OLD | NEW |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <stdint.h> | |
6 | |
7 #include <string> | 5 #include <string> |
8 | 6 |
9 #include "sandbox/win/src/sync_policy.h" | 7 #include "sandbox/win/src/sync_policy.h" |
10 | 8 |
11 #include "base/logging.h" | 9 #include "base/logging.h" |
12 #include "base/strings/stringprintf.h" | 10 #include "base/strings/stringprintf.h" |
13 #include "sandbox/win/src/ipc_tags.h" | 11 #include "sandbox/win/src/ipc_tags.h" |
14 #include "sandbox/win/src/nt_internals.h" | 12 #include "sandbox/win/src/nt_internals.h" |
15 #include "sandbox/win/src/policy_engine_opcodes.h" | 13 #include "sandbox/win/src/policy_engine_opcodes.h" |
16 #include "sandbox/win/src/policy_params.h" | 14 #include "sandbox/win/src/policy_params.h" |
(...skipping 123 matching lines...)
140 // Add the open rule. | 138 // Add the open rule. |
141 EvalResult result = ASK_BROKER; | 139 EvalResult result = ASK_BROKER; |
142 PolicyRule open(result); | 140 PolicyRule open(result); |
143 | 141 |
144 if (!open.AddStringMatch(IF, OpenEventParams::NAME, name, CASE_INSENSITIVE)) | 142 if (!open.AddStringMatch(IF, OpenEventParams::NAME, name, CASE_INSENSITIVE)) |
145 return false; | 143 return false; |
146 | 144 |
147 if (TargetPolicy::EVENTS_ALLOW_READONLY == semantics) { | 145 if (TargetPolicy::EVENTS_ALLOW_READONLY == semantics) { |
148 // We consider all flags that are not known to be readonly as potentially | 146 // We consider all flags that are not known to be readonly as potentially |
149 // used for write. | 147 // used for write. |
150 uint32_t allowed_flags = SYNCHRONIZE | GENERIC_READ | READ_CONTROL; | 148 uint32 allowed_flags = SYNCHRONIZE | GENERIC_READ | READ_CONTROL; |
151 uint32_t restricted_flags = ~allowed_flags; | 149 uint32 restricted_flags = ~allowed_flags; |
152 open.AddNumberMatch(IF_NOT, OpenEventParams::ACCESS, restricted_flags, AND); | 150 open.AddNumberMatch(IF_NOT, OpenEventParams::ACCESS, restricted_flags, AND); |
153 } | 151 } |
154 | 152 |
155 if (!policy->AddRule(IPC_OPENEVENT_TAG, &open)) | 153 if (!policy->AddRule(IPC_OPENEVENT_TAG, &open)) |
156 return false; | 154 return false; |
157 | 155 |
158 // If it's not a read only, add the create rule. | 156 // If it's not a read only, add the create rule. |
159 if (TargetPolicy::EVENTS_ALLOW_READONLY != semantics) { | 157 if (TargetPolicy::EVENTS_ALLOW_READONLY != semantics) { |
160 PolicyRule create(result); | 158 PolicyRule create(result); |
161 if (!create.AddStringMatch(IF, NameBased::NAME, name, CASE_INSENSITIVE)) | 159 if (!create.AddStringMatch(IF, NameBased::NAME, name, CASE_INSENSITIVE)) |
162 return false; | 160 return false; |
163 | 161 |
164 if (!policy->AddRule(IPC_CREATEEVENT_TAG, &create)) | 162 if (!policy->AddRule(IPC_CREATEEVENT_TAG, &create)) |
165 return false; | 163 return false; |
166 } | 164 } |
167 | 165 |
168 return true; | 166 return true; |
169 } | 167 } |
170 | 168 |
171 NTSTATUS SyncPolicy::CreateEventAction(EvalResult eval_result, | 169 NTSTATUS SyncPolicy::CreateEventAction(EvalResult eval_result, |
172 const ClientInfo& client_info, | 170 const ClientInfo& client_info, |
173 const base::string16& event_name, | 171 const base::string16 &event_name, |
174 uint32_t event_type, | 172 uint32 event_type, |
175 uint32_t initial_state, | 173 uint32 initial_state, |
176 HANDLE* handle) { | 174 HANDLE *handle) { |
177 NtCreateEventFunction NtCreateEvent = NULL; | 175 NtCreateEventFunction NtCreateEvent = NULL; |
178 ResolveNTFunctionPtr("NtCreateEvent", &NtCreateEvent); | 176 ResolveNTFunctionPtr("NtCreateEvent", &NtCreateEvent); |
179 | 177 |
180 // The only action supported is ASK_BROKER which means create the requested | 178 // The only action supported is ASK_BROKER which means create the requested |
181 // file as specified. | 179 // file as specified. |
182 if (ASK_BROKER != eval_result) | 180 if (ASK_BROKER != eval_result) |
183 return false; | 181 return false; |
184 | 182 |
185 HANDLE object_directory = NULL; | 183 HANDLE object_directory = NULL; |
186 NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory); | 184 NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory); |
(...skipping 15 matching lines...)
202 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, | 200 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, |
203 client_info.process, handle, 0, FALSE, | 201 client_info.process, handle, 0, FALSE, |
204 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { | 202 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { |
205 return STATUS_ACCESS_DENIED; | 203 return STATUS_ACCESS_DENIED; |
206 } | 204 } |
207 return status; | 205 return status; |
208 } | 206 } |
209 | 207 |
210 NTSTATUS SyncPolicy::OpenEventAction(EvalResult eval_result, | 208 NTSTATUS SyncPolicy::OpenEventAction(EvalResult eval_result, |
211 const ClientInfo& client_info, | 209 const ClientInfo& client_info, |
212 const base::string16& event_name, | 210 const base::string16 &event_name, |
213 uint32_t desired_access, | 211 uint32 desired_access, |
214 HANDLE* handle) { | 212 HANDLE *handle) { |
215 NtOpenEventFunction NtOpenEvent = NULL; | 213 NtOpenEventFunction NtOpenEvent = NULL; |
216 ResolveNTFunctionPtr("NtOpenEvent", &NtOpenEvent); | 214 ResolveNTFunctionPtr("NtOpenEvent", &NtOpenEvent); |
217 | 215 |
218 // The only action supported is ASK_BROKER which means create the requested | 216 // The only action supported is ASK_BROKER which means create the requested |
219 // event as specified. | 217 // event as specified. |
220 if (ASK_BROKER != eval_result) | 218 if (ASK_BROKER != eval_result) |
221 return false; | 219 return false; |
222 | 220 |
223 HANDLE object_directory = NULL; | 221 HANDLE object_directory = NULL; |
224 NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory); | 222 NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory); |
(...skipping 12 matching lines...)
237 | 235 |
238 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, | 236 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, |
239 client_info.process, handle, 0, FALSE, | 237 client_info.process, handle, 0, FALSE, |
240 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { | 238 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { |
241 return STATUS_ACCESS_DENIED; | 239 return STATUS_ACCESS_DENIED; |
242 } | 240 } |
243 return status; | 241 return status; |
244 } | 242 } |
245 | 243 |
246 } // namespace sandbox | 244 } // namespace sandbox |
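Review bot: In both CreateEventAction and OpenEventAction the guard `if (ASK_BROKER != eval_result) return false;` sits in a function declared to return NTSTATUS, so `false` converts to 0, which is STATUS_SUCCESS, and a request the policy did not approve is reported as success without `*handle` being written on that path. Returning `STATUS_ACCESS_DENIED` there, as the DuplicateHandle failure path already does, would make the denial explicit; how the callers treat the result is not visible on this page. Separately, in the EVENTS_ALLOW_READONLY branch the result of `open.AddNumberMatch(IF_NOT, OpenEventParams::ACCESS, restricted_flags, AND)` is ignored while the AddStringMatch calls are checked, so a failure there would appear to register the open rule without the access-mask restriction; `if (!open.AddNumberMatch(IF_NOT, OpenEventParams::ACCESS, restricted_flags, AND)) return false;` would fail closed. The rule-building function starts in the elided lines and both action functions have elided middles, so those parts were not reviewed.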
OLD | NEW |