1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/win/src/broker_services.h" | 5 #include "sandbox/win/src/broker_services.h" |
6 | 6 |
7 #include <AclAPI.h> | 7 #include <AclAPI.h> |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 | 9 |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
(...skipping 312 matching lines...)
323 if (SBOX_ALL_OK != result) | 323 if (SBOX_ALL_OK != result) |
324 return result; | 324 return result; |
325 | 325 |
326 base::win::ScopedHandle job; | 326 base::win::ScopedHandle job; |
327 result = policy_base->MakeJobObject(&job); | 327 result = policy_base->MakeJobObject(&job); |
328 if (SBOX_ALL_OK != result) | 328 if (SBOX_ALL_OK != result) |
329 return result; | 329 return result; |
330 | 330 |
331 // Initialize the startup information from the policy. | 331 // Initialize the startup information from the policy. |
332 base::win::StartupInformation startup_info; | 332 base::win::StartupInformation startup_info; |
333 // The liftime of |mitigations| and |inherit_handle_list| have to be at least | 333 // The liftime of |mitigations|, |inherit_handle_list| and |
334 // as long as |startup_info| because |UpdateProcThreadAttribute| requires that | 334 // |child_process_creation| have to be at least as long as |
| 335 // |startup_info| because |UpdateProcThreadAttribute| requires that |
335 // its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is | 336 // its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is |
336 // called; StartupInformation's destructor makes such a call. | 337 // called; StartupInformation's destructor makes such a call. |
337 DWORD64 mitigations; | 338 DWORD64 mitigations; |
338 | |
339 std::vector<HANDLE> inherited_handle_list; | 339 std::vector<HANDLE> inherited_handle_list; |
| 340 DWORD child_process_creation = PROCESS_CREATION_CHILD_PROCESS_RESTRICTED; |
340 | 341 |
341 base::string16 desktop = policy_base->GetAlternateDesktop(); | 342 base::string16 desktop = policy_base->GetAlternateDesktop(); |
342 if (!desktop.empty()) { | 343 if (!desktop.empty()) { |
343 startup_info.startup_info()->lpDesktop = | 344 startup_info.startup_info()->lpDesktop = |
344 const_cast<wchar_t*>(desktop.c_str()); | 345 const_cast<wchar_t*>(desktop.c_str()); |
345 } | 346 } |
346 | 347 |
347 bool inherit_handles = false; | 348 bool inherit_handles = false; |
348 | 349 |
349 if (base::win::GetVersion() >= base::win::VERSION_VISTA) { | 350 if (base::win::GetVersion() >= base::win::VERSION_VISTA) { |
350 int attribute_count = 0; | 351 int attribute_count = 0; |
351 const AppContainerAttributes* app_container = | 352 const AppContainerAttributes* app_container = |
352 policy_base->GetAppContainer(); | 353 policy_base->GetAppContainer(); |
353 if (app_container) | 354 if (app_container) |
354 ++attribute_count; | 355 ++attribute_count; |
355 | 356 |
356 size_t mitigations_size; | 357 size_t mitigations_size; |
357 ConvertProcessMitigationsToPolicy(policy->GetProcessMitigations(), | 358 ConvertProcessMitigationsToPolicy(policy_base->GetProcessMitigations(), |
358 &mitigations, &mitigations_size); | 359 &mitigations, &mitigations_size); |
359 if (mitigations) | 360 if (mitigations) |
360 ++attribute_count; | 361 ++attribute_count; |
361 | 362 |
| 363 bool restrict_child_process_creation = false; |
| 364 if (base::win::GetVersion() >= base::win::VERSION_WIN10_TH2 && |
| 365 policy_base->GetJobLevel() <= JOB_LIMITED_USER) { |
| 366 restrict_child_process_creation = true; |
| 367 ++attribute_count; |
| 368 } |
| 369 |
362 HANDLE stdout_handle = policy_base->GetStdoutHandle(); | 370 HANDLE stdout_handle = policy_base->GetStdoutHandle(); |
363 HANDLE stderr_handle = policy_base->GetStderrHandle(); | 371 HANDLE stderr_handle = policy_base->GetStderrHandle(); |
364 | 372 |
365 if (stdout_handle != INVALID_HANDLE_VALUE) | 373 if (stdout_handle != INVALID_HANDLE_VALUE) |
366 inherited_handle_list.push_back(stdout_handle); | 374 inherited_handle_list.push_back(stdout_handle); |
367 | 375 |
368 // Handles in the list must be unique. | 376 // Handles in the list must be unique. |
369 if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE) | 377 if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE) |
370 inherited_handle_list.push_back(stderr_handle); | 378 inherited_handle_list.push_back(stderr_handle); |
371 | 379 |
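Review bot: The `policy_base->GetJobLevel() <= JOB_LIMITED_USER` test on new line 365 encodes two assumptions a reader cannot see here: that JobLevel is ordered from most to least restrictive, and that the levels at or below JOB_LIMITED_USER are exactly the ones whose targets are not meant to spawn processes. A short comment above the `if` would keep a later change that adds or reorders a JobLevel from silently changing which targets receive the child-process policy, e.g. `// JobLevel is ordered most -> least restrictive; only the levels that already confine the target (at or below JOB_LIMITED_USER) get the child process creation policy. Keep this threshold in step with the job limits set in MakeJobObject.` The link to MakeJobObject's limits is inferred from the level names rather than visible in this hunk, so confirm it before quoting that clause. The attribute itself is applied in the next hunk (new lines 405-411), and the enclosing function begins and ends outside this hunk.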
(...skipping 15 matching lines...)
387 } | 395 } |
388 | 396 |
389 if (mitigations) { | 397 if (mitigations) { |
390 if (!startup_info.UpdateProcThreadAttribute( | 398 if (!startup_info.UpdateProcThreadAttribute( |
391 PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations, | 399 PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations, |
392 mitigations_size)) { | 400 mitigations_size)) { |
393 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; | 401 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; |
394 } | 402 } |
395 } | 403 } |
396 | 404 |
| 405 if (restrict_child_process_creation) { |
| 406 if (!startup_info.UpdateProcThreadAttribute( |
| 407 PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY, |
| 408 &child_process_creation, sizeof(child_process_creation))) { |
| 409 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; |
| 410 } |
| 411 } |
| 412 |
397 if (inherited_handle_list.size()) { | 413 if (inherited_handle_list.size()) { |
398 if (!startup_info.UpdateProcThreadAttribute( | 414 if (!startup_info.UpdateProcThreadAttribute( |
399 PROC_THREAD_ATTRIBUTE_HANDLE_LIST, | 415 PROC_THREAD_ATTRIBUTE_HANDLE_LIST, |
400 &inherited_handle_list[0], | 416 &inherited_handle_list[0], |
401 sizeof(HANDLE) * inherited_handle_list.size())) { | 417 sizeof(HANDLE) * inherited_handle_list.size())) { |
402 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; | 418 return SBOX_ERROR_PROC_THREAD_ATTRIBUTES; |
403 } | 419 } |
404 startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES; | 420 startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES; |
405 startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE; | 421 startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE; |
406 startup_info.startup_info()->hStdOutput = stdout_handle; | 422 startup_info.startup_info()->hStdOutput = stdout_handle; |
407 startup_info.startup_info()->hStdError = stderr_handle; | 423 startup_info.startup_info()->hStdError = stderr_handle; |
408 // Allowing inheritance of handles is only secure now that we | 424 // Allowing inheritance of handles is only secure now that we |
409 // have limited which handles will be inherited. | 425 // have limited which handles will be inherited. |
410 inherit_handles = true; | 426 inherit_handles = true; |
411 } | 427 } |
412 } | 428 } |
413 | 429 |
414 // Construct the thread pool here in case it is expensive. | 430 // Construct the thread pool here in case it is expensive. |
415 // The thread pool is shared by all the targets | 431 // The thread pool is shared by all the targets |
416 if (NULL == thread_pool_) | 432 if (NULL == thread_pool_) |
417 thread_pool_ = new Win2kThreadPool(); | 433 thread_pool_ = new Win2kThreadPool(); |
418 | 434 |
419 // Create the TargetProces object and spawn the target suspended. Note that | 435 // Create the TargetProcess object and spawn the target suspended. Note that |
420 // Brokerservices does not own the target object. It is owned by the Policy. | 436 // Brokerservices does not own the target object. It is owned by the Policy. |
421 base::win::ScopedProcessInformation process_info; | 437 base::win::ScopedProcessInformation process_info; |
422 TargetProcess* target = | 438 TargetProcess* target = |
423 new TargetProcess(initial_token.Pass(), lockdown_token.Pass(), | 439 new TargetProcess(initial_token.Pass(), lockdown_token.Pass(), |
424 lowbox_token.Pass(), job.Get(), thread_pool_); | 440 lowbox_token.Pass(), job.Get(), thread_pool_); |
425 | 441 |
426 DWORD win_result = target->Create(exe_path, command_line, inherit_handles, | 442 DWORD win_result = target->Create(exe_path, command_line, inherit_handles, |
427 startup_info, &process_info); | 443 startup_info, &process_info); |
428 | 444 |
429 policy_base->ClearSharedHandles(); | 445 policy_base->ClearSharedHandles(); |
(...skipping 111 matching lines...)
541 return SBOX_ERROR_UNSUPPORTED; | 557 return SBOX_ERROR_UNSUPPORTED; |
542 | 558 |
543 base::string16 name = LookupAppContainer(sid); | 559 base::string16 name = LookupAppContainer(sid); |
544 if (name.empty()) | 560 if (name.empty()) |
545 return SBOX_ERROR_INVALID_APP_CONTAINER; | 561 return SBOX_ERROR_INVALID_APP_CONTAINER; |
546 | 562 |
547 return DeleteAppContainer(sid); | 563 return DeleteAppContainer(sid); |
548 } | 564 } |
549 | 565 |
550 } // namespace sandbox | 566 } // namespace sandbox |