| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "sandbox/win/src/process_mitigations.h" | |
| 6 | |
| 7 #include <stddef.h> | |
| 8 | |
| 9 #include <algorithm> | |
| 10 | |
| 11 #include "base/win/windows_version.h" | |
| 12 #include "sandbox/win/src/nt_internals.h" | |
| 13 #include "sandbox/win/src/restricted_token_utils.h" | |
| 14 #include "sandbox/win/src/sandbox_rand.h" | |
| 15 #include "sandbox/win/src/win_utils.h" | |
| 16 | |
| 17 namespace { | |
| 18 | |
| 19 // Functions for enabling policies. | |
| 20 typedef BOOL (WINAPI *SetProcessDEPPolicyFunction)(DWORD dwFlags); | |
| 21 | |
| 22 typedef BOOL (WINAPI *SetProcessMitigationPolicyFunction)( | |
| 23 PROCESS_MITIGATION_POLICY mitigation_policy, | |
| 24 PVOID buffer, | |
| 25 SIZE_T length); | |
| 26 | |
| 27 typedef BOOL (WINAPI *SetDefaultDllDirectoriesFunction)( | |
| 28 DWORD DirectoryFlags); | |
| 29 | |
| 30 } // namespace | |
| 31 | |
| 32 namespace sandbox { | |
| 33 | |
| 34 bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) { | |
| 35 if (!CanSetProcessMitigationsPostStartup(flags)) | |
| 36 return false; | |
| 37 | |
| 38 base::win::Version version = base::win::GetVersion(); | |
| 39 HMODULE module = ::GetModuleHandleA("kernel32.dll"); | |
| 40 | |
| 41 if (flags & MITIGATION_DLL_SEARCH_ORDER) { | |
| 42 SetDefaultDllDirectoriesFunction set_default_dll_directories = | |
| 43 reinterpret_cast<SetDefaultDllDirectoriesFunction>( | |
| 44 ::GetProcAddress(module, "SetDefaultDllDirectories")); | |
| 45 | |
| 46 // Check for SetDefaultDllDirectories since it requires KB2533623. | |
| 47 if (set_default_dll_directories) { | |
| 48 if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) && | |
| 49 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
| 50 return false; | |
| 51 } | |
| 52 } | |
| 53 } | |
| 54 | |
| 55 // Set the heap to terminate on corruption | |
| 56 if (flags & MITIGATION_HEAP_TERMINATE) { | |
| 57 if (!::HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, | |
| 58 NULL, 0) && | |
| 59 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
| 60 return false; | |
| 61 } | |
| 62 } | |
| 63 | |
| 64 if (flags & MITIGATION_HARDEN_TOKEN_IL_POLICY) { | |
| 65 DWORD error = HardenProcessIntegrityLevelPolicy(); | |
| 66 if ((error != ERROR_SUCCESS) && (error != ERROR_ACCESS_DENIED)) | |
| 67 return false; | |
| 68 } | |
| 69 | |
| 70 #if !defined(_WIN64) // DEP is always enabled on 64-bit. | |
| 71 if (flags & MITIGATION_DEP) { | |
| 72 DWORD dep_flags = PROCESS_DEP_ENABLE; | |
| 73 | |
| 74 if (flags & MITIGATION_DEP_NO_ATL_THUNK) | |
| 75 dep_flags |= PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION; | |
| 76 | |
| 77 SetProcessDEPPolicyFunction set_process_dep_policy = | |
| 78 reinterpret_cast<SetProcessDEPPolicyFunction>( | |
| 79 ::GetProcAddress(module, "SetProcessDEPPolicy")); | |
| 80 if (set_process_dep_policy) { | |
| 81 if (!set_process_dep_policy(dep_flags) && | |
| 82 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
| 83 return false; | |
| 84 } | |
| 85 } else | |
| 86 return false; | |
| 87 } | |
| 88 #endif | |
| 89 | |
| 90 // This is all we can do in Win7 and below. | |
| 91 if (version < base::win::VERSION_WIN8) | |
| 92 return true; | |
| 93 | |
| 94 SetProcessMitigationPolicyFunction set_process_mitigation_policy = | |
| 95 reinterpret_cast<SetProcessMitigationPolicyFunction>( | |
| 96 ::GetProcAddress(module, "SetProcessMitigationPolicy")); | |
| 97 if (!set_process_mitigation_policy) | |
| 98 return false; | |
| 99 | |
| 100 // Enable ASLR policies. | |
| 101 if (flags & MITIGATION_RELOCATE_IMAGE) { | |
| 102 PROCESS_MITIGATION_ASLR_POLICY policy = {}; | |
| 103 policy.EnableForceRelocateImages = true; | |
| 104 policy.DisallowStrippedImages = (flags & | |
| 105 MITIGATION_RELOCATE_IMAGE_REQUIRED) == | |
| 106 MITIGATION_RELOCATE_IMAGE_REQUIRED; | |
| 107 | |
| 108 if (!set_process_mitigation_policy(ProcessASLRPolicy, &policy, | |
| 109 sizeof(policy)) && | |
| 110 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
| 111 return false; | |
| 112 } | |
| 113 } | |
| 114 | |
| 115 // Enable strict handle policies. | |
| 116 if (flags & MITIGATION_STRICT_HANDLE_CHECKS) { | |
| 117 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = {}; | |
| 118 policy.HandleExceptionsPermanentlyEnabled = | |
| 119 policy.RaiseExceptionOnInvalidHandleReference = true; | |
| 120 | |
| 121 if (!set_process_mitigation_policy(ProcessStrictHandleCheckPolicy, &policy, | |
| 122 sizeof(policy)) && | |
| 123 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
| 124 return false; | |
| 125 } | |
| 126 } | |
| 127 | |
| 128 // Enable system call policies. | |
| 129 if (flags & MITIGATION_WIN32K_DISABLE) { | |
| 130 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {}; | |
| 131 policy.DisallowWin32kSystemCalls = true; | |
| 132 | |
| 133 if (!set_process_mitigation_policy(ProcessSystemCallDisablePolicy, &policy, | |
| 134 sizeof(policy)) && | |
| 135 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
| 136 return false; | |
| 137 } | |
| 138 } | |
| 139 | |
| 140 // Enable dll extension policies. | |
| 141 if (flags & MITIGATION_EXTENSION_DLL_DISABLE) { | |
| 142 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | |
| 143 policy.DisableExtensionPoints = true; | |
| 144 | |
| 145 if (!set_process_mitigation_policy(ProcessExtensionPointDisablePolicy, | |
| 146 &policy, sizeof(policy)) && | |
| 147 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
| 148 return false; | |
| 149 } | |
| 150 } | |
| 151 | |
| 152 if (version < base::win::VERSION_WIN10) | |
| 153 return true; | |
| 154 | |
| 155 // Enable font policies. | |
| 156 if (flags & MITIGATION_NONSYSTEM_FONT_DISABLE) { | |
| 157 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; | |
| 158 policy.DisableNonSystemFonts = true; | |
| 159 | |
| 160 if (!set_process_mitigation_policy(ProcessFontDisablePolicy, &policy, | |
| 161 sizeof(policy)) && | |
| 162 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
| 163 return false; | |
| 164 } | |
| 165 } | |
| 166 | |
| 167 if (version < base::win::VERSION_WIN10_TH2) | |
| 168 return true; | |
| 169 | |
| 170 // Enable image load policies. | |
| 171 if (flags & MITIGATION_IMAGE_LOAD_NO_REMOTE || | |
| 172 flags & MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) { | |
| 173 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
| 174 if (flags & MITIGATION_IMAGE_LOAD_NO_REMOTE) | |
| 175 policy.NoRemoteImages = true; | |
| 176 if (flags & MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) | |
| 177 policy.NoLowMandatoryLabelImages = true; | |
| 178 | |
| 179 if (!set_process_mitigation_policy(ProcessImageLoadPolicy, &policy, | |
| 180 sizeof(policy)) && | |
| 181 ERROR_ACCESS_DENIED != ::GetLastError()) { | |
| 182 return false; | |
| 183 } | |
| 184 } | |
| 185 | |
| 186 return true; | |
| 187 } | |
| 188 | |
| 189 void ConvertProcessMitigationsToPolicy(MitigationFlags flags, | |
| 190 DWORD64* policy_flags, | |
| 191 size_t* size) { | |
| 192 base::win::Version version = base::win::GetVersion(); | |
| 193 | |
| 194 *policy_flags = 0; | |
| 195 #if defined(_WIN64) | |
| 196 *size = sizeof(*policy_flags); | |
| 197 #elif defined(_M_IX86) | |
| 198 // A 64-bit flags attribute is illegal on 32-bit Win 7 and below. | |
| 199 if (version < base::win::VERSION_WIN8) | |
| 200 *size = sizeof(DWORD); | |
| 201 else | |
| 202 *size = sizeof(*policy_flags); | |
| 203 #else | |
| 204 #error This platform is not supported. | |
| 205 #endif | |
| 206 | |
| 207 // DEP and SEHOP are not valid for 64-bit Windows | |
| 208 #if !defined(_WIN64) | |
| 209 if (flags & MITIGATION_DEP) { | |
| 210 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE; | |
| 211 if (!(flags & MITIGATION_DEP_NO_ATL_THUNK)) | |
| 212 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE; | |
| 213 } | |
| 214 | |
| 215 if (flags & MITIGATION_SEHOP) | |
| 216 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE; | |
| 217 #endif | |
| 218 | |
| 219 // Win 7 | |
| 220 if (version < base::win::VERSION_WIN8) | |
| 221 return; | |
| 222 | |
| 223 if (flags & MITIGATION_RELOCATE_IMAGE) { | |
| 224 *policy_flags |= | |
| 225 PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON; | |
| 226 if (flags & MITIGATION_RELOCATE_IMAGE_REQUIRED) { | |
| 227 *policy_flags |= | |
| 228 PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ
_RELOCS; | |
| 229 } | |
| 230 } | |
| 231 | |
| 232 if (flags & MITIGATION_HEAP_TERMINATE) { | |
| 233 *policy_flags |= | |
| 234 PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON; | |
| 235 } | |
| 236 | |
| 237 if (flags & MITIGATION_BOTTOM_UP_ASLR) { | |
| 238 *policy_flags |= | |
| 239 PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON; | |
| 240 } | |
| 241 | |
| 242 if (flags & MITIGATION_HIGH_ENTROPY_ASLR) { | |
| 243 *policy_flags |= | |
| 244 PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON; | |
| 245 } | |
| 246 | |
| 247 if (flags & MITIGATION_STRICT_HANDLE_CHECKS) { | |
| 248 *policy_flags |= | |
| 249 PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON; | |
| 250 } | |
| 251 | |
| 252 if (flags & MITIGATION_WIN32K_DISABLE) { | |
| 253 *policy_flags |= | |
| 254 PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON; | |
| 255 } | |
| 256 | |
| 257 if (flags & MITIGATION_EXTENSION_DLL_DISABLE) { | |
| 258 *policy_flags |= | |
| 259 PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON; | |
| 260 } | |
| 261 | |
| 262 if (version < base::win::VERSION_WIN10) | |
| 263 return; | |
| 264 | |
| 265 if (flags & MITIGATION_NONSYSTEM_FONT_DISABLE) { | |
| 266 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON; | |
| 267 } | |
| 268 | |
| 269 if (version < base::win::VERSION_WIN10_TH2) | |
| 270 return; | |
| 271 | |
| 272 if (flags & MITIGATION_IMAGE_LOAD_NO_REMOTE) { | |
| 273 *policy_flags |= | |
| 274 PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON; | |
| 275 } | |
| 276 | |
| 277 if (flags & MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) { | |
| 278 *policy_flags |= | |
| 279 PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON; | |
| 280 } | |
| 281 } | |
| 282 | |
| 283 MitigationFlags FilterPostStartupProcessMitigations(MitigationFlags flags) { | |
| 284 base::win::Version version = base::win::GetVersion(); | |
| 285 | |
| 286 // Windows 7. | |
| 287 if (version < base::win::VERSION_WIN8) { | |
| 288 return flags & (MITIGATION_BOTTOM_UP_ASLR | | |
| 289 MITIGATION_DLL_SEARCH_ORDER | | |
| 290 MITIGATION_HEAP_TERMINATE); | |
| 291 } | |
| 292 | |
| 293 // Windows 8 and above. | |
| 294 return flags & (MITIGATION_BOTTOM_UP_ASLR | | |
| 295 MITIGATION_DLL_SEARCH_ORDER); | |
| 296 } | |
| 297 | |
| 298 bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process, | |
| 299 MitigationFlags flags) { | |
| 300 // This is a hack to fake a weak bottom-up ASLR on 32-bit Windows. | |
| 301 #if !defined(_WIN64) | |
| 302 if (flags & MITIGATION_BOTTOM_UP_ASLR) { | |
| 303 unsigned int limit; | |
| 304 GetRandom(&limit); | |
| 305 char* ptr = 0; | |
| 306 const size_t kMask64k = 0xFFFF; | |
| 307 // Random range (512k-16.5mb) in 64k steps. | |
| 308 const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k); | |
| 309 while (ptr < end) { | |
| 310 MEMORY_BASIC_INFORMATION memory_info; | |
| 311 if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info))) | |
| 312 break; | |
| 313 size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k, | |
| 314 static_cast<SIZE_T>(end - ptr)); | |
| 315 if (ptr && memory_info.State == MEM_FREE) | |
| 316 ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS); | |
| 317 ptr += size; | |
| 318 } | |
| 319 } | |
| 320 #endif | |
| 321 | |
| 322 return true; | |
| 323 } | |
| 324 | |
| 325 bool CanSetProcessMitigationsPostStartup(MitigationFlags flags) { | |
| 326 // All of these mitigations can be enabled after startup. | |
| 327 return !( | |
| 328 flags & | |
| 329 ~(MITIGATION_HEAP_TERMINATE | | |
| 330 MITIGATION_DEP | | |
| 331 MITIGATION_DEP_NO_ATL_THUNK | | |
| 332 MITIGATION_RELOCATE_IMAGE | | |
| 333 MITIGATION_RELOCATE_IMAGE_REQUIRED | | |
| 334 MITIGATION_BOTTOM_UP_ASLR | | |
| 335 MITIGATION_STRICT_HANDLE_CHECKS | | |
| 336 MITIGATION_EXTENSION_DLL_DISABLE | | |
| 337 MITIGATION_DLL_SEARCH_ORDER | | |
| 338 MITIGATION_HARDEN_TOKEN_IL_POLICY | | |
| 339 MITIGATION_WIN32K_DISABLE | | |
| 340 MITIGATION_NONSYSTEM_FONT_DISABLE | | |
| 341 MITIGATION_IMAGE_LOAD_NO_REMOTE | | |
| 342 MITIGATION_IMAGE_LOAD_NO_LOW_LABEL)); | |
| 343 } | |
| 344 | |
| 345 bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) { | |
| 346 // These mitigations cannot be enabled prior to startup. | |
| 347 return !(flags & (MITIGATION_STRICT_HANDLE_CHECKS | | |
| 348 MITIGATION_DLL_SEARCH_ORDER)); | |
| 349 } | |
| 350 | |
| 351 } // namespace sandbox | |
| 352 | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1851213002:
Remove sandbox on Windows. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master