| OLD | NEW |
|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/sync_interception.h" | 5 #include "sandbox/win/src/sync_interception.h" |
| 6 | 6 |
| 7 #include "sandbox/win/src/crosscall_client.h" | 7 #include "sandbox/win/src/crosscall_client.h" |
| 8 #include "sandbox/win/src/ipc_tags.h" | 8 #include "sandbox/win/src/ipc_tags.h" |
| 9 #include "sandbox/win/src/policy_params.h" | 9 #include "sandbox/win/src/policy_params.h" |
| 10 #include "sandbox/win/src/policy_target.h" | 10 #include "sandbox/win/src/policy_target.h" |
| 11 #include "sandbox/win/src/sandbox_factory.h" | 11 #include "sandbox/win/src/sandbox_factory.h" |
| 12 #include "sandbox/win/src/sandbox_nt_util.h" | 12 #include "sandbox/win/src/sandbox_nt_util.h" |
| 13 #include "sandbox/win/src/sharedmem_ipc_client.h" | 13 #include "sandbox/win/src/sharedmem_ipc_client.h" |
| 14 #include "sandbox/win/src/target_services.h" | 14 #include "sandbox/win/src/target_services.h" |
| 15 | 15 |
| 16 namespace sandbox { | 16 namespace sandbox { |
| 17 | 17 |
| 18 ResultCode ProxyCreateEvent(LPCWSTR name, | 18 ResultCode ProxyCreateEvent(LPCWSTR name, |
| 19 BOOL initial_state, | 19 BOOL initial_state, |
| 20 BOOL manual_reset, | 20 EVENT_TYPE event_type, |
| 21 void* ipc_memory, |
| 21 CrossCallReturn* answer) { | 22 CrossCallReturn* answer) { |
| 22 void* memory = GetGlobalIPCMemory(); | |
| 23 if (!memory) | |
| 24 return SBOX_ERROR_GENERIC; | |
| 25 | |
| 26 CountedParameterSet<NameBased> params; | 23 CountedParameterSet<NameBased> params; |
| 27 params[NameBased::NAME] = ParamPickerMake(name); | 24 params[NameBased::NAME] = ParamPickerMake(name); |
| 28 | 25 |
| 29 if (!QueryBroker(IPC_CREATEEVENT_TAG, params.GetBase())) | 26 if (!QueryBroker(IPC_CREATEEVENT_TAG, params.GetBase())) |
| 30 return SBOX_ERROR_GENERIC; | 27 return SBOX_ERROR_GENERIC; |
| 31 | 28 |
| 32 SharedMemIPCClient ipc(memory); | 29 SharedMemIPCClient ipc(ipc_memory); |
| 33 ResultCode code = CrossCall(ipc, IPC_CREATEEVENT_TAG, name, manual_reset, | 30 ResultCode code = CrossCall(ipc, IPC_CREATEEVENT_TAG, name, event_type, |
| 34 initial_state, answer); | 31 initial_state, answer); |
| 35 return code; | 32 return code; |
| 36 } | 33 } |
| 37 | 34 |
| 38 ResultCode ProxyOpenEvent(LPCWSTR name, | 35 ResultCode ProxyOpenEvent(LPCWSTR name, |
| 39 ACCESS_MASK desired_access, | 36 ACCESS_MASK desired_access, |
| 40 BOOL inherit_handle, | 37 void* ipc_memory, |
| 41 CrossCallReturn* answer) { | 38 CrossCallReturn* answer) { |
| 42 void* memory = GetGlobalIPCMemory(); | |
| 43 if (!memory) | |
| 44 return SBOX_ERROR_GENERIC; | |
| 45 | |
| 46 uint32 inherit_handle_ipc = inherit_handle; | |
| 47 CountedParameterSet<OpenEventParams> params; | 39 CountedParameterSet<OpenEventParams> params; |
| 48 params[OpenEventParams::NAME] = ParamPickerMake(name); | 40 params[OpenEventParams::NAME] = ParamPickerMake(name); |
| 49 params[OpenEventParams::ACCESS] = ParamPickerMake(desired_access); | 41 params[OpenEventParams::ACCESS] = ParamPickerMake(desired_access); |
| 50 | 42 |
| 51 if (!QueryBroker(IPC_OPENEVENT_TAG, params.GetBase())) | 43 if (!QueryBroker(IPC_OPENEVENT_TAG, params.GetBase())) |
| 52 return SBOX_ERROR_GENERIC; | 44 return SBOX_ERROR_GENERIC; |
| 53 | 45 |
| 54 SharedMemIPCClient ipc(memory); | 46 SharedMemIPCClient ipc(ipc_memory); |
| 55 ResultCode code = CrossCall(ipc, IPC_OPENEVENT_TAG, name, desired_access, | 47 ResultCode code = CrossCall(ipc, IPC_OPENEVENT_TAG, name, desired_access, |
| 56 inherit_handle_ipc, answer); | 48 answer); |
| 57 | 49 |
| 58 return code; | 50 return code; |
| 59 } | 51 } |
| 60 | 52 |
| 61 HANDLE WINAPI TargetCreateEventW(CreateEventWFunction orig_CreateEvent, | 53 NTSTATUS WINAPI TargetNtCreateEvent(NtCreateEventFunction orig_CreateEvent, |
| 62 LPSECURITY_ATTRIBUTES security_attributes, | 54 PHANDLE event_handle, |
| 63 BOOL manual_reset, | 55 ACCESS_MASK desired_access, |
| 64 BOOL initial_state, | 56 POBJECT_ATTRIBUTES object_attributes, |
| 65 LPCWSTR name) { | 57 EVENT_TYPE event_type, |
| 66 // Check if the process can create it first. | 58 BOOLEAN initial_state) { |
| 67 HANDLE handle = orig_CreateEvent(security_attributes, manual_reset, | 59 NTSTATUS status = orig_CreateEvent(event_handle, desired_access, |
| 68 initial_state, name); | 60 object_attributes, event_type, |
| 69 if (handle || !name) | 61 initial_state); |
| 70 return handle; | 62 if (status != STATUS_ACCESS_DENIED || !object_attributes) |
| 63 return status; |
| 71 | 64 |
| 72 // We don't trust that the IPC can work this early. | 65 // We don't trust that the IPC can work this early. |
| 73 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | 66 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) |
| 74 return NULL; | 67 return status; |
| 75 | 68 |
| 76 DWORD original_error = ::GetLastError(); | 69 do { |
| 70 if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE)) |
| 71 break; |
| 77 | 72 |
| 78 CrossCallReturn answer = {0}; | 73 void* memory = GetGlobalIPCMemory(); |
| 79 ResultCode code = ProxyCreateEvent(name, initial_state, manual_reset, | 74 if (memory == NULL) |
| 80 &answer); | 75 break; |
| 81 | 76 |
| 82 if (code == SBOX_ALL_OK) { | 77 OBJECT_ATTRIBUTES object_attribs_copy = *object_attributes; |
| 83 ::SetLastError(answer.win32_result); | 78 // The RootDirectory points to BaseNamedObjects. We can ignore it. |
| 84 return answer.handle; | 79 object_attribs_copy.RootDirectory = NULL; |
| 85 } | 80 |
| 86 ::SetLastError(original_error); | 81 wchar_t* name = NULL; |
| 87 return NULL; | 82 uint32 attributes = 0; |
| 83 NTSTATUS ret = AllocAndCopyName(&object_attribs_copy, &name, &attributes, |
| 84 NULL); |
| 85 if (!NT_SUCCESS(ret) || name == NULL) |
| 86 break; |
| 87 |
| 88 CrossCallReturn answer = {0}; |
| 89 ResultCode code = ProxyCreateEvent(name, initial_state, event_type, memory, |
| 90 &answer); |
| 91 operator delete(name, NT_ALLOC); |
| 92 |
| 93 if (code != SBOX_ALL_OK) { |
| 94 status = answer.nt_status; |
| 95 break; |
| 96 } |
| 97 __try { |
| 98 *event_handle = answer.handle; |
| 99 status = STATUS_SUCCESS; |
| 100 } __except(EXCEPTION_EXECUTE_HANDLER) { |
| 101 break; |
| 102 } |
| 103 } while (false); |
| 104 |
| 105 return status; |
| 88 } | 106 } |
| 89 | 107 |
| 90 HANDLE WINAPI TargetCreateEventA(CreateEventAFunction orig_CreateEvent, | 108 NTSTATUS WINAPI TargetNtOpenEvent(NtOpenEventFunction orig_OpenEvent, |
| 91 LPSECURITY_ATTRIBUTES security_attributes, | 109 PHANDLE event_handle, |
| 92 BOOL manual_reset, | 110 ACCESS_MASK desired_access, |
| 93 BOOL initial_state, | 111 POBJECT_ATTRIBUTES object_attributes) { |
| 94 LPCSTR name) { | 112 NTSTATUS status = orig_OpenEvent(event_handle, desired_access, |
| 95 // Check if the process can create it first. | 113 object_attributes); |
| 96 HANDLE handle = orig_CreateEvent(security_attributes, manual_reset, | 114 if (status != STATUS_ACCESS_DENIED || !object_attributes) |
| 97 initial_state, name); | 115 return status; |
| 98 if (handle || !name) | |
| 99 return handle; | |
| 100 | 116 |
| 101 // We don't trust that the IPC can work this early. | 117 // We don't trust that the IPC can work this early. |
| 102 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | 118 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) |
| 103 return NULL; | 119 return status; |
| 104 | 120 |
| 105 DWORD original_error = ::GetLastError(); | 121 do { |
| 122 if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE)) |
| 123 break; |
| 106 | 124 |
| 107 UNICODE_STRING* wide_name = AnsiToUnicode(name); | 125 void* memory = GetGlobalIPCMemory(); |
| 108 if (!wide_name) | 126 if (memory == NULL) |
| 109 return NULL; | 127 break; |
| 110 | 128 |
| 111 CrossCallReturn answer = {0}; | 129 OBJECT_ATTRIBUTES object_attribs_copy = *object_attributes; |
| 112 ResultCode code = ProxyCreateEvent(wide_name->Buffer, initial_state, | 130 // The RootDirectory points to BaseNamedObjects. We can ignore it. |
| 113 manual_reset, &answer); | 131 object_attribs_copy.RootDirectory = NULL; |
| 114 operator delete(wide_name, NT_ALLOC); | |
| 115 | 132 |
| 116 if (code == SBOX_ALL_OK) { | 133 wchar_t* name = NULL; |
| 117 ::SetLastError(answer.win32_result); | 134 uint32 attributes = 0; |
| 118 return answer.handle; | 135 NTSTATUS ret = AllocAndCopyName(&object_attribs_copy, &name, &attributes, |
| 119 } | 136 NULL); |
| 120 ::SetLastError(original_error); | 137 if (!NT_SUCCESS(ret) || name == NULL) |
| 121 return NULL; | 138 break; |
| 122 } | |
| 123 | 139 |
| 124 // Interception of OpenEventW on the child process. | 140 CrossCallReturn answer = {0}; |
| 125 // It should never be called directly | 141 ResultCode code = ProxyOpenEvent(name, desired_access, memory, &answer); |
| 126 HANDLE WINAPI TargetOpenEventW(OpenEventWFunction orig_OpenEvent, | 142 operator delete(name, NT_ALLOC); |
| 127 DWORD desired_access, | |
| 128 BOOL inherit_handle, | |
| 129 LPCWSTR name) { | |
| 130 // Check if the process can open it first. | |
| 131 HANDLE handle = orig_OpenEvent(desired_access, inherit_handle, name); | |
| 132 if (handle || !name) | |
| 133 return handle; | |
| 134 | 143 |
| 135 // We don't trust that the IPC can work this early. | 144 if (code != SBOX_ALL_OK) { |
| 136 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | 145 status = answer.nt_status; |
| 137 return NULL; | 146 break; |
| 147 } |
| 148 __try { |
| 149 *event_handle = answer.handle; |
| 150 status = STATUS_SUCCESS; |
| 151 } __except(EXCEPTION_EXECUTE_HANDLER) { |
| 152 break; |
| 153 } |
| 154 } while (false); |
| 138 | 155 |
| 139 DWORD original_error = ::GetLastError(); | 156 return status; |
| 140 | |
| 141 CrossCallReturn answer = {0}; | |
| 142 | |
| 143 ResultCode code = ProxyOpenEvent(name, desired_access, inherit_handle, | |
| 144 &answer); | |
| 145 if (code == SBOX_ALL_OK) { | |
| 146 ::SetLastError(answer.win32_result); | |
| 147 return answer.handle; | |
| 148 } | |
| 149 ::SetLastError(original_error); | |
| 150 return NULL; | |
| 151 } | |
| 152 | |
| 153 HANDLE WINAPI TargetOpenEventA(OpenEventAFunction orig_OpenEvent, | |
| 154 DWORD desired_access, | |
| 155 BOOL inherit_handle, | |
| 156 LPCSTR name) { | |
| 157 // Check if the process can open it first. | |
| 158 HANDLE handle = orig_OpenEvent(desired_access, inherit_handle, name); | |
| 159 if (handle || !name) | |
| 160 return handle; | |
| 161 | |
| 162 // We don't trust that the IPC can work this early. | |
| 163 if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) | |
| 164 return NULL; | |
| 165 | |
| 166 DWORD original_error = ::GetLastError(); | |
| 167 | |
| 168 UNICODE_STRING* wide_name = AnsiToUnicode(name); | |
| 169 if (!wide_name) | |
| 170 return NULL; | |
| 171 | |
| 172 CrossCallReturn answer = {0}; | |
| 173 ResultCode code = ProxyOpenEvent(wide_name->Buffer, desired_access, | |
| 174 inherit_handle, &answer); | |
| 175 operator delete(wide_name, NT_ALLOC); | |
| 176 | |
| 177 if (code == SBOX_ALL_OK) { | |
| 178 ::SetLastError(answer.win32_result); | |
| 179 return answer.handle; | |
| 180 } | |
| 181 ::SetLastError(original_error); | |
| 182 return NULL; | |
| 183 } | 157 } |
| 184 | 158 |
| 185 } // namespace sandbox | 159 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 31933005:
Replace the CreateEvent/OpenEvent patches with their Nt counterparts like NtOpenEvent and NtCreateE… (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/