Cache sandbox tokens

sandbox/win/src/broker_services.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/broker_services.h"
 
+#include <AclAPI.h>
+
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/threading/platform_thread.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_process_information.h"
 #include "base/win/startup_information.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/app_container.h"
 #include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox_policy_base.h"
@@ skipping 56 matching lines @@
 
 void DeregisterPeerTracker(PeerTracker* peer) {
   // Deregistration shouldn't fail, but we leak rather than crash if it does.
   if (::UnregisterWaitEx(peer->wait_object, INVALID_HANDLE_VALUE)) {
     delete peer;
   } else {
     NOTREACHED();
   }
 }
 
+// Utility function to pack token values into a key for the cache map.
+uint32_t GenerateTokenCacheKey(const sandbox::PolicyBase* policy) {
+  const size_t kTokenShift = 3;
+  uint32_t key;
+
+  // Make sure our token values aren't too large to pack into the key.
+  static_assert(sandbox::USER_LAST <= (1 << kTokenShift),
+                "TokenLevel too large");
+  static_assert(sandbox::INTEGRITY_LEVEL_LAST <= (1 << kTokenShift),
+                "IntegrityLevel too large");
+  static_assert(sizeof(key) < (kTokenShift * 3),
+                "Token key type too small");
+
+  // The key is the enum values shifted to avoid overlap and OR'd together.
+  key = policy->GetInitialTokenLevel();
+  key <<= kTokenShift;
+  key |= policy->GetLockdownTokenLevel();
+  key <<= kTokenShift;
+  key |= policy->GetIntegrityLevel();
+
+  return key;
+}
+
 }  // namespace
 
 namespace sandbox {
 
 BrokerServicesBase::BrokerServicesBase()
     : thread_pool_(NULL), job_port_(NULL), no_targets_(NULL),
       job_thread_(NULL) {
 }
 
 // The broker uses a dedicated worker thread that services the job completion
@@ skipping 53 matching lines @@
 
   // Cancel the wait events and delete remaining peer trackers.
   for (PeerTrackerMap::iterator it = peer_map_.begin();
        it != peer_map_.end(); ++it) {
     DeregisterPeerTracker(it->second);
   }
 
   // If job_port_ isn't NULL, assumes that the lock has been initialized.
   if (job_port_)
     ::DeleteCriticalSection(&lock_);
+
+  // Close any token in the cache.
+  for (TokenCacheMap::iterator it = token_cache_.begin();
+       it != token_cache_.end(); ++it) {
+    ::CloseHandle(it->second.first);
+    ::CloseHandle(it->second.second);
+  }
 }
 
 TargetPolicy* BrokerServicesBase::CreatePolicy() {
   // If you change the type of the object being created here you must also
   // change the downcast to it in SpawnTarget().
   return new PolicyBase;
 }
 
 void BrokerServicesBase::FreeResources(JobTracker* tracker) {
   if (NULL != tracker->policy) {
@@ skipping 126 matching lines @@
 
   AutoLock lock(&lock_);
 
   // This downcast is safe as long as we control CreatePolicy()
   PolicyBase* policy_base = static_cast<PolicyBase*>(policy);
 
   // Construct the tokens and the job object that we are going to associate
   // with the soon to be created target process.
   HANDLE initial_token_temp;
   HANDLE lockdown_token_temp;
-  ResultCode result = policy_base->MakeTokens(&initial_token_temp,
-                                              &lockdown_token_temp);
-  if (SBOX_ALL_OK != result)
-    return result;
+  ResultCode result = SBOX_ALL_OK;
+
+  // Create the master tokens only once and save them in a cache. That way
+  // can just duplicate them to avoid hammering LSASS on every sandboxed
+  // process launch.
+  uint32_t token_key = GenerateTokenCacheKey(policy_base);
+  TokenCacheMap::iterator it = token_cache_.find(token_key);
+  if (it != token_cache_.end()) {
+    initial_token_temp = it->second.first;
+    lockdown_token_temp = it->second.second;
+  } else {
+    result = policy_base->MakeTokens(&initial_token_temp,
+                                     &lockdown_token_temp);
+    if (SBOX_ALL_OK != result)
+      return result;
+    token_cache_[token_key] =
+        std::pair<HANDLE, HANDLE>(initial_token_temp, lockdown_token_temp);
+  }
+
+  if (!::DuplicateToken(initial_token_temp, SecurityImpersonation,
+                        &initial_token_temp)) {
+    return SBOX_ERROR_GENERIC;
+  }
+
+  if (!::DuplicateTokenEx(lockdown_token_temp, TOKEN_ALL_ACCESS, 0,
+                          SecurityIdentification, TokenPrimary,
+                          &lockdown_token_temp)) {
+    return SBOX_ERROR_GENERIC;
+  }
 
   base::win::ScopedHandle initial_token(initial_token_temp);
   base::win::ScopedHandle lockdown_token(lockdown_token_temp);
 
   HANDLE job_temp;
   result = policy_base->MakeJobObject(&job_temp);
   if (SBOX_ALL_OK != result)
     return result;
 
   base::win::ScopedHandle job(job_temp);
@@ skipping 185 matching lines @@
     return SBOX_ERROR_UNSUPPORTED;
 
   base::string16 name = LookupAppContainer(sid);
   if (name.empty())
     return SBOX_ERROR_INVALID_APP_CONTAINER;
 
   return DeleteAppContainer(sid);
 }
 
 }  // namespace sandbox