Sandbox: Make CreateRestrictedToken return a ScopedHandle.

sandbox/win/src/restricted_token.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/restricted_token.h"
 
 #include <vector>
 
 #include "base/logging.h"
 #include "sandbox/win/src/acl.h"
@@ skipping 35 matching lines @@
     if (!::OpenProcessToken(::GetCurrentProcess(),
                             TOKEN_ALL_ACCESS,
                             &effective_token_))
       return ::GetLastError();
   }
 
   init_ = true;
   return ERROR_SUCCESS;
 }
 
-unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const {
+unsigned RestrictedToken::GetRestrictedToken(
+    base::win::ScopedHandle* token) const {
   DCHECK(init_);
   if (!init_)
     return ERROR_NO_TOKEN;
 
   size_t deny_size = sids_for_deny_only_.size();
   size_t restrict_size = sids_to_restrict_.size();
   size_t privileges_size = privileges_to_disable_.size();
 
   SID_AND_ATTRIBUTES *deny_only_array = NULL;
   if (deny_size) {
@@ skipping 21 matching lines @@
   if (privileges_size) {
     privileges_to_disable_array = new LUID_AND_ATTRIBUTES[privileges_size];
 
     for (unsigned int i = 0; i < privileges_size; ++i) {
       privileges_to_disable_array[i].Attributes = 0;
       privileges_to_disable_array[i].Luid = privileges_to_disable_[i];
     }
   }
 
   BOOL result = TRUE;
-  HANDLE new_token = NULL;
+  HANDLE new_token_handle = NULL;
   // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell
   // if a token has ben restricted given the limiations of IsTokenRestricted()
   // but it appears that in Windows 7 it hints the AppLocker subsystem to
   // leave us alone.
   if (deny_size || restrict_size || privileges_size) {
     result = ::CreateRestrictedToken(effective_token_,
                                      SANDBOX_INERT,
                                      static_cast<DWORD>(deny_size),
                                      deny_only_array,
                                      static_cast<DWORD>(privileges_size),
                                      privileges_to_disable_array,
                                      static_cast<DWORD>(restrict_size),
                                      sids_to_restrict_array,
-                                     &new_token);
+                                     &new_token_handle);
   } else {
     // Duplicate the token even if it's not modified at this point
     // because any subsequent changes to this token would also affect the
     // current process.
     result = ::DuplicateTokenEx(effective_token_, TOKEN_ALL_ACCESS, NULL,
                                 SecurityIdentification, TokenPrimary,
-                                &new_token);
+                                &new_token_handle);
   }
 
   if (deny_only_array)
     delete[] deny_only_array;
 
   if (sids_to_restrict_array)
     delete[] sids_to_restrict_array;
 
   if (privileges_to_disable_array)
     delete[] privileges_to_disable_array;
 
   if (!result)
     return ::GetLastError();
 
+  base::win::ScopedHandle new_token(new_token_handle);
+
   // Modify the default dacl on the token to contain Restricted and the user.
-  if (!AddSidToDefaultDacl(new_token, WinRestrictedCodeSid, GENERIC_ALL))
+  if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid, GENERIC_ALL))
     return ::GetLastError();
 
-  if (!AddUserSidToDefaultDacl(new_token, GENERIC_ALL))
+  if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL))
     return ::GetLastError();
 
-  DWORD error = SetTokenIntegrityLevel(new_token, integrity_level_);
+  DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_);
   if (ERROR_SUCCESS != error)
     return error;
 
-  BOOL status = ::DuplicateHandle(::GetCurrentProcess(),
-                                  new_token,
-                                  ::GetCurrentProcess(),
-                                  token_handle,
-                                  TOKEN_ALL_ACCESS,
-                                  FALSE,  // Don't inherit.
-                                  0);
+  HANDLE token_handle;
+  if (!::DuplicateHandle(::GetCurrentProcess(), new_token.Get(),
+                         ::GetCurrentProcess(), &token_handle,
+                         TOKEN_ALL_ACCESS, FALSE,  // Don't inherit.
+                         0)) {
+    return ::GetLastError();
+  }
 
-  if (new_token != effective_token_)
-    ::CloseHandle(new_token);
-
-  if (!status)
-    return ::GetLastError();
-
+  token->Set(token_handle);
   return ERROR_SUCCESS;
 }
 
-unsigned RestrictedToken::GetRestrictedTokenHandleForImpersonation(
-    HANDLE *token_handle) const {
+unsigned RestrictedToken::GetRestrictedTokenForImpersonation(
+    base::win::ScopedHandle* token) const {
   DCHECK(init_);
   if (!init_)
     return ERROR_NO_TOKEN;
 
-  HANDLE restricted_token_handle;
-  unsigned err_code = GetRestrictedTokenHandle(&restricted_token_handle);
+  base::win::ScopedHandle restricted_token;
+  unsigned err_code = GetRestrictedToken(&restricted_token);
   if (ERROR_SUCCESS != err_code)
     return err_code;
 
-  HANDLE impersonation_token;
-  if (!::DuplicateToken(restricted_token_handle,
+  HANDLE impersonation_token_handle;
+  if (!::DuplicateToken(restricted_token.Get(),
                         SecurityImpersonation,
-                        &impersonation_token)) {
-    ::CloseHandle(restricted_token_handle);
+                        &impersonation_token_handle)) {
+    return ::GetLastError();
+  }
+  base::win::ScopedHandle impersonation_token(impersonation_token_handle);
+
+  HANDLE token_handle;
+  if (!::DuplicateHandle(::GetCurrentProcess(), impersonation_token.Get(),
+                         ::GetCurrentProcess(), &token_handle,
+                         TOKEN_ALL_ACCESS, FALSE,  // Don't inherit.
+                         0)) {
     return ::GetLastError();
   }
 
-  ::CloseHandle(restricted_token_handle);
-
-  BOOL status = ::DuplicateHandle(::GetCurrentProcess(),
-                                  impersonation_token,
-                                  ::GetCurrentProcess(),
-                                  token_handle,
-                                  TOKEN_ALL_ACCESS,
-                                  FALSE,  // Don't inherit.
-                                  0);
-
-  ::CloseHandle(impersonation_token);
-
-  if (!status)
-    return ::GetLastError();
-
+  token->Set(token_handle);
   return ERROR_SUCCESS;
 }
 
 unsigned RestrictedToken::AddAllSidsForDenyOnly(std::vector<Sid> *exceptions) {
   DCHECK(init_);
   if (!init_)
     return ERROR_NO_TOKEN;
 
   TOKEN_GROUPS *token_groups = NULL;
   DWORD size = 0;
@@ skipping 266 matching lines @@
 
   return ERROR_SUCCESS;
 }
 
 unsigned RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) {
   integrity_level_ = integrity_level;
   return ERROR_SUCCESS;
 }
 
 }  // namespace sandbox