| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
| 6 | 6 |
| 7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
| 8 #include "base/callback.h" | 8 #include "base/callback.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/win/windows_version.h" | 10 #include "base/win/windows_version.h" |
| 11 #include "sandbox/win/src/app_container.h" | 11 #include "sandbox/win/src/app_container.h" |
| 12 #include "sandbox/win/src/filesystem_dispatcher.h" | 12 #include "sandbox/win/src/filesystem_dispatcher.h" |
| 13 #include "sandbox/win/src/filesystem_policy.h" | 13 #include "sandbox/win/src/filesystem_policy.h" |
| 14 #include "sandbox/win/src/handle_dispatcher.h" | 14 #include "sandbox/win/src/handle_dispatcher.h" |
| 15 #include "sandbox/win/src/handle_policy.h" | 15 #include "sandbox/win/src/handle_policy.h" |
| 16 #include "sandbox/win/src/job.h" | 16 #include "sandbox/win/src/job.h" |
| 17 #include "sandbox/win/src/interception.h" | 17 #include "sandbox/win/src/interception.h" |
| 18 #include "sandbox/win/src/process_mitigations.h" | 18 #include "sandbox/win/src/process_mitigations.h" |
| 19 #include "sandbox/win/src/named_pipe_dispatcher.h" | 19 #include "sandbox/win/src/named_pipe_dispatcher.h" |
| 20 #include "sandbox/win/src/named_pipe_policy.h" | 20 #include "sandbox/win/src/named_pipe_policy.h" |
| 21 #include "sandbox/win/src/policy_broker.h" | 21 #include "sandbox/win/src/policy_broker.h" |
| 22 #include "sandbox/win/src/policy_engine_processor.h" | 22 #include "sandbox/win/src/policy_engine_processor.h" |
| 23 #include "sandbox/win/src/policy_low_level.h" | 23 #include "sandbox/win/src/policy_low_level.h" |
| 24 #include "sandbox/win/src/process_mitigations_win32k_dispatcher.h" |
| 25 #include "sandbox/win/src/process_mitigations_win32k_policy.h" |
| 24 #include "sandbox/win/src/process_thread_dispatcher.h" | 26 #include "sandbox/win/src/process_thread_dispatcher.h" |
| 25 #include "sandbox/win/src/process_thread_policy.h" | 27 #include "sandbox/win/src/process_thread_policy.h" |
| 26 #include "sandbox/win/src/registry_dispatcher.h" | 28 #include "sandbox/win/src/registry_dispatcher.h" |
| 27 #include "sandbox/win/src/registry_policy.h" | 29 #include "sandbox/win/src/registry_policy.h" |
| 28 #include "sandbox/win/src/restricted_token_utils.h" | 30 #include "sandbox/win/src/restricted_token_utils.h" |
| 29 #include "sandbox/win/src/sandbox_policy.h" | 31 #include "sandbox/win/src/sandbox_policy.h" |
| 30 #include "sandbox/win/src/sync_dispatcher.h" | 32 #include "sandbox/win/src/sync_dispatcher.h" |
| 31 #include "sandbox/win/src/sync_policy.h" | 33 #include "sandbox/win/src/sync_policy.h" |
| 32 #include "sandbox/win/src/target_process.h" | 34 #include "sandbox/win/src/target_process.h" |
| 33 #include "sandbox/win/src/window.h" | 35 #include "sandbox/win/src/window.h" |
| (...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 117 dispatcher = new SyncDispatcher(this); | 119 dispatcher = new SyncDispatcher(this); |
| 118 ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher; | 120 ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher; |
| 119 ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher; | 121 ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher; |
| 120 | 122 |
| 121 dispatcher = new RegistryDispatcher(this); | 123 dispatcher = new RegistryDispatcher(this); |
| 122 ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher; | 124 ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher; |
| 123 ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher; | 125 ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher; |
| 124 | 126 |
| 125 dispatcher = new HandleDispatcher(this); | 127 dispatcher = new HandleDispatcher(this); |
| 126 ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher; | 128 ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher; |
| 129 |
| 130 dispatcher = new ProcessMitigationsWin32KDispatcher(this); |
| 131 ipc_targets_[IPC_GDI_GDIDLLINITIALIZE_TAG] = dispatcher; |
| 132 ipc_targets_[IPC_GDI_GETSTOCKOBJECT_TAG] = dispatcher; |
| 133 ipc_targets_[IPC_USER_REGISTERCLASSW_TAG] = dispatcher; |
| 127 } | 134 } |
| 128 | 135 |
| 129 PolicyBase::~PolicyBase() { | 136 PolicyBase::~PolicyBase() { |
| 130 TargetSet::iterator it; | 137 TargetSet::iterator it; |
| 131 for (it = targets_.begin(); it != targets_.end(); ++it) { | 138 for (it = targets_.begin(); it != targets_.end(); ++it) { |
| 132 TargetProcess* target = (*it); | 139 TargetProcess* target = (*it); |
| 133 delete target; | 140 delete target; |
| 134 } | 141 } |
| 135 delete ipc_targets_[IPC_NTCREATEFILE_TAG]; | 142 delete ipc_targets_[IPC_NTCREATEFILE_TAG]; |
| 136 delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG]; | 143 delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG]; |
| (...skipping 257 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 394 } | 401 } |
| 395 break; | 402 break; |
| 396 } | 403 } |
| 397 case SUBSYS_HANDLES: { | 404 case SUBSYS_HANDLES: { |
| 398 if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) { | 405 if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) { |
| 399 NOTREACHED(); | 406 NOTREACHED(); |
| 400 return SBOX_ERROR_BAD_PARAMS; | 407 return SBOX_ERROR_BAD_PARAMS; |
| 401 } | 408 } |
| 402 break; | 409 break; |
| 403 } | 410 } |
| 411 |
| 412 case SUBSYS_WIN32K_LOCKDOWN: { |
| 413 if (!ProcessMitigationsWin32KLockdownPolicy::GenerateRules( |
| 414 pattern, semantics,policy_maker_)) { |
| 415 NOTREACHED(); |
| 416 return SBOX_ERROR_BAD_PARAMS; |
| 417 } |
| 418 break; |
| 419 } |
| 420 |
| 404 default: { | 421 default: { |
| 405 return SBOX_ERROR_UNSUPPORTED; | 422 return SBOX_ERROR_UNSUPPORTED; |
| 406 } | 423 } |
| 407 } | 424 } |
| 408 | 425 |
| 409 return SBOX_ALL_OK; | 426 return SBOX_ALL_OK; |
| 410 } | 427 } |
| 411 | 428 |
| 412 ResultCode PolicyBase::AddDllToUnload(const wchar_t* dll_name) { | 429 ResultCode PolicyBase::AddDllToUnload(const wchar_t* dll_name) { |
| 413 blacklisted_dlls_.push_back(dll_name); | 430 blacklisted_dlls_.push_back(dll_name); |
| (...skipping 252 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 666 | 683 |
| 667 // Finally, setup imports on the target so the interceptions can work. | 684 // Finally, setup imports on the target so the interceptions can work. |
| 668 return SetupNtdllImports(target); | 685 return SetupNtdllImports(target); |
| 669 } | 686 } |
| 670 | 687 |
| 671 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { | 688 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { |
| 672 return handle_closer_.InitializeTargetHandles(target); | 689 return handle_closer_.InitializeTargetHandles(target); |
| 673 } | 690 } |
| 674 | 691 |
| 675 } // namespace sandbox | 692 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 318603003:
Sandbox policy and intercepts for the MITIGATION_WIN32K_DISABLE policy for renderer processes. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src