Unify PolicyBase into TargetPolicy.

sandbox/win/src/sandbox_policy.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
 
-#include <string>
+#include <windows.h>
+
+#include <list>
+#include <vector>
 
 #include "base/basictypes.h"
+#include "base/compiler_specific.h"
 #include "base/strings/string16.h"
+#include "base/win/scoped_handle.h"
+#include "sandbox/win/src/app_container.h"
+#include "sandbox/win/src/crosscall_server.h"
+#include "sandbox/win/src/handle_closer.h"
+#include "sandbox/win/src/ipc_tags.h"
+#include "sandbox/win/src/policy_engine_opcodes.h"
+#include "sandbox/win/src/policy_engine_params.h"
+#include "sandbox/win/src/policy_low_level.h"
+#include "sandbox/win/src/sandbox_policy.h"
 #include "sandbox/win/src/sandbox_types.h"
 #include "sandbox/win/src/security_level.h"
+#include "sandbox/win/src/target_process.h"
+#include "sandbox/win/src/win_utils.h"
 
 namespace sandbox {
 
+typedef std::vector<base::win::ScopedHandle*> HandleList;
+
+// A Windows sandbox policy. All public methods are virtual since they may be
+// called from a dll, while the implementation of the methods lives in the main
+// exe.
 class TargetPolicy {
  public:
+  TargetPolicy();
+

[cpu_(ooo_6.6-7.5), 2016/01/06 18:09:40]

Advance apologies for the rambling nature of the comment that follows.

the code here needs to be a "pure" interface class. That is, nothing more than a
vtable.

The reason is that unlike the other platforms, the sandbox is implemented in
chrome.exe but the broker interface is used from chrome.dll

So between two dlls you should not really transfer a 'fat' object pointer. There
are a variety of issues there. I can go into some details if you want but in the
windows universe this is one of the issues that COM solves, in C++ with pure
interfaces.

In practice this rule is violated a thousand times in the component build, for
example. However 1) we don't ship the component build to users and 2) the
component build uses the dynamic crt (the crt as a dll).

That last point is important because c++ memory management uses the module's
heap so when a fat object is used and there is method inlining, you could new an
object from one heap and free it in another.  Having the crt as a separate
module shared by all other modules solves that problem.

The above paragraph was true for the last 20 years but very recently we learned
that the microsoft crt no longer creates its own heap but uses the 'process
heap' thereby avoiding the problem. That however is an internal detail which
could change.

Although if that changes we could probably "fix it" because we hook the crt
memory functions, however we have a feature request pending to Microsoft which
will let us stop hooking the crt, which we should not do, except we have a very
powerful reason. wfh@ can go into the details.

Heaps is not the only problem, for example crt state such as the one in srttok
is also problematic.

Could we get away with this change? probably, after all, the component build
does sort of, kind of, work. It is certainly less correct.

So the long story short, unless there is a very powerful reason, we should keep
the broker and target interface pure virtual.

One last point worth mentioning is that because how we do upgrades in place of
chrome and where the chrome.exe and chrome.dll live we have a non zero set of
users which sometimes run the exe of an old version with the dll of a new
version. We are not fully sure how that happens. Maybe they tamper with the
installation.

If you want we can do a VC meeting with justin and will to go over the finer
points.

   // Windows subsystems that can have specific rules.
   // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request
   // exactly like the CreateProcess API does. See the comment at the top of
   // process_thread_dispatcher.cc for more details.
   enum SubSystem {
     SUBSYS_FILES,             // Creation and opening of files and pipes.
     SUBSYS_NAMED_PIPES,       // Creation of named pipes.
     SUBSYS_PROCESS,           // Creation of child processes.
     SUBSYS_REGISTRY,          // Creation and opening of registry keys.
     SUBSYS_SYNC,              // Creation of named sync objects.
@@ skipping 25 matching lines @@
     EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access.
     REG_ALLOW_READONLY,    // Allows readonly access to a registry key.
     REG_ALLOW_ANY,         // Allows read and write access to a registry key.
     FAKE_USER_GDI_INIT     // Fakes user32 and gdi32 initialization. This can
                            // be used to allow the DLLs to load and initialize
                            // even if the process cannot access that subsystem.
   };
 
   // Increments the reference count of this object. The reference count must
   // be incremented if this interface is given to another component.
-  virtual void AddRef() = 0;
+  virtual void AddRef();
 
   // Decrements the reference count of this object. When the reference count
   // is zero the object is automatically destroyed.
   // Indicates that the caller is done with this interface. After calling
   // release no other method should be called.
-  virtual void Release() = 0;
+  virtual void Release();
 
   // Sets the security level for the target process' two tokens.
   // This setting is permanent and cannot be changed once the target process is
   // spawned.
   // initial: the security level for the initial token. This is the token that
   //   is used by the process from the creation of the process until the moment
   //   the process calls TargetServices::LowerToken() or the process calls
   //   win32's RevertToSelf(). Once this happens the initial token is no longer
   //   available and the lockdown token is in effect. Using an initial token is
   //   not compatible with AppContainer, see SetAppContainer.
   // lockdown: the security level for the token that comes into force after the
   //   process calls TargetServices::LowerToken() or the process calls
   //   RevertToSelf(). See the explanation of each level in the TokenLevel
   //   definition.
   // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
   //   Returns false if the lockdown value is more permissive than the initial
   //   value.
   //
   // Important: most of the sandbox-provided security relies on this single
   // setting. The caller should strive to set the lockdown level as restricted
   // as possible.
-  virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0;
+  virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown);
 
   // Returns the initial token level.
-  virtual TokenLevel GetInitialTokenLevel() const = 0;
+  virtual TokenLevel GetInitialTokenLevel() const;
 
   // Returns the lockdown token level.
-  virtual TokenLevel GetLockdownTokenLevel() const = 0;
+  virtual TokenLevel GetLockdownTokenLevel() const;
 
   // Sets the security level of the Job Object to which the target process will
   // belong. This setting is permanent and cannot be changed once the target
   // process is spawned. The job controls the global security settings which
   // can not be specified in the token security profile.
   // job_level: the security level for the job. See the explanation of each
   //   level in the JobLevel definition.
   // ui_exceptions: specify what specific rights that are disabled in the
   //   chosen job_level that need to be granted. Use this parameter to avoid
   //   selecting the next permissive job level unless you need all the rights
@@ skipping 14 matching lines @@
   // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops.
   // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows().
   //
   // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
   //
   // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at
   // length in:
   //   http://msdn2.microsoft.com/en-us/library/ms684152.aspx
   //
   // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN.
-  virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions) = 0;
+  virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions);
 
   // Sets a hard limit on the size of the commit set for the sandboxed process.
   // If the limit is reached, the process will be terminated with
   // SBOX_FATAL_MEMORY_EXCEEDED (7012).
-  virtual ResultCode SetJobMemoryLimit(size_t memory_limit) = 0;
+  virtual ResultCode SetJobMemoryLimit(size_t memory_limit);
 
   // Specifies the desktop on which the application is going to run. If the
   // desktop does not exist, it will be created. If alternate_winstation is
   // set to true, the desktop will be created on an alternate window station.
-  virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0;
+  virtual ResultCode SetAlternateDesktop(bool alternate_winstation);
 
   // Returns the name of the alternate desktop used. If an alternate window
   // station is specified, the name is prepended by the window station name,
   // followed by a backslash.
-  virtual base::string16 GetAlternateDesktop() const = 0;
+  virtual base::string16 GetAlternateDesktop() const;
 
   // Precreates the desktop and window station, if any.
-  virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0;
+  virtual ResultCode CreateAlternateDesktop(bool alternate_winstation);
 
   // Destroys the desktop and windows station.
-  virtual void DestroyAlternateDesktop() = 0;
+  virtual void DestroyAlternateDesktop();
 
   // Sets the integrity level of the process in the sandbox. Both the initial
   // token and the main token will be affected by this. If the integrity level
   // is set to a level higher than the current level, the sandbox will fail
   // to start.
-  virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0;
+  virtual ResultCode SetIntegrityLevel(IntegrityLevel level);
 
   // Returns the initial integrity level used.
-  virtual IntegrityLevel GetIntegrityLevel() const = 0;
+  virtual IntegrityLevel GetIntegrityLevel() const;
 
   // Sets the integrity level of the process in the sandbox. The integrity level
   // will not take effect before you call LowerToken. User Interface Privilege
   // Isolation is not affected by this setting and will remain off for the
   // process in the sandbox. If the integrity level is set to a level higher
   // than the current level, the sandbox will fail to start.
-  virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0;
+  virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level);
 
   // Sets the AppContainer to be used for the sandboxed process. Any capability
   // to be enabled for the process should be added before this method is invoked
   // (by calling SetCapability() as many times as needed).
   // The desired AppContainer must be already installed on the system, otherwise
   // launching the sandboxed process will fail. See BrokerServices for details
   // about installing an AppContainer.
   // Note that currently Windows restricts the use of impersonation within
   // AppContainers, so this function is incompatible with the use of an initial
   // token.
-  virtual ResultCode SetAppContainer(const wchar_t* sid) = 0;
+  virtual ResultCode SetAppContainer(const wchar_t* sid);
 
   // Sets a capability to be enabled for the sandboxed process' AppContainer.
-  virtual ResultCode SetCapability(const wchar_t* sid) = 0;
+  virtual ResultCode SetCapability(const wchar_t* sid);
 
   // Sets the LowBox token for sandboxed process. This is mutually exclusive
   // with SetAppContainer method.
-  virtual ResultCode SetLowBox(const wchar_t* sid) = 0;
+  virtual ResultCode SetLowBox(const wchar_t* sid);
 
   // Sets the mitigations enabled when the process is created. Most of these
   // are implemented as attributes passed via STARTUPINFOEX. So they take
   // effect before any thread in the target executes. The declaration of
   // MitigationFlags is followed by a detailed description of each flag.
-  virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0;
+  virtual ResultCode SetProcessMitigations(MitigationFlags flags);
 
   // Returns the currently set mitigation flags.
-  virtual MitigationFlags GetProcessMitigations() = 0;
+  virtual MitigationFlags GetProcessMitigations();
 
   // Sets process mitigation flags that don't take effect before the call to
   // LowerToken().
-  virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0;
+  virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags);
 
   // Returns the currently set delayed mitigation flags.
-  virtual MitigationFlags GetDelayedProcessMitigations() const = 0;
+  virtual MitigationFlags GetDelayedProcessMitigations() const;
 
   // Sets the interceptions to operate in strict mode. By default, interceptions
   // are performed in "relaxed" mode, where if something inside NTDLL.DLL is
   // already patched we attempt to intercept it anyway. Setting interceptions
   // to strict mode means that when we detect that the function is patched we'll
   // refuse to perform the interception.
-  virtual void SetStrictInterceptions() = 0;
+  void SetStrictInterceptions();
 
   // Set the handles the target process should inherit for stdout and
   // stderr.  The handles the caller passes must remain valid for the
   // lifetime of the policy object.  This only has an effect on
   // Windows Vista and later versions.  These methods accept pipe and
   // file handles, but not console handles.
-  virtual ResultCode SetStdoutHandle(HANDLE handle) = 0;
-  virtual ResultCode SetStderrHandle(HANDLE handle) = 0;
+  virtual ResultCode SetStdoutHandle(HANDLE handle);
+  virtual ResultCode SetStderrHandle(HANDLE handle);
 
   // Adds a policy rule effective for processes spawned using this policy.
   // subsystem: One of the above enumerated windows subsystems.
   // semantics: One of the above enumerated FileSemantics.
   // pattern: A specific full path or a full path with wildcard patterns.
   //   The valid wildcards are:
   //   '*' : Matches zero or more character. Only one in series allowed.
   //   '?' : Matches a single character. One or more in series are allowed.
   // Examples:
   //   "c:\\documents and settings\\vince\\*.dmp"
   //   "c:\\documents and settings\\*\\crashdumps\\*.dmp"
   //   "c:\\temp\\app_log_?????_chrome.txt"
-  virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics,
-                             const wchar_t* pattern) = 0;
+  virtual ResultCode AddRule(SubSystem subsystem,
+                             Semantics semantics,
+                             const wchar_t* pattern);
 
   // Adds a dll that will be unloaded in the target process before it gets
   // a chance to initialize itself. Typically, dlls that cause the target
   // to crash go here.
-  virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0;
+  virtual ResultCode AddDllToUnload(const wchar_t* dll_name);
 
   // Adds a handle that will be closed in the target process after lockdown.
   // A NULL value for handle_name indicates all handles of the specified type.
   // An empty string for handle_name indicates the handle is unnamed.
   virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
-                                            const wchar_t* handle_name) = 0;
+                                            const wchar_t* handle_name);
 
   // Adds a handle that will be shared with the target process.
   // Returns the handle which was actually shared with the target. This is
   // achieved by duplicating the handle to ensure that it is inheritable by
   // the target. The caller should treat this as an opaque value.
-  virtual void* AddHandleToShare(HANDLE handle) = 0;
+  virtual void* AddHandleToShare(HANDLE handle);
+
+  // Creates a Job object with the level specified in a previous call to
+  // SetJobLevel().
+  virtual ResultCode MakeJobObject(base::win::ScopedHandle* job);
+
+  // Creates the two tokens with the levels specified in a previous call to
+  // SetTokenLevel(). Also creates a lowbox token if specified based on the
+  // lowbox SID.
+  virtual ResultCode MakeTokens(base::win::ScopedHandle* initial,
+                                base::win::ScopedHandle* lockdown,
+                                base::win::ScopedHandle* lowbox);
+
+  virtual const AppContainerAttributes* GetAppContainer() const;
+
+  virtual PSID GetLowBoxSid() const;
+
+  // Adds a target process to the internal list of targets. Internally a
+  // call to TargetProcess::Init() is issued.
+  virtual bool AddTarget(TargetProcess* target);
+
+  // Called when there are no more active processes in a Job.
+  // Removes a Job object associated with this policy and the target associated
+  // with the job.
+  virtual bool OnJobEmpty(HANDLE job);
+
+  virtual EvalResult EvalPolicy(int service, CountedParameterSetBase* params);
+
+  virtual HANDLE GetStdoutHandle();
+  virtual HANDLE GetStderrHandle();
+
+  // Returns the list of handles being shared with the target process.
+  virtual const HandleList& GetHandlesBeingShared();
+
+  // Closes the handles being shared with the target and clears out the list.
+  virtual void ClearSharedHandles();
+
+ private:
+  friend class base::RefCountedThreadSafe<TargetPolicy>;
+  ~TargetPolicy();
+
+  // Sets up interceptions for a new target.
+  bool SetupAllInterceptions(TargetProcess* target);
+
+  // Sets up the handle closer for a new target.
+  bool SetupHandleCloser(TargetProcess* target);
+
+  ResultCode AddRuleInternal(SubSystem subsystem,
+                             Semantics semantics,
+                             const wchar_t* pattern);
+
+  // This lock synchronizes operations on the targets_ collection.
+  CRITICAL_SECTION lock_;
+
+  // Maintains the list of target process associated with this policy.
+  // The policy takes ownership of them.
+  typedef std::list<TargetProcess*> TargetSet;
+  TargetSet targets_;
+  // Standard object-lifetime reference counter.
+  volatile LONG ref_count;
+  // The user-defined global policy settings.
+  TokenLevel lockdown_level_;
+  TokenLevel initial_level_;
+  JobLevel job_level_;
+  uint32 ui_exceptions_;
+  size_t memory_limit_;
+  bool use_alternate_desktop_;
+  bool use_alternate_winstation_;
+  // Helps the file system policy initialization.
+  bool file_system_init_;
+  bool relaxed_interceptions_;
+  HANDLE stdout_handle_;
+  HANDLE stderr_handle_;
+  IntegrityLevel integrity_level_;
+  IntegrityLevel delayed_integrity_level_;
+  MitigationFlags mitigations_;
+  MitigationFlags delayed_mitigations_;
+  // Object in charge of generating the low level policy.
+  LowLevelPolicy* policy_maker_;
+  // Memory structure that stores the low level policy.
+  PolicyGlobal* policy_;
+  // The list of dlls to unload in the target process.
+  std::vector<base::string16> blacklisted_dlls_;
+  // This is a map of handle-types to names that we need to close in the
+  // target process. A null set means we need to close all handles of the
+  // given type.
+  HandleCloser handle_closer_;
+  std::vector<base::string16> capabilities_;
+  scoped_ptr<AppContainerAttributes> appcontainer_list_;
+  PSID lowbox_sid_;
+  base::win::ScopedHandle lowbox_directory_;
+  scoped_ptr<Dispatcher> dispatcher_;
+
+  static HDESK alternate_desktop_handle_;
+  static HWINSTA alternate_winstation_handle_;
+  static IntegrityLevel alternate_desktop_integrity_level_label_;
+
+  // Contains the list of handles being shared with the target process.
+  // This list contains handles other than the stderr/stdout handles which are
+  // shared with the target at times.
+  HandleList handles_to_share_;
+
+  DISALLOW_COPY_AND_ASSIGN(TargetPolicy);
 };
 
 }  // namespace sandbox
 
-
 #endif  // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_