| OLD | NEW |
| 1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/filesystem_dispatcher.h" | 5 #include "sandbox/win/src/filesystem_dispatcher.h" |
| 6 | 6 |
| 7 #include "sandbox/win/src/crosscall_client.h" | 7 #include "sandbox/win/src/crosscall_client.h" |
| 8 #include "sandbox/win/src/filesystem_interception.h" | 8 #include "sandbox/win/src/filesystem_interception.h" |
| 9 #include "sandbox/win/src/filesystem_policy.h" | 9 #include "sandbox/win/src/filesystem_policy.h" |
| 10 #include "sandbox/win/src/interception.h" | 10 #include "sandbox/win/src/interception.h" |
| 11 #include "sandbox/win/src/interceptors.h" | 11 #include "sandbox/win/src/interceptors.h" |
| 12 #include "sandbox/win/src/ipc_tags.h" | 12 #include "sandbox/win/src/ipc_tags.h" |
| 13 #include "sandbox/win/src/policy_broker.h" | 13 #include "sandbox/win/src/policy_broker.h" |
| 14 #include "sandbox/win/src/policy_params.h" | 14 #include "sandbox/win/src/policy_params.h" |
| 15 #include "sandbox/win/src/sandbox.h" | 15 #include "sandbox/win/src/sandbox.h" |
| 16 #include "sandbox/win/src/sandbox_nt_util.h" | 16 #include "sandbox/win/src/sandbox_nt_util.h" |
| 17 | 17 |
| 18 namespace sandbox { | 18 namespace sandbox { |
| 19 | 19 |
| 20 FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base) | 20 FilesystemDispatcher::FilesystemDispatcher(TargetPolicy* policy) |
| 21 : policy_base_(policy_base) { | 21 : policy_(policy) { |
| 22 static const IPCCall create_params = { | 22 static const IPCCall create_params = { |
| 23 {IPC_NTCREATEFILE_TAG, | 23 {IPC_NTCREATEFILE_TAG, |
| 24 {WCHAR_TYPE, | 24 {WCHAR_TYPE, |
| 25 UINT32_TYPE, | 25 UINT32_TYPE, |
| 26 UINT32_TYPE, | 26 UINT32_TYPE, |
| 27 UINT32_TYPE, | 27 UINT32_TYPE, |
| 28 UINT32_TYPE, | 28 UINT32_TYPE, |
| 29 UINT32_TYPE, | 29 UINT32_TYPE, |
| 30 UINT32_TYPE}}, | 30 UINT32_TYPE}}, |
| 31 reinterpret_cast<CallbackGeneric>(&FilesystemDispatcher::NtCreateFile)}; | 31 reinterpret_cast<CallbackGeneric>(&FilesystemDispatcher::NtCreateFile)}; |
| (...skipping 72 matching lines...) |
| 104 CountedParameterSet<OpenFile> params; | 104 CountedParameterSet<OpenFile> params; |
| 105 params[OpenFile::NAME] = ParamPickerMake(filename); | 105 params[OpenFile::NAME] = ParamPickerMake(filename); |
| 106 params[OpenFile::ACCESS] = ParamPickerMake(desired_access); | 106 params[OpenFile::ACCESS] = ParamPickerMake(desired_access); |
| 107 params[OpenFile::DISPOSITION] = ParamPickerMake(create_disposition); | 107 params[OpenFile::DISPOSITION] = ParamPickerMake(create_disposition); |
| 108 params[OpenFile::OPTIONS] = ParamPickerMake(create_options); | 108 params[OpenFile::OPTIONS] = ParamPickerMake(create_options); |
| 109 params[OpenFile::BROKER] = ParamPickerMake(broker); | 109 params[OpenFile::BROKER] = ParamPickerMake(broker); |
| 110 | 110 |
| 111 // To evaluate the policy we need to call back to the policy object. We | 111 // To evaluate the policy we need to call back to the policy object. We |
| 112 // are just middlemen in the operation since is the FileSystemPolicy which | 112 // are just middlemen in the operation since is the FileSystemPolicy which |
| 113 // knows what to do. | 113 // knows what to do. |
| 114 EvalResult result = policy_base_->EvalPolicy(IPC_NTCREATEFILE_TAG, | 114 EvalResult result = |
| 115 params.GetBase()); | 115 policy_->EvalPolicy(IPC_NTCREATEFILE_TAG, params.GetBase()); |
| 116 HANDLE handle; | 116 HANDLE handle; |
| 117 ULONG_PTR io_information = 0; | 117 ULONG_PTR io_information = 0; |
| 118 NTSTATUS nt_status; | 118 NTSTATUS nt_status; |
| 119 if (!FileSystemPolicy::CreateFileAction(result, *ipc->client_info, *name, | 119 if (!FileSystemPolicy::CreateFileAction(result, *ipc->client_info, *name, |
| 120 attributes, desired_access, | 120 attributes, desired_access, |
| 121 file_attributes, share_access, | 121 file_attributes, share_access, |
| 122 create_disposition, create_options, | 122 create_disposition, create_options, |
| 123 &handle, &nt_status, | 123 &handle, &nt_status, |
| 124 &io_information)) { | 124 &io_information)) { |
| 125 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; | 125 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; |
| (...skipping 25 matching lines...) |
| 151 CountedParameterSet<OpenFile> params; | 151 CountedParameterSet<OpenFile> params; |
| 152 params[OpenFile::NAME] = ParamPickerMake(filename); | 152 params[OpenFile::NAME] = ParamPickerMake(filename); |
| 153 params[OpenFile::ACCESS] = ParamPickerMake(desired_access); | 153 params[OpenFile::ACCESS] = ParamPickerMake(desired_access); |
| 154 params[OpenFile::DISPOSITION] = ParamPickerMake(create_disposition); | 154 params[OpenFile::DISPOSITION] = ParamPickerMake(create_disposition); |
| 155 params[OpenFile::OPTIONS] = ParamPickerMake(open_options); | 155 params[OpenFile::OPTIONS] = ParamPickerMake(open_options); |
| 156 params[OpenFile::BROKER] = ParamPickerMake(broker); | 156 params[OpenFile::BROKER] = ParamPickerMake(broker); |
| 157 | 157 |
| 158 // To evaluate the policy we need to call back to the policy object. We | 158 // To evaluate the policy we need to call back to the policy object. We |
| 159 // are just middlemen in the operation since is the FileSystemPolicy which | 159 // are just middlemen in the operation since is the FileSystemPolicy which |
| 160 // knows what to do. | 160 // knows what to do. |
| 161 EvalResult result = policy_base_->EvalPolicy(IPC_NTOPENFILE_TAG, | 161 EvalResult result = policy_->EvalPolicy(IPC_NTOPENFILE_TAG, params.GetBase()); |
| 162 params.GetBase()); | |
| 163 HANDLE handle; | 162 HANDLE handle; |
| 164 ULONG_PTR io_information = 0; | 163 ULONG_PTR io_information = 0; |
| 165 NTSTATUS nt_status; | 164 NTSTATUS nt_status; |
| 166 if (!FileSystemPolicy::OpenFileAction(result, *ipc->client_info, *name, | 165 if (!FileSystemPolicy::OpenFileAction(result, *ipc->client_info, *name, |
| 167 attributes, desired_access, | 166 attributes, desired_access, |
| 168 share_access, open_options, &handle, | 167 share_access, open_options, &handle, |
| 169 &nt_status, &io_information)) { | 168 &nt_status, &io_information)) { |
| 170 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; | 169 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; |
| 171 return true; | 170 return true; |
| 172 } | 171 } |
| (...skipping 19 matching lines...) |
| 192 | 191 |
| 193 uint32 broker = TRUE; | 192 uint32 broker = TRUE; |
| 194 const wchar_t* filename = name->c_str(); | 193 const wchar_t* filename = name->c_str(); |
| 195 CountedParameterSet<FileName> params; | 194 CountedParameterSet<FileName> params; |
| 196 params[FileName::NAME] = ParamPickerMake(filename); | 195 params[FileName::NAME] = ParamPickerMake(filename); |
| 197 params[FileName::BROKER] = ParamPickerMake(broker); | 196 params[FileName::BROKER] = ParamPickerMake(broker); |
| 198 | 197 |
| 199 // To evaluate the policy we need to call back to the policy object. We | 198 // To evaluate the policy we need to call back to the policy object. We |
| 200 // are just middlemen in the operation since is the FileSystemPolicy which | 199 // are just middlemen in the operation since is the FileSystemPolicy which |
| 201 // knows what to do. | 200 // knows what to do. |
| 202 EvalResult result = policy_base_->EvalPolicy(IPC_NTQUERYATTRIBUTESFILE_TAG, | 201 EvalResult result = |
| 203 params.GetBase()); | 202 policy_->EvalPolicy(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase()); |
| 204 | 203 |
| 205 FILE_BASIC_INFORMATION* information = | 204 FILE_BASIC_INFORMATION* information = |
| 206 reinterpret_cast<FILE_BASIC_INFORMATION*>(info->Buffer()); | 205 reinterpret_cast<FILE_BASIC_INFORMATION*>(info->Buffer()); |
| 207 NTSTATUS nt_status; | 206 NTSTATUS nt_status; |
| 208 if (!FileSystemPolicy::QueryAttributesFileAction(result, *ipc->client_info, | 207 if (!FileSystemPolicy::QueryAttributesFileAction(result, *ipc->client_info, |
| 209 *name, attributes, | 208 *name, attributes, |
| 210 information, &nt_status)) { | 209 information, &nt_status)) { |
| 211 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; | 210 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; |
| 212 return true; | 211 return true; |
| 213 } | 212 } |
| (...skipping 18 matching lines...) |
| 232 | 231 |
| 233 uint32 broker = TRUE; | 232 uint32 broker = TRUE; |
| 234 const wchar_t* filename = name->c_str(); | 233 const wchar_t* filename = name->c_str(); |
| 235 CountedParameterSet<FileName> params; | 234 CountedParameterSet<FileName> params; |
| 236 params[FileName::NAME] = ParamPickerMake(filename); | 235 params[FileName::NAME] = ParamPickerMake(filename); |
| 237 params[FileName::BROKER] = ParamPickerMake(broker); | 236 params[FileName::BROKER] = ParamPickerMake(broker); |
| 238 | 237 |
| 239 // To evaluate the policy we need to call back to the policy object. We | 238 // To evaluate the policy we need to call back to the policy object. We |
| 240 // are just middlemen in the operation since is the FileSystemPolicy which | 239 // are just middlemen in the operation since is the FileSystemPolicy which |
| 241 // knows what to do. | 240 // knows what to do. |
| 242 EvalResult result = policy_base_->EvalPolicy( | 241 EvalResult result = |
| 243 IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase()); | 242 policy_->EvalPolicy(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase()); |
| 244 | 243 |
| 245 FILE_NETWORK_OPEN_INFORMATION* information = | 244 FILE_NETWORK_OPEN_INFORMATION* information = |
| 246 reinterpret_cast<FILE_NETWORK_OPEN_INFORMATION*>(info->Buffer()); | 245 reinterpret_cast<FILE_NETWORK_OPEN_INFORMATION*>(info->Buffer()); |
| 247 NTSTATUS nt_status; | 246 NTSTATUS nt_status; |
| 248 if (!FileSystemPolicy::QueryFullAttributesFileAction(result, | 247 if (!FileSystemPolicy::QueryFullAttributesFileAction(result, |
| 249 *ipc->client_info, | 248 *ipc->client_info, |
| 250 *name, attributes, | 249 *name, attributes, |
| 251 information, | 250 information, |
| 252 &nt_status)) { | 251 &nt_status)) { |
| 253 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; | 252 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; |
| (...skipping 33 matching lines...) |
| 287 | 286 |
| 288 uint32 broker = TRUE; | 287 uint32 broker = TRUE; |
| 289 const wchar_t* filename = name.c_str(); | 288 const wchar_t* filename = name.c_str(); |
| 290 CountedParameterSet<FileName> params; | 289 CountedParameterSet<FileName> params; |
| 291 params[FileName::NAME] = ParamPickerMake(filename); | 290 params[FileName::NAME] = ParamPickerMake(filename); |
| 292 params[FileName::BROKER] = ParamPickerMake(broker); | 291 params[FileName::BROKER] = ParamPickerMake(broker); |
| 293 | 292 |
| 294 // To evaluate the policy we need to call back to the policy object. We | 293 // To evaluate the policy we need to call back to the policy object. We |
| 295 // are just middlemen in the operation since is the FileSystemPolicy which | 294 // are just middlemen in the operation since is the FileSystemPolicy which |
| 296 // knows what to do. | 295 // knows what to do. |
| 297 EvalResult result = policy_base_->EvalPolicy(IPC_NTSETINFO_RENAME_TAG, | 296 EvalResult result = |
| 298 params.GetBase()); | 297 policy_->EvalPolicy(IPC_NTSETINFO_RENAME_TAG, params.GetBase()); |
| 299 | 298 |
| 300 IO_STATUS_BLOCK* io_status = | 299 IO_STATUS_BLOCK* io_status = |
| 301 reinterpret_cast<IO_STATUS_BLOCK*>(status->Buffer()); | 300 reinterpret_cast<IO_STATUS_BLOCK*>(status->Buffer()); |
| 302 NTSTATUS nt_status; | 301 NTSTATUS nt_status; |
| 303 if (!FileSystemPolicy::SetInformationFileAction(result, *ipc->client_info, | 302 if (!FileSystemPolicy::SetInformationFileAction(result, *ipc->client_info, |
| 304 handle, rename_info, length, | 303 handle, rename_info, length, |
| 305 info_class, io_status, | 304 info_class, io_status, |
| 306 &nt_status)) { | 305 &nt_status)) { |
| 307 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; | 306 ipc->return_info.nt_status = STATUS_ACCESS_DENIED; |
| 308 return true; | 307 return true; |
| 309 } | 308 } |
| 310 | 309 |
| 311 // Return operation status on the IPC. | 310 // Return operation status on the IPC. |
| 312 ipc->return_info.nt_status = nt_status; | 311 ipc->return_info.nt_status = nt_status; |
| 313 return true; | 312 return true; |
| 314 } | 313 } |
| 315 | 314 |
| 316 } // namespace sandbox | 315 } // namespace sandbox |
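Review bot: The constructor at new lines 20-21 now stores a raw `TargetPolicy*` in `policy_`, but nothing visible states who owns the policy or that it must be non-null. All five handlers shown dereference it (`policy_->EvalPolicy(IPC_NTCREATEFILE_TAG, params.GetBase())` and the four sibling calls) before any allow/deny decision is made. Because every brokered file-access decision goes through this pointer, I would add a comment above the initializer, assuming this is the intended contract: `// |policy| is not owned; it must be non-null and outlive this dispatcher.` The same comment belongs on the `policy_` member in the header. Widening the parameter from `PolicyBase*` to the interface type presumably lets any `TargetPolicy` implementation be passed in, so it is worth confirming in the header, which is not on this page, that `EvalPolicy` is only implemented by the real policy object. The constructor body continues in the skipped lines, so a check may already exist there.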
| OLD | NEW |