Made setting lowbox token a warning.

sandbox/win/src/broker_services.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/broker_services.h"
 
 #include <AclAPI.h>
 #include <stddef.h>
 
 #include <memory>
@@ skipping 19 matching lines @@
 // Utility function to associate a completion port to a job object.
 bool AssociateCompletionPort(HANDLE job, HANDLE port, void* key) {
   JOBOBJECT_ASSOCIATE_COMPLETION_PORT job_acp = { key, port };
   return ::SetInformationJobObject(job,
                                    JobObjectAssociateCompletionPortInformation,
                                    &job_acp, sizeof(job_acp))? true : false;
 }
 
 // Utility function to do the cleanup necessary when something goes wrong
 // while in SpawnTarget and we must terminate the target process.
-sandbox::ResultCode SpawnCleanup(sandbox::TargetProcess* target, DWORD error) {
-  if (0 == error)
-    error = ::GetLastError();
-
+sandbox::ResultCode SpawnCleanup(sandbox::TargetProcess* target) {
   target->Terminate();
   delete target;
-  ::SetLastError(error);
   return sandbox::SBOX_ERROR_GENERIC;
 }
 
 // the different commands that you can send to the worker thread that
 // executes TargetEventsThread().
 enum {
   THREAD_CTRL_NONE,
   THREAD_CTRL_QUIT,
   THREAD_CTRL_LAST,
 };
@@ skipping 209 matching lines @@
 
   NOTREACHED();
   return 0;
 }
 
 // SpawnTarget does all the interesting sandbox setup and creates the target
 // process inside the sandbox.
 ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
                                            const wchar_t* command_line,
                                            TargetPolicy* policy,
+                                           ResultCode* last_warning,
+                                           DWORD* last_error,
                                            PROCESS_INFORMATION* target_info) {
   if (!exe_path)
     return SBOX_ERROR_BAD_PARAMS;
 
   if (!policy)
     return SBOX_ERROR_BAD_PARAMS;
 
   // Even though the resources touched by SpawnTarget can be accessed in
   // multiple threads, the method itself cannot be called from more than
   // 1 thread. This is to protect the global variables used while setting up
   // the child process.
   static DWORD thread_id = ::GetCurrentThreadId();
   DCHECK(thread_id == ::GetCurrentThreadId());
+  *last_warning = SBOX_ALL_OK;
 
   AutoLock lock(&lock_);
 
   // This downcast is safe as long as we control CreatePolicy()
   PolicyBase* policy_base = static_cast<PolicyBase*>(policy);
 
   // Construct the tokens and the job object that we are going to associate
   // with the soon to be created target process.
   base::win::ScopedHandle initial_token;
   base::win::ScopedHandle lockdown_token;
   base::win::ScopedHandle lowbox_token;
   ResultCode result = SBOX_ALL_OK;
 
   result =
       policy_base->MakeTokens(&initial_token, &lockdown_token, &lowbox_token);
   if (SBOX_ALL_OK != result)
     return result;
+  if (lowbox_token.IsValid() &&
+      base::win::GetVersion() < base::win::VERSION_WIN8) {
+    // We don't allow lowbox_token below Windows 8.
+    return SBOX_ERROR_BAD_PARAMS;
+  }
 
   base::win::ScopedHandle job;
   result = policy_base->MakeJobObject(&job);
   if (SBOX_ALL_OK != result)
     return result;
 
   // Initialize the startup information from the policy.
   base::win::StartupInformation startup_info;
   // The liftime of |mitigations|, |inherit_handle_list| and
   // |child_process_creation| have to be at least as long as
@@ skipping 84 matching lines @@
   // Construct the thread pool here in case it is expensive.
   // The thread pool is shared by all the targets
   if (NULL == thread_pool_)
     thread_pool_ = new Win2kThreadPool();
 
   // Create the TargetProcess object and spawn the target suspended. Note that
   // Brokerservices does not own the target object. It is owned by the Policy.
   base::win::ScopedProcessInformation process_info;
   TargetProcess* target =
       new TargetProcess(std::move(initial_token), std::move(lockdown_token),
-                        std::move(lowbox_token), job.Get(), thread_pool_);
+                        job.Get(), thread_pool_);
 
-  DWORD win_result;
   result = target->Create(exe_path, command_line, inherit_handles, startup_info,
-                          &process_info, &win_result);
+                          &process_info, last_error);
 
   if (result != SBOX_ALL_OK) {
-    SpawnCleanup(target, win_result);
+    SpawnCleanup(target);
     return result;
   }
 
+  if (lowbox_token.IsValid()) {
+    *last_warning = target->AssignLowBoxToken(lowbox_token);
+    // If this fails we continue, but report the error as a warning.
+    // This is due to certain configurations causing the setting of the
+    // token to fail post creation, and we'd rather continue if possible.
+    if (*last_warning != SBOX_ALL_OK)
+      *last_error = ::GetLastError();
+  }
+
   // Now the policy is the owner of the target.
   result = policy_base->AddTarget(target);
 
   if (result != SBOX_ALL_OK) {
-    SpawnCleanup(target, 0);
+    *last_error = ::GetLastError();
+    SpawnCleanup(target);
     return result;
   }
 
   // We are going to keep a pointer to the policy because we'll call it when
   // the job object generates notifications using the completion port.
   policy_base->AddRef();
   if (job.IsValid()) {
     std::unique_ptr<JobTracker> tracker(
         new JobTracker(std::move(job), policy_base));
 
@@ skipping 23 matching lines @@
   ::WaitForSingleObject(no_targets_.Get(), INFINITE);
   return SBOX_ALL_OK;
 }
 
 bool BrokerServicesBase::IsActiveTarget(DWORD process_id) {
   AutoLock lock(&lock_);
   return child_process_ids_.find(process_id) != child_process_ids_.end();
 }
 
 }  // namespace sandbox