1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/win/src/broker_services.h" | 5 #include "sandbox/win/src/broker_services.h" |
6 | 6 |
7 #include <AclAPI.h> | 7 #include <AclAPI.h> |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 | 9 |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
323 if (SBOX_ALL_OK != result) | 323 if (SBOX_ALL_OK != result) |
324 return result; | 324 return result; |
325 | 325 |
326 base::win::ScopedHandle job; | 326 base::win::ScopedHandle job; |
327 result = policy_base->MakeJobObject(&job); | 327 result = policy_base->MakeJobObject(&job); |
328 if (SBOX_ALL_OK != result) | 328 if (SBOX_ALL_OK != result) |
329 return result; | 329 return result; |
330 | 330 |
331 // Initialize the startup information from the policy. | 331 // Initialize the startup information from the policy. |
332 base::win::StartupInformation startup_info; | 332 base::win::StartupInformation startup_info; |
333 // The liftime of |mitigations| and |inherit_handle_list| have to be at least | 333 // The liftime of |mitigations|, |inherit_handle_list| and |
334 // |child_process_creation| have to be at least | |
334 // as long as |startup_info| because |UpdateProcThreadAttribute| requires that | 335 // as long as |startup_info| because |UpdateProcThreadAttribute| requires that |
335 // its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is | 336 // its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is |
336 // called; StartupInformation's destructor makes such a call. | 337 // called; StartupInformation's destructor makes such a call. |
337 DWORD64 mitigations; | 338 DWORD64 mitigations; |
338 | |
339 std::vector<HANDLE> inherited_handle_list; | 339 std::vector<HANDLE> inherited_handle_list; |
340 DWORD child_process_creation = PROCESS_CREATION_CHILD_PROCESS_RESTRICTED; | |
jschuh
2016/01/25 23:53:51
This feels awkward. The job object already has fla
penny
2016/01/26 22:37:10
Acknowledged. See my comments on this.
340 | 341 |
341 base::string16 desktop = policy_base->GetAlternateDesktop(); | 342 base::string16 desktop = policy_base->GetAlternateDesktop(); |
342 if (!desktop.empty()) { | 343 if (!desktop.empty()) { |
343 startup_info.startup_info()->lpDesktop = | 344 startup_info.startup_info()->lpDesktop = |
344 const_cast<wchar_t*>(desktop.c_str()); | 345 const_cast<wchar_t*>(desktop.c_str()); |
345 } | 346 } |
346 | 347 |
347 bool inherit_handles = false; | 348 bool inherit_handles = false; |
348 | 349 |
349 if (base::win::GetVersion() >= base::win::VERSION_VISTA) { | 350 if (base::win::GetVersion() >= base::win::VERSION_VISTA) { |
350 int attribute_count = 0; | 351 int attribute_count = 0; |
351 const AppContainerAttributes* app_container = | 352 const AppContainerAttributes* app_container = |
352 policy_base->GetAppContainer(); | 353 policy_base->GetAppContainer(); |
353 if (app_container) | 354 if (app_container) |
354 ++attribute_count; | 355 ++attribute_count; |
355 | 356 |
356 size_t mitigations_size; | 357 size_t mitigations_size; |
358 bool restrict_child_process_creation; | |
357 ConvertProcessMitigationsToPolicy(policy->GetProcessMitigations(), | 359 ConvertProcessMitigationsToPolicy(policy->GetProcessMitigations(), |
358 &mitigations, &mitigations_size); | 360 &mitigations, &mitigations_size, |
361 &restrict_child_process_creation); | |
359 if (mitigations) | 362 if (mitigations) |
360 ++attribute_count; | 363 ++attribute_count; |
364 if (restrict_child_process_creation) | |
365 ++attribute_count; | |
361 | 366 |
362 HANDLE stdout_handle = policy_base->GetStdoutHandle(); | 367 HANDLE stdout_handle = policy_base->GetStdoutHandle(); |
363 HANDLE stderr_handle = policy_base->GetStderrHandle(); | 368 HANDLE stderr_handle = policy_base->GetStderrHandle(); |
364 | 369 |
365 if (stdout_handle != INVALID_HANDLE_VALUE) | 370 if (stdout_handle != INVALID_HANDLE_VALUE) |
366 inherited_handle_list.push_back(stdout_handle); | 371 inherited_handle_list.push_back(stdout_handle); |
367 | 372 |
368 // Handles in the list must be unique. | 373 // Handles in the list must be unique. |
369 if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE) | 374 if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE) |
370 inherited_handle_list.push_back(stderr_handle); | 375 inherited_handle_list.push_back(stderr_handle); |
387 } | 392 } |
388 | 393 |
389 if (mitigations) { | 394 if (mitigations) { |
390 if (!startup_info.UpdateProcThreadAttribute( | 395 if (!startup_info.UpdateProcThreadAttribute( |
391 PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations, | 396 PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations, |
392 mitigations_size)) { | 397 mitigations_size)) { |
393 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; | 398 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; |
394 } | 399 } |
395 } | 400 } |
396 | 401 |
402 if (restrict_child_process_creation) { | |
403 if (!startup_info.UpdateProcThreadAttribute( | |
404 PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY, | |
405 &child_process_creation, sizeof(child_process_creation))) { | |
406 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; | |
407 } | |
408 } | |
409 | |
397 if (inherited_handle_list.size()) { | 410 if (inherited_handle_list.size()) { |
398 if (!startup_info.UpdateProcThreadAttribute( | 411 if (!startup_info.UpdateProcThreadAttribute( |
399 PROC_THREAD_ATTRIBUTE_HANDLE_LIST, | 412 PROC_THREAD_ATTRIBUTE_HANDLE_LIST, |
400 &inherited_handle_list[0], | 413 &inherited_handle_list[0], |
401 sizeof(HANDLE) * inherited_handle_list.size())) { | 414 sizeof(HANDLE) * inherited_handle_list.size())) { |
402 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; | 415 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; |
403 } | 416 } |
404 startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES; | 417 startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES; |
405 startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE; | 418 startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE; |
406 startup_info.startup_info()->hStdOutput = stdout_handle; | 419 startup_info.startup_info()->hStdOutput = stdout_handle; |
407 startup_info.startup_info()->hStdError = stderr_handle; | 420 startup_info.startup_info()->hStdError = stderr_handle; |
408 // Allowing inheritance of handles is only secure now that we | 421 // Allowing inheritance of handles is only secure now that we |
409 // have limited which handles will be inherited. | 422 // have limited which handles will be inherited. |
410 inherit_handles = true; | 423 inherit_handles = true; |
411 } | 424 } |
412 } | 425 } |
413 | 426 |
414 // Construct the thread pool here in case it is expensive. | 427 // Construct the thread pool here in case it is expensive. |
415 // The thread pool is shared by all the targets | 428 // The thread pool is shared by all the targets |
416 if (NULL == thread_pool_) | 429 if (NULL == thread_pool_) |
417 thread_pool_ = new Win2kThreadPool(); | 430 thread_pool_ = new Win2kThreadPool(); |
418 | 431 |
419 // Create the TargetProces object and spawn the target suspended. Note that | 432 // Create the TargetProcess object and spawn the target suspended. Note that |
420 // Brokerservices does not own the target object. It is owned by the Policy. | 433 // Brokerservices does not own the target object. It is owned by the Policy. |
421 base::win::ScopedProcessInformation process_info; | 434 base::win::ScopedProcessInformation process_info; |
422 TargetProcess* target = | 435 TargetProcess* target = |
423 new TargetProcess(initial_token.Pass(), lockdown_token.Pass(), | 436 new TargetProcess(initial_token.Pass(), lockdown_token.Pass(), |
424 lowbox_token.Pass(), job.Get(), thread_pool_); | 437 lowbox_token.Pass(), job.Get(), thread_pool_); |
425 | 438 |
426 DWORD win_result = target->Create(exe_path, command_line, inherit_handles, | 439 DWORD win_result = target->Create(exe_path, command_line, inherit_handles, |
427 startup_info, &process_info); | 440 startup_info, &process_info); |
428 | 441 |
429 policy_base->ClearSharedHandles(); | 442 policy_base->ClearSharedHandles(); |
541 return SBOX_ERROR_UNSUPPORTED; | 554 return SBOX_ERROR_UNSUPPORTED; |
542 | 555 |
543 base::string16 name = LookupAppContainer(sid); | 556 base::string16 name = LookupAppContainer(sid); |
544 if (name.empty()) | 557 if (name.empty()) |
545 return SBOX_ERROR_INVALID_APP_CONTAINER; | 558 return SBOX_ERROR_INVALID_APP_CONTAINER; |
546 | 559 |
547 return DeleteAppContainer(sid); | 560 return DeleteAppContainer(sid); |
548 } | 561 } |
549 | 562 |
550 } // namespace sandbox | 563 } // namespace sandbox |
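Review bot: `bool restrict_child_process_creation;` at new line 358 is declared without an initializer and is then read at new lines 364 and 402; unless ConvertProcessMitigationsToPolicy (not visible here) is guaranteed to assign it on every path, that read would see an indeterminate value, so the declaration should be `bool restrict_child_process_creation = false;` so that the conservative default is "no extra attribute". Separately, the new UpdateProcThreadAttribute call at new lines 403-405 sits under the existing `>= VERSION_VISTA` check, but PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY is only recognised from Windows 8 onward, so on an older OS a policy that requests this mitigation would make the whole spawn fail with SBOX_ERROR_PROC_THREAD_ATTRIBUTES instead of simply omitting the restriction; if the conversion helper does not already clear the flag on pre-Windows-8 versions, either clear it there or gate both the `++attribute_count` at new line 365 and the attribute call on `base::win::GetVersion() >= base::win::VERSION_WIN8`. The enclosing function begins above the visible lines, and the block between new lines 375 and 392 is collapsed, so the app-container attribute handling could not be checked for the same versioning pattern.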