 return SBOX_ERROR_BAD_PARAMS;
863 }
864 break;
865 }
866
867 case SUBSYS_WIN32K_LOCKDOWN: {
868 if (!ProcessMitigationsWin32KLockdownPolicy::GenerateRules(
869 pattern, semantics, policy_maker_)) {
870 NOTREACHED();
871 return SBOX_ERROR_BAD_PARAMS;
872 }
873 break;
874 }
875
876 default: { return SBOX_ERROR_UNSUPPORTED; }
877 }
878
879 return SBOX_ALL_OK;
880 }
881
882 } // namespace sandbox