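--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,184 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/win/src/app_container.h"
+
+#include <Sddl.h>
+#include <stddef.h>
+#include <vector>
+
+#include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/win/startup_information.h"
+#include "sandbox/win/src/internal_types.h"
+
+namespace {
+
+// Converts the passed in sid string to a PSID that must be relased with
+// LocalFree.
+PSID ConvertSid(const base::string16& sid) {
+PSID local_sid;
+if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
+return NULL;
+return local_sid;
+}
+
+template <typename T>
+T BindFunction(const char* name) {
+HMODULE module = GetModuleHandle(sandbox::kKerneldllName);
+void* function = GetProcAddress(module, name);
+if (!function) {
+module = GetModuleHandle(sandbox::kKernelBasedllName);
+function = GetProcAddress(module, name);
+}
+return reinterpret_cast<T>(function);
+}
+
+} // namespace
+
+namespace sandbox {
+
+AppContainerAttributes::AppContainerAttributes() {
+memset(&capabilities_, 0, sizeof(capabilities_));
+}
+
+AppContainerAttributes::~AppContainerAttributes() {
+for (size_t i = 0; i < attributes_.size(); i++)
+LocalFree(attributes_[i].Sid);
+LocalFree(capabilities_.AppContainerSid);
+}
+
+ResultCode AppContainerAttributes::SetAppContainer(
+const base::string16& app_container_sid,
+const std::vector<base::string16>& capabilities) {
+DCHECK(!capabilities_.AppContainerSid);
+DCHECK(attributes_.empty());
+capabilities_.AppContainerSid = ConvertSid(app_container_sid);
+if (!capabilities_.AppContainerSid)
+return SBOX_ERROR_INVALID_APP_CONTAINER;
+
+for (size_t i = 0; i < capabilities.size(); i++) {
+SID_AND_ATTRIBUTES sid_and_attributes;
+sid_and_attributes.Sid = ConvertSid(capabilities[i]);
+if (!sid_and_attributes.Sid)
+return SBOX_ERROR_INVALID_CAPABILITY;
+
+sid_and_attributes.Attributes = SE_GROUP_ENABLED;
+attributes_.push_back(sid_and_attributes);
+}
+
+if (capabilities.size()) {
+capabilities_.CapabilityCount = static_cast<DWORD>(capabilities.size());
+capabilities_.Capabilities = &attributes_[0];
+}
+return SBOX_ALL_OK;
+}
+
+ResultCode AppContainerAttributes::ShareForStartup(
+base::win::StartupInformation* startup_information) const {
+// The only thing we support so far is an AppContainer.
+if (!capabilities_.AppContainerSid)
+return SBOX_ERROR_INVALID_APP_CONTAINER;
+
+if (!startup_information->UpdateProcThreadAttribute(
+PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES,
+const_cast<SECURITY_CAPABILITIES*>(&capabilities_),
+sizeof(capabilities_))) {
+DPLOG(ERROR) << "Failed UpdateProcThreadAttribute";
+return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
+}
+return SBOX_ALL_OK;
+}
+
+bool AppContainerAttributes::HasAppContainer() const {
+return (capabilities_.AppContainerSid != NULL);
+}
+
+ResultCode CreateAppContainer(const base::string16& sid,
+const base::string16& name) {
+PSID local_sid;
+if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
+return SBOX_ERROR_INVALID_APP_CONTAINER;
+
+typedef HRESULT (WINAPI* AppContainerRegisterSidPtr)(PSID sid,
+LPCWSTR moniker,
+LPCWSTR display_name);
+static AppContainerRegisterSidPtr AppContainerRegisterSid = NULL;
+
+if (!AppContainerRegisterSid) {
+AppContainerRegisterSid =
+BindFunction<AppContainerRegisterSidPtr>("AppContainerRegisterSid");
+}
+
+ResultCode operation_result = SBOX_ERROR_GENERIC;
+if (AppContainerRegisterSid) {
+HRESULT rv = AppContainerRegisterSid(local_sid, name.c_str(), name.c_str());
+if (SUCCEEDED(rv))
+operation_result = SBOX_ALL_OK;
+else
+DLOG(ERROR) << "AppContainerRegisterSid error:" << std::hex << rv;
+}
+LocalFree(local_sid);
+return operation_result;
+}
+
+ResultCode DeleteAppContainer(const base::string16& sid) {
+PSID local_sid;
+if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
+return SBOX_ERROR_INVALID_APP_CONTAINER;
+
+typedef HRESULT (WINAPI* AppContainerUnregisterSidPtr)(PSID sid);
+static AppContainerUnregisterSidPtr AppContainerUnregisterSid = NULL;
+
+if (!AppContainerUnregisterSid) {
+AppContainerUnregisterSid =
+BindFunction<AppContainerUnregisterSidPtr>("AppContainerUnregisterSid");
+}
+
+ResultCode operation_result = SBOX_ERROR_GENERIC;
+if (AppContainerUnregisterSid) {
+HRESULT rv = AppContainerUnregisterSid(local_sid);
+if (SUCCEEDED(rv))
+operation_result = SBOX_ALL_OK;
+else
+DLOG(ERROR) << "AppContainerUnregisterSid error:" << std::hex << rv;
+}
+LocalFree(local_sid);
+return operation_result;
+}
+
+base::string16 LookupAppContainer(const base::string16& sid) {
+PSID local_sid;
+if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
+return base::string16();
+
+typedef HRESULT (WINAPI* AppContainerLookupMonikerPtr)(PSID sid,
+LPWSTR* moniker);
+typedef BOOLEAN (WINAPI* AppContainerFreeMemoryPtr)(void* ptr);
+
+static AppContainerLookupMonikerPtr AppContainerLookupMoniker = NULL;
+static AppContainerFreeMemoryPtr AppContainerFreeMemory = NULL;
+
+if (!AppContainerLookupMoniker || !AppContainerFreeMemory) {
+AppContainerLookupMoniker =
+BindFunction<AppContainerLookupMonikerPtr>("AppContainerLookupMoniker");
+AppContainerFreeMemory =
+BindFunction<AppContainerFreeMemoryPtr>("AppContainerFreeMemory");
+}
+
+if (!AppContainerLookupMoniker || !AppContainerFreeMemory)
+return base::string16();
+
+wchar_t* buffer = NULL;
+HRESULT rv = AppContainerLookupMoniker(local_sid, &buffer);
+if (FAILED(rv))
+return base::string16();
+
+base::string16 name(buffer);
+if (!AppContainerFreeMemory(buffer))
+NOTREACHED();
+return name;
+}
+
+} // namespace sandbox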