| (Empty) |
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include <stdint.h> | |
| 6 | |
| 7 #include <string> | |
| 8 | |
| 9 #include "sandbox/win/src/sync_policy.h" | |
| 10 | |
| 11 #include "base/logging.h" | |
| 12 #include "base/strings/stringprintf.h" | |
| 13 #include "sandbox/win/src/ipc_tags.h" | |
| 14 #include "sandbox/win/src/nt_internals.h" | |
| 15 #include "sandbox/win/src/policy_engine_opcodes.h" | |
| 16 #include "sandbox/win/src/policy_params.h" | |
| 17 #include "sandbox/win/src/sandbox_types.h" | |
| 18 #include "sandbox/win/src/sandbox_utils.h" | |
| 19 #include "sandbox/win/src/sync_interception.h" | |
| 20 #include "sandbox/win/src/win_utils.h" | |
| 21 | |
| 22 namespace sandbox { | |
| 23 | |
| 24 // Provides functionality to resolve a symbolic link within the object | |
| 25 // directory passed in. | |
| 26 NTSTATUS ResolveSymbolicLink(const base::string16& directory_name, | |
| 27 const base::string16& name, | |
| 28 base::string16* target) { | |
| 29 NtOpenDirectoryObjectFunction NtOpenDirectoryObject = NULL; | |
| 30 ResolveNTFunctionPtr("NtOpenDirectoryObject", &NtOpenDirectoryObject); | |
| 31 | |
| 32 NtQuerySymbolicLinkObjectFunction NtQuerySymbolicLinkObject = NULL; | |
| 33 ResolveNTFunctionPtr("NtQuerySymbolicLinkObject", | |
| 34 &NtQuerySymbolicLinkObject); | |
| 35 | |
| 36 NtOpenSymbolicLinkObjectFunction NtOpenSymbolicLinkObject = NULL; | |
| 37 ResolveNTFunctionPtr("NtOpenSymbolicLinkObject", &NtOpenSymbolicLinkObject); | |
| 38 | |
| 39 NtCloseFunction NtClose = NULL; | |
| 40 ResolveNTFunctionPtr("NtClose", &NtClose); | |
| 41 | |
| 42 OBJECT_ATTRIBUTES symbolic_link_directory_attributes = {}; | |
| 43 UNICODE_STRING symbolic_link_directory_string = {}; | |
| 44 InitObjectAttribs(directory_name, OBJ_CASE_INSENSITIVE, NULL, | |
| 45 &symbolic_link_directory_attributes, | |
| 46 &symbolic_link_directory_string, NULL); | |
| 47 | |
| 48 HANDLE symbolic_link_directory = NULL; | |
| 49 NTSTATUS status = NtOpenDirectoryObject(&symbolic_link_directory, | |
| 50 DIRECTORY_QUERY, | |
| 51 &symbolic_link_directory_attributes); | |
| 52 if (!NT_SUCCESS(status)) | |
| 53 return status; | |
| 54 | |
| 55 OBJECT_ATTRIBUTES symbolic_link_attributes = {}; | |
| 56 UNICODE_STRING name_string = {}; | |
| 57 InitObjectAttribs(name, OBJ_CASE_INSENSITIVE, symbolic_link_directory, | |
| 58 &symbolic_link_attributes, &name_string, NULL); | |
| 59 | |
| 60 HANDLE symbolic_link = NULL; | |
| 61 status = NtOpenSymbolicLinkObject(&symbolic_link, GENERIC_READ, | |
| 62 &symbolic_link_attributes); | |
| 63 CHECK(NT_SUCCESS(NtClose(symbolic_link_directory))); | |
| 64 if (!NT_SUCCESS(status)) | |
| 65 return status; | |
| 66 | |
| 67 UNICODE_STRING target_path = {}; | |
| 68 unsigned long target_length = 0; | |
| 69 status = NtQuerySymbolicLinkObject(symbolic_link, &target_path, | |
| 70 &target_length); | |
| 71 if (status != STATUS_BUFFER_TOO_SMALL) { | |
| 72 CHECK(NT_SUCCESS(NtClose(symbolic_link))); | |
| 73 return status; | |
| 74 } | |
| 75 | |
| 76 target_path.Length = 0; | |
| 77 target_path.MaximumLength = static_cast<USHORT>(target_length); | |
| 78 target_path.Buffer = new wchar_t[target_path.MaximumLength + 1]; | |
| 79 status = NtQuerySymbolicLinkObject(symbolic_link, &target_path, | |
| 80 &target_length); | |
| 81 if (NT_SUCCESS(status)) | |
| 82 target->assign(target_path.Buffer, target_length); | |
| 83 | |
| 84 CHECK(NT_SUCCESS(NtClose(symbolic_link))); | |
| 85 delete[] target_path.Buffer; | |
| 86 return status; | |
| 87 } | |
| 88 | |
| 89 NTSTATUS GetBaseNamedObjectsDirectory(HANDLE* directory) { | |
| 90 static HANDLE base_named_objects_handle = NULL; | |
| 91 if (base_named_objects_handle) { | |
| 92 *directory = base_named_objects_handle; | |
| 93 return STATUS_SUCCESS; | |
| 94 } | |
| 95 | |
| 96 NtOpenDirectoryObjectFunction NtOpenDirectoryObject = NULL; | |
| 97 ResolveNTFunctionPtr("NtOpenDirectoryObject", &NtOpenDirectoryObject); | |
| 98 | |
| 99 DWORD session_id = 0; | |
| 100 ProcessIdToSessionId(::GetCurrentProcessId(), &session_id); | |
| 101 | |
| 102 base::string16 base_named_objects_path; | |
| 103 | |
| 104 NTSTATUS status = ResolveSymbolicLink(L"\\Sessions\\BNOLINKS", | |
| 105 base::StringPrintf(L"%d", session_id), | |
| 106 &base_named_objects_path); | |
| 107 if (!NT_SUCCESS(status)) { | |
| 108 DLOG(ERROR) << "Failed to resolve BaseNamedObjects path. Error: " | |
| 109 << status; | |
| 110 return status; | |
| 111 } | |
| 112 | |
| 113 UNICODE_STRING directory_name = {}; | |
| 114 OBJECT_ATTRIBUTES object_attributes = {}; | |
| 115 InitObjectAttribs(base_named_objects_path, OBJ_CASE_INSENSITIVE, NULL, | |
| 116 &object_attributes, &directory_name, NULL); | |
| 117 status = NtOpenDirectoryObject(&base_named_objects_handle, | |
| 118 DIRECTORY_ALL_ACCESS, | |
| 119 &object_attributes); | |
| 120 if (NT_SUCCESS(status)) | |
| 121 *directory = base_named_objects_handle; | |
| 122 return status; | |
| 123 } | |
| 124 | |
| 125 bool SyncPolicy::GenerateRules(const wchar_t* name, | |
| 126 TargetPolicy::Semantics semantics, | |
| 127 LowLevelPolicy* policy) { | |
| 128 base::string16 mod_name(name); | |
| 129 if (mod_name.empty()) { | |
| 130 return false; | |
| 131 } | |
| 132 | |
| 133 if (TargetPolicy::EVENTS_ALLOW_ANY != semantics && | |
| 134 TargetPolicy::EVENTS_ALLOW_READONLY != semantics) { | |
| 135 // Other flags are not valid for sync policy yet. | |
| 136 NOTREACHED(); | |
| 137 return false; | |
| 138 } | |
| 139 | |
| 140 // Add the open rule. | |
| 141 EvalResult result = ASK_BROKER; | |
| 142 PolicyRule open(result); | |
| 143 | |
| 144 if (!open.AddStringMatch(IF, OpenEventParams::NAME, name, CASE_INSENSITIVE)) | |
| 145 return false; | |
| 146 | |
| 147 if (TargetPolicy::EVENTS_ALLOW_READONLY == semantics) { | |
| 148 // We consider all flags that are not known to be readonly as potentially | |
| 149 // used for write. | |
| 150 uint32_t allowed_flags = SYNCHRONIZE | GENERIC_READ | READ_CONTROL; | |
| 151 uint32_t restricted_flags = ~allowed_flags; | |
| 152 open.AddNumberMatch(IF_NOT, OpenEventParams::ACCESS, restricted_flags, AND); | |
| 153 } | |
| 154 | |
| 155 if (!policy->AddRule(IPC_OPENEVENT_TAG, &open)) | |
| 156 return false; | |
| 157 | |
| 158 // If it's not a read only, add the create rule. | |
| 159 if (TargetPolicy::EVENTS_ALLOW_READONLY != semantics) { | |
| 160 PolicyRule create(result); | |
| 161 if (!create.AddStringMatch(IF, NameBased::NAME, name, CASE_INSENSITIVE)) | |
| 162 return false; | |
| 163 | |
| 164 if (!policy->AddRule(IPC_CREATEEVENT_TAG, &create)) | |
| 165 return false; | |
| 166 } | |
| 167 | |
| 168 return true; | |
| 169 } | |
| 170 | |
| 171 NTSTATUS SyncPolicy::CreateEventAction(EvalResult eval_result, | |
| 172 const ClientInfo& client_info, | |
| 173 const base::string16& event_name, | |
| 174 uint32_t event_type, | |
| 175 uint32_t initial_state, | |
| 176 HANDLE* handle) { | |
| 177 NtCreateEventFunction NtCreateEvent = NULL; | |
| 178 ResolveNTFunctionPtr("NtCreateEvent", &NtCreateEvent); | |
| 179 | |
| 180 // The only action supported is ASK_BROKER which means create the requested | |
| 181 // file as specified. | |
| 182 if (ASK_BROKER != eval_result) | |
| 183 return false; | |
| 184 | |
| 185 HANDLE object_directory = NULL; | |
| 186 NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory); | |
| 187 if (status != STATUS_SUCCESS) | |
| 188 return status; | |
| 189 | |
| 190 UNICODE_STRING unicode_event_name = {}; | |
| 191 OBJECT_ATTRIBUTES object_attributes = {}; | |
| 192 InitObjectAttribs(event_name, OBJ_CASE_INSENSITIVE, object_directory, | |
| 193 &object_attributes, &unicode_event_name, NULL); | |
| 194 | |
| 195 HANDLE local_handle = NULL; | |
| 196 status = NtCreateEvent(&local_handle, EVENT_ALL_ACCESS, &object_attributes, | |
| 197 static_cast<EVENT_TYPE>(event_type), | |
| 198 static_cast<BOOLEAN>(initial_state)); | |
| 199 if (NULL == local_handle) | |
| 200 return status; | |
| 201 | |
| 202 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, | |
| 203 client_info.process, handle, 0, FALSE, | |
| 204 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { | |
| 205 return STATUS_ACCESS_DENIED; | |
| 206 } | |
| 207 return status; | |
| 208 } | |
| 209 | |
| 210 NTSTATUS SyncPolicy::OpenEventAction(EvalResult eval_result, | |
| 211 const ClientInfo& client_info, | |
| 212 const base::string16& event_name, | |
| 213 uint32_t desired_access, | |
| 214 HANDLE* handle) { | |
| 215 NtOpenEventFunction NtOpenEvent = NULL; | |
| 216 ResolveNTFunctionPtr("NtOpenEvent", &NtOpenEvent); | |
| 217 | |
| 218 // The only action supported is ASK_BROKER which means create the requested | |
| 219 // event as specified. | |
| 220 if (ASK_BROKER != eval_result) | |
| 221 return false; | |
| 222 | |
| 223 HANDLE object_directory = NULL; | |
| 224 NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory); | |
| 225 if (status != STATUS_SUCCESS) | |
| 226 return status; | |
| 227 | |
| 228 UNICODE_STRING unicode_event_name = {}; | |
| 229 OBJECT_ATTRIBUTES object_attributes = {}; | |
| 230 InitObjectAttribs(event_name, OBJ_CASE_INSENSITIVE, object_directory, | |
| 231 &object_attributes, &unicode_event_name, NULL); | |
| 232 | |
| 233 HANDLE local_handle = NULL; | |
| 234 status = NtOpenEvent(&local_handle, desired_access, &object_attributes); | |
| 235 if (NULL == local_handle) | |
| 236 return status; | |
| 237 | |
| 238 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, | |
| 239 client_info.process, handle, 0, FALSE, | |
| 240 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { | |
| 241 return STATUS_ACCESS_DENIED; | |
| 242 } | |
| 243 return status; | |
| 244 } | |
| 245 | |
| 246 } // namespace sandbox | |
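Review bot: Both `SyncPolicy::CreateEventAction` and `SyncPolicy::OpenEventAction` return `false` when `eval_result` is not `ASK_BROKER`, but the functions return `NTSTATUS`, so `false` converts to 0, which is `STATUS_SUCCESS`; a denied evaluation is therefore reported to the caller as success with `*handle` never written. Those two lines should return a real failure code, `return STATUS_ACCESS_DENIED;`, matching the value the same functions already use when `DuplicateHandle` fails. A secondary point in `ResolveSymbolicLink`: `target->assign(target_path.Buffer, target_length)` uses the length reported by `NtQuerySymbolicLinkObject` as a character count, while that value appears to be a byte count (the same value is assigned to `MaximumLength`, which is in bytes), so `target_path.Length / sizeof(wchar_t)` is the safer length to pass; worth confirming against the NT contract. This section appears to show only one side of the file, so these remarks assume the displayed text is the new code.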