Add sandbox support for Windows process mitigations

sandbox/src/target_process.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/src/target_process.h"
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/win/pe_image.h"
 #include "base/win/windows_version.h"
 #include "sandbox/src/crosscall_server.h"
 #include "sandbox/src/crosscall_client.h"
+#include "sandbox/src/internal_types.h"
 #include "sandbox/src/policy_low_level.h"
 #include "sandbox/src/sandbox_types.h"
 #include "sandbox/src/sharedmem_ipc_server.h"
 
 namespace {
 
 void CopyPolicyToTarget(const void* source, size_t size, void* dest) {
   if (!source || !size)
     return;
   memcpy(dest, source, size);
@@ skipping 25 matching lines @@
     if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
       break;
     size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k,
                            static_cast<SIZE_T>(end - ptr));
     if (ptr && memory_info.State == MEM_FREE)
       ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS);
     ptr += size;
   }
 }
 
-}
+// This helper class wraps the STARTUPINFO structure and handles the
+// additional attributes in STARTUPINFOEX.
+class ScopedStartupInfo {
+ public:
+  ScopedStartupInfo() {
+    memset(&startup_info_, 0, sizeof(startup_info_));
+
+    // Pre Windows Vista doesn't support STARTUPINFOEX.
+    if (base::win::GetVersion() < base::win::VERSION_VISTA) {
+      startup_info_.StartupInfo.cb = sizeof(STARTUPINFO);
+      return;
+    }
+
+    startup_info_.StartupInfo.cb = sizeof(STARTUPINFOEX);

[cpu_(ooo_6.6-7.5), 2012/07/02 21:42:32]

sizeof(startup_info_)

+
+    // Load the attribute API functions.
+    if (!s_InitializeProcThreadAttributeList) {
+      HMODULE module = ::GetModuleHandleW(sandbox::kKerneldllName);
+      s_InitializeProcThreadAttributeList =
+          reinterpret_cast<InitializeProcThreadAttributeListFunction>(
+              ::GetProcAddress(module, "InitializeProcThreadAttributeList"));
+      s_UpdateProcThreadAttribute =
+          reinterpret_cast<UpdateProcThreadAttributeFunction>(
+              ::GetProcAddress(module, "UpdateProcThreadAttribute"));
+      s_DeleteProcThreadAttributeList =
+          reinterpret_cast<DeleteProcThreadAttributeListFunction>(
+              ::GetProcAddress(module, "DeleteProcThreadAttributeList"));
+    }
+  }
+
+  ~ScopedStartupInfo() {
+    if (startup_info_.lpAttributeList) {
+      s_DeleteProcThreadAttributeList(startup_info_.lpAttributeList);
+      delete [] reinterpret_cast<BYTE*>(startup_info_.lpAttributeList);
+    }
+  }
+
+  // Initialize the attribute list to the specified number of entries.
+  bool InitializeProcThreadAttributeList(DWORD attribute_count) {
+    if (startup_info_.lpAttributeList)
+      return false;
+
+    SIZE_T size = 0;
+    s_InitializeProcThreadAttributeList(NULL, attribute_count, 0, &size);
+    if (size == 0)
+      return false;
+
+    startup_info_.lpAttributeList =
+        reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(new BYTE[size]);
+    if (!s_InitializeProcThreadAttributeList(startup_info_.lpAttributeList,
+                                             attribute_count, 0, &size)) {
+      delete [] reinterpret_cast<BYTE*>(startup_info_.lpAttributeList);
+      return false;
+    }
+
+    return true;
+  }
+
+  // Sets one entry in the initialized attribute list.
+  bool UpdateProcThreadAttribute(DWORD_PTR attribute,
+                                 PVOID value,

[cpu_(ooo_6.6-7.5), 2012/07/02 21:42:32]

PVOID --> void*

Interestingly we also mix SIZE_T and size_t in this file. I'll let that go :)

+                                 SIZE_T size) {
+    if (!startup_info_.lpAttributeList)
+      return false;
+    return s_UpdateProcThreadAttribute(startup_info_.lpAttributeList, 0,
+                                       attribute, value, size, NULL, NULL);
+  }
+
+  STARTUPINFO* data() { return &startup_info_.StartupInfo; }
+
+ private:
+  STARTUPINFOEX startup_info_;
+
+  typedef BOOL (WINAPI *InitializeProcThreadAttributeListFunction)(
+      LPPROC_THREAD_ATTRIBUTE_LIST attribute_list,
+      DWORD attribute_count,
+      DWORD flags,
+      PSIZE_T size);
+  static InitializeProcThreadAttributeListFunction
+      s_InitializeProcThreadAttributeList;
+
+  typedef BOOL (WINAPI *UpdateProcThreadAttributeFunction)(
+      LPPROC_THREAD_ATTRIBUTE_LIST attribute_list,
+      DWORD flags,
+      DWORD_PTR attribute,
+      PVOID value,
+      SIZE_T size,
+      PVOID previous_value,
+      PSIZE_T return_size);
+  static UpdateProcThreadAttributeFunction s_UpdateProcThreadAttribute;
+
+  typedef VOID (WINAPI *DeleteProcThreadAttributeListFunction)(
+      LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList);
+  static DeleteProcThreadAttributeListFunction s_DeleteProcThreadAttributeList;
+
+  DISALLOW_COPY_AND_ASSIGN(ScopedStartupInfo);
+};
+
+ScopedStartupInfo::InitializeProcThreadAttributeListFunction
+    ScopedStartupInfo::s_InitializeProcThreadAttributeList;
+ScopedStartupInfo::UpdateProcThreadAttributeFunction
+    ScopedStartupInfo::s_UpdateProcThreadAttribute;
+ScopedStartupInfo::DeleteProcThreadAttributeListFunction
+    ScopedStartupInfo::s_DeleteProcThreadAttributeList;
+
+}  // namespace
 
 namespace sandbox {
 
 SANDBOX_INTERCEPT HANDLE g_shared_section;
 SANDBOX_INTERCEPT size_t g_shared_IPC_size;
 SANDBOX_INTERCEPT size_t g_shared_policy_size;
 
 // Returns the address of the main exe module in memory taking in account
 // address space layout randomization.
 void* GetBaseAddress(const wchar_t* exe_name, void* entry_point) {
@@ skipping 69 matching lines @@
   // Start the target process suspended.
   DWORD flags =
       CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT | DETACHED_PROCESS;
 
   if (base::win::GetVersion() < base::win::VERSION_WIN8) {
     // Windows 8 implements nested jobs, but for older systems we need to
     // break out of any job we're in to enforce our restrictions.
     flags |= CREATE_BREAKAWAY_FROM_JOB;
   }
 
-  STARTUPINFO startup_info = {sizeof(STARTUPINFO)};
-  if (desktop) {
-    startup_info.lpDesktop = desktop_name.get();
+  ScopedStartupInfo startup_info;
+  if (desktop)
+    startup_info.data()->lpDesktop = desktop_name.get();
+  if (base::win::GetVersion() >= base::win::VERSION_WIN7) {

[cpu_(ooo_6.6-7.5), 2012/07/02 21:42:32]

space after line 256

+    flags |= EXTENDED_STARTUPINFO_PRESENT;
+    DWORD_PTR mitigation_flags =
+        PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE |
+        PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE |

[cpu_(ooo_6.6-7.5), 2012/07/02 21:42:32]

I think these flags need to be passed as an argument. We can harcode them one
level up for the time being.

For example dep_atl_thunk_enable weakens the protection and it is not necessary
for renderers, which should not be using ATL window thunking.

Check also sandbox::SetCurrentProcessDEP in startup_helper_win.cc
we should unify with that as well.

+        PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE;
+
+// TODO(jschuh): Remove this #ifdef after we resolve the SDK versioning.
+#if defined(_WIN32_WINNT_WIN8) && _WIN32_WINNT >= _WIN32_WINNT_WIN8
+    if (base::win::GetVersion() >= base::win::VERSION_WIN8) {
+      mitigation_flags |=
+        PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON |
+        PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON |
+        PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON |
+        PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS;
+    }
+#endif
+
+    if (startup_info.InitializeProcThreadAttributeList(1)) {
+      startup_info.UpdateProcThreadAttribute(
+          PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigation_flags,
+          sizeof(mitigation_flags));
+    }
   }
 
   base::win::ScopedProcessInformation process_info;
 
   if (!::CreateProcessAsUserW(lockdown_token_,
                               exe_path,
                               cmd_line.get(),
                               NULL,   // No security attribute.
                               NULL,   // No thread attribute.
                               FALSE,  // Do not inherit handles.
                               flags,
                               NULL,   // Use the environment of the caller.
                               NULL,   // Use current directory of the caller.
-                              &startup_info,
+                              startup_info.data(),
                               process_info.Receive())) {
     return ::GetLastError();
   }
   lockdown_token_.Close();
 
   PoisonLowerAddressRange(process_info.process_handle());
 
   DWORD win_result = ERROR_SUCCESS;
 
   // Assign the suspended target to the windows job object
@@ skipping 171 matching lines @@
 
 
 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) {
   TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL);
   target->sandbox_process_info_.Receive()->hProcess = process;
   target->base_address_ = base_address;
   return target;
 }
 
 }  // namespace sandbox