OLD | NEW |
| (Empty) |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <stdint.h> | |
6 | |
7 #include <string> | |
8 | |
9 #include "sandbox/win/src/registry_policy.h" | |
10 | |
11 #include "base/logging.h" | |
12 #include "sandbox/win/src/ipc_tags.h" | |
13 #include "sandbox/win/src/policy_engine_opcodes.h" | |
14 #include "sandbox/win/src/policy_params.h" | |
15 #include "sandbox/win/src/sandbox_types.h" | |
16 #include "sandbox/win/src/sandbox_utils.h" | |
17 #include "sandbox/win/src/win_utils.h" | |
18 | |
19 namespace { | |
20 | |
21 static const uint32_t kAllowedRegFlags = | |
22 KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_READ | | |
23 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL; | |
24 | |
25 // Opens the key referenced by |obj_attributes| with |access| and | |
26 // checks what permission was given. Remove the WRITE flags and update | |
27 // |access| with the new value. | |
28 NTSTATUS TranslateMaximumAllowed(OBJECT_ATTRIBUTES* obj_attributes, | |
29 DWORD* access) { | |
30 NtOpenKeyFunction NtOpenKey = NULL; | |
31 ResolveNTFunctionPtr("NtOpenKey", &NtOpenKey); | |
32 | |
33 NtCloseFunction NtClose = NULL; | |
34 ResolveNTFunctionPtr("NtClose", &NtClose); | |
35 | |
36 NtQueryObjectFunction NtQueryObject = NULL; | |
37 ResolveNTFunctionPtr("NtQueryObject", &NtQueryObject); | |
38 | |
39 // Open the key. | |
40 HANDLE handle; | |
41 NTSTATUS status = NtOpenKey(&handle, *access, obj_attributes); | |
42 if (!NT_SUCCESS(status)) | |
43 return status; | |
44 | |
45 OBJECT_BASIC_INFORMATION info = {0}; | |
46 status = NtQueryObject(handle, ObjectBasicInformation, &info, sizeof(info), | |
47 NULL); | |
48 CHECK(NT_SUCCESS(NtClose(handle))); | |
49 if (!NT_SUCCESS(status)) | |
50 return status; | |
51 | |
52 *access = info.GrantedAccess & kAllowedRegFlags; | |
53 return STATUS_SUCCESS; | |
54 } | |
55 | |
56 NTSTATUS NtCreateKeyInTarget(HANDLE* target_key_handle, | |
57 ACCESS_MASK desired_access, | |
58 OBJECT_ATTRIBUTES* obj_attributes, | |
59 ULONG title_index, | |
60 UNICODE_STRING* class_name, | |
61 ULONG create_options, | |
62 ULONG* disposition, | |
63 HANDLE target_process) { | |
64 NtCreateKeyFunction NtCreateKey = NULL; | |
65 ResolveNTFunctionPtr("NtCreateKey", &NtCreateKey); | |
66 | |
67 if (MAXIMUM_ALLOWED & desired_access) { | |
68 NTSTATUS status = TranslateMaximumAllowed(obj_attributes, &desired_access); | |
69 if (!NT_SUCCESS(status)) | |
70 return STATUS_ACCESS_DENIED; | |
71 } | |
72 | |
73 HANDLE local_handle = INVALID_HANDLE_VALUE; | |
74 NTSTATUS status = NtCreateKey(&local_handle, desired_access, obj_attributes, | |
75 title_index, class_name, create_options, | |
76 disposition); | |
77 if (!NT_SUCCESS(status)) | |
78 return status; | |
79 | |
80 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, | |
81 target_process, target_key_handle, 0, FALSE, | |
82 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { | |
83 return STATUS_ACCESS_DENIED; | |
84 } | |
85 return STATUS_SUCCESS; | |
86 } | |
87 | |
88 NTSTATUS NtOpenKeyInTarget(HANDLE* target_key_handle, | |
89 ACCESS_MASK desired_access, | |
90 OBJECT_ATTRIBUTES* obj_attributes, | |
91 HANDLE target_process) { | |
92 NtOpenKeyFunction NtOpenKey = NULL; | |
93 ResolveNTFunctionPtr("NtOpenKey", &NtOpenKey); | |
94 | |
95 if (MAXIMUM_ALLOWED & desired_access) { | |
96 NTSTATUS status = TranslateMaximumAllowed(obj_attributes, &desired_access); | |
97 if (!NT_SUCCESS(status)) | |
98 return STATUS_ACCESS_DENIED; | |
99 } | |
100 | |
101 HANDLE local_handle = INVALID_HANDLE_VALUE; | |
102 NTSTATUS status = NtOpenKey(&local_handle, desired_access, obj_attributes); | |
103 | |
104 if (!NT_SUCCESS(status)) | |
105 return status; | |
106 | |
107 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, | |
108 target_process, target_key_handle, 0, FALSE, | |
109 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { | |
110 return STATUS_ACCESS_DENIED; | |
111 } | |
112 return STATUS_SUCCESS; | |
113 } | |
114 | |
115 } | |
116 | |
117 namespace sandbox { | |
118 | |
119 bool RegistryPolicy::GenerateRules(const wchar_t* name, | |
120 TargetPolicy::Semantics semantics, | |
121 LowLevelPolicy* policy) { | |
122 base::string16 resovled_name(name); | |
123 if (resovled_name.empty()) { | |
124 return false; | |
125 } | |
126 | |
127 if (!ResolveRegistryName(resovled_name, &resovled_name)) | |
128 return false; | |
129 | |
130 name = resovled_name.c_str(); | |
131 | |
132 EvalResult result = ASK_BROKER; | |
133 | |
134 PolicyRule open(result); | |
135 PolicyRule create(result); | |
136 | |
137 switch (semantics) { | |
138 case TargetPolicy::REG_ALLOW_READONLY: { | |
139 // We consider all flags that are not known to be readonly as potentially | |
140 // used for write. Here we also support MAXIMUM_ALLOWED, but we are going | |
141 // to expand it to read-only before the call. | |
142 uint32_t restricted_flags = ~(kAllowedRegFlags | MAXIMUM_ALLOWED); | |
143 open.AddNumberMatch(IF_NOT, OpenKey::ACCESS, restricted_flags, AND); | |
144 create.AddNumberMatch(IF_NOT, OpenKey::ACCESS, restricted_flags, AND); | |
145 break; | |
146 } | |
147 case TargetPolicy::REG_ALLOW_ANY: { | |
148 break; | |
149 } | |
150 default: { | |
151 NOTREACHED(); | |
152 return false; | |
153 } | |
154 } | |
155 | |
156 if (!create.AddStringMatch(IF, OpenKey::NAME, name, CASE_INSENSITIVE) || | |
157 !policy->AddRule(IPC_NTCREATEKEY_TAG, &create)) { | |
158 return false; | |
159 } | |
160 | |
161 if (!open.AddStringMatch(IF, OpenKey::NAME, name, CASE_INSENSITIVE) || | |
162 !policy->AddRule(IPC_NTOPENKEY_TAG, &open)) { | |
163 return false; | |
164 } | |
165 | |
166 return true; | |
167 } | |
168 | |
169 bool RegistryPolicy::CreateKeyAction(EvalResult eval_result, | |
170 const ClientInfo& client_info, | |
171 const base::string16& key, | |
172 uint32_t attributes, | |
173 HANDLE root_directory, | |
174 uint32_t desired_access, | |
175 uint32_t title_index, | |
176 uint32_t create_options, | |
177 HANDLE* handle, | |
178 NTSTATUS* nt_status, | |
179 ULONG* disposition) { | |
180 // The only action supported is ASK_BROKER which means create the requested | |
181 // file as specified. | |
182 if (ASK_BROKER != eval_result) { | |
183 *nt_status = STATUS_ACCESS_DENIED; | |
184 return false; | |
185 } | |
186 | |
187 // We don't support creating link keys, volatile keys or backup/restore. | |
188 if (create_options) { | |
189 *nt_status = STATUS_ACCESS_DENIED; | |
190 return false; | |
191 } | |
192 | |
193 UNICODE_STRING uni_name = {0}; | |
194 OBJECT_ATTRIBUTES obj_attributes = {0}; | |
195 InitObjectAttribs(key, attributes, root_directory, &obj_attributes, | |
196 &uni_name, NULL); | |
197 *nt_status = NtCreateKeyInTarget(handle, desired_access, &obj_attributes, | |
198 title_index, NULL, create_options, | |
199 disposition, client_info.process); | |
200 return true; | |
201 } | |
202 | |
203 bool RegistryPolicy::OpenKeyAction(EvalResult eval_result, | |
204 const ClientInfo& client_info, | |
205 const base::string16& key, | |
206 uint32_t attributes, | |
207 HANDLE root_directory, | |
208 uint32_t desired_access, | |
209 HANDLE* handle, | |
210 NTSTATUS* nt_status) { | |
211 // The only action supported is ASK_BROKER which means open the requested | |
212 // file as specified. | |
213 if (ASK_BROKER != eval_result) { | |
214 *nt_status = STATUS_ACCESS_DENIED; | |
215 return true; | |
216 } | |
217 | |
218 UNICODE_STRING uni_name = {0}; | |
219 OBJECT_ATTRIBUTES obj_attributes = {0}; | |
220 InitObjectAttribs(key, attributes, root_directory, &obj_attributes, | |
221 &uni_name, NULL); | |
222 *nt_status = NtOpenKeyInTarget(handle, desired_access, &obj_attributes, | |
223 client_info.process); | |
224 return true; | |
225 } | |
226 | |
227 } // namespace sandbox | |
OLD | NEW |