1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
6 | 6 |
7 #include <sddl.h> | 7 #include <sddl.h> |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 #include <stdint.h> | 9 #include <stdint.h> |
10 | 10 |
496 if (ERROR_SUCCESS != result) | 496 if (ERROR_SUCCESS != result) |
497 return SBOX_ERROR_GENERIC; | 497 return SBOX_ERROR_GENERIC; |
498 | 498 |
499 return SBOX_ALL_OK; | 499 return SBOX_ALL_OK; |
500 } | 500 } |
501 | 501 |
502 PSID PolicyBase::GetLowBoxSid() const { | 502 PSID PolicyBase::GetLowBoxSid() const { |
503 return lowbox_sid_; | 503 return lowbox_sid_; |
504 } | 504 } |
505 | 505 |
506 bool PolicyBase::AddTarget(TargetProcess* target) { | 506 ResultCode PolicyBase::AddTarget(TargetProcess* target) { |
507 if (NULL != policy_) | 507 if (NULL != policy_) |
508 policy_maker_->Done(); | 508 policy_maker_->Done(); |
509 | 509 |
510 if (!ApplyProcessMitigationsToSuspendedProcess(target->Process(), | 510 if (!ApplyProcessMitigationsToSuspendedProcess(target->Process(), |
511 mitigations_)) { | 511 mitigations_)) { |
512 return false; | 512 return SBOX_ERROR_APPLY_ASLR_MITIGATIONS; |
513 } | 513 } |
514 | 514 |
515 if (!SetupAllInterceptions(target)) | 515 ResultCode ret = SetupAllInterceptions(target); |
516 return false; | 516 |
| 517 if (ret != SBOX_ALL_OK) |
| 518 return ret; |
517 | 519 |
518 if (!SetupHandleCloser(target)) | 520 if (!SetupHandleCloser(target)) |
519 return false; | 521 return SBOX_ERROR_SETUP_HANDLE_CLOSER; |
520 | 522 |
| 523 DWORD win_error = ERROR_SUCCESS; |
521 // Initialize the sandbox infrastructure for the target. | 524 // Initialize the sandbox infrastructure for the target. |
522 if (ERROR_SUCCESS != | 525 // TODO(wfh) do something with win_error code here. |
523 target->Init(dispatcher_.get(), policy_, kIPCMemSize, kPolMemSize)) | 526 ret = target->Init(dispatcher_.get(), policy_, kIPCMemSize, kPolMemSize, |
524 return false; | 527 &win_error); |
| 528 |
| 529 if (ret != SBOX_ALL_OK) |
| 530 return ret; |
525 | 531 |
526 g_shared_delayed_integrity_level = delayed_integrity_level_; | 532 g_shared_delayed_integrity_level = delayed_integrity_level_; |
527 ResultCode ret = target->TransferVariable( | 533 ret = target->TransferVariable("g_shared_delayed_integrity_level", |
528 "g_shared_delayed_integrity_level", | 534 &g_shared_delayed_integrity_level, |
529 &g_shared_delayed_integrity_level, | 535 sizeof(g_shared_delayed_integrity_level)); |
530 sizeof(g_shared_delayed_integrity_level)); | |
531 g_shared_delayed_integrity_level = INTEGRITY_LEVEL_LAST; | 536 g_shared_delayed_integrity_level = INTEGRITY_LEVEL_LAST; |
532 if (SBOX_ALL_OK != ret) | 537 if (SBOX_ALL_OK != ret) |
533 return false; | 538 return ret; |
534 | 539 |
535 // Add in delayed mitigations and pseudo-mitigations enforced at startup. | 540 // Add in delayed mitigations and pseudo-mitigations enforced at startup. |
536 g_shared_delayed_mitigations = delayed_mitigations_ | | 541 g_shared_delayed_mitigations = delayed_mitigations_ | |
537 FilterPostStartupProcessMitigations(mitigations_); | 542 FilterPostStartupProcessMitigations(mitigations_); |
538 if (!CanSetProcessMitigationsPostStartup(g_shared_delayed_mitigations)) | 543 if (!CanSetProcessMitigationsPostStartup(g_shared_delayed_mitigations)) |
539 return false; | 544 return SBOX_ERROR_BAD_PARAMS; |
540 | 545 |
541 ret = target->TransferVariable("g_shared_delayed_mitigations", | 546 ret = target->TransferVariable("g_shared_delayed_mitigations", |
542 &g_shared_delayed_mitigations, | 547 &g_shared_delayed_mitigations, |
543 sizeof(g_shared_delayed_mitigations)); | 548 sizeof(g_shared_delayed_mitigations)); |
544 g_shared_delayed_mitigations = 0; | 549 g_shared_delayed_mitigations = 0; |
545 if (SBOX_ALL_OK != ret) | 550 if (SBOX_ALL_OK != ret) |
546 return false; | 551 return ret; |
547 | 552 |
548 AutoLock lock(&lock_); | 553 AutoLock lock(&lock_); |
549 targets_.push_back(target); | 554 targets_.push_back(target); |
550 return true; | 555 return SBOX_ALL_OK; |
551 } | 556 } |
552 | 557 |
553 bool PolicyBase::OnJobEmpty(HANDLE job) { | 558 bool PolicyBase::OnJobEmpty(HANDLE job) { |
554 AutoLock lock(&lock_); | 559 AutoLock lock(&lock_); |
555 TargetSet::iterator it; | 560 TargetSet::iterator it; |
556 for (it = targets_.begin(); it != targets_.end(); ++it) { | 561 for (it = targets_.begin(); it != targets_.end(); ++it) { |
557 if ((*it)->Job() == job) | 562 if ((*it)->Job() == job) |
558 break; | 563 break; |
559 } | 564 } |
560 if (it == targets_.end()) { | 565 if (it == targets_.end()) { |
609 } | 614 } |
610 | 615 |
611 void PolicyBase::SetEnableOPMRedirection() { | 616 void PolicyBase::SetEnableOPMRedirection() { |
612 enable_opm_redirection_ = true; | 617 enable_opm_redirection_ = true; |
613 } | 618 } |
614 | 619 |
615 bool PolicyBase::GetEnableOPMRedirection() { | 620 bool PolicyBase::GetEnableOPMRedirection() { |
616 return enable_opm_redirection_; | 621 return enable_opm_redirection_; |
617 } | 622 } |
618 | 623 |
619 bool PolicyBase::SetupAllInterceptions(TargetProcess* target) { | 624 ResultCode PolicyBase::SetupAllInterceptions(TargetProcess* target) { |
620 InterceptionManager manager(target, relaxed_interceptions_); | 625 InterceptionManager manager(target, relaxed_interceptions_); |
621 | 626 |
622 if (policy_) { | 627 if (policy_) { |
623 for (int i = 0; i < IPC_LAST_TAG; i++) { | 628 for (int i = 0; i < IPC_LAST_TAG; i++) { |
624 if (policy_->entry[i] && !dispatcher_->SetupService(&manager, i)) | 629 if (policy_->entry[i] && !dispatcher_->SetupService(&manager, i)) |
625 return false; | 630 return SBOX_ERROR_SETUP_INTERCEPTION_SERVICE; |
626 } | 631 } |
627 } | 632 } |
628 | 633 |
629 if (!blacklisted_dlls_.empty()) { | 634 if (!blacklisted_dlls_.empty()) { |
630 std::vector<base::string16>::iterator it = blacklisted_dlls_.begin(); | 635 std::vector<base::string16>::iterator it = blacklisted_dlls_.begin(); |
631 for (; it != blacklisted_dlls_.end(); ++it) { | 636 for (; it != blacklisted_dlls_.end(); ++it) { |
632 manager.AddToUnloadModules(it->c_str()); | 637 manager.AddToUnloadModules(it->c_str()); |
633 } | 638 } |
634 } | 639 } |
635 | 640 |
636 if (!SetupBasicInterceptions(&manager, is_csrss_connected_)) | 641 if (!SetupBasicInterceptions(&manager, is_csrss_connected_)) |
637 return false; | 642 return SBOX_ERROR_SETUP_BASIC_INTERCEPTIONS; |
638 | 643 |
639 if (!manager.InitializeInterceptions()) | 644 if (!manager.InitializeInterceptions()) |
640 return false; | 645 return SBOX_ERROR_INITIALIZE_INTERCEPTIONS; |
641 | 646 |
642 // Finally, setup imports on the target so the interceptions can work. | 647 // Finally, setup imports on the target so the interceptions can work. |
643 return SetupNtdllImports(target); | 648 if (!SetupNtdllImports(target)) |
| 649 return SBOX_ERROR_SETUP_NTDLL_IMPORTS; |
| 650 |
| 651 return SBOX_ALL_OK; |
644 } | 652 } |
645 | 653 |
646 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { | 654 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { |
647 return handle_closer_.InitializeTargetHandles(target); | 655 return handle_closer_.InitializeTargetHandles(target); |
648 } | 656 } |
649 | 657 |
650 ResultCode PolicyBase::AddRuleInternal(SubSystem subsystem, | 658 ResultCode PolicyBase::AddRuleInternal(SubSystem subsystem, |
651 Semantics semantics, | 659 Semantics semantics, |
652 const wchar_t* pattern) { | 660 const wchar_t* pattern) { |
653 if (NULL == policy_) { | 661 if (NULL == policy_) { |
713 break; | 721 break; |
714 } | 722 } |
715 | 723 |
716 default: { return SBOX_ERROR_UNSUPPORTED; } | 724 default: { return SBOX_ERROR_UNSUPPORTED; } |
717 } | 725 } |
718 | 726 |
719 return SBOX_ALL_OK; | 727 return SBOX_ALL_OK; |
720 } | 728 } |
721 | 729 |
722 } // namespace sandbox | 730 } // namespace sandbox |
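Review bot: In AddTarget the new `win_error` local (new lines 523-530) receives the Win32 failure from `target->Init` but is dropped on the `ret != SBOX_ALL_OK` path, so a caller sees only the generic ResultCode and the underlying OS cause of a sandbox setup failure is lost; the TODO on line 525 acknowledges this but the diff ships without it. Until the value is plumbed through to the caller, keep it reachable on the failing path, e.g. `if (ret != SBOX_ALL_OK) { ::SetLastError(win_error); return ret; }`, or emit it through whatever logging macro this file already uses, so a failed target launch stays diagnosable. The same loss of context appears in SetupAllInterceptions, where `SBOX_ERROR_SETUP_INTERCEPTION_SERVICE` (new line 630) discards the IPC tag index `i` whose service failed to install; a log line naming `i` there would make interception failures attributable. Finally, `SBOX_ERROR_APPLY_ASLR_MITIGATIONS` (new line 512) is returned when any mitigation in `mitigations_` fails to apply, not only ASLR, so a short comment such as `// Covers every mitigation in mitigations_, not just ASLR.` would prevent misreading the code at the call site.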