Sandbox policy and intercepts for the MITIGATION_WIN32K_DISABLE policy for renderer processes.

sandbox/win/src/sandbox_policy_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/sandbox_policy_base.h"
 
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/app_container.h"
 #include "sandbox/win/src/filesystem_dispatcher.h"
 #include "sandbox/win/src/filesystem_policy.h"
 #include "sandbox/win/src/handle_dispatcher.h"
 #include "sandbox/win/src/handle_policy.h"
 #include "sandbox/win/src/job.h"
 #include "sandbox/win/src/interception.h"
 #include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/named_pipe_dispatcher.h"
 #include "sandbox/win/src/named_pipe_policy.h"
 #include "sandbox/win/src/policy_broker.h"
 #include "sandbox/win/src/policy_engine_processor.h"
 #include "sandbox/win/src/policy_low_level.h"
+#include "sandbox/win/src/process_mitigations_win32k_dispatcher.h"
+#include "sandbox/win/src/process_mitigations_win32k_policy.h"

[jschuh, 2014/06/06 03:23:37]

Remove this include because you're removing the file.

[ananta, 2014/06/06 23:57:35]

Ditto

 #include "sandbox/win/src/process_thread_dispatcher.h"
 #include "sandbox/win/src/process_thread_policy.h"
 #include "sandbox/win/src/registry_dispatcher.h"
 #include "sandbox/win/src/registry_policy.h"
 #include "sandbox/win/src/restricted_token_utils.h"
 #include "sandbox/win/src/sandbox_policy.h"
 #include "sandbox/win/src/sync_dispatcher.h"
 #include "sandbox/win/src/sync_policy.h"
 #include "sandbox/win/src/target_process.h"
 #include "sandbox/win/src/window.h"
@@ skipping 83 matching lines @@
   dispatcher = new SyncDispatcher(this);
   ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher;
   ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher;
 
   dispatcher = new RegistryDispatcher(this);
   ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher;
   ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher;
 
   dispatcher = new HandleDispatcher(this);
   ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher;
+
+  dispatcher = new ProcessMitigationsWin32KDispatcher(this);

[rvargas (doing something else), 2014/06/06 21:22:24]

I guess this is the core of the matter.

I'd like to keep the consistency... so I want to have a formal dispatcher, even
if it doesn't do anything on the broker side.

One way or another, this is a policy driven interception (even if there is no
IPC), so we may do without a low level policy, but all the current
infrastructure assumes a dispatcher means low level policy, so the option would
be change that.

On the other hand, we could do policy look up on the target, say to decide if we
should fake success or failure, but that is most likely overkill for what we
need at this point (assuming we don't find out very soon that we need more
interceptions).

[ananta, 2014/06/06 23:57:35]

Leaving this as is. Sort of agree that maintaining existing structure is better.

+  ipc_targets_[IPC_GDI_GDIDLLINITIALIZE_TAG] = dispatcher;
+  ipc_targets_[IPC_GDI_GETSTOCKOBJECT_TAG] = dispatcher;
+  ipc_targets_[IPC_USER_REGISTERCLASSW_TAG] = dispatcher;
 }
 
 PolicyBase::~PolicyBase() {
   TargetSet::iterator it;
   for (it = targets_.begin(); it != targets_.end(); ++it) {
     TargetProcess* target = (*it);
     delete target;
   }
   delete ipc_targets_[IPC_NTCREATEFILE_TAG];
   delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG];
@@ skipping 156 matching lines @@
 
 ResultCode PolicyBase::SetCapability(const wchar_t* sid) {
   capabilities_.push_back(sid);
   return SBOX_ALL_OK;
 }
 
 ResultCode PolicyBase::SetProcessMitigations(
     MitigationFlags flags) {
   if (!CanSetProcessMitigationsPreStartup(flags))
     return SBOX_ERROR_BAD_PARAMS;
   mitigations_ = flags;

[rvargas (doing something else), 2014/06/06 21:22:24]

If we don't want to have a separate SUBSYS_WIN32K_LOCKDOWN, we could also call
ProcessMitigationsWin32KLockdownPolicy::GenerateRules from here after checking
the right flag.

[ananta, 2014/06/06 23:57:35]

Not doing that. Leaving the SUBSYS_WIN32K_LOCKDOWN code as is. This is a touch
cleaner.

   return SBOX_ALL_OK;
 }
 
 MitigationFlags PolicyBase::GetProcessMitigations() {
   return mitigations_;
 }
 
 ResultCode PolicyBase::SetDelayedProcessMitigations(
     MitigationFlags flags) {
   if (!CanSetProcessMitigationsPostStartup(flags))
@@ skipping 80 matching lines @@
       }
       break;
     }
     case SUBSYS_HANDLES: {
       if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) {
         NOTREACHED();
         return SBOX_ERROR_BAD_PARAMS;
       }
       break;
     }
+
+    case SUBSYS_WIN32K_LOCKDOWN: {
+      if (!ProcessMitigationsWin32KLockdownPolicy::GenerateRules(
+              pattern, semantics,policy_maker_)) {
+        NOTREACHED();
+        return SBOX_ERROR_BAD_PARAMS;
+      }
+      break;
+    }

[jschuh, 2014/06/06 03:23:37]

Remove this whole case.

[ananta, 2014/06/06 23:57:35]

Leaving this as is.

+
     default: {
       return SBOX_ERROR_UNSUPPORTED;
     }
   }
 
   return SBOX_ALL_OK;
 }
 
 ResultCode PolicyBase::AddDllToUnload(const wchar_t* dll_name) {
   blacklisted_dlls_.push_back(dll_name);
@@ skipping 252 matching lines @@
 
   // Finally, setup imports on the target so the interceptions can work.
   return SetupNtdllImports(target);
 }
 
 bool PolicyBase::SetupHandleCloser(TargetProcess* target) {
   return handle_closer_.InitializeTargetHandles(target);
 }
 
 }  // namespace sandbox