| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
| 6 | 6 |
| 7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
| 8 #include "base/callback.h" | 8 #include "base/callback.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/win/windows_version.h" | 10 #include "base/win/windows_version.h" |
| 11 #include "sandbox/win/src/app_container.h" | 11 #include "sandbox/win/src/app_container.h" |
| 12 #include "sandbox/win/src/filesystem_dispatcher.h" | 12 #include "sandbox/win/src/filesystem_dispatcher.h" |
| 13 #include "sandbox/win/src/filesystem_policy.h" | 13 #include "sandbox/win/src/filesystem_policy.h" |
| 14 #include "sandbox/win/src/handle_dispatcher.h" | 14 #include "sandbox/win/src/handle_dispatcher.h" |
| 15 #include "sandbox/win/src/handle_policy.h" | 15 #include "sandbox/win/src/handle_policy.h" |
| 16 #include "sandbox/win/src/job.h" | 16 #include "sandbox/win/src/job.h" |
| 17 #include "sandbox/win/src/interception.h" | 17 #include "sandbox/win/src/interception.h" |
| 18 #include "sandbox/win/src/process_mitigations.h" | 18 #include "sandbox/win/src/process_mitigations.h" |
| 19 #include "sandbox/win/src/named_pipe_dispatcher.h" | 19 #include "sandbox/win/src/named_pipe_dispatcher.h" |
| 20 #include "sandbox/win/src/named_pipe_policy.h" | 20 #include "sandbox/win/src/named_pipe_policy.h" |
| 21 #include "sandbox/win/src/policy_broker.h" | 21 #include "sandbox/win/src/policy_broker.h" |
| 22 #include "sandbox/win/src/policy_engine_processor.h" | 22 #include "sandbox/win/src/policy_engine_processor.h" |
| 23 #include "sandbox/win/src/policy_low_level.h" | 23 #include "sandbox/win/src/policy_low_level.h" |
| 24 #include "sandbox/win/src/process_mitigations_win32k_dispatcher.h" |
| 25 #include "sandbox/win/src/process_mitigations_win32k_policy.h" |
| 24 #include "sandbox/win/src/process_thread_dispatcher.h" | 26 #include "sandbox/win/src/process_thread_dispatcher.h" |
| 25 #include "sandbox/win/src/process_thread_policy.h" | 27 #include "sandbox/win/src/process_thread_policy.h" |
| 26 #include "sandbox/win/src/registry_dispatcher.h" | 28 #include "sandbox/win/src/registry_dispatcher.h" |
| 27 #include "sandbox/win/src/registry_policy.h" | 29 #include "sandbox/win/src/registry_policy.h" |
| 28 #include "sandbox/win/src/restricted_token_utils.h" | 30 #include "sandbox/win/src/restricted_token_utils.h" |
| 29 #include "sandbox/win/src/sandbox_policy.h" | 31 #include "sandbox/win/src/sandbox_policy.h" |
| 30 #include "sandbox/win/src/sync_dispatcher.h" | 32 #include "sandbox/win/src/sync_dispatcher.h" |
| 31 #include "sandbox/win/src/sync_policy.h" | 33 #include "sandbox/win/src/sync_policy.h" |
| 32 #include "sandbox/win/src/target_process.h" | 34 #include "sandbox/win/src/target_process.h" |
| 33 #include "sandbox/win/src/window.h" | 35 #include "sandbox/win/src/window.h" |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 118 dispatcher = new SyncDispatcher(this); | 120 dispatcher = new SyncDispatcher(this); |
| 119 ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher; | 121 ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher; |
| 120 ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher; | 122 ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher; |
| 121 | 123 |
| 122 dispatcher = new RegistryDispatcher(this); | 124 dispatcher = new RegistryDispatcher(this); |
| 123 ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher; | 125 ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher; |
| 124 ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher; | 126 ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher; |
| 125 | 127 |
| 126 dispatcher = new HandleDispatcher(this); | 128 dispatcher = new HandleDispatcher(this); |
| 127 ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher; | 129 ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher; |
| 130 |
| 131 dispatcher = new ProcessMitigationsWin32KDispatcher(this); |
| 132 ipc_targets_[IPC_GDI_GDIDLLINITIALIZE_TAG] = dispatcher; |
| 133 ipc_targets_[IPC_GDI_GETSTOCKOBJECT_TAG] = dispatcher; |
| 134 ipc_targets_[IPC_USER_REGISTERCLASSW_TAG] = dispatcher; |
| 128 } | 135 } |
| 129 | 136 |
| 130 PolicyBase::~PolicyBase() { | 137 PolicyBase::~PolicyBase() { |
| 131 TargetSet::iterator it; | 138 TargetSet::iterator it; |
| 132 for (it = targets_.begin(); it != targets_.end(); ++it) { | 139 for (it = targets_.begin(); it != targets_.end(); ++it) { |
| 133 TargetProcess* target = (*it); | 140 TargetProcess* target = (*it); |
| 134 delete target; | 141 delete target; |
| 135 } | 142 } |
| 136 delete ipc_targets_[IPC_NTCREATEFILE_TAG]; | 143 delete ipc_targets_[IPC_NTCREATEFILE_TAG]; |
| 137 delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG]; | 144 delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG]; |
| (...skipping 280 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 418 } | 425 } |
| 419 break; | 426 break; |
| 420 } | 427 } |
| 421 case SUBSYS_HANDLES: { | 428 case SUBSYS_HANDLES: { |
| 422 if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) { | 429 if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) { |
| 423 NOTREACHED(); | 430 NOTREACHED(); |
| 424 return SBOX_ERROR_BAD_PARAMS; | 431 return SBOX_ERROR_BAD_PARAMS; |
| 425 } | 432 } |
| 426 break; | 433 break; |
| 427 } | 434 } |
| 435 |
| 436 case SUBSYS_WIN32K_LOCKDOWN: { |
| 437 if (!ProcessMitigationsWin32KLockdownPolicy::GenerateRules( |
| 438 pattern, semantics,policy_maker_)) { |
| 439 NOTREACHED(); |
| 440 return SBOX_ERROR_BAD_PARAMS; |
| 441 } |
| 442 break; |
| 443 } |
| 444 |
| 428 default: { | 445 default: { |
| 429 return SBOX_ERROR_UNSUPPORTED; | 446 return SBOX_ERROR_UNSUPPORTED; |
| 430 } | 447 } |
| 431 } | 448 } |
| 432 | 449 |
| 433 return SBOX_ALL_OK; | 450 return SBOX_ALL_OK; |
| 434 } | 451 } |
| 435 | 452 |
| 436 ResultCode PolicyBase::AddDllToUnload(const wchar_t* dll_name) { | 453 ResultCode PolicyBase::AddDllToUnload(const wchar_t* dll_name) { |
| 437 blacklisted_dlls_.push_back(dll_name); | 454 blacklisted_dlls_.push_back(dll_name); |
| (...skipping 253 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 691 | 708 |
| 692 // Finally, setup imports on the target so the interceptions can work. | 709 // Finally, setup imports on the target so the interceptions can work. |
| 693 return SetupNtdllImports(target); | 710 return SetupNtdllImports(target); |
| 694 } | 711 } |
| 695 | 712 |
| 696 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { | 713 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { |
| 697 return handle_closer_.InitializeTargetHandles(target); | 714 return handle_closer_.InitializeTargetHandles(target); |
| 698 } | 715 } |
| 699 | 716 |
| 700 } // namespace sandbox | 717 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 318603003:
Sandbox policy and intercepts for the MITIGATION_WIN32K_DISABLE policy for renderer processes. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src