OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "sandbox/win/src/app_container.h" | |
6 | |
7 #include <Sddl.h> | |
8 #include <stddef.h> | |
9 #include <vector> | |
10 | |
11 #include "base/logging.h" | |
12 #include "base/memory/scoped_ptr.h" | |
13 #include "base/win/startup_information.h" | |
14 #include "sandbox/win/src/internal_types.h" | |
15 | |
16 namespace { | |
17 | |
18 // Converts the passed in sid string to a PSID that must be relased with | |
19 // LocalFree. | |
20 PSID ConvertSid(const base::string16& sid) { | |
21 PSID local_sid; | |
22 if (!ConvertStringSidToSid(sid.c_str(), &local_sid)) | |
23 return NULL; | |
24 return local_sid; | |
25 } | |
26 | |
27 template <typename T> | |
28 T BindFunction(const char* name) { | |
29 HMODULE module = GetModuleHandle(sandbox::kKerneldllName); | |
30 void* function = GetProcAddress(module, name); | |
31 if (!function) { | |
32 module = GetModuleHandle(sandbox::kKernelBasedllName); | |
33 function = GetProcAddress(module, name); | |
34 } | |
35 return reinterpret_cast<T>(function); | |
36 } | |
37 | |
38 } // namespace | |
39 | |
40 namespace sandbox { | |
41 | |
42 AppContainerAttributes::AppContainerAttributes() { | |
43 memset(&capabilities_, 0, sizeof(capabilities_)); | |
44 } | |
45 | |
46 AppContainerAttributes::~AppContainerAttributes() { | |
47 for (size_t i = 0; i < attributes_.size(); i++) | |
48 LocalFree(attributes_[i].Sid); | |
49 LocalFree(capabilities_.AppContainerSid); | |
50 } | |
51 | |
52 ResultCode AppContainerAttributes::SetAppContainer( | |
53 const base::string16& app_container_sid, | |
54 const std::vector<base::string16>& capabilities) { | |
55 DCHECK(!capabilities_.AppContainerSid); | |
56 DCHECK(attributes_.empty()); | |
57 capabilities_.AppContainerSid = ConvertSid(app_container_sid); | |
58 if (!capabilities_.AppContainerSid) | |
59 return SBOX_ERROR_INVALID_APP_CONTAINER; | |
60 | |
61 for (size_t i = 0; i < capabilities.size(); i++) { | |
62 SID_AND_ATTRIBUTES sid_and_attributes; | |
63 sid_and_attributes.Sid = ConvertSid(capabilities[i]); | |
64 if (!sid_and_attributes.Sid) | |
65 return SBOX_ERROR_INVALID_CAPABILITY; | |
66 | |
67 sid_and_attributes.Attributes = SE_GROUP_ENABLED; | |
68 attributes_.push_back(sid_and_attributes); | |
69 } | |
70 | |
71 if (capabilities.size()) { | |
72 capabilities_.CapabilityCount = static_cast<DWORD>(capabilities.size()); | |
73 capabilities_.Capabilities = &attributes_[0]; | |
74 } | |
75 return SBOX_ALL_OK; | |
76 } | |
77 | |
78 ResultCode AppContainerAttributes::ShareForStartup( | |
79 base::win::StartupInformation* startup_information) const { | |
80 // The only thing we support so far is an AppContainer. | |
81 if (!capabilities_.AppContainerSid) | |
82 return SBOX_ERROR_INVALID_APP_CONTAINER; | |
83 | |
84 if (!startup_information->UpdateProcThreadAttribute( | |
85 PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES, | |
86 const_cast<SECURITY_CAPABILITIES*>(&capabilities_), | |
87 sizeof(capabilities_))) { | |
88 DPLOG(ERROR) << "Failed UpdateProcThreadAttribute"; | |
89 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER; | |
90 } | |
91 return SBOX_ALL_OK; | |
92 } | |
93 | |
94 bool AppContainerAttributes::HasAppContainer() const { | |
95 return (capabilities_.AppContainerSid != NULL); | |
96 } | |
97 | |
98 ResultCode CreateAppContainer(const base::string16& sid, | |
99 const base::string16& name) { | |
100 PSID local_sid; | |
101 if (!ConvertStringSidToSid(sid.c_str(), &local_sid)) | |
102 return SBOX_ERROR_INVALID_APP_CONTAINER; | |
103 | |
104 typedef HRESULT (WINAPI* AppContainerRegisterSidPtr)(PSID sid, | |
105 LPCWSTR moniker, | |
106 LPCWSTR display_name); | |
107 static AppContainerRegisterSidPtr AppContainerRegisterSid = NULL; | |
108 | |
109 if (!AppContainerRegisterSid) { | |
110 AppContainerRegisterSid = | |
111 BindFunction<AppContainerRegisterSidPtr>("AppContainerRegisterSid"); | |
112 } | |
113 | |
114 ResultCode operation_result = SBOX_ERROR_GENERIC; | |
115 if (AppContainerRegisterSid) { | |
116 HRESULT rv = AppContainerRegisterSid(local_sid, name.c_str(), name.c_str()); | |
117 if (SUCCEEDED(rv)) | |
118 operation_result = SBOX_ALL_OK; | |
119 else | |
120 DLOG(ERROR) << "AppContainerRegisterSid error:" << std::hex << rv; | |
121 } | |
122 LocalFree(local_sid); | |
123 return operation_result; | |
124 } | |
125 | |
126 ResultCode DeleteAppContainer(const base::string16& sid) { | |
127 PSID local_sid; | |
128 if (!ConvertStringSidToSid(sid.c_str(), &local_sid)) | |
129 return SBOX_ERROR_INVALID_APP_CONTAINER; | |
130 | |
131 typedef HRESULT (WINAPI* AppContainerUnregisterSidPtr)(PSID sid); | |
132 static AppContainerUnregisterSidPtr AppContainerUnregisterSid = NULL; | |
133 | |
134 if (!AppContainerUnregisterSid) { | |
135 AppContainerUnregisterSid = | |
136 BindFunction<AppContainerUnregisterSidPtr>("AppContainerUnregisterSid"); | |
137 } | |
138 | |
139 ResultCode operation_result = SBOX_ERROR_GENERIC; | |
140 if (AppContainerUnregisterSid) { | |
141 HRESULT rv = AppContainerUnregisterSid(local_sid); | |
142 if (SUCCEEDED(rv)) | |
143 operation_result = SBOX_ALL_OK; | |
144 else | |
145 DLOG(ERROR) << "AppContainerUnregisterSid error:" << std::hex << rv; | |
146 } | |
147 LocalFree(local_sid); | |
148 return operation_result; | |
149 } | |
150 | |
151 base::string16 LookupAppContainer(const base::string16& sid) { | |
152 PSID local_sid; | |
153 if (!ConvertStringSidToSid(sid.c_str(), &local_sid)) | |
154 return base::string16(); | |
155 | |
156 typedef HRESULT (WINAPI* AppContainerLookupMonikerPtr)(PSID sid, | |
157 LPWSTR* moniker); | |
158 typedef BOOLEAN (WINAPI* AppContainerFreeMemoryPtr)(void* ptr); | |
159 | |
160 static AppContainerLookupMonikerPtr AppContainerLookupMoniker = NULL; | |
161 static AppContainerFreeMemoryPtr AppContainerFreeMemory = NULL; | |
162 | |
163 if (!AppContainerLookupMoniker || !AppContainerFreeMemory) { | |
164 AppContainerLookupMoniker = | |
165 BindFunction<AppContainerLookupMonikerPtr>("AppContainerLookupMoniker"); | |
166 AppContainerFreeMemory = | |
167 BindFunction<AppContainerFreeMemoryPtr>("AppContainerFreeMemory"); | |
168 } | |
169 | |
170 if (!AppContainerLookupMoniker || !AppContainerFreeMemory) | |
171 return base::string16(); | |
172 | |
173 wchar_t* buffer = NULL; | |
174 HRESULT rv = AppContainerLookupMoniker(local_sid, &buffer); | |
175 if (FAILED(rv)) | |
176 return base::string16(); | |
177 | |
178 base::string16 name(buffer); | |
179 if (!AppContainerFreeMemory(buffer)) | |
180 NOTREACHED(); | |
181 return name; | |
182 } | |
183 | |
184 } // namespace sandbox | |
OLD | NEW |