| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
| 6 | 6 |
| 7 #include <sddl.h> | |
| 8 | |
| 7 #include "base/basictypes.h" | 9 #include "base/basictypes.h" |
| 8 #include "base/callback.h" | 10 #include "base/callback.h" |
| 9 #include "base/logging.h" | 11 #include "base/logging.h" |
| 10 #include "base/win/windows_version.h" | 12 #include "base/win/windows_version.h" |
| 11 #include "sandbox/win/src/app_container.h" | 13 #include "sandbox/win/src/app_container.h" |
| 12 #include "sandbox/win/src/filesystem_dispatcher.h" | 14 #include "sandbox/win/src/filesystem_dispatcher.h" |
| 13 #include "sandbox/win/src/filesystem_policy.h" | 15 #include "sandbox/win/src/filesystem_policy.h" |
| 14 #include "sandbox/win/src/handle_dispatcher.h" | 16 #include "sandbox/win/src/handle_dispatcher.h" |
| 15 #include "sandbox/win/src/handle_policy.h" | 17 #include "sandbox/win/src/handle_policy.h" |
| 16 #include "sandbox/win/src/job.h" | 18 #include "sandbox/win/src/job.h" |
| 68 } | 70 } |
| 69 | 71 |
| 70 namespace sandbox { | 72 namespace sandbox { |
| 71 | 73 |
| 72 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level; | 74 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level; |
| 73 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations; | 75 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations; |
| 74 | 76 |
| 75 // Initializes static members. | 77 // Initializes static members. |
| 76 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL; | 78 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL; |
| 77 HDESK PolicyBase::alternate_desktop_handle_ = NULL; | 79 HDESK PolicyBase::alternate_desktop_handle_ = NULL; |
| 80 IntegrityLevel PolicyBase::alternate_desktop_integrity_level_label_ = | |
| 81 INTEGRITY_LEVEL_LAST; | |
|
rvargas (doing something else)
2014/06/20 23:13:08
At this point I would be OK if you want to set thi
jschuh
2014/06/20 23:21:04
Done.
| |
| 78 | 82 |
| 79 PolicyBase::PolicyBase() | 83 PolicyBase::PolicyBase() |
| 80 : ref_count(1), | 84 : ref_count(1), |
| 81 lockdown_level_(USER_LOCKDOWN), | 85 lockdown_level_(USER_LOCKDOWN), |
| 82 initial_level_(USER_LOCKDOWN), | 86 initial_level_(USER_LOCKDOWN), |
| 83 job_level_(JOB_LOCKDOWN), | 87 job_level_(JOB_LOCKDOWN), |
| 84 ui_exceptions_(0), | 88 ui_exceptions_(0), |
| 85 memory_limit_(0), | 89 memory_limit_(0), |
| 86 use_alternate_desktop_(false), | 90 use_alternate_desktop_(false), |
| 87 use_alternate_winstation_(false), | 91 use_alternate_winstation_(false), |
| 510 *job = NULL; | 514 *job = NULL; |
| 511 } | 515 } |
| 512 return SBOX_ALL_OK; | 516 return SBOX_ALL_OK; |
| 513 } | 517 } |
| 514 | 518 |
| 515 ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { | 519 ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
| 516 // Create the 'naked' token. This will be the permanent token associated | 520 // Create the 'naked' token. This will be the permanent token associated |
| 517 // with the process and therefore with any thread that is not impersonating. | 521 // with the process and therefore with any thread that is not impersonating. |
| 518 DWORD result = CreateRestrictedToken(lockdown, lockdown_level_, | 522 DWORD result = CreateRestrictedToken(lockdown, lockdown_level_, |
| 519 integrity_level_, PRIMARY); | 523 integrity_level_, PRIMARY); |
| 520 if (ERROR_SUCCESS != result) { | 524 if (ERROR_SUCCESS != result) { |
|
rvargas (doing something else)
2014/06/20 23:13:08
nit: Could you remove these {}
jschuh
2014/06/20 23:21:04
Done.
| |
| 521 return SBOX_ERROR_GENERIC; | 525 return SBOX_ERROR_GENERIC; |
| 522 } | 526 } |
| 523 | 527 |
| 528 // If we're launching on the alternate desktop we need to make sure the | |
| 529 // integrity label on the object is no higher than the sandboxed process's | |
| 530 // integrity level. So, we lower the label on the desktop process if it's | |
| 531 // not already low enough for our process. | |
| 532 if (use_alternate_desktop_ && | |
| 533 integrity_level_ != INTEGRITY_LEVEL_LAST && | |
| 534 (alternate_desktop_integrity_level_label_ == INTEGRITY_LEVEL_LAST || | |
| 535 alternate_desktop_integrity_level_label_ < integrity_level_) && | |
| 536 base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { | |
| 537 // Integrity label enum is reversed (higher level is a lower value). | |
| 538 static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED, | |
| 539 "Integrity level ordering reversed."); | |
| 540 result = SetObjectIntegrityLabel(alternate_desktop_handle_, | |
| 541 SE_WINDOW_OBJECT, | |
| 542 L"", | |
| 543 GetIntegrityLevelString(integrity_level_)); | |
| 544 if (ERROR_SUCCESS != result) | |
| 545 return SBOX_ERROR_GENERIC; | |
| 546 | |
| 547 alternate_desktop_integrity_level_label_ = integrity_level_; | |
| 548 } | |
| 549 | |
| 524 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { | 550 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { |
| 525 // Windows refuses to work with an impersonation token. See SetAppContainer | 551 // Windows refuses to work with an impersonation token. See SetAppContainer |
| 526 // implementation for more details. | 552 // implementation for more details. |
| 527 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_) | 553 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_) |
| 528 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER; | 554 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER; |
| 529 | 555 |
| 530 *initial = INVALID_HANDLE_VALUE; | 556 *initial = INVALID_HANDLE_VALUE; |
| 531 return SBOX_ALL_OK; | 557 return SBOX_ALL_OK; |
| 532 } | 558 } |
| 533 | 559 |
| 705 | 731 |
| 706 // Finally, setup imports on the target so the interceptions can work. | 732 // Finally, setup imports on the target so the interceptions can work. |
| 707 return SetupNtdllImports(target); | 733 return SetupNtdllImports(target); |
| 708 } | 734 } |
| 709 | 735 |
| 710 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { | 736 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { |
| 711 return handle_closer_.InitializeTargetHandles(target); | 737 return handle_closer_.InitializeTargetHandles(target); |
| 712 } | 738 } |
| 713 | 739 |
| 714 } // namespace sandbox | 740 } // namespace sandbox |
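Review bot: The early return added at new line 545 in MakeTokens leaves the lockdown token that CreateRestrictedToken filled in at 522 open, so a failed SetObjectIntegrityLabel leaks a restricted primary token handle in the broker; closing it first (`::CloseHandle(*lockdown);` ahead of `return SBOX_ERROR_GENERIC;`, and likewise on the pre-existing SBOX_ERROR_CANNOT_INIT_APPCONTAINER path at 554) or performing the desktop relabel before the token is created would avoid that, unless the caller is known to clean up on error, which is not visible here. The comment at 530 says "desktop process" where the object being relabelled is the desktop handle; `// So, we lower the label on the desktop object if it is not already low enough for our process.` reads more accurately, and it is worth stating there that both alternate_desktop_handle_ and the new alternate_desktop_integrity_level_label_ are static, so the label only ever moves downward over the broker's lifetime and is shared by every policy that uses the alternate desktop. The condition at 532 also assumes alternate_desktop_handle_ has already been created whenever use_alternate_desktop_ is set; if that is not guaranteed by the time MakeTokens runs, a `DCHECK(alternate_desktop_handle_);` inside the block would make the assumption explicit. The remainder of MakeTokens after the appcontainer block lies outside the visible hunks.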