Add UIPI support for sandbox alternate desktop

sandbox/win/src/sandbox_policy_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/sandbox_policy_base.h"
 
+#include <sddl.h>
+
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/app_container.h"
 #include "sandbox/win/src/filesystem_dispatcher.h"
 #include "sandbox/win/src/filesystem_policy.h"
 #include "sandbox/win/src/handle_dispatcher.h"
 #include "sandbox/win/src/handle_policy.h"
 #include "sandbox/win/src/job.h"
@@ skipping 51 matching lines @@
 }
 
 namespace sandbox {
 
 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level;
 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations;
 
 // Initializes static members.
 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL;
 HDESK PolicyBase::alternate_desktop_handle_ = NULL;
+IntegrityLevel PolicyBase::alternate_desktop_integrity_level_label_ =
+    INTEGRITY_LEVEL_SYSTEM;
 
 PolicyBase::PolicyBase()
     : ref_count(1),
       lockdown_level_(USER_LOCKDOWN),
       initial_level_(USER_LOCKDOWN),
       job_level_(JOB_LOCKDOWN),
       ui_exceptions_(0),
       memory_limit_(0),
       use_alternate_desktop_(false),
       use_alternate_winstation_(false),
@@ skipping 422 matching lines @@
     *job = NULL;
   }
   return SBOX_ALL_OK;
 }
 
 ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
   // Create the 'naked' token. This will be the permanent token associated
   // with the process and therefore with any thread that is not impersonating.
   DWORD result = CreateRestrictedToken(lockdown, lockdown_level_,
                                        integrity_level_, PRIMARY);
-  if (ERROR_SUCCESS != result) {
+  if (ERROR_SUCCESS != result)
     return SBOX_ERROR_GENERIC;
+
+  // If we're launching on the alternate desktop we need to make sure the
+  // integrity label on the object is no higher than the sandboxed process's
+  // integrity level. So, we lower the label on the desktop process if it's
+  // not already low enough for our process.
+  if (use_alternate_desktop_ &&
+      integrity_level_ != INTEGRITY_LEVEL_LAST &&
+      alternate_desktop_integrity_level_label_ < integrity_level_ &&
+      base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
+    // Integrity label enum is reversed (higher level is a lower value).
+    static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED,
+                  "Integrity level ordering reversed.");
+    result = SetObjectIntegrityLabel(alternate_desktop_handle_,
+                                     SE_WINDOW_OBJECT,
+                                     L"",
+                                     GetIntegrityLevelString(integrity_level_));
+    if (ERROR_SUCCESS != result)
+      return SBOX_ERROR_GENERIC;
+
+    alternate_desktop_integrity_level_label_ = integrity_level_;
   }
 
   if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
     // Windows refuses to work with an impersonation token. See SetAppContainer
     // implementation for more details.
     if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
       return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
 
     *initial = INVALID_HANDLE_VALUE;
     return SBOX_ALL_OK;
@@ skipping 173 matching lines @@
 
   // Finally, setup imports on the target so the interceptions can work.
   return SetupNtdllImports(target);
 }
 
 bool PolicyBase::SetupHandleCloser(TargetProcess* target) {
   return handle_closer_.InitializeTargetHandles(target);
 }
 
 }  // namespace sandbox