Sandbox: Make PolicyBase::MakeTokens return ScopedHandes

sandbox/win/src/broker_services.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/broker_services.h"
 
 #include <AclAPI.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
@@ skipping 339 matching lines @@
   AutoLock lock(&lock_);
 
   // This downcast is safe as long as we control CreatePolicy()
   PolicyBase* policy_base = static_cast<PolicyBase*>(policy);
 
   if (policy_base->GetAppContainer() && policy_base->GetLowBoxSid())
     return SBOX_ERROR_BAD_PARAMS;
 
   // Construct the tokens and the job object that we are going to associate
   // with the soon to be created target process.
-  HANDLE initial_token_temp;
-  HANDLE lockdown_token_temp;
+  base::win::ScopedHandle initial_token;
+  base::win::ScopedHandle lockdown_token;
   ResultCode result = SBOX_ALL_OK;
 
   if (IsTokenCacheable(policy_base)) {
     // Create the master tokens only once and save them in a cache. That way
     // can just duplicate them to avoid hammering LSASS on every sandboxed
     // process launch.
     uint32_t token_key = GenerateTokenCacheKey(policy_base);
     TokenCacheMap::iterator it = token_cache_.find(token_key);
+    HANDLE initial_token_temp;
+    HANDLE lockdown_token_temp;
     if (it != token_cache_.end()) {
       initial_token_temp = it->second.first;
       lockdown_token_temp = it->second.second;
     } else {
-      result =
-          policy_base->MakeTokens(&initial_token_temp, &lockdown_token_temp);
+      result = policy_base->MakeTokens(&initial_token, &lockdown_token);
       if (SBOX_ALL_OK != result)
         return result;
       token_cache_[token_key] =
-          std::pair<HANDLE, HANDLE>(initial_token_temp, lockdown_token_temp);
+          std::make_pair(initial_token.Get(), lockdown_token.Get());
+      initial_token_temp = initial_token.Take();
+      lockdown_token_temp = lockdown_token.Take();
     }
 
     if (!::DuplicateToken(initial_token_temp, SecurityImpersonation,
                           &initial_token_temp)) {
       return SBOX_ERROR_GENERIC;
     }
+    initial_token.Set(initial_token_temp);
 
     if (!::DuplicateTokenEx(lockdown_token_temp, TOKEN_ALL_ACCESS, 0,
                             SecurityIdentification, TokenPrimary,
                             &lockdown_token_temp)) {
       return SBOX_ERROR_GENERIC;
     }
+    lockdown_token.Set(lockdown_token_temp);
   } else {
-    result = policy_base->MakeTokens(&initial_token_temp, &lockdown_token_temp);
+    result = policy_base->MakeTokens(&initial_token, &lockdown_token);
     if (SBOX_ALL_OK != result)
       return result;
   }
 
-  base::win::ScopedHandle initial_token(initial_token_temp);
-  base::win::ScopedHandle lockdown_token(lockdown_token_temp);
-
   HANDLE job_temp;
   result = policy_base->MakeJobObject(&job_temp);
   if (SBOX_ALL_OK != result)
     return result;
 
   base::win::ScopedHandle job(job_temp);
 
   // Initialize the startup information from the policy.
   base::win::StartupInformation startup_info;
   // The liftime of |mitigations| and |inherit_handle_list| have to be at least
@@ skipping 208 matching lines @@
     return SBOX_ERROR_UNSUPPORTED;
 
   base::string16 name = LookupAppContainer(sid);
   if (name.empty())
     return SBOX_ERROR_INVALID_APP_CONTAINER;
 
   return DeleteAppContainer(sid);
 }
 
 }  // namespace sandbox