OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
6 | 6 |
7 #include <sddl.h> | 7 #include <sddl.h> |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 #include <stdint.h> | 9 #include <stdint.h> |
10 | 10 |
(...skipping 115 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
126 use_alternate_desktop_(false), | 126 use_alternate_desktop_(false), |
127 use_alternate_winstation_(false), | 127 use_alternate_winstation_(false), |
128 file_system_init_(false), | 128 file_system_init_(false), |
129 relaxed_interceptions_(true), | 129 relaxed_interceptions_(true), |
130 stdout_handle_(INVALID_HANDLE_VALUE), | 130 stdout_handle_(INVALID_HANDLE_VALUE), |
131 stderr_handle_(INVALID_HANDLE_VALUE), | 131 stderr_handle_(INVALID_HANDLE_VALUE), |
132 integrity_level_(INTEGRITY_LEVEL_LAST), | 132 integrity_level_(INTEGRITY_LEVEL_LAST), |
133 delayed_integrity_level_(INTEGRITY_LEVEL_LAST), | 133 delayed_integrity_level_(INTEGRITY_LEVEL_LAST), |
134 mitigations_(0), | 134 mitigations_(0), |
135 delayed_mitigations_(0), | 135 delayed_mitigations_(0), |
| 136 is_csrss_connected_(true), |
136 policy_maker_(NULL), | 137 policy_maker_(NULL), |
137 policy_(NULL), | 138 policy_(NULL), |
138 lowbox_sid_(NULL) { | 139 lowbox_sid_(NULL) { |
139 ::InitializeCriticalSection(&lock_); | 140 ::InitializeCriticalSection(&lock_); |
140 dispatcher_.reset(new TopLevelDispatcher(this)); | 141 dispatcher_.reset(new TopLevelDispatcher(this)); |
141 } | 142 } |
142 | 143 |
143 PolicyBase::~PolicyBase() { | 144 PolicyBase::~PolicyBase() { |
144 ClearSharedHandles(); | 145 ClearSharedHandles(); |
145 | 146 |
(...skipping 472 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
618 } | 619 } |
619 if (it == targets_.end()) { | 620 if (it == targets_.end()) { |
620 return false; | 621 return false; |
621 } | 622 } |
622 TargetProcess* target = *it; | 623 TargetProcess* target = *it; |
623 targets_.erase(it); | 624 targets_.erase(it); |
624 delete target; | 625 delete target; |
625 return true; | 626 return true; |
626 } | 627 } |
627 | 628 |
| 629 void PolicyBase::SetDisconnectCsrss() { |
| 630 if (base::win::GetVersion() >= base::win::VERSION_WIN8) { |
| 631 is_csrss_connected_ = false; |
| 632 AddKernelObjectToClose(L"ALPC Port", NULL); |
| 633 } |
| 634 } |
| 635 |
628 EvalResult PolicyBase::EvalPolicy(int service, | 636 EvalResult PolicyBase::EvalPolicy(int service, |
629 CountedParameterSetBase* params) { | 637 CountedParameterSetBase* params) { |
630 if (NULL != policy_) { | 638 if (NULL != policy_) { |
631 if (NULL == policy_->entry[service]) { | 639 if (NULL == policy_->entry[service]) { |
632 // There is no policy for this particular service. This is not a big | 640 // There is no policy for this particular service. This is not a big |
633 // deal. | 641 // deal. |
634 return DENY_ACCESS; | 642 return DENY_ACCESS; |
635 } | 643 } |
636 for (int i = 0; i < params->count; i++) { | 644 for (int i = 0; i < params->count; i++) { |
637 if (!params->parameters[i].IsValid()) { | 645 if (!params->parameters[i].IsValid()) { |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
670 } | 678 } |
671 } | 679 } |
672 | 680 |
673 if (!blacklisted_dlls_.empty()) { | 681 if (!blacklisted_dlls_.empty()) { |
674 std::vector<base::string16>::iterator it = blacklisted_dlls_.begin(); | 682 std::vector<base::string16>::iterator it = blacklisted_dlls_.begin(); |
675 for (; it != blacklisted_dlls_.end(); ++it) { | 683 for (; it != blacklisted_dlls_.end(); ++it) { |
676 manager.AddToUnloadModules(it->c_str()); | 684 manager.AddToUnloadModules(it->c_str()); |
677 } | 685 } |
678 } | 686 } |
679 | 687 |
680 if (!SetupBasicInterceptions(&manager)) | 688 if (!SetupBasicInterceptions(&manager, is_csrss_connected_)) |
681 return false; | 689 return false; |
682 | 690 |
683 if (!manager.InitializeInterceptions()) | 691 if (!manager.InitializeInterceptions()) |
684 return false; | 692 return false; |
685 | 693 |
686 // Finally, setup imports on the target so the interceptions can work. | 694 // Finally, setup imports on the target so the interceptions can work. |
687 return SetupNtdllImports(target); | 695 return SetupNtdllImports(target); |
688 } | 696 } |
689 | 697 |
690 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { | 698 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { |
(...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
765 break; | 773 break; |
766 } | 774 } |
767 | 775 |
768 default: { return SBOX_ERROR_UNSUPPORTED; } | 776 default: { return SBOX_ERROR_UNSUPPORTED; } |
769 } | 777 } |
770 | 778 |
771 return SBOX_ALL_OK; | 779 return SBOX_ALL_OK; |
772 } | 780 } |
773 | 781 |
774 } // namespace sandbox | 782 } // namespace sandbox |
OLD | NEW |