| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
| 6 | 6 |
| 7 #include <sddl.h> | 7 #include <sddl.h> |
| 8 #include <stddef.h> | 8 #include <stddef.h> |
| 9 #include <stdint.h> | 9 #include <stdint.h> |
| 10 | 10 |
| 129 relaxed_interceptions_(true), | 129 relaxed_interceptions_(true), |
| 130 stdout_handle_(INVALID_HANDLE_VALUE), | 130 stdout_handle_(INVALID_HANDLE_VALUE), |
| 131 stderr_handle_(INVALID_HANDLE_VALUE), | 131 stderr_handle_(INVALID_HANDLE_VALUE), |
| 132 integrity_level_(INTEGRITY_LEVEL_LAST), | 132 integrity_level_(INTEGRITY_LEVEL_LAST), |
| 133 delayed_integrity_level_(INTEGRITY_LEVEL_LAST), | 133 delayed_integrity_level_(INTEGRITY_LEVEL_LAST), |
| 134 mitigations_(0), | 134 mitigations_(0), |
| 135 delayed_mitigations_(0), | 135 delayed_mitigations_(0), |
| 136 is_csrss_connected_(true), | 136 is_csrss_connected_(true), |
| 137 policy_maker_(NULL), | 137 policy_maker_(NULL), |
| 138 policy_(NULL), | 138 policy_(NULL), |
| 139 lowbox_sid_(NULL) { | 139 lowbox_sid_(NULL), |
| 140 lockdown_default_dacl_(false) { |
| 140 ::InitializeCriticalSection(&lock_); | 141 ::InitializeCriticalSection(&lock_); |
| 141 dispatcher_.reset(new TopLevelDispatcher(this)); | 142 dispatcher_.reset(new TopLevelDispatcher(this)); |
| 142 } | 143 } |
| 143 | 144 |
| 144 PolicyBase::~PolicyBase() { | 145 PolicyBase::~PolicyBase() { |
| 145 TargetSet::iterator it; | 146 TargetSet::iterator it; |
| 146 for (it = targets_.begin(); it != targets_.end(); ++it) { | 147 for (it = targets_.begin(); it != targets_.end(); ++it) { |
| 147 TargetProcess* target = (*it); | 148 TargetProcess* target = (*it); |
| 148 delete target; | 149 delete target; |
| 149 } | 150 } |
| 427 CHECK(handle && handle != INVALID_HANDLE_VALUE); | 428 CHECK(handle && handle != INVALID_HANDLE_VALUE); |
| 428 | 429 |
| 429 // Ensure the handle can be inherited. | 430 // Ensure the handle can be inherited. |
| 430 BOOL result = SetHandleInformation(handle, HANDLE_FLAG_INHERIT, | 431 BOOL result = SetHandleInformation(handle, HANDLE_FLAG_INHERIT, |
| 431 HANDLE_FLAG_INHERIT); | 432 HANDLE_FLAG_INHERIT); |
| 432 PCHECK(result); | 433 PCHECK(result); |
| 433 | 434 |
| 434 handles_to_share_.push_back(handle); | 435 handles_to_share_.push_back(handle); |
| 435 } | 436 } |
| 436 | 437 |
| 438 void PolicyBase::SetLockdownDefaultDacl() { |
| 439 lockdown_default_dacl_ = true; |
| 440 } |
| 441 |
| 437 const base::HandlesToInheritVector& PolicyBase::GetHandlesBeingShared() { | 442 const base::HandlesToInheritVector& PolicyBase::GetHandlesBeingShared() { |
| 438 return handles_to_share_; | 443 return handles_to_share_; |
| 439 } | 444 } |
| 440 | 445 |
| 441 ResultCode PolicyBase::MakeJobObject(base::win::ScopedHandle* job) { | 446 ResultCode PolicyBase::MakeJobObject(base::win::ScopedHandle* job) { |
| 442 if (job_level_ != JOB_NONE) { | 447 if (job_level_ != JOB_NONE) { |
| 443 // Create the windows job object. | 448 // Create the windows job object. |
| 444 Job job_obj; | 449 Job job_obj; |
| 445 DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_, | 450 DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_, |
| 446 memory_limit_); | 451 memory_limit_); |
| 457 ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, | 462 ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, |
| 458 base::win::ScopedHandle* lockdown, | 463 base::win::ScopedHandle* lockdown, |
| 459 base::win::ScopedHandle* lowbox) { | 464 base::win::ScopedHandle* lowbox) { |
| 460 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() && | 465 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() && |
| 461 lowbox_sid_) { | 466 lowbox_sid_) { |
| 462 return SBOX_ERROR_BAD_PARAMS; | 467 return SBOX_ERROR_BAD_PARAMS; |
| 463 } | 468 } |
| 464 | 469 |
| 465 // Create the 'naked' token. This will be the permanent token associated | 470 // Create the 'naked' token. This will be the permanent token associated |
| 466 // with the process and therefore with any thread that is not impersonating. | 471 // with the process and therefore with any thread that is not impersonating. |
| 467 DWORD result = CreateRestrictedToken(lockdown_level_, integrity_level_, | 472 DWORD result = |
| 468 PRIMARY, lockdown); | 473 CreateRestrictedToken(lockdown_level_, integrity_level_, PRIMARY, |
| 474 lockdown_default_dacl_, lockdown); |
| 469 if (ERROR_SUCCESS != result) | 475 if (ERROR_SUCCESS != result) |
| 470 return SBOX_ERROR_GENERIC; | 476 return SBOX_ERROR_GENERIC; |
| 471 | 477 |
| 472 // If we're launching on the alternate desktop we need to make sure the | 478 // If we're launching on the alternate desktop we need to make sure the |
| 473 // integrity label on the object is no higher than the sandboxed process's | 479 // integrity label on the object is no higher than the sandboxed process's |
| 474 // integrity level. So, we lower the label on the desktop process if it's | 480 // integrity level. So, we lower the label on the desktop process if it's |
| 475 // not already low enough for our process. | 481 // not already low enough for our process. |
| 476 if (alternate_desktop_handle_ && use_alternate_desktop_ && | 482 if (alternate_desktop_handle_ && use_alternate_desktop_ && |
| 477 integrity_level_ != INTEGRITY_LEVEL_LAST && | 483 integrity_level_ != INTEGRITY_LEVEL_LAST && |
| 478 alternate_desktop_integrity_level_label_ < integrity_level_) { | 484 alternate_desktop_integrity_level_label_ < integrity_level_) { |
| 525 if (!NT_SUCCESS(status)) | 531 if (!NT_SUCCESS(status)) |
| 526 return SBOX_ERROR_GENERIC; | 532 return SBOX_ERROR_GENERIC; |
| 527 | 533 |
| 528 DCHECK(token_lowbox); | 534 DCHECK(token_lowbox); |
| 529 lowbox->Set(token_lowbox); | 535 lowbox->Set(token_lowbox); |
| 530 } | 536 } |
| 531 | 537 |
| 532 // Create the 'better' token. We use this token as the one that the main | 538 // Create the 'better' token. We use this token as the one that the main |
| 533 // thread uses when booting up the process. It should contain most of | 539 // thread uses when booting up the process. It should contain most of |
| 534 // what we need (before reaching main( )) | 540 // what we need (before reaching main( )) |
| 535 result = CreateRestrictedToken(initial_level_, integrity_level_, | 541 result = |
| 536 IMPERSONATION, initial); | 542 CreateRestrictedToken(initial_level_, integrity_level_, IMPERSONATION, |
| 543 lockdown_default_dacl_, initial); |
| 537 if (ERROR_SUCCESS != result) | 544 if (ERROR_SUCCESS != result) |
| 538 return SBOX_ERROR_GENERIC; | 545 return SBOX_ERROR_GENERIC; |
| 539 | 546 |
| 540 return SBOX_ALL_OK; | 547 return SBOX_ALL_OK; |
| 541 } | 548 } |
| 542 | 549 |
| 543 const AppContainerAttributes* PolicyBase::GetAppContainer() const { | 550 const AppContainerAttributes* PolicyBase::GetAppContainer() const { |
| 544 if (!appcontainer_list_.get() || !appcontainer_list_->HasAppContainer()) | 551 if (!appcontainer_list_.get() || !appcontainer_list_->HasAppContainer()) |
| 545 return NULL; | 552 return NULL; |
| 546 | 553 |
| 761 break; | 768 break; |
| 762 } | 769 } |
| 763 | 770 |
| 764 default: { return SBOX_ERROR_UNSUPPORTED; } | 771 default: { return SBOX_ERROR_UNSUPPORTED; } |
| 765 } | 772 } |
| 766 | 773 |
| 767 return SBOX_ALL_OK; | 774 return SBOX_ALL_OK; |
| 768 } | 775 } |
| 769 | 776 |
| 770 } // namespace sandbox | 777 } // namespace sandbox |
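Review bot: `SetLockdownDefaultDacl()` (new lines 438-440) and the `lockdown_default_dacl_` member it sets carry no comment saying what the flag does or when it is consumed; since it is only read inside `MakeTokens` (new lines 472-474 and 541-543), I would add above the setter: `// Requests that the lockdown and initial tokens be created with a restricted default DACL. The flag is read in MakeTokens(), so it must be set before the target process is created.` The flag is forwarded for both the PRIMARY lockdown token and the IMPERSONATION initial token, but the lowbox token is produced in the part of `MakeTokens` elided between new lines 484 and 531, so it is not visible here whether that token inherits the locked-down default DACL or needs its own handling — worth confirming and recording in the same comment. The new member is initialized last in the constructor initializer list (new line 140); its declaration in the header, not shown here, must likewise follow `lowbox_sid_` or the build will warn under -Wreorder. `MakeTokens` begins and ends in different hunks of this section, with its middle elided.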