1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/win/src/sandbox_policy_base.h"
9 #include "base/basictypes.h"
10 #include "base/callback.h"
11 #include "base/logging.h"
12 #include "base/stl_util.h"
13 #include "base/strings/stringprintf.h"
14 #include "base/win/windows_version.h"
15 #include "sandbox/win/src/app_container.h"
16 #include "sandbox/win/src/filesystem_dispatcher.h"
17 #include "sandbox/win/src/filesystem_policy.h"
18 #include "sandbox/win/src/handle_dispatcher.h"
19 #include "sandbox/win/src/handle_policy.h"
20 #include "sandbox/win/src/job.h"
21 #include "sandbox/win/src/interception.h"
22 #include "sandbox/win/src/process_mitigations.h"
23 #include "sandbox/win/src/named_pipe_dispatcher.h"
24 #include "sandbox/win/src/named_pipe_policy.h"
25 #include "sandbox/win/src/policy_broker.h"
26 #include "sandbox/win/src/policy_engine_processor.h"
27 #include "sandbox/win/src/policy_low_level.h"
28 #include "sandbox/win/src/process_mitigations_win32k_dispatcher.h"
29 #include "sandbox/win/src/process_mitigations_win32k_policy.h"
30 #include "sandbox/win/src/process_thread_dispatcher.h"
31 #include "sandbox/win/src/process_thread_policy.h"
32 #include "sandbox/win/src/registry_dispatcher.h"
33 #include "sandbox/win/src/registry_policy.h"
34 #include "sandbox/win/src/restricted_token_utils.h"
35 #include "sandbox/win/src/sandbox_policy.h"
36 #include "sandbox/win/src/sandbox_utils.h"
37 #include "sandbox/win/src/sync_dispatcher.h"
38 #include "sandbox/win/src/sync_policy.h"
39 #include "sandbox/win/src/target_process.h"
40 #include "sandbox/win/src/window.h"
44 // The standard windows size for one memory page.
45 const size_t kOneMemPage
= 4096;
46 // The IPC and Policy shared memory sizes.
47 const size_t kIPCMemSize
= kOneMemPage
* 2;
48 const size_t kPolMemSize
= kOneMemPage
* 14;
50 // Helper function to allocate space (on the heap) for policy.
51 sandbox::PolicyGlobal
* MakeBrokerPolicyMemory() {
52 const size_t kTotalPolicySz
= kPolMemSize
;
53 sandbox::PolicyGlobal
* policy
= static_cast<sandbox::PolicyGlobal
*>
54 (::operator new(kTotalPolicySz
));
56 memset(policy
, 0, kTotalPolicySz
);
57 policy
->data_size
= kTotalPolicySz
- sizeof(sandbox::PolicyGlobal
);
61 bool IsInheritableHandle(HANDLE handle
) {
64 if (handle
== INVALID_HANDLE_VALUE
)
66 // File handles (FILE_TYPE_DISK) and pipe handles are known to be
67 // inheritable. Console handles (FILE_TYPE_CHAR) are not
68 // inheritable via PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
69 DWORD handle_type
= GetFileType(handle
);
70 return handle_type
== FILE_TYPE_DISK
|| handle_type
== FILE_TYPE_PIPE
;
73 HANDLE
CreateLowBoxObjectDirectory(PSID lowbox_sid
) {
75 if (!::ProcessIdToSessionId(::GetCurrentProcessId(), &session_id
))
78 LPWSTR sid_string
= NULL
;
79 if (!::ConvertSidToStringSid(lowbox_sid
, &sid_string
))
82 base::string16 directory_path
= base::StringPrintf(
83 L
"\\Sessions\\%d\\AppContainerNamedObjects\\%ls",
84 session_id
, sid_string
).c_str();
85 ::LocalFree(sid_string
);
87 NtCreateDirectoryObjectFunction CreateObjectDirectory
= NULL
;
88 ResolveNTFunctionPtr("NtCreateDirectoryObject", &CreateObjectDirectory
);
90 OBJECT_ATTRIBUTES obj_attr
;
91 UNICODE_STRING obj_name
;
92 sandbox::InitObjectAttribs(directory_path
,
93 OBJ_CASE_INSENSITIVE
| OBJ_OPENIF
,
100 NTSTATUS status
= CreateObjectDirectory(&handle
,
101 DIRECTORY_ALL_ACCESS
,
104 if (!NT_SUCCESS(status
))
114 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level
;
115 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations
;
117 // Initializes static members.
118 HWINSTA
PolicyBase::alternate_winstation_handle_
= NULL
;
119 HDESK
PolicyBase::alternate_desktop_handle_
= NULL
;
120 IntegrityLevel
PolicyBase::alternate_desktop_integrity_level_label_
=
121 INTEGRITY_LEVEL_SYSTEM
;
123 PolicyBase::PolicyBase()
125 lockdown_level_(USER_LOCKDOWN
),
126 initial_level_(USER_LOCKDOWN
),
127 job_level_(JOB_LOCKDOWN
),
130 use_alternate_desktop_(false),
131 use_alternate_winstation_(false),
132 file_system_init_(false),
133 relaxed_interceptions_(true),
134 stdout_handle_(INVALID_HANDLE_VALUE
),
135 stderr_handle_(INVALID_HANDLE_VALUE
),
136 integrity_level_(INTEGRITY_LEVEL_LAST
),
137 delayed_integrity_level_(INTEGRITY_LEVEL_LAST
),
139 delayed_mitigations_(0),
143 ::InitializeCriticalSection(&lock_
);
144 // Initialize the IPC dispatcher array.
145 memset(&ipc_targets_
, NULL
, sizeof(ipc_targets_
));
146 Dispatcher
* dispatcher
= NULL
;
148 dispatcher
= new FilesystemDispatcher(this);
149 ipc_targets_
[IPC_NTCREATEFILE_TAG
] = dispatcher
;
150 ipc_targets_
[IPC_NTOPENFILE_TAG
] = dispatcher
;
151 ipc_targets_
[IPC_NTSETINFO_RENAME_TAG
] = dispatcher
;
152 ipc_targets_
[IPC_NTQUERYATTRIBUTESFILE_TAG
] = dispatcher
;
153 ipc_targets_
[IPC_NTQUERYFULLATTRIBUTESFILE_TAG
] = dispatcher
;
155 dispatcher
= new NamedPipeDispatcher(this);
156 ipc_targets_
[IPC_CREATENAMEDPIPEW_TAG
] = dispatcher
;
158 dispatcher
= new ThreadProcessDispatcher(this);
159 ipc_targets_
[IPC_NTOPENTHREAD_TAG
] = dispatcher
;
160 ipc_targets_
[IPC_NTOPENPROCESS_TAG
] = dispatcher
;
161 ipc_targets_
[IPC_CREATEPROCESSW_TAG
] = dispatcher
;
162 ipc_targets_
[IPC_NTOPENPROCESSTOKEN_TAG
] = dispatcher
;
163 ipc_targets_
[IPC_NTOPENPROCESSTOKENEX_TAG
] = dispatcher
;
165 dispatcher
= new SyncDispatcher(this);
166 ipc_targets_
[IPC_CREATEEVENT_TAG
] = dispatcher
;
167 ipc_targets_
[IPC_OPENEVENT_TAG
] = dispatcher
;
169 dispatcher
= new RegistryDispatcher(this);
170 ipc_targets_
[IPC_NTCREATEKEY_TAG
] = dispatcher
;
171 ipc_targets_
[IPC_NTOPENKEY_TAG
] = dispatcher
;
173 dispatcher
= new HandleDispatcher(this);
174 ipc_targets_
[IPC_DUPLICATEHANDLEPROXY_TAG
] = dispatcher
;
176 dispatcher
= new ProcessMitigationsWin32KDispatcher(this);
177 ipc_targets_
[IPC_GDI_GDIDLLINITIALIZE_TAG
] = dispatcher
;
178 ipc_targets_
[IPC_GDI_GETSTOCKOBJECT_TAG
] = dispatcher
;
179 ipc_targets_
[IPC_USER_REGISTERCLASSW_TAG
] = dispatcher
;
182 PolicyBase::~PolicyBase() {
183 ClearSharedHandles();
185 TargetSet::iterator it
;
186 for (it
= targets_
.begin(); it
!= targets_
.end(); ++it
) {
187 TargetProcess
* target
= (*it
);
190 delete ipc_targets_
[IPC_NTCREATEFILE_TAG
];
191 delete ipc_targets_
[IPC_CREATENAMEDPIPEW_TAG
];
192 delete ipc_targets_
[IPC_NTOPENTHREAD_TAG
];
193 delete ipc_targets_
[IPC_CREATEEVENT_TAG
];
194 delete ipc_targets_
[IPC_NTCREATEKEY_TAG
];
195 delete ipc_targets_
[IPC_DUPLICATEHANDLEPROXY_TAG
];
196 delete policy_maker_
;
200 ::LocalFree(lowbox_sid_
);
202 ::DeleteCriticalSection(&lock_
);
205 void PolicyBase::AddRef() {
206 ::InterlockedIncrement(&ref_count
);
209 void PolicyBase::Release() {
210 if (0 == ::InterlockedDecrement(&ref_count
))
214 ResultCode
PolicyBase::SetTokenLevel(TokenLevel initial
, TokenLevel lockdown
) {
215 if (initial
< lockdown
) {
216 return SBOX_ERROR_BAD_PARAMS
;
218 initial_level_
= initial
;
219 lockdown_level_
= lockdown
;
223 TokenLevel
PolicyBase::GetInitialTokenLevel() const {
224 return initial_level_
;
227 TokenLevel
PolicyBase::GetLockdownTokenLevel() const{
228 return lockdown_level_
;
231 ResultCode
PolicyBase::SetJobLevel(JobLevel job_level
, uint32 ui_exceptions
) {
232 if (memory_limit_
&& job_level
== JOB_NONE
) {
233 return SBOX_ERROR_BAD_PARAMS
;
235 job_level_
= job_level
;
236 ui_exceptions_
= ui_exceptions
;
240 ResultCode
PolicyBase::SetJobMemoryLimit(size_t memory_limit
) {
241 if (memory_limit
&& job_level_
== JOB_NONE
) {
242 return SBOX_ERROR_BAD_PARAMS
;
244 memory_limit_
= memory_limit
;
248 ResultCode
PolicyBase::SetAlternateDesktop(bool alternate_winstation
) {
249 use_alternate_desktop_
= true;
250 use_alternate_winstation_
= alternate_winstation
;
251 return CreateAlternateDesktop(alternate_winstation
);
254 base::string16
PolicyBase::GetAlternateDesktop() const {
255 // No alternate desktop or winstation. Return an empty string.
256 if (!use_alternate_desktop_
&& !use_alternate_winstation_
) {
257 return base::string16();
260 // The desktop and winstation should have been created by now.
261 // If we hit this scenario, it means that the user ignored the failure
262 // during SetAlternateDesktop, so we ignore it here too.
263 if (use_alternate_desktop_
&& !alternate_desktop_handle_
) {
264 return base::string16();
266 if (use_alternate_winstation_
&& (!alternate_desktop_handle_
||
267 !alternate_winstation_handle_
)) {
268 return base::string16();
271 return GetFullDesktopName(alternate_winstation_handle_
,
272 alternate_desktop_handle_
);
275 ResultCode
PolicyBase::CreateAlternateDesktop(bool alternate_winstation
) {
276 if (alternate_winstation
) {
277 // Previously called with alternate_winstation = false?
278 if (!alternate_winstation_handle_
&& alternate_desktop_handle_
)
279 return SBOX_ERROR_UNSUPPORTED
;
281 // Check if it's already created.
282 if (alternate_winstation_handle_
&& alternate_desktop_handle_
)
285 DCHECK(!alternate_winstation_handle_
);
286 // Create the window station.
287 ResultCode result
= CreateAltWindowStation(&alternate_winstation_handle_
);
288 if (SBOX_ALL_OK
!= result
)
291 // Verify that everything is fine.
292 if (!alternate_winstation_handle_
||
293 GetWindowObjectName(alternate_winstation_handle_
).empty())
294 return SBOX_ERROR_CANNOT_CREATE_DESKTOP
;
296 // Create the destkop.
297 result
= CreateAltDesktop(alternate_winstation_handle_
,
298 &alternate_desktop_handle_
);
299 if (SBOX_ALL_OK
!= result
)
302 // Verify that everything is fine.
303 if (!alternate_desktop_handle_
||
304 GetWindowObjectName(alternate_desktop_handle_
).empty())
305 return SBOX_ERROR_CANNOT_CREATE_DESKTOP
;
307 // Previously called with alternate_winstation = true?
308 if (alternate_winstation_handle_
)
309 return SBOX_ERROR_UNSUPPORTED
;
311 // Check if it already exists.
312 if (alternate_desktop_handle_
)
315 // Create the destkop.
316 ResultCode result
= CreateAltDesktop(NULL
, &alternate_desktop_handle_
);
317 if (SBOX_ALL_OK
!= result
)
320 // Verify that everything is fine.
321 if (!alternate_desktop_handle_
||
322 GetWindowObjectName(alternate_desktop_handle_
).empty())
323 return SBOX_ERROR_CANNOT_CREATE_DESKTOP
;
329 void PolicyBase::DestroyAlternateDesktop() {
330 if (alternate_desktop_handle_
) {
331 ::CloseDesktop(alternate_desktop_handle_
);
332 alternate_desktop_handle_
= NULL
;
335 if (alternate_winstation_handle_
) {
336 ::CloseWindowStation(alternate_winstation_handle_
);
337 alternate_winstation_handle_
= NULL
;
341 ResultCode
PolicyBase::SetIntegrityLevel(IntegrityLevel integrity_level
) {
342 integrity_level_
= integrity_level
;
346 IntegrityLevel
PolicyBase::GetIntegrityLevel() const {
347 return integrity_level_
;
350 ResultCode
PolicyBase::SetDelayedIntegrityLevel(
351 IntegrityLevel integrity_level
) {
352 delayed_integrity_level_
= integrity_level
;
356 ResultCode
PolicyBase::SetAppContainer(const wchar_t* sid
) {
357 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8
)
360 // SetLowBox and SetAppContainer are mutually exclusive.
362 return SBOX_ERROR_UNSUPPORTED
;
364 // Windows refuses to work with an impersonation token for a process inside
365 // an AppContainer. If the caller wants to use a more privileged initial
366 // token, or if the lockdown level will prevent the process from starting,
367 // we have to fail the operation.
368 if (lockdown_level_
< USER_LIMITED
|| lockdown_level_
!= initial_level_
)
369 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER
;
371 DCHECK(!appcontainer_list_
.get());
372 appcontainer_list_
.reset(new AppContainerAttributes
);
373 ResultCode rv
= appcontainer_list_
->SetAppContainer(sid
, capabilities_
);
374 if (rv
!= SBOX_ALL_OK
)
380 ResultCode
PolicyBase::SetCapability(const wchar_t* sid
) {
381 capabilities_
.push_back(sid
);
385 ResultCode
PolicyBase::SetLowBox(const wchar_t* sid
) {
386 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8
)
387 return SBOX_ERROR_UNSUPPORTED
;
389 // SetLowBox and SetAppContainer are mutually exclusive.
390 if (appcontainer_list_
.get())
391 return SBOX_ERROR_UNSUPPORTED
;
396 return SBOX_ERROR_BAD_PARAMS
;
398 if (!ConvertStringSidToSid(sid
, &lowbox_sid_
))
399 return SBOX_ERROR_GENERIC
;
404 ResultCode
PolicyBase::SetProcessMitigations(
405 MitigationFlags flags
) {
406 if (!CanSetProcessMitigationsPreStartup(flags
))
407 return SBOX_ERROR_BAD_PARAMS
;
408 mitigations_
= flags
;
412 MitigationFlags
PolicyBase::GetProcessMitigations() {
416 ResultCode
PolicyBase::SetDelayedProcessMitigations(
417 MitigationFlags flags
) {
418 if (!CanSetProcessMitigationsPostStartup(flags
))
419 return SBOX_ERROR_BAD_PARAMS
;
420 delayed_mitigations_
= flags
;
424 MitigationFlags
PolicyBase::GetDelayedProcessMitigations() const {
425 return delayed_mitigations_
;
428 void PolicyBase::SetStrictInterceptions() {
429 relaxed_interceptions_
= false;
432 ResultCode
PolicyBase::SetStdoutHandle(HANDLE handle
) {
433 if (!IsInheritableHandle(handle
))
434 return SBOX_ERROR_BAD_PARAMS
;
435 stdout_handle_
= handle
;
439 ResultCode
PolicyBase::SetStderrHandle(HANDLE handle
) {
440 if (!IsInheritableHandle(handle
))
441 return SBOX_ERROR_BAD_PARAMS
;
442 stderr_handle_
= handle
;
446 ResultCode
PolicyBase::AddRule(SubSystem subsystem
,
448 const wchar_t* pattern
) {
449 ResultCode result
= AddRuleInternal(subsystem
, semantics
, pattern
);
450 LOG_IF(ERROR
, result
!= SBOX_ALL_OK
) << "Failed to add sandbox rule."
451 << " error = " << result
452 << ", subsystem = " << subsystem
453 << ", semantics = " << semantics
454 << ", pattern = '" << pattern
<< "'";
458 ResultCode
PolicyBase::AddDllToUnload(const wchar_t* dll_name
) {
459 blacklisted_dlls_
.push_back(dll_name
);
463 ResultCode
PolicyBase::AddKernelObjectToClose(const base::char16
* handle_type
,
464 const base::char16
* handle_name
) {
465 return handle_closer_
.AddHandle(handle_type
, handle_name
);
468 void* PolicyBase::AddHandleToShare(HANDLE handle
) {
469 if (base::win::GetVersion() < base::win::VERSION_VISTA
)
475 HANDLE duped_handle
= nullptr;
476 if (!::DuplicateHandle(::GetCurrentProcess(), handle
, ::GetCurrentProcess(),
477 &duped_handle
, 0, TRUE
, DUPLICATE_SAME_ACCESS
)) {
480 handles_to_share_
.push_back(new base::win::ScopedHandle(duped_handle
));
484 const HandleList
& PolicyBase::GetHandlesBeingShared() {
485 return handles_to_share_
;
488 void PolicyBase::ClearSharedHandles() {
489 STLDeleteElements(&handles_to_share_
);
492 // When an IPC is ready in any of the targets we get called. We manage an array
493 // of IPC dispatchers which are keyed on the IPC tag so we normally delegate
494 // to the appropriate dispatcher unless we can handle the IPC call ourselves.
495 Dispatcher
* PolicyBase::OnMessageReady(IPCParams
* ipc
,
496 CallbackGeneric
* callback
) {
498 static const IPCParams ping1
= {IPC_PING1_TAG
, {UINT32_TYPE
}};
499 static const IPCParams ping2
= {IPC_PING2_TAG
, {INOUTPTR_TYPE
}};
501 if (ping1
.Matches(ipc
) || ping2
.Matches(ipc
)) {
502 *callback
= reinterpret_cast<CallbackGeneric
>(
503 static_cast<Callback1
>(&PolicyBase::Ping
));
507 Dispatcher
* dispatch
= GetDispatcher(ipc
->ipc_tag
);
512 return dispatch
->OnMessageReady(ipc
, callback
);
515 // Delegate to the appropriate dispatcher.
516 bool PolicyBase::SetupService(InterceptionManager
* manager
, int service
) {
517 if (IPC_PING1_TAG
== service
|| IPC_PING2_TAG
== service
)
520 Dispatcher
* dispatch
= GetDispatcher(service
);
525 return dispatch
->SetupService(manager
, service
);
528 ResultCode
PolicyBase::MakeJobObject(HANDLE
* job
) {
529 if (job_level_
!= JOB_NONE
) {
530 // Create the windows job object.
532 DWORD result
= job_obj
.Init(job_level_
, NULL
, ui_exceptions_
,
534 if (ERROR_SUCCESS
!= result
) {
535 return SBOX_ERROR_GENERIC
;
537 *job
= job_obj
.Detach();
544 ResultCode
PolicyBase::MakeTokens(base::win::ScopedHandle
* initial
,
545 base::win::ScopedHandle
* lockdown
) {
546 if (appcontainer_list_
.get() && appcontainer_list_
->HasAppContainer() &&
548 return SBOX_ERROR_BAD_PARAMS
;
551 // Create the 'naked' token. This will be the permanent token associated
552 // with the process and therefore with any thread that is not impersonating.
553 DWORD result
= CreateRestrictedToken(lockdown_level_
, integrity_level_
,
555 if (ERROR_SUCCESS
!= result
)
556 return SBOX_ERROR_GENERIC
;
558 // If we're launching on the alternate desktop we need to make sure the
559 // integrity label on the object is no higher than the sandboxed process's
560 // integrity level. So, we lower the label on the desktop process if it's
561 // not already low enough for our process.
562 if (alternate_desktop_handle_
&& use_alternate_desktop_
&&
563 integrity_level_
!= INTEGRITY_LEVEL_LAST
&&
564 alternate_desktop_integrity_level_label_
< integrity_level_
&&
565 base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA
) {
566 // Integrity label enum is reversed (higher level is a lower value).
567 static_assert(INTEGRITY_LEVEL_SYSTEM
< INTEGRITY_LEVEL_UNTRUSTED
,
568 "Integrity level ordering reversed.");
569 result
= SetObjectIntegrityLabel(alternate_desktop_handle_
,
572 GetIntegrityLevelString(integrity_level_
));
573 if (ERROR_SUCCESS
!= result
)
574 return SBOX_ERROR_GENERIC
;
576 alternate_desktop_integrity_level_label_
= integrity_level_
;
579 // We are maintaining two mutually exclusive approaches. One is to start an
580 // AppContainer process through StartupInfoEx and other is replacing
581 // existing token with LowBox token after process creation.
582 if (appcontainer_list_
.get() && appcontainer_list_
->HasAppContainer()) {
583 // Windows refuses to work with an impersonation token. See SetAppContainer
584 // implementation for more details.
585 if (lockdown_level_
< USER_LIMITED
|| lockdown_level_
!= initial_level_
)
586 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER
;
588 *initial
= base::win::ScopedHandle();
593 NtCreateLowBoxToken CreateLowBoxToken
= NULL
;
594 ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBoxToken
);
595 OBJECT_ATTRIBUTES obj_attr
;
596 InitializeObjectAttributes(&obj_attr
, NULL
, 0, NULL
, NULL
);
597 HANDLE token_lowbox
= NULL
;
599 if (!lowbox_directory_
.IsValid())
600 lowbox_directory_
.Set(CreateLowBoxObjectDirectory(lowbox_sid_
));
601 DCHECK(lowbox_directory_
.IsValid());
603 // The order of handles isn't important in the CreateLowBoxToken call.
604 // The kernel will maintain a reference to the object directory handle.
605 HANDLE saved_handles
[1] = {lowbox_directory_
.Get()};
606 DWORD saved_handles_count
= lowbox_directory_
.IsValid() ? 1 : 0;
608 NTSTATUS status
= CreateLowBoxToken(&token_lowbox
, lockdown
->Get(),
609 TOKEN_ALL_ACCESS
, &obj_attr
,
610 lowbox_sid_
, 0, NULL
,
611 saved_handles_count
, saved_handles
);
612 if (!NT_SUCCESS(status
))
613 return SBOX_ERROR_GENERIC
;
615 DCHECK(token_lowbox
);
616 lockdown
->Set(token_lowbox
);
619 // Create the 'better' token. We use this token as the one that the main
620 // thread uses when booting up the process. It should contain most of
621 // what we need (before reaching main( ))
622 result
= CreateRestrictedToken(initial_level_
, integrity_level_
,
623 IMPERSONATION
, initial
);
624 if (ERROR_SUCCESS
!= result
)
625 return SBOX_ERROR_GENERIC
;
630 const AppContainerAttributes
* PolicyBase::GetAppContainer() const {
631 if (!appcontainer_list_
.get() || !appcontainer_list_
->HasAppContainer())
634 return appcontainer_list_
.get();
637 const PSID
PolicyBase::GetLowBoxSid() const {
641 bool PolicyBase::AddTarget(TargetProcess
* target
) {
643 policy_maker_
->Done();
645 if (!ApplyProcessMitigationsToSuspendedProcess(target
->Process(),
650 if (!SetupAllInterceptions(target
))
653 if (!SetupHandleCloser(target
))
656 // Initialize the sandbox infrastructure for the target.
657 if (ERROR_SUCCESS
!= target
->Init(this, policy_
, kIPCMemSize
, kPolMemSize
))
660 g_shared_delayed_integrity_level
= delayed_integrity_level_
;
661 ResultCode ret
= target
->TransferVariable(
662 "g_shared_delayed_integrity_level",
663 &g_shared_delayed_integrity_level
,
664 sizeof(g_shared_delayed_integrity_level
));
665 g_shared_delayed_integrity_level
= INTEGRITY_LEVEL_LAST
;
666 if (SBOX_ALL_OK
!= ret
)
669 // Add in delayed mitigations and pseudo-mitigations enforced at startup.
670 g_shared_delayed_mitigations
= delayed_mitigations_
|
671 FilterPostStartupProcessMitigations(mitigations_
);
672 if (!CanSetProcessMitigationsPostStartup(g_shared_delayed_mitigations
))
675 ret
= target
->TransferVariable("g_shared_delayed_mitigations",
676 &g_shared_delayed_mitigations
,
677 sizeof(g_shared_delayed_mitigations
));
678 g_shared_delayed_mitigations
= 0;
679 if (SBOX_ALL_OK
!= ret
)
682 AutoLock
lock(&lock_
);
683 targets_
.push_back(target
);
687 bool PolicyBase::OnJobEmpty(HANDLE job
) {
688 AutoLock
lock(&lock_
);
689 TargetSet::iterator it
;
690 for (it
= targets_
.begin(); it
!= targets_
.end(); ++it
) {
691 if ((*it
)->Job() == job
)
694 if (it
== targets_
.end()) {
697 TargetProcess
* target
= *it
;
703 EvalResult
PolicyBase::EvalPolicy(int service
,
704 CountedParameterSetBase
* params
) {
705 if (NULL
!= policy_
) {
706 if (NULL
== policy_
->entry
[service
]) {
707 // There is no policy for this particular service. This is not a big
711 for (int i
= 0; i
< params
->count
; i
++) {
712 if (!params
->parameters
[i
].IsValid()) {
717 PolicyProcessor
pol_evaluator(policy_
->entry
[service
]);
718 PolicyResult result
= pol_evaluator
.Evaluate(kShortEval
,
721 if (POLICY_MATCH
== result
) {
722 return pol_evaluator
.GetAction();
724 DCHECK(POLICY_ERROR
!= result
);
730 HANDLE
PolicyBase::GetStdoutHandle() {
731 return stdout_handle_
;
734 HANDLE
PolicyBase::GetStderrHandle() {
735 return stderr_handle_
;
738 // We service IPC_PING_TAG message which is a way to test a round trip of the
739 // IPC subsystem. We receive a integer cookie and we are expected to return the
740 // cookie times two (or three) and the current tick count.
741 bool PolicyBase::Ping(IPCInfo
* ipc
, void* arg1
) {
742 switch (ipc
->ipc_tag
) {
743 case IPC_PING1_TAG
: {
744 IPCInt
ipc_int(arg1
);
745 uint32 cookie
= ipc_int
.As32Bit();
746 ipc
->return_info
.extended_count
= 2;
747 ipc
->return_info
.extended
[0].unsigned_int
= ::GetTickCount();
748 ipc
->return_info
.extended
[1].unsigned_int
= 2 * cookie
;
751 case IPC_PING2_TAG
: {
752 CountedBuffer
* io_buffer
= reinterpret_cast<CountedBuffer
*>(arg1
);
753 if (sizeof(uint32
) != io_buffer
->Size())
756 uint32
* cookie
= reinterpret_cast<uint32
*>(io_buffer
->Buffer());
757 *cookie
= (*cookie
) * 3;
760 default: return false;
764 Dispatcher
* PolicyBase::GetDispatcher(int ipc_tag
) {
765 if (ipc_tag
>= IPC_LAST_TAG
|| ipc_tag
<= IPC_UNUSED_TAG
)
768 return ipc_targets_
[ipc_tag
];
771 bool PolicyBase::SetupAllInterceptions(TargetProcess
* target
) {
772 InterceptionManager
manager(target
, relaxed_interceptions_
);
775 for (int i
= 0; i
< IPC_LAST_TAG
; i
++) {
776 if (policy_
->entry
[i
] && !ipc_targets_
[i
]->SetupService(&manager
, i
))
781 if (!blacklisted_dlls_
.empty()) {
782 std::vector
<base::string16
>::iterator it
= blacklisted_dlls_
.begin();
783 for (; it
!= blacklisted_dlls_
.end(); ++it
) {
784 manager
.AddToUnloadModules(it
->c_str());
788 if (!SetupBasicInterceptions(&manager
))
791 if (!manager
.InitializeInterceptions())
794 // Finally, setup imports on the target so the interceptions can work.
795 return SetupNtdllImports(target
);
798 bool PolicyBase::SetupHandleCloser(TargetProcess
* target
) {
799 return handle_closer_
.InitializeTargetHandles(target
);
802 ResultCode
PolicyBase::AddRuleInternal(SubSystem subsystem
,
804 const wchar_t* pattern
) {
805 if (NULL
== policy_
) {
806 policy_
= MakeBrokerPolicyMemory();
808 policy_maker_
= new LowLevelPolicy(policy_
);
809 DCHECK(policy_maker_
);
814 if (!file_system_init_
) {
815 if (!FileSystemPolicy::SetInitialRules(policy_maker_
))
816 return SBOX_ERROR_BAD_PARAMS
;
817 file_system_init_
= true;
819 if (!FileSystemPolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
821 return SBOX_ERROR_BAD_PARAMS
;
826 if (!SyncPolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
828 return SBOX_ERROR_BAD_PARAMS
;
832 case SUBSYS_PROCESS
: {
833 if (lockdown_level_
< USER_INTERACTIVE
&&
834 TargetPolicy::PROCESS_ALL_EXEC
== semantics
) {
835 // This is unsupported. This is a huge security risk to give full access
836 // to a process handle.
837 return SBOX_ERROR_UNSUPPORTED
;
839 if (!ProcessPolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
841 return SBOX_ERROR_BAD_PARAMS
;
845 case SUBSYS_NAMED_PIPES
: {
846 if (!NamedPipePolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
848 return SBOX_ERROR_BAD_PARAMS
;
852 case SUBSYS_REGISTRY
: {
853 if (!RegistryPolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
855 return SBOX_ERROR_BAD_PARAMS
;
859 case SUBSYS_HANDLES
: {
860 if (!HandlePolicy::GenerateRules(pattern
, semantics
, policy_maker_
)) {
862 return SBOX_ERROR_BAD_PARAMS
;
867 case SUBSYS_WIN32K_LOCKDOWN
: {
868 if (!ProcessMitigationsWin32KLockdownPolicy::GenerateRules(
869 pattern
, semantics
, policy_maker_
)) {
871 return SBOX_ERROR_BAD_PARAMS
;
876 default: { return SBOX_ERROR_UNSUPPORTED
; }
882 } // namespace sandbox