OLD | NEW |
| (Empty) |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "sandbox/win/src/registry_interception.h" | |
6 | |
7 #include <stdint.h> | |
8 | |
9 #include "sandbox/win/src/crosscall_client.h" | |
10 #include "sandbox/win/src/ipc_tags.h" | |
11 #include "sandbox/win/src/policy_params.h" | |
12 #include "sandbox/win/src/policy_target.h" | |
13 #include "sandbox/win/src/sandbox_factory.h" | |
14 #include "sandbox/win/src/sandbox_nt_util.h" | |
15 #include "sandbox/win/src/sharedmem_ipc_client.h" | |
16 #include "sandbox/win/src/target_services.h" | |
17 | |
18 namespace sandbox { | |
19 | |
20 NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey, | |
21 PHANDLE key, ACCESS_MASK desired_access, | |
22 POBJECT_ATTRIBUTES object_attributes, | |
23 ULONG title_index, PUNICODE_STRING class_name, | |
24 ULONG create_options, PULONG disposition) { | |
25 // Check if the process can create it first. | |
26 NTSTATUS status = orig_CreateKey(key, desired_access, object_attributes, | |
27 title_index, class_name, create_options, | |
28 disposition); | |
29 if (NT_SUCCESS(status)) | |
30 return status; | |
31 | |
32 // We don't trust that the IPC can work this early. | |
33 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | |
34 return status; | |
35 | |
36 do { | |
37 if (!ValidParameter(key, sizeof(HANDLE), WRITE)) | |
38 break; | |
39 | |
40 if (disposition && !ValidParameter(disposition, sizeof(ULONG), WRITE)) | |
41 break; | |
42 | |
43 // At this point we don't support class_name. | |
44 if (class_name && class_name->Buffer && class_name->Length) | |
45 break; | |
46 | |
47 // We don't support creating link keys, volatile keys and backup/restore. | |
48 if (create_options) | |
49 break; | |
50 | |
51 void* memory = GetGlobalIPCMemory(); | |
52 if (NULL == memory) | |
53 break; | |
54 | |
55 wchar_t* name; | |
56 uint32_t attributes = 0; | |
57 HANDLE root_directory = 0; | |
58 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, | |
59 &root_directory); | |
60 if (!NT_SUCCESS(ret) || NULL == name) | |
61 break; | |
62 | |
63 uint32_t desired_access_uint32 = desired_access; | |
64 CountedParameterSet<OpenKey> params; | |
65 params[OpenKey::ACCESS] = ParamPickerMake(desired_access_uint32); | |
66 | |
67 wchar_t* full_name = NULL; | |
68 | |
69 if (root_directory) { | |
70 ret = sandbox::AllocAndGetFullPath(root_directory, name, &full_name); | |
71 if (!NT_SUCCESS(ret) || NULL == full_name) | |
72 break; | |
73 params[OpenKey::NAME] = ParamPickerMake(full_name); | |
74 } else { | |
75 params[OpenKey::NAME] = ParamPickerMake(name); | |
76 } | |
77 | |
78 bool query_broker = QueryBroker(IPC_NTCREATEKEY_TAG, params.GetBase()); | |
79 | |
80 if (full_name != NULL) | |
81 operator delete(full_name, NT_ALLOC); | |
82 | |
83 if (!query_broker) | |
84 break; | |
85 | |
86 SharedMemIPCClient ipc(memory); | |
87 CrossCallReturn answer = {0}; | |
88 | |
89 ResultCode code = CrossCall(ipc, IPC_NTCREATEKEY_TAG, name, attributes, | |
90 root_directory, desired_access, title_index, | |
91 create_options, &answer); | |
92 | |
93 operator delete(name, NT_ALLOC); | |
94 | |
95 if (SBOX_ALL_OK != code) | |
96 break; | |
97 | |
98 if (!NT_SUCCESS(answer.nt_status)) | |
99 // TODO(nsylvain): We should return answer.nt_status here instead | |
100 // of status. We can do this only after we checked the policy. | |
101 // otherwise we will returns ACCESS_DENIED for all paths | |
102 // that are not specified by a policy, even though your token allows | |
103 // access to that path, and the original call had a more meaningful | |
104 // error. Bug 4369 | |
105 break; | |
106 | |
107 __try { | |
108 *key = answer.handle; | |
109 | |
110 if (disposition) | |
111 *disposition = answer.extended[0].unsigned_int; | |
112 | |
113 status = answer.nt_status; | |
114 } __except(EXCEPTION_EXECUTE_HANDLER) { | |
115 break; | |
116 } | |
117 } while (false); | |
118 | |
119 return status; | |
120 } | |
121 | |
122 NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS status, PHANDLE key, | |
123 ACCESS_MASK desired_access, | |
124 POBJECT_ATTRIBUTES object_attributes) { | |
125 // We don't trust that the IPC can work this early. | |
126 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | |
127 return status; | |
128 | |
129 do { | |
130 if (!ValidParameter(key, sizeof(HANDLE), WRITE)) | |
131 break; | |
132 | |
133 void* memory = GetGlobalIPCMemory(); | |
134 if (NULL == memory) | |
135 break; | |
136 | |
137 wchar_t* name; | |
138 uint32_t attributes; | |
139 HANDLE root_directory; | |
140 NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes, | |
141 &root_directory); | |
142 if (!NT_SUCCESS(ret) || NULL == name) | |
143 break; | |
144 | |
145 uint32_t desired_access_uint32 = desired_access; | |
146 CountedParameterSet<OpenKey> params; | |
147 params[OpenKey::ACCESS] = ParamPickerMake(desired_access_uint32); | |
148 | |
149 wchar_t* full_name = NULL; | |
150 | |
151 if (root_directory) { | |
152 ret = sandbox::AllocAndGetFullPath(root_directory, name, &full_name); | |
153 if (!NT_SUCCESS(ret) || NULL == full_name) | |
154 break; | |
155 params[OpenKey::NAME] = ParamPickerMake(full_name); | |
156 } else { | |
157 params[OpenKey::NAME] = ParamPickerMake(name); | |
158 } | |
159 | |
160 bool query_broker = QueryBroker(IPC_NTOPENKEY_TAG, params.GetBase()); | |
161 | |
162 if (full_name != NULL) | |
163 operator delete(full_name, NT_ALLOC); | |
164 | |
165 if (!query_broker) | |
166 break; | |
167 | |
168 SharedMemIPCClient ipc(memory); | |
169 CrossCallReturn answer = {0}; | |
170 ResultCode code = CrossCall(ipc, IPC_NTOPENKEY_TAG, name, attributes, | |
171 root_directory, desired_access, &answer); | |
172 | |
173 operator delete(name, NT_ALLOC); | |
174 | |
175 if (SBOX_ALL_OK != code) | |
176 break; | |
177 | |
178 if (!NT_SUCCESS(answer.nt_status)) | |
179 // TODO(nsylvain): We should return answer.nt_status here instead | |
180 // of status. We can do this only after we checked the policy. | |
181 // otherwise we will returns ACCESS_DENIED for all paths | |
182 // that are not specified by a policy, even though your token allows | |
183 // access to that path, and the original call had a more meaningful | |
184 // error. Bug 4369 | |
185 break; | |
186 | |
187 __try { | |
188 *key = answer.handle; | |
189 status = answer.nt_status; | |
190 } __except(EXCEPTION_EXECUTE_HANDLER) { | |
191 break; | |
192 } | |
193 } while (false); | |
194 | |
195 return status; | |
196 } | |
197 | |
198 NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, PHANDLE key, | |
199 ACCESS_MASK desired_access, | |
200 POBJECT_ATTRIBUTES object_attributes) { | |
201 // Check if the process can open it first. | |
202 NTSTATUS status = orig_OpenKey(key, desired_access, object_attributes); | |
203 if (NT_SUCCESS(status)) | |
204 return status; | |
205 | |
206 return CommonNtOpenKey(status, key, desired_access, object_attributes); | |
207 } | |
208 | |
209 NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpenKeyExFunction orig_OpenKeyEx, | |
210 PHANDLE key, ACCESS_MASK desired_access, | |
211 POBJECT_ATTRIBUTES object_attributes, | |
212 ULONG open_options) { | |
213 // Check if the process can open it first. | |
214 NTSTATUS status = orig_OpenKeyEx(key, desired_access, object_attributes, | |
215 open_options); | |
216 | |
217 // We do not support open_options at this time. The 2 current known values | |
218 // are REG_OPTION_CREATE_LINK, to open a symbolic link, and | |
219 // REG_OPTION_BACKUP_RESTORE to open the key with special privileges. | |
220 if (NT_SUCCESS(status) || open_options != 0) | |
221 return status; | |
222 | |
223 return CommonNtOpenKey(status, key, desired_access, object_attributes); | |
224 } | |
225 | |
226 } // namespace sandbox | |
OLD | NEW |