Sandbox: Make PolicyBase::MakeTokens return ScopedHandes

sandbox/win/src/sandbox_policy_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/sandbox_policy_base.h"
 
 #include <sddl.h>
 
 #include "base/basictypes.h"
 #include "base/callback.h"
@@ skipping 529 matching lines @@
     if (ERROR_SUCCESS != result) {
       return SBOX_ERROR_GENERIC;
     }
     *job = job_obj.Detach();
   } else {
     *job = NULL;
   }
   return SBOX_ALL_OK;
 }
 
-ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
+ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
+                                  base::win::ScopedHandle* lockdown) {
   if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() &&
       lowbox_sid_) {
     return SBOX_ERROR_BAD_PARAMS;
   }
 
   // Create the 'naked' token. This will be the permanent token associated
   // with the process and therefore with any thread that is not impersonating.
-  DWORD result = CreateRestrictedToken(lockdown, lockdown_level_,
+  HANDLE temp_handle;
+  DWORD result = CreateRestrictedToken(&temp_handle, lockdown_level_,
                                        integrity_level_, PRIMARY);
   if (ERROR_SUCCESS != result)
     return SBOX_ERROR_GENERIC;
 
+  lockdown->Set(temp_handle);
+
   // If we're launching on the alternate desktop we need to make sure the
   // integrity label on the object is no higher than the sandboxed process's
   // integrity level. So, we lower the label on the desktop process if it's
   // not already low enough for our process.
   if (alternate_desktop_handle_ && use_alternate_desktop_ &&
       integrity_level_ != INTEGRITY_LEVEL_LAST &&
       alternate_desktop_integrity_level_label_ < integrity_level_ &&
       base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
     // Integrity label enum is reversed (higher level is a lower value).
     static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED,
@@ skipping 10 matching lines @@
 
   // We are maintaining two mutually exclusive approaches. One is to start an
   // AppContainer process through StartupInfoEx and other is replacing
   // existing token with LowBox token after process creation.
   if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
     // Windows refuses to work with an impersonation token. See SetAppContainer
     // implementation for more details.
     if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
       return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
 
-    *initial = INVALID_HANDLE_VALUE;
+    *initial = base::win::ScopedHandle();
     return SBOX_ALL_OK;
-  } else if (lowbox_sid_) {
+  }
+
+  if (lowbox_sid_) {

[Will Harris, 2015/07/10 18:11:31]

maybe DCHECK that we are not also using AppContainer since these approaches are
mutually exclusive.

[rvargas (doing something else), 2015/07/10 18:31:56]

Do you mean line the if at line 522? :)

[Will Harris, 2015/07/10 18:45:07]

ah yes. :)

     NtCreateLowBoxToken CreateLowBoxToken = NULL;
     ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBoxToken);
     OBJECT_ATTRIBUTES obj_attr;
     InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
     HANDLE token_lowbox = NULL;
 
     if (!lowbox_directory_.IsValid())
       lowbox_directory_.Set(CreateLowBoxObjectDirectory(lowbox_sid_));
     DCHECK(lowbox_directory_.IsValid());
 
     // The order of handles isn't important in the CreateLowBoxToken call.
     // The kernel will maintain a reference to the object directory handle.
     HANDLE saved_handles[1] = {lowbox_directory_.Get()};
     DWORD saved_handles_count = lowbox_directory_.IsValid() ? 1 : 0;
 
-    NTSTATUS status = CreateLowBoxToken(&token_lowbox, *lockdown,
+    NTSTATUS status = CreateLowBoxToken(&token_lowbox, lockdown->Get(),
                                         TOKEN_ALL_ACCESS, &obj_attr,
                                         lowbox_sid_, 0, NULL,
                                         saved_handles_count, saved_handles);
     if (!NT_SUCCESS(status))
       return SBOX_ERROR_GENERIC;
 
     DCHECK(token_lowbox);
-    ::CloseHandle(*lockdown);
-    *lockdown = token_lowbox;
+    lockdown->Set(token_lowbox);

[Will Harris, 2015/07/10 18:11:31]

scoped handles really does make this a lot more elegant :)

   }
 
   // Create the 'better' token. We use this token as the one that the main
   // thread uses when booting up the process. It should contain most of
   // what we need (before reaching main( ))
-  result = CreateRestrictedToken(initial, initial_level_,
+  result = CreateRestrictedToken(&temp_handle, initial_level_,
                                  integrity_level_, IMPERSONATION);
-  if (ERROR_SUCCESS != result) {
-    ::CloseHandle(*lockdown);
+  if (ERROR_SUCCESS != result)
     return SBOX_ERROR_GENERIC;
-  }
+
+  initial->Set(temp_handle);
   return SBOX_ALL_OK;
 }
 
 const AppContainerAttributes* PolicyBase::GetAppContainer() const {
   if (!appcontainer_list_.get() || !appcontainer_list_->HasAppContainer())
     return NULL;
 
   return appcontainer_list_.get();
 }
 
@@ skipping 236 matching lines @@
       break;
     }
 
     default: { return SBOX_ERROR_UNSUPPORTED; }
   }
 
   return SBOX_ALL_OK;
 }
 
 }  // namespace sandbox