sandbox/win/src/window.cc

   1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/win/src/window.h"
   6
   7 #include <aclapi.h>
   8
   9 #include "base/logging.h"
  10 #include "base/memory/scoped_ptr.h"
  11 #include "sandbox/win/src/acl.h"
  12 #include "sandbox/win/src/sid.h"
  13
  14 namespace {
  15
  16 // Gets the security attributes of a window object referenced by |handle|. The
  17 // lpSecurityDescriptor member of the SECURITY_ATTRIBUTES parameter returned
  18 // must be freed using LocalFree by the caller.
  19 bool GetSecurityAttributes(HANDLE handle, SECURITY_ATTRIBUTES* attributes) {
  20   attributes->bInheritHandle = FALSE;
  21   attributes->nLength = sizeof(SECURITY_ATTRIBUTES);
  22
  23   PACL dacl = NULL;
  24   DWORD result = ::GetSecurityInfo(handle, SE_WINDOW_OBJECT,
  25                                    DACL_SECURITY_INFORMATION, NULL, NULL, &dacl,
  26                                    NULL, &attributes->lpSecurityDescriptor);
  27   if (ERROR_SUCCESS == result)
  28     return true;
  29
  30   return false;
  31 }
  32
  33 }
  34
  35 namespace sandbox {
  36
  37 ResultCode CreateAltWindowStation(HWINSTA* winsta) {
  38   // Get the security attributes from the current window station; we will
  39   // use this as the base security attributes for the new window station.
  40   SECURITY_ATTRIBUTES attributes = {0};
  41   if (!GetSecurityAttributes(::GetProcessWindowStation(), &attributes)) {
  42     return SBOX_ERROR_CANNOT_CREATE_WINSTATION;
  43   }
  44
  45   // Create the window station using NULL for the name to ask the os to
  46   // generate it.
  47   *winsta = ::CreateWindowStationW(
  48       NULL, 0, GENERIC_READ | WINSTA_CREATEDESKTOP, &attributes);
  49   LocalFree(attributes.lpSecurityDescriptor);
  50
  51   if (*winsta)
  52     return SBOX_ALL_OK;
  53
  54   return SBOX_ERROR_CANNOT_CREATE_WINSTATION;
  55 }
  56
  57 ResultCode CreateAltDesktop(HWINSTA winsta, HDESK* desktop) {
  58   base::string16 desktop_name = L"sbox_alternate_desktop_";
  59
  60   // Append the current PID to the desktop name.
  61   wchar_t buffer[16];
  62   _snwprintf_s(buffer, sizeof(buffer) / sizeof(wchar_t), L"0x%X",
  63                ::GetCurrentProcessId());
  64   desktop_name += buffer;
  65
  66   // Get the security attributes from the current desktop, we will use this as
  67   // the base security attributes for the new desktop.
  68   SECURITY_ATTRIBUTES attributes = {0};
  69   if (!GetSecurityAttributes(GetThreadDesktop(GetCurrentThreadId()),
  70                              &attributes)) {
  71     return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
  72   }
  73
  74   // Back up the current window station, in case we need to switch it.
  75   HWINSTA current_winsta = ::GetProcessWindowStation();
  76
  77   if (winsta) {
  78     // We need to switch to the alternate window station before creating the
  79     // desktop.
  80     if (!::SetProcessWindowStation(winsta)) {
  81       ::LocalFree(attributes.lpSecurityDescriptor);
  82       return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
  83     }
  84   }
  85
  86   // Create the destkop.
  87   *desktop = ::CreateDesktop(desktop_name.c_str(),
  88                              NULL,
  89                              NULL,
  90                              0,
  91                              DESKTOP_CREATEWINDOW | DESKTOP_READOBJECTS |
  92                                  READ_CONTROL | WRITE_DAC | WRITE_OWNER,
  93                              &attributes);
  94   ::LocalFree(attributes.lpSecurityDescriptor);
  95
  96   if (winsta) {
  97     // Revert to the right window station.
  98     if (!::SetProcessWindowStation(current_winsta)) {
  99       return SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION;
 100     }
 101   }
 102
 103   if (*desktop) {
 104     // Replace the DACL on the new Desktop with a reduced privilege version.
 105     // We can soft fail on this for now, as it's just an extra mitigation.
 106     static const ACCESS_MASK kDesktopDenyMask = WRITE_DAC | WRITE_OWNER |
 107                                                 DELETE |
 108                                                 DESKTOP_CREATEMENU |
 109                                                 DESKTOP_CREATEWINDOW |
 110                                                 DESKTOP_HOOKCONTROL |
 111                                                 DESKTOP_JOURNALPLAYBACK |
 112                                                 DESKTOP_JOURNALRECORD |
 113                                                 DESKTOP_SWITCHDESKTOP;
 114     AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT, Sid(WinRestrictedCodeSid),
 115                         DENY_ACCESS, kDesktopDenyMask);
 116     return SBOX_ALL_OK;
 117   }
 118
 119   return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
 120 }
 121
 122 base::string16 GetWindowObjectName(HANDLE handle) {
 123   // Get the size of the name.
 124   DWORD size = 0;
 125   ::GetUserObjectInformation(handle, UOI_NAME, NULL, 0, &size);
 126
 127   if (!size) {
 128     NOTREACHED();
 129     return base::string16();
 130   }
 131
 132   // Create the buffer that will hold the name.
 133   scoped_ptr<wchar_t[]> name_buffer(new wchar_t[size]);
 134
 135   // Query the name of the object.
 136   if (!::GetUserObjectInformation(handle, UOI_NAME, name_buffer.get(), size,
 137                                   &size)) {
 138     NOTREACHED();
 139     return base::string16();
 140   }
 141
 142   return base::string16(name_buffer.get());
 143 }
 144
 145 base::string16 GetFullDesktopName(HWINSTA winsta, HDESK desktop) {
 146   if (!desktop) {
 147     NOTREACHED();
 148     return base::string16();
 149   }
 150
 151   base::string16 name;
 152   if (winsta) {
 153     name = GetWindowObjectName(winsta);
 154     name += L'\\';
 155   }
 156
 157   name += GetWindowObjectName(desktop);
 158   return name;
 159 }
 160
 161 }  // namespace sandbox