search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "Fix broken channel icon in chrome://help on CrOS" and try again
[chromium-blink-merge.git] / sandbox / win / src / target_services.cc
blob116f0c929b81ee71ac9d5f7f686593e56a3e78f4
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/target_services.h"
6
7 #include <new>
8
9 #include <process.h>
10
11 #include "base/basictypes.h"
12 #include "base/win/windows_version.h"
13 #include "sandbox/win/src/crosscall_client.h"
14 #include "sandbox/win/src/handle_closer_agent.h"
15 #include "sandbox/win/src/handle_interception.h"
16 #include "sandbox/win/src/ipc_tags.h"
17 #include "sandbox/win/src/process_mitigations.h"
18 #include "sandbox/win/src/restricted_token_utils.h"
19 #include "sandbox/win/src/sandbox.h"
20 #include "sandbox/win/src/sandbox_types.h"
21 #include "sandbox/win/src/sharedmem_ipc_client.h"
22 #include "sandbox/win/src/sandbox_nt_util.h"
23
24 namespace {
25
26 // Flushing a cached key is triggered by just opening the key and closing the
27 // resulting handle. RegDisablePredefinedCache() is the documented way to flush
28 // HKCU so do not use it with this function.
29 bool FlushRegKey(HKEY root) {
30 HKEY key;
31 if (ERROR_SUCCESS == ::RegOpenKeyExW(root, NULL, 0, MAXIMUM_ALLOWED, &key)) {
32 if (ERROR_SUCCESS != ::RegCloseKey(key))
33 return false;
34 }
35 return true;
36 }
37
38 // This function forces advapi32.dll to release some internally cached handles
39 // that were made during calls to RegOpenkey and RegOpenKeyEx if it is called
40 // with a more restrictive token. Returns true if the flushing is succesful
41 // although this behavior is undocumented and there is no guarantee that in
42 // fact this will happen in future versions of windows.
43 bool FlushCachedRegHandles() {
44 return (FlushRegKey(HKEY_LOCAL_MACHINE) &&
45 FlushRegKey(HKEY_CLASSES_ROOT) &&
46 FlushRegKey(HKEY_USERS));
47 }
48
49 // Checks if we have handle entries pending and runs the closer.
50 // Updates is_csrss_connected based on which handle types are closed.
51 bool CloseOpenHandles(bool* is_csrss_connected) {
52 if (sandbox::HandleCloserAgent::NeedsHandlesClosed()) {
53 sandbox::HandleCloserAgent handle_closer;
54 handle_closer.InitializeHandlesToClose(is_csrss_connected);
55 if (!handle_closer.CloseHandles())
56 return false;
57 }
58
59 return true;
60 }
61
62
63 // Used as storage for g_target_services, because other allocation facilities
64 // are not available early. We can't use a regular function static because on
65 // VS2015, because the CRT tries to acquire a lock to guard initialization, but
66 // this code runs before the CRT is initialized.
67 char g_target_services_memory[sizeof(sandbox::TargetServicesBase)];
68 sandbox::TargetServicesBase* g_target_services = nullptr;
69
70 } // namespace
71
72 namespace sandbox {
73
74 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level =
75 INTEGRITY_LEVEL_LAST;
76 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations = 0;
77
78 TargetServicesBase::TargetServicesBase() {
79 }
80
81 ResultCode TargetServicesBase::Init() {
82 process_state_.SetInitCalled();
83 return SBOX_ALL_OK;
84 }
85
86 // Failure here is a breach of security so the process is terminated.
87 void TargetServicesBase::LowerToken() {
88 if (ERROR_SUCCESS !=
89 SetProcessIntegrityLevel(g_shared_delayed_integrity_level))
90 ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_INTEGRITY);
91 process_state_.SetRevertedToSelf();
92 // If the client code as called RegOpenKey, advapi32.dll has cached some
93 // handles. The following code gets rid of them.
94 if (!::RevertToSelf())
95 ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_DROPTOKEN);
96 if (!FlushCachedRegHandles())
97 ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_FLUSHANDLES);
98 if (ERROR_SUCCESS != ::RegDisablePredefinedCache())
99 ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
100 bool is_csrss_connected = true;
101 if (!CloseOpenHandles(&is_csrss_connected))
102 ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);
103 process_state_.SetCsrssConnected(is_csrss_connected);
104 // Enabling mitigations must happen last otherwise handle closing breaks
105 if (g_shared_delayed_mitigations &&
106 !ApplyProcessMitigationsToCurrentProcess(g_shared_delayed_mitigations))
107 ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_MITIGATION);
108 }
109
110 ProcessState* TargetServicesBase::GetState() {
111 return &process_state_;
112 }
113
114 TargetServicesBase* TargetServicesBase::GetInstance() {
115 // Leak on purpose TargetServicesBase.
116 if (!g_target_services)
117 g_target_services = new (g_target_services_memory) TargetServicesBase;
118 return g_target_services;
119 }
120
121 // The broker services a 'test' IPC service with the IPC_PING_TAG tag.
122 bool TargetServicesBase::TestIPCPing(int version) {
123 void* memory = GetGlobalIPCMemory();
124 if (NULL == memory) {
125 return false;
126 }
127 SharedMemIPCClient ipc(memory);
128 CrossCallReturn answer = {0};
129
130 if (1 == version) {
131 uint32 tick1 = ::GetTickCount();
132 uint32 cookie = 717115;
133 ResultCode code = CrossCall(ipc, IPC_PING1_TAG, cookie, &answer);
134
135 if (SBOX_ALL_OK != code) {
136 return false;
137 }
138 // We should get two extended returns values from the IPC, one is the
139 // tick count on the broker and the other is the cookie times two.
140 if ((answer.extended_count != 2)) {
141 return false;
142 }
143 // We test the first extended answer to be within the bounds of the tick
144 // count only if there was no tick count wraparound.
145 uint32 tick2 = ::GetTickCount();
146 if (tick2 >= tick1) {
147 if ((answer.extended[0].unsigned_int < tick1) ||
148 (answer.extended[0].unsigned_int > tick2)) {
149 return false;
150 }
151 }
152
153 if (answer.extended[1].unsigned_int != cookie * 2) {
154 return false;
155 }
156 } else if (2 == version) {
157 uint32 cookie = 717111;
158 InOutCountedBuffer counted_buffer(&cookie, sizeof(cookie));
159 ResultCode code = CrossCall(ipc, IPC_PING2_TAG, counted_buffer, &answer);
160
161 if (SBOX_ALL_OK != code) {
162 return false;
163 }
164 if (cookie != 717111 * 3) {
165 return false;
166 }
167 } else {
168 return false;
169 }
170 return true;
171 }
172
173 ProcessState::ProcessState() : process_state_(0), csrss_connected_(true) {
174 }
175
176 bool ProcessState::IsKernel32Loaded() const {
177 return process_state_ != 0;
178 }
179
180 bool ProcessState::InitCalled() const {
181 return process_state_ > 1;
182 }
183
184 bool ProcessState::RevertedToSelf() const {
185 return process_state_ > 2;
186 }
187
188 bool ProcessState::IsCsrssConnected() const {
189 return csrss_connected_;
190 }
191
192 void ProcessState::SetKernel32Loaded() {
193 if (!process_state_)
194 process_state_ = 1;
195 }
196
197 void ProcessState::SetInitCalled() {
198 if (process_state_ < 2)
199 process_state_ = 2;
200 }
201
202 void ProcessState::SetRevertedToSelf() {
203 if (process_state_ < 3)
204 process_state_ = 3;
205 }
206
207 void ProcessState::SetCsrssConnected(bool csrss_connected) {
208 csrss_connected_ = csrss_connected;
209 }
210
211
212 ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle,
213 DWORD target_process_id,
214 HANDLE* target_handle,
215 DWORD desired_access,
216 DWORD options) {
217 return sandbox::DuplicateHandleProxy(source_handle, target_process_id,
218 target_handle, desired_access, options);
219 }
220
221 } // namespace sandbox